Massachusetts rule may boost exposure for companies
Judy Greenwald Apr. 04, 2010
Data security regulations in Massachusetts, which many describe as the most stringent such rules to date, are proving to be a challenge for businesses, observers say.
The regulations, which apply to any company that has personal information on a Massachusetts resident regardless of whether the business is based in the state, could lead to increased litigation against firms, legal experts say.
The rules that Massachusetts implemented last month based on a 2007 law are likely to influence other states in developing their own regulations, experts say.
Unlike most previous data security rules, Massachusetts' regulations require businesses to proactively implement security measures to protect personal information before a data breach occurs.
The 2007 law, however, is ambiguous about fines for violating the data protection requirements. It also is unclear how vigorously the state attorney general will enforce the provisions. The law was delayed and revised several times in response to complaints by businesses about its feasibility and expense.
***** Moderator's Note *****
My new employer has given me a new laptop, which has a built in provision to encrypt the entire hard disk. The encryption is done by the laptop's hardware, not the Operating System, and I've been assured that the hard drive is unreadable in any other machine.
The point is that I don't think protecting data is that hard to do.
Yes, but there are still ways to get at any data if the user has not powered down or locked the screensaver. What I don't understand is why so many business people walk around with their customer records on their laptop, including credit card numbers and SSNs. How many times have you heard about data being taken from stolen laptops?
Folks, if they can keep just any employee from viewing my salary and SSN, then they can keep customer information private too.
Consider: If the machine (*not* the disk) breaks, is all the data on that drive then "irretrievably" lost? or can it be recovered? If not, then either (1) there is 'nothing important' on the machine, (2) it can all be readily re-constituted from other records (raising the question of how secure are _those_ records), or (3) the data is duplicated 'somewhere else'.
Consider: _all_ the "box specific" information needed to encrypt/decrypt _is_ in the hardware on that box. And, on another identical machine, *it* has the corresponding information for -that- box's encryption/decryption stored in the *same* places. Once you identify _where_ that information is stored, how difficult would it be to copy the 'secrets' from the first machine to the second one, _assuming_ you got access to the hardware?
That is an utterly *MEANINGLESS* statement -- unfortunately.
Before one can classify the effort required for protection, one must decide "how much" protection is required. This requires analyzing the type of 'threat' one is protecting against, and _how_much_ they have by way of resources to 'attack' you.
For 'securing' _anything_, data or anything else, there are precisely *three* basic methodologies, known colloquially as: 1) "something you have" -- e.g., a physical key. 2) "something you know" -- e.g., a password. 3) "something you are" -- e.g., a fingerprint, retinal scan, etc.
Protection against 'more determined' threats may employ _more_than_one_ of the above methodologies.
And, it is worth noting that 'whatever it is' that is protected by the security system is *ONLY* as secure as the security on the thing you 'have/know/are'. If the bad guy is willing to go to the effort of cutting off your finger, then protection by a fingerprint scanner is *NOT* adequate, nor effective.
If the extent of the 'threat' is "accidental disclosure", then providing 'adequate' protection _is_ fairly simple/straightforward.
If you're talking about a 'directed threat' -- where the bad guy has expressly targeted you and/or your secrets -- the landscape is *VERY* different. WHAT is the value of those secrets to someone else (not just "anybody", but to someone who is optimally positioned to 'take advantage' of those secrets, _and_ has the resources to do so)? HOW MUCH money or other resources can they devote to getting the secret and still 'come out ahead' (in whatever measuring system _they_ are using)? And, lastly, HOW MUCH can -you- afford to devote to 'making it difficult' for them to do so?
Say you know where you can sell stolen credit-card numbers, with the related ID info, for $10 each. Say you know somebody who has a _million_ such records. That's a potential $10,000,000 'sale'.
Is it 'worth it', if it takes you 6 months, and you have to spend $3,000,000 to 'make it happen'? You don't have the $3 mill? is it worth it if you find somebody who will 'front' the $3 mill, but wants triple their money back if you succeed? Is $1 million 'adequate' compensation for the 6 months you'll have to put in?
Merely encrypting the disk is -not- going to be adequate in this kind of a situation. Controlling physical access to the machine is also part of the game. Next, where is the access key ('what you have/know/are') kept and how is _that_ protected against forcible seizure? Physical or otherwise.
_IF_ as Bill said, the disk cannot be put in a different laptop and decrypted there (given you have the password/whatever), then the encryption is _also_ based on some UNIQUE per-machine "secret" (something like the 'serial number' perhaps) that is stored IN the machine itself.
I would _hope_ that the system required some form of external input, password, fingerprint scan, 'whatever'.
Ah. _that_ kind of a system. The entered password is of a limited-enough length that it is pretty much guaranteed vulnerable to brute-force attack using 'not impossibly expensive' (as in "probably under $100k") purpose-built MPP hardware. The form/format/content of the critical filesystem metadata (boot block, MBR, partition tables, etc.) is well enough known that one can 'recognize' a correct decryption when it occurs. Making it possible to read the encrypted sector into memory -once-, and run 'all the possible' keys against it, until you find the one that succeeds. With limited key size, this approach _is_ "computationally feasible".
This level of defense *IS* sufficient to protect against "casual", or 'target of opportunity', attacks -- where the bad guy has come into possession of the machine, _NOT_KNOWING_ what it contains (nor, therefore, how valuable the information therein "might" be), and goes looking to see what he can find.
As I said previously, if it is an expressly targeted attack, where the bad guys already know "what" information is there, and the _value_ of it is 'significant' enough to justify expending real effort (i.e., 'serious industrial espionage, 'sale-able' financial data, stuff with 'national security' implications, etc., etc.), such a defense is little more than an 'inconvenience' to the attacker.
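The two posts above make an argument that is easy to model: a short password on its own is a small search space, a slow key-derivation function makes each guess expensive, and binding the disk key to a per-machine secret (the "unique secret stored IN the machine itself" from the earlier reply) means an attacker who has only the drive must also search that secret. The following Python is an added illustration, not code from the thread or from any vendor's disk-encryption product; the iteration count, the attacker's hash rate, the boot-sector stand-in and all keys are constructed sample values, and PBKDF2 is used here as a representative slow KDF, not as a claim about what the laptop in question does.

```python
"""Model of the disk-key argument in the thread above (added example).

Assumptions, not facts from the post: the disk key is derived from a user
password combined with a per-machine secret; the attacker can recognise a
correct key because filesystem metadata has a known structure. All sample
values (iterations, hash rates, secrets, header bytes) are constructed.
"""
import hashlib
import hmac
import math

KDF_ITERATIONS = 600_000        # assumed PBKDF2 work factor for the model
KNOWN_HEADER = b"\x55\xaa"      # constructed stand-in for recognisable boot-sector bytes


def derive_disk_key(password: bytes, machine_secret: bytes, salt: bytes,
                    iterations: int = KDF_ITERATIONS) -> bytes:
    """Derive a 256-bit disk key from the password *and* the per-machine secret.

    Binding the key to the machine secret is what makes the drive unreadable in
    a different laptop: the password alone no longer determines the key.
    """
    ikm = machine_secret + b"\x00" + password    # domain-separated input keying material
    return hashlib.pbkdf2_hmac("sha256", ikm, salt, iterations, dklen=32)


def header_tag(key: bytes) -> bytes:
    """Authenticated tag over the known header: models 'recognising' a correct key.

    This is the check a defender should assume an attacker can perform, because
    the partition table / boot block is predictable; it gives nothing away.
    """
    return hmac.new(key, KNOWN_HEADER, "sha256").digest()


def password_keyspace_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a password drawn uniformly from alphabet_size ** length choices."""
    return length * math.log2(alphabet_size)


def kdf_guess_rate(raw_hashes_per_second: float, iterations: int) -> float:
    """Password guesses per second once every guess costs `iterations` hashes."""
    return raw_hashes_per_second / iterations


def effective_search_bits(password_bits: float, secret_bits: float,
                          attacker_has_machine_secret: bool) -> float:
    """Bits the attacker must actually search.

    With the disk still in its own laptop (secret in hand) only the password
    space matters; with the bare drive, the machine secret adds to the search.
    """
    if attacker_has_machine_secret:
        return password_bits
    return password_bits + secret_bits


def expected_guess_time_seconds(search_bits: float, guesses_per_second: float) -> float:
    """Expected brute-force time: half the space on average."""
    return (2.0 ** search_bits) / 2.0 / guesses_per_second


if __name__ == "__main__":
    # Constructed scenario: 6-digit PIN, 256-bit machine secret, attacker with
    # hardware doing 1e9 raw SHA-256 computations per second (assumed figure).
    pin_bits = password_keyspace_bits(10, 6)
    raw_rate = 1e9
    kdf_rate = kdf_guess_rate(raw_rate, KDF_ITERATIONS)

    in_laptop = effective_search_bits(pin_bits, 256, attacker_has_machine_secret=True)
    bare_drive = effective_search_bits(pin_bits, 256, attacker_has_machine_secret=False)

    print(f"PIN entropy: {pin_bits:.1f} bits")
    print(f"Laptop + PIN, no KDF : {expected_guess_time_seconds(in_laptop, raw_rate):.4f} s")
    print(f"Laptop + PIN, PBKDF2 : {expected_guess_time_seconds(in_laptop, kdf_rate):.1f} s")
    print(f"Bare drive, PBKDF2   : {expected_guess_time_seconds(bare_drive, kdf_rate):.3e} s")

    # Same inputs give the same key; a different machine secret gives a different one.
    k1 = derive_disk_key(b"123456", b"A" * 32, b"constructed-salt", iterations=1000)
    k2 = derive_disk_key(b"123456", b"B" * 32, b"constructed-salt", iterations=1000)
    print("keys differ across machines:", k1 != k2)
    print("header tag for k1:", header_tag(k1).hex()[:16], "...")
```

The arithmetic in the main block is the point of the thread in numbers: with the secret in hand and no key stretching, a six-digit PIN falls in well under a second; key stretching buys roughly the iteration count in extra time; only the missing machine secret pushes the search out of reach, which is why the earlier reply's "cannot be decrypted in a different laptop" property matters more than the password length.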
Unfortunately, in real life such protections are easily forgotten; e.g. laptop or flash drive with sensitive data left in an automobile. Heck, a file folder containing sensitive information left behind in a car is a risk. Or, you have papers in your den at home. You have a party with many guests. Someone could easily inadvertently stumble into the den seeking the bathroom, and then while there, take a peek.
Aside from technical computer protections, what prevents an employee from being bribed to make copies, either electronically, on a Xerox machine, or even by hand? Or a disgruntled employee, who knows he/she has no future at the company, offering out data just to be spiteful? Do companies somehow 'lock' their desktop computers so that people can't copy data (by merely resaving it or a screen print) onto a flash drive or floppy disk?
Depending on the sensitivity of the data, yes. I'm aware of companies that superglue USB jacks and lock the cases of the computer to prevent unauthorized data transfer. Haven't seen a modern computer with a floppy drive in years.
Windows can actually be locked down pretty tight if user mode accounts and group policies are used. Others use terminals to access a Citrix session.
This doesn't preclude using a cell camera to take screen shots, but companies into security tend not to allow those inside either.
*SMART* security-conscious employers _do_ tend to disable the use of -any- removable media -- for exactly that reason. Not just 'writable' media, but even read-only ones -- blocking the latter does wonders for reducing the possible infection vectors available to malware.
On portable machines, networking is also often locked down so that the only connectivity available is via VPN back to 'corporate' -- behind the same defenses/filters/protections/restrictions/*monitoring* of external Internet access, _and_ with only 'restricted' access to corporate internal resources.
This gives a laptop effectively the same degree of protection as the 'in office' desktops. *BOTH* in terms of preventing malware from 'sneaking in', and with regard to 'confidential' (or 'more sensitive') information sneaking *OUT*.