Breach Notification Clauses: A Manifestation to Protect the Trust Between Businesses and Consumers

In the US, more than 33 states have implemented breach notification clauses in their respective privacy and security legislation. Aside from the confusing set of prerequisite conditions for security breach notification from state to state and the lack of an overall comprehensive federal piece of legislation dealing with breach notification, the fact remains that consumer confidence in businesses handing their personal identifiable information (PII) is at an all time low. The lack of consumer confidence is further fuelled by the numerous data security breaches reported due to lost or stolen notebooks, and other various endpoint devices including removable media (USB thumb drives and CD/DVDs). The Privacy Rights Clearinghouse reports that approximately 154,525,715 records containing sensitive personal information were subject to data security breaches since 2005.

Clearly, consumers must be able to trust the organizations they interact with to use the personal information they willing provide for the intent by which it was given, that this sensitive data will be protected through controlled access to only authorized individuals who need this information to perform their duties, and that consumers will be notified if their personal information has been but at risk. The overwhelming justification for breach notification clauses to exist is merely the manifestation of the demand from consumers to be given the opportunity to protect themselves from identity theft and potential financial fraud in the event of a data security breach.

The response from the IT community has been to encrypt data, provide an electronic mechanism to facilitate authorized access, develop strict IT data security policies, and manage the data leaks. This has brought about a huge contingency of IT hardware and software vendors developing encryption software to deal with the various information stores. This, in itself, has brought into play disruptive technologies to deal with problems related to data at rest, data in use, and data in transit.

With the increasing consumer demand for protection against unauthorised access to PII, one can expect breach notification clauses to increasingly be included in today’s data security regulations. With customers, partners and shareholders expecting organizations to demonstrate system security, regulatory compliance, and good governance, clearly breach notification clauses will be more commonly introduced as privacy and security regulations are revised nationally and internationally.

In addition, we need to recognize that businesses have become global with almost every company possessing an international presence either directly, through partners, or through the internet. This has led to organizations grappling to understand, and to institute IT data security policies and strategies that meet the privacy and security requirements locally and also internationally. The key issues for global enterprises exchanging sensitive data across boarders (albeit PII, sensitive information or data surrounding intellectual property) directly relate to the varying considerations for privacy, security, and risk from state to state and country to country; and the determination of how their specific IT security policies, strategies and controls currently in place need to change as a result.

So the question remains, are disruptive regulations having an impact on IT data security policies or is it disruptive data security technology that is impacting the manner in which organizations protect sensitive data?

With the exchange and access to sensitive data increasingly linked to corporate governance, enterprise architecture and compliance issues, senior executives worldwide are spending ever-more time overseeing regulatory compliance projects. A litany of complaints from senior executives express frustration over the added workload compliance pressures have brought to IT departments internationally.

Yet, regulations defining the manner in which businesses behave in the marketplace are not new. Businesses have long been regulated on how they market, how they report their financials, how they interact with their customer base, and how they produce and sell products and services. The management of PII is no different.

The simple reality is that worldwide privacy and security regulations, including the European Union Privacy Directive, the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA), HIPPA, CS Senate Bill 1386 and the Gramm-Leach-Bliley Act (GLBA), are designed to drive strong data security adoption. Security breaches must be disclosed, and penalties include fines and/or criminal/civil action – although the severity of these penalties are inconsequential when compared to the negative impact bad publicity can have on customer trust and company profits.

Worldwide regulations relating to security and privacy are constantly being revised to meet new threats. The US has taken a leadership role not only in data protection, but in breach notification that has caused foreign governments to take notice and follow suit. For example, the UK government has recently commissioned an independent review which will report on how its government agencies manage and protect data. Under the Central Sponsor for Information Assurance, part of the Cabinet office, The Information Assurance review is tasked with determining structured policies for information handling by the end of May. Many security experts are calling for breach notification clauses to be included in any recommendations being brought forward. Similarly, the federal Canadian Privacy Commissioner is now reviewing PIPEDA to potentially now include breach notifications clauses. Internationally, foreign governments point to CS Bill 1386 and GLBA as examples to follow.

Unfortunately, while well intended, most regulations protecting sensitive information simply do not possess the mandatory enforcement necessary to compel custodians of personal data to comply with the legislation. Starting with California Senate Bill 1386 in 2003, security breach notification clauses embedded within security and privacy legislation have given these measures real “teeth” in forcing organizations to disclose data breaches – with the exemption of data that has been encrypted or where disclosure may interfere with police investigations.

The Gramm-Leach-Bliley Act actually goes one step further as it does not exempt data encryption if the electronic key used to encrypt the data resides on the hard drive itself – making a clear case for two-factor end-user authentication or authentication that does not allow for keys or key files to be stored on the encrypted device’s hard drive.

The interesting observation here is not that breach notification clauses are now being incorporated within privacy and security regulations as they are revised, but rather that the breach notification clauses are defining the nature of the electronic encryption key or keys to be implemented to exclude oneself from breach disclosure.

How can organizations ensure their employees adhere to endpoint security practices? The best approach is to make the entire process completely transparent to the user. This does not mean that policies surrounding the care of laptops and mobile devices should be ignored, but rather organizations should understand that simply implementing a sound policy does not mean it will be adhered to at all times.

Data encryption is the ideal method of controlling access to PII whether it is data at rest, data in transit, or data in use. But, in order to enable organizations to comply with new data security legislation without negatively impacting user productivity, encryption vendors must ensure solutions keep pace with ever-changing regulatory policies. This would include encrypting the entire hard drive at pre-boot, which would make it simple to integrate single or multi-factor end-user authentication, and ensuring organizations can manage keys/key files to easily comply with privacy and security regulations. As a result, today’s encryption solutions have to be able to provide transparent data security that is robust and flexible enough to enable organizations to customise security to meet changing standards.

WinMagic’s SecureDoc prevents any unauthorized user seeking to start the Windows operating system, or seeking to gain access to the same encrypted hard drive installed as a slave drive, from viewing files stored on the protected drive. Access to the hard drive can only be obtained at pre-boot through end-user authentication via any combination of password, USB hardware token, PKI (Public Key Infrastructure), smart card, or biometrics. Once the hard drive is encrypted, data is simultaneously encrypted and decrypted as information is being written and read from the hard drive. During this process users will not notice any performance difference between encrypted and non-encrypted hard drives.

In addition, transparency also refers to the pragmatic approach to dynamically managing and provisioning keys / key files to end users. This includes the functionality of key labeling to identify electronic keys associated with encrypted data stores in a pragmatic fashion with human readable text. Given the recent focus on data breaches and the introduction of breach notification clauses, encrypting data at rest in your archives is now a mandatory requirement to ensure personal identifiable information is not put at risk. The question then becomes: Will your encryption solution give you access to your data 10 or 20 years from now? Will you have an intact electronic key repository that will allow your organization to efficiently identify which key or key file is to be used to decrypt archived stores of data?

Electronic key labeling answers this question. The benefit of key labeling has allowed enterprises to quickly identify and associate an electronic key or key file with its respective encrypted data store in order that it can be decrypted. The advantage of such a system is that it simplifies the complexity of key or key file management to allow your organization to quickly decrypt and access encrypted archived data. The SecureDoc Enterprise Server (SES) is based on a SQL DBMS backend that will provide you visibility to the thousands or millions of keys your enterprise might have generated. These keys are represented as a string of alphanumeric values in various lengthens and can be labeled with human readable text for easy identification. This competitive advantage over other data encryption software is that all keys and key files remain intact and secure, yet intuitive to identify and easy to use.

The return on investment is such a system manifests itself immediately where electronic keys can secured, shared if required, and dynamically provisioned through our central server. In taking the complexity out of the application of data encryption, SecureDoc can protect information and ensure that only authorized users can share sensitive data across an enterprise or within a group or department.

Looking back at the last five years, almost all of the innovation seen in today’s disk encryption arena has been delivered by WinMagic. Its comprehensive solutions are robust and yet flexible enough to meet the unique processes inherent with corporate governance from organization to organization. As thought leaders and innovators, WinMagic works towards open standards by supporting the adoption of security enhancing technologies like the Trusted Platform Module. Other examples of pioneering innovation include being the first full-disk encryption developer to support biometric pre-boot authentication, removable media, hibernation, imaging software like Ghost, and disk utilities like defragmentation.

In order to ensure all data is protected, it is important for enterprises to drive the convergence of IT business processes and business security, as well as their associated expenditures. However, this convergence should not come at the expense of end-user productivity and hard drive robustness, or limit the functionality of imaging software or disk utilities. Equally, any technology deployed without taking into consideration corporate governance and unique security requirements is doomed to fail because it will not account for the non-technical processes related to securing data at rest.

For example in addressing the specific requirements of the National Security Agency, WinMagic had to provide dual pre-boot authentication via crypto tokens and PKI integration as a pre-requisite of doing business. While other vendors failed in meeting this requirement, WinMagic delivered a solution in record time that addressed all issues relating to compliance with encryption open standards, compliance with security and privacy legislation, and adhesion to the human element wrapped in corporate governance.

In conclusion, when purchasing technology, organizations must seek encryption solutions that allow for multi-factor authentication, effective key file management, and policy controls for disk and removable media encryption in order to easily comply with privacy and security regulations. And now, thanks to WinMagic’s innovative functionality, it is easy for organizations to protect all data at all times with full-disk encryption while still complying with national and international privacy and security regulations.

by Joseph Belsanti, Director of Marketing, WinMagic Inc.