Protecting Data On The Move

Presentation Transcript


  1. Protecting Data On The Move
     Scott Spiker, Enterprise Account Executive - NorCal

  2. Agenda:
     • The Evolution of Data
     • Regulation Complexity
     • Dealing with Data Loss
     • Strategic Planning
     • Q&A

  3. Evolution of Data
     • Protect your vital data
     • Your data is no longer confined to the 4 walls of your organization
     • Desktop, Laptop, Server, Mobile, USB Drive, Email, Cloud Storage, SMS, Chat, Social…

  4. Evolution of Data
     • Collision of data points and employee efficiencies
     • More data, more access
     • Post Recession Workplace
     • Do more with less
     • Distributed workforce
     • Increased collaboration

  5. Regulation Complexity
     • State Privacy & Disclosure laws
     • HIPAA/HITECH (medical)
     • PCI-DSS (credit card)
     • FERPA (education)
     • FISMA (federal)
     • GLBA (finance)
     • SOX (corporate auditing)
     The good news is the holes in the armor are defined

  6. CA Data Breach Act: SB 1386
     Standards for The Protection of Person
     Designed to ensure that Californians are alerted whenever their personal information may have been compromised. The law went into effect July 1, 2003. Essentially, any organization with a customer or employee residing in the state of California is affected.
     • Source: http://info.sen.ca.gov/pub/01-02/bill/sen/sb_1351-1400/sb_1386_bill_20020926_chaptered.html

  7. California SB 1386 Requirements
     Any company with employees or customers in the state of California must notify them, at the company’s expense, if their personal information is lost, stolen, or believed to have been lost or stolen. It further specifies that a breach must only be “reasonably believed” to have occurred to force notification.
     • Source: http://info.sen.ca.gov/pub/01-02/bill/sen/sb_1351-1400/sb_1386_bill_20020926_chaptered.html

  8. California SB 1386 Requirements
     “Any person or business that conducts business in California shall disclose any breach of the security of the system following discovery or notification of the breach in the security of the data to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.”
     Where does the burden of proof lie?
     • Source: http://info.sen.ca.gov/pub/01-02/bill/sen/sb_1351-1400/sb_1386_bill_20020926_chaptered.html

  9. California SB 24 - What’s changed?
     • Enhanced Breach Notifications (to include specific information)
     • Requirement to notify Attorney General (if breach >500)
     • Covered Entities/Business Associates considered HIPAA HITECH Compliant must also comply.
     • Entities notifying individuals through the media must also notify Office of Privacy Protection
     • Source: http://info.sen.ca.gov/pub/01-02/bill/sen/sb_1351-1400/sb_1386_bill_20020926_chaptered.html

  10. California SB 1386 - What can we do?
     Section 1798.29 (a) of the regulation specifies that encrypted data, even if lost or misdirected, is not subject to customer notification requirements. Access control is not enough.
     • Source: http://info.sen.ca.gov/pub/01-02/bill/sen/sb_1351-1400/sb_1386_bill_20020926_chaptered.html

  11. Payment Card Industry Data Security Standard
     12 key elements to protect sensitive data & over 250 controls. At a high level, PCI-DSS boils down to these 4 key things:
     1) All merchants, regardless of whether credit card data is stored, must achieve and maintain compliance at all times – the deadlines have already passed.
     2) Merchants cannot store certain credit card information, track data from the magnetic stripe, or PIN data.
     3) If permitted credit card information such as name, credit card number and expiration date is stored, certain security standards are required.
     4) “Carrot & the Stick” – Safe Harbor from fines IF a merchant was in compliance at the time of a breach, versus fines as high as $500,000 per incident and the potential loss of the ability to take credit cards.
     Source: PCI DSS Compliance Overview, Braintree Payment Solutions, www.getbraintreee.com

  12. Health Insurance Portability and Accountability Act (HIPAA): Secure “protected health information” (PHI).
     • Health Information Technology for Economic and Clinical Health Act (HITECH) includes funding for electronic health records and enforces increased security & privacy protection requirements.
     • The regulation defines unsecured PHI as PHI that is not secured through the use of a technology or methodology that renders it unusable, unreadable, or indecipherable to unauthorized individuals.

  13. HIPAA HITECH now applies to Business Associates (BAs) directly.
     • HITECH also increased the penalties for violations of HIPAA.
     • Not just big breaches – 57,000+ breaches of under 500 individuals reported
     • HITECH also requires PHI breach notification, which was not part of the original HIPAA rules.
     • HITECH establishes punishment for willful neglect.

  14. Repercussions of a breach… Or just use the state’s handy breach search tool! http://oag.ca.gov/ecrime/databreach/list

  15. Recent Data Breaches
     • May 2013, CA Dept of Public Health, 2,000 records, unsecure reel
     • May 2013, University of Rochester Medical Center, 537 records, lost USB drive
     • May 2013, Honolulu Police Dept, 3,500 records, unknown breach
     • April 2013, Orthopedic Physician Associates, unknown # of records, stolen laptop
     • April 2013, Hope Hospice, 818 records, unencrypted email
     • April 2013, Upstate Univ Hospital, 283 records, stolen laptop

  16. How data is lost
     (Chart: breakdown by cause; the slide’s segment values 8%, 10%, 31%, 14%, 17%, 17% survive but their category labels were not captured in the transcript.)
     • Source: www.datalossdb.org

  17. Data loss: Just the facts
     • 346M records [1] compromised since ’05
     • Costs: $214/record [2], $7.2m/incident [2]
     • Fines: $1.5m/yr [3], $5k/violation/record [4], unlimited [5]
     • Disclosure: Bad press, Reputation damage
     • Net: Loss of business
     1) www.privcyrights.org
     2) Annual Cost of a Data Breach ’10, Ponemon Institute
     3) HITECH Act (US) – healthcare
     4) Mass. Data security regulation 201 CMR 17
     5) Data Protection Act (UK)

  18. Mobile workers = data on the move
     • More workers are mobile, businesses are buying more laptops
     • They’re easy to lose and attractive to thieves
     • Physical security isn’t always a priority
     86% of IT practitioners say someone in their organization has had a laptop lost or stolen
     Source: Ponemon Institute

  19. Security vs. Productivity
     Balancing act – CISOs are struggling with maintaining security

  20. Questions to ask:

  21. Is your data copied to portable devices?
     • They take data everywhere
     • If they’re lost, can you be sure they’re secure?
     • You probably can’t ban removable media
     • People will plug them in anywhere

  22. Do you have a cloud problem?
     According to a survey, 61% of organizations are already using or planning to evaluate cloud storage, BUT 52% of organizations had yet to put controls in place to mitigate the risk of a data breach.
     Source: Ernst & Young Global Information Security Survey 2011

  23. Network files: Who’s in charge?
     • Need to make sure the right people can share files
     • Are roles being separated in the right way?
     • Securing sensitive data (Finance, HR etc.) from those inside the organization is difficult

  24. If you’re not sure, you’re not secure
     • Encryption now comes built in to some operating systems
     • Can you be sure it’s still functional?
     • How do you know if a user has changed settings?
     • You may have to prove compliance with regulations
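Slide 10 rests on encrypted data being exempt from notification, and slide 24 asks how you would know the built-in encryption is actually still in force. The script below is an added example, not part of the presentation or of any Sophos product: it takes the block-device tree that Linux `lsblk --json -o NAME,TYPE,FSTYPE,MOUNTPOINT` prints and reports every mounted filesystem with no dm-crypt (LUKS) layer beneath it, which is the evidence an auditor would want. The JSON embedded in it is constructed sample output (one LUKS-backed root, a plaintext /boot, and a plaintext USB stick) so it runs offline; the `live_lsblk_json` helper captures a real tree when run on a Linux host.

```python
"""Audit whether every mounted filesystem sits on an encrypted block device.

Added example (not from the presentation). The block-device tree is read from
`lsblk --json -o NAME,TYPE,FSTYPE,MOUNTPOINT`; a mounted filesystem counts as
encrypted only if some ancestor in the tree has type "crypt" (dm-crypt/LUKS).
"""
import json
import subprocess
from typing import Iterator

# Constructed sample of lsblk JSON output (not captured from a real host):
# sda2 is a LUKS container holding an LVM volume mounted at /,
# while sda1 (/boot) and the USB stick sdb1 (/media/usb) are plaintext.
SAMPLE_LSBLK_JSON = """
{
  "blockdevices": [
    {"name": "sda", "type": "disk", "fstype": null, "mountpoint": null,
     "children": [
       {"name": "sda1", "type": "part", "fstype": "ext4", "mountpoint": "/boot"},
       {"name": "sda2", "type": "part", "fstype": "crypto_LUKS", "mountpoint": null,
        "children": [
          {"name": "luks-root", "type": "crypt", "fstype": "LVM2_member", "mountpoint": null,
           "children": [
             {"name": "vg0-root", "type": "lvm", "fstype": "ext4", "mountpoint": "/"}
           ]}
        ]}
     ]},
    {"name": "sdb", "type": "disk", "fstype": null, "mountpoint": null,
     "children": [
       {"name": "sdb1", "type": "part", "fstype": "vfat", "mountpoint": "/media/usb"}
     ]}
  ]
}
"""

# Mountpoints that are legitimately plaintext: the boot loader must read them
# before any encryption key is available. Everything else must be encrypted.
DEFAULT_ALLOW = frozenset({"/boot", "/boot/efi"})


def _walk(node: dict, encrypted: bool) -> Iterator[tuple[str, str, bool]]:
    """Yield (name, mountpoint, has_crypt_ancestor) for every mounted node,
    carrying the 'encrypted' flag down once a crypt layer has been passed."""
    encrypted = encrypted or node.get("type") == "crypt"
    mountpoint = node.get("mountpoint")
    if mountpoint:
        yield node["name"], mountpoint, encrypted
    for child in node.get("children", []):
        yield from _walk(child, encrypted)


def unencrypted_mounts(lsblk_json: str, allow: frozenset = DEFAULT_ALLOW) -> list[tuple[str, str]]:
    """Return (device, mountpoint) pairs mounted without any crypt layer and
    not on the allow list. An empty list means the host passes the check."""
    tree = json.loads(lsblk_json)
    findings = []
    for device in tree["blockdevices"]:
        for name, mountpoint, encrypted in _walk(device, False):
            if not encrypted and mountpoint not in allow:
                findings.append((name, mountpoint))
    return findings


def live_lsblk_json() -> str:
    """Capture the real device tree; only works on a Linux host with lsblk."""
    return subprocess.run(
        ["lsblk", "--json", "-o", "NAME,TYPE,FSTYPE,MOUNTPOINT"],
        check=True, capture_output=True, text=True,
    ).stdout


if __name__ == "__main__":
    # Replace SAMPLE_LSBLK_JSON with live_lsblk_json() to audit this machine.
    for device, mountpoint in unencrypted_mounts(SAMPLE_LSBLK_JSON):
        print(f"NON-COMPLIANT: {device} mounted at {mountpoint} has no encryption layer")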

  25. Strategic Planning
     • DLP Plan: What are you doing to identify, classify, and protect your data?
     • Device Control: What considerations have been made for USB/Portable Drives?
     • Email: What email controls do you have around data?
     • Encryption: Whole Disk, Removable and Cloud Storage, Mobile
     • Mobile Control: BYOD or Corporate owned
     • Network Protection

  26. Complete Security
     Leading with Complete Security

  27. SafeGuard Enterprise
     Your key to data protection with encryption

  28. For More Information…
     • LEARN MORE ABOUT
     • Sophos SPX DLP Encryption - email encryption
     • Sophos SafeGuard – encryption management
     • Sophos Web Gateway
     • Register Today http://www.sophos.com/security/webseminars/
