BPOIndia.org

Data Security Acts For Safeguarding Customer Information


California's SB 1386, operative since July 1, 2003, was created in response to the rising rate of identity theft resulting from compromised personal information. SB 1386 affects any state agency, business, or person that conducts business in California and maintains computerized data that includes personal information. Security analysts believe that most large companies, whether or not actually domiciled in California, will thus be affected. SB 1386 states that any breach of the security of the data must be reported, in the most expedient time possible following discovery of the breach, to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.[1] Personal information is defined as an individual's last name and first name or initial, in combination with a social security number; a driver's license or California ID card number; or an account, credit or debit card number together with any security code, access code or password that would permit access to the account. Failure to promptly notify the owner or licensee of the data makes the organization liable to civil action to recover damages.

AB 1950 takes personal data privacy a step further, requiring businesses that own or license such personal information about a California resident, when it is held in unencrypted form, to implement and maintain reasonable security procedures and practices to protect the information from unauthorized access, destruction, use, modification, or disclosure.[2] SB 1386 and AB 1950 are having a significant impact on the way an enterprise protects its electronic data because of the potentially severe penalties that class-action lawsuits and other sanctions may impose on an organization for negligence in exercising an adequate standard of care. Additional costs attributable to SB 1386 and AB 1950 include the damage to image, reputation and brand resulting from public awareness of security breaches, the cost of notifying data owners, and the cost of defending lawsuits brought against the agency or enterprise. Data privacy legislation modeled on the California bills has been introduced at the federal level as well, which should make the identity theft issues raised by the California legislation of even greater concern nationally.

The Role of Encryption as a Security Mechanism

Differing interpretations in the media of the intent and effects of SB 1386 indicate that significant confusion exists regarding the role of encryption in excusing liability for safeguarding personal information. The bill states that any breach of the security of the data in the system shall be disclosed following discovery or notification to any resident of California whose "unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person."[3] While some have chosen to interpret an organization's use of data encryption as an automatic exemption from the law, a more accurate reading of the law's intent treats encryption as a security mechanism rather than as an exemption. If the encryption method used to safeguard personal information is defeated by an unauthorized person, as is known to happen frequently with other traditional security measures such as firewalls, then the data should be assumed to have been acquired in unencrypted form, and the agency or enterprise is responsible for notifying data owners under SB 1386. Data encryption may be defeated, for example, by acquiring authorized user status on a host upstream of an inline data encryption device, allowing the attacker to access information in cleartext form. Only where the data is acquired while unmistakably still in ciphertext form, such as through theft of backup media, is the enterprise not required to notify data owners.

Similarly, AB 1950's definition of 'personal information' as a name or a defined data element that is not encrypted or redacted is vaguely worded. While encrypted data is clearly exempt from the rule, a defeated encryption mechanism that lets the unauthorized user receive the information in cleartext form would not be interpreted as a loophole in the legislation. The exemptions in SB 1386 and AB 1950 for theft of encrypted data also highlight another ambiguity: neither bill defines what encryption qualifies. Instead, the bills put the onus on the organization to meet the current standard for adequate data protection. Diligent security practice for protecting data at rest now calls for a minimum 128-bit key length for symmetric encryption keys (i.e., 'strong' encryption). The use of weaker encryption, or the practice of encrypting only short fields (which is inherently weak), may allow ciphertext data to be cracked in hours or even minutes on a fast computer. As a result, data acquired by unauthorized persons in encrypted form, which ostensibly releases the enterprise from its responsibility, might subsequently be decoded in a short period of time, leaving data owners exposed to exploitation of their personal information by identity thieves. Only if an enterprise uses strong encryption (e.g., AES, 3DES), and the encryption key was stored in such a way that the attacker could not have obtained it, can it reasonably be assumed, post-attack, that unencrypted personal information was not acquired by an unauthorized person.
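The following Go program is an added illustration of the two points made above, not code from the original article or any product it refers to: a 128-bit AES key used in an authenticated, non-deterministic mode (AES-128-GCM) hides whether two stored records are equal and rejects any tampering, whereas encrypting a short field such as a nine-digit SSN with a bare block cipher and no nonce produces the same ciphertext every time, so the stored column reveals which customers share a value. The key and the sample record are constructed for the example; in a deployment the key would be fetched from a key store the data host's administrators cannot read, which is the key-storage condition the text sets for a post-attack claim that no unencrypted data was obtained.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// Constructed 128-bit key for this example only (assumption: in production
// it would come from an HSM or external key manager, never sit beside the data).
var sampleKey = []byte("0123456789abcdef") // 16 bytes -> AES-128

// encryptRecordAEAD seals a personal-information record with AES-128-GCM.
// A fresh random nonce per call means identical plaintexts yield different
// ciphertexts, and the authentication tag makes any modification detectable.
// Output layout: nonce || ciphertext || tag.
func encryptRecordAEAD(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// decryptRecordAEAD reverses encryptRecordAEAD and returns an error for a
// wrong key, a truncated blob, or any change to the ciphertext or tag.
func decryptRecordAEAD(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(sealed) < ns+aead.Overhead() {
		return nil, errors.New("sealed record too short")
	}
	return aead.Open(nil, sealed[:ns], sealed[ns:], nil)
}

// encryptFieldDeterministic is the weak pattern the text warns about: a short
// field zero-padded to one block and run through the raw block cipher with no
// nonce. Equal inputs give equal ciphertexts, so the stored column reveals
// which rows share a value and invites comparison against trial encryptions.
func encryptFieldDeterministic(key, field []byte) ([]byte, error) {
	if len(field) > aes.BlockSize {
		return nil, errors.New("field does not fit in one block")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	padded := make([]byte, aes.BlockSize)
	copy(padded, field)
	out := make([]byte, aes.BlockSize)
	block.Encrypt(out, padded)
	return out, nil
}

// leaksEquality encrypts the same field twice with enc and reports whether the
// two ciphertexts match, i.e. whether ciphertext alone reveals equal values.
func leaksEquality(enc func([]byte, []byte) ([]byte, error), key, field []byte) (bool, error) {
	a, err := enc(key, field)
	if err != nil {
		return false, err
	}
	b, err := enc(key, field)
	if err != nil {
		return false, err
	}
	return bytes.Equal(a, b), nil
}

func main() {
	record := []byte("Doe, Jane|SSN=123-45-6789") // constructed sample record
	sealed, err := encryptRecordAEAD(sampleKey, record)
	if err != nil {
		panic(err)
	}
	fmt.Println("AEAD record:", hex.EncodeToString(sealed))
	detLeaks, _ := leaksEquality(encryptFieldDeterministic, sampleKey, []byte("123456789"))
	aeadLeaks, _ := leaksEquality(encryptRecordAEAD, sampleKey, []byte("123456789"))
	fmt.Println("deterministic field leaks equality:", detLeaks) // true
	fmt.Println("AEAD record leaks equality:", aeadLeaks)         // false
	sealed[len(sealed)-1] ^= 0x01 // simulate a one-bit change to the stored tag
	_, err = decryptRecordAEAD(sampleKey, sealed)
	fmt.Println("tampered record rejected:", err != nil) // true
}
```

The design point is that key length alone does not make a scheme adequate: the deterministic variant uses the same 128-bit AES key as the GCM variant, yet it leaks equality across rows, which is the kind of weakness the text has in mind when it calls field-level encryption of short values inherently weak.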

To help clarify these ambiguities, the California Office of Privacy Protection has published its "Recommended Practices on Notification of Security Breaches Involving Personal Information." The recommended safeguards include implementing host protection and access control functionality to support data encryption wherever feasible, and they specify the use of AES encryption technology.

As this is not a legally binding set of practices, however, court cases will be required to formally clarify this issue over time.

Protecting Against Vulnerabilities to Data Theft

The intent of California data privacy legislation is to protect data owners from the exposure of usable personal information to identity thieves. There are, however, many opportunities for attack, originating both inside and outside the perimeter, that unauthorized users might exploit to obtain or corrupt information. These include the following attacks, classified by the vulnerability being exploited:

Root Attack: The ability to illegally obtain 'trusted' root access privileges.
Worms and Trojans: The alteration or insertion of executable code for the purpose of running an unauthorized application.
Buffer Overflow: Overflow of stored data into adjacent buffers, executing code that triggers malicious or unauthorized activity.
Unintended Admin Privilege: The use of privileges to access, copy, or tamper with data outside the requirements of a user's authorized role.
Unauthorized Data Viewing: The use of privileges to view information outside the requirements of a user's authorized role.
Audit Log Tampering: Tampering with audit log file data; prevented by restricting access to only authorized users and applications.

Physical Theft: The theft of information through extraction from stolen hardware or storage media.

While encryption provides an effective barrier against the unauthorized viewing of information from stolen media, the ability of encryption alone to protect against unauthorized access to stored data is very limited. Architectural approaches to encryption that have no linkage into the context of the request at the access point, as is the case with inline bulk encryption devices installed in the SAN fabric, are unable to determine the context of I/O requests and generally assume a 'trusted fabric' above the storage layer. Similarly, backdoor access to a server or workstation left open by an unpatched vulnerability or Trojan horse attack gives attackers or root users an opportunity to obtain cleartext information if their identity has not been confirmed by the network authentication service.

Storing encryption keys on a host platform where IT administrators can access them is another example of a poorly designed architecture that exposes protected information to compromise and defeats the separation-of-duties principle.

Encrypting stored data alone, without integrating host protection and context-aware access control or using an architecture that protects access to the encryption keys, leaves the organization vulnerable to legal action, since courts are unlikely to accept such a solution as meeting the intent of the law. A comprehensive information protection solution with an effective architecture is needed, one that actively enforces policies defining the appropriate use of personal data.

Amit Nayak


Copyright © 2001-2008 BPOIndia.org