The Private Side of Security
March 1, 2009
There are not many words that carry the baggage that privacy does. It’s important and elusive. It’s not a U.S. Constitutional right but has been stitched together by court decisions and Constitutional Amendments.
There are some state constitutions which cover the right of privacy. At one time, and primarily through the federal Privacy Act of 1974, concerns centered on protecting mostly paper-based records by government agencies. But, as rapidly changing technology makes information increasingly available, scholars, activists, and policymakers have struggled to define privacy.
That’s also the case for enterprises and the security leaders tasked to protect organization, employee, client and consumer information from invasions of privacy.
Respecting privacy concerns is a business bottom line issue.
IN THE HEARTLAND
Ask the C-suite executives at Heartland Payment Systems, which recently released information on a 2008 intrusion that “may be the result of a widespread global cyber fraud operation.”
After being alerted by Visa and MasterCard of suspicious activity surrounding processed card transactions, Heartland found malicious software. In a letter posted on the company Web site, the CEO wrote, “Heartland apologizes for any inconvenience this situation has caused,” continued Baldwin.
“Heartland is deeply committed to maintaining the security of cardholder data, and we will continue doing everything reasonably possible to achieve this objective.” Heartland processes about 100 million transactions a month.
Ask officials at the Veterans Affairs Department. In January, the agency agreed to pay $20 million to veterans for exposing them to possible identity theft in 2006 by losing their sensitive personal information. Lawyers for the VA and the veterans said they had reached agreement to settle a class-action lawsuit filed by five veterans groups alleging invasion of privacy. The money, which will come from the U.S. Treasury, as everything these days does, will be used to pay veterans who can show they suffered actual harm, such as emotional distress or expenses incurred for credit monitoring.
However privacy is defined or perceived, it’s an increasingly important concept that needs protecting, although the lines between information that can be shared and information that must be protected continue to move.
WHAT DO YOU HAVE TO HIDE?
In a recent blog post, Daniel Solove, author of Understanding Privacy, covered remarks, as reported by the Associated Press, from U.S. Supreme Court Justice Antonin Scalia. Scalia said he was largely untroubled by some Internet tracking. “I don’t find that particularly offensive,” he reportedly said. “I don’t find it a secret what I buy, unless it’s shameful.” He added there’s some information that’s private, “but it doesn’t include what groceries I buy.”
Beyond Scalia’s legal perspective, enterprises realize the need to understand privacy, the liability of intrusions and the price that will be paid in dollars, brand and publicity. Healthcare facilities, educational institutions and government agencies are more sensitive to privacy concerns, thanks in part to federal, state and industry rules and regulations.
HIPAA RULE
For hospitals, health insurance firms and healthcare facilities, their administrators, IT and security executives must follow the federal Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule, issued by the U.S. Department of Health and Human Services. The Office for Civil Rights enforces the Rule, which protects the privacy of individually identifiable health information, and the confidentiality provisions of the Patient Safety Act, which protects identifiable information being used to analyze patient safety events and improve patient safety.
The Rule has teeth.
It gives patients an array of rights with respect to information about them. At the same time, it’s balanced so that it permits the disclosure of personal health information needed for patient care and other important purposes.
There is, however, a potential privacy fight brewing relative to the electronic medical records provisions of the Economic Stimulus legislation. Google is in a beta test of Google Health, aimed at citizens so they can be “in charge of (personal) health information.” Among the services: People can organize their health information all in one place as well as gather medical records from doctors, hospitals and pharmacies.
Reacting to a rumor that the search firm may lobby Congress to allow some level of the sale of electronic medical records in the current version of the Stimulus legislation, advocacy group Consumer Watchdog called on Congress to remove loopholes in the ban on the sale of medical records and include other privacy protections absent from the current bill such as giving patients the right to an audit detailing who had accessed their medical records and how the records were used.
But much of the security action today centers on protection of digital-based information whether held in servers, transmitted or shared.
For example, California-based Marin Montessori School brought in new technology to secure staff remote computer network access and traffic. “Our school manages sensitive information and records on our internal network. We want authorized staff to have easy access to it from any location and from any operating system platform, but need to ensure that unauthorized remote access is impossible. Our networks are a mixture of many brands, and we needed a remote access solution that is compatible with everything we have. Our faculty and staff often work outside of school, requiring secure access of the network from home, while traveling or in coffee shops,” said Zarko Draganic, IT manager at the school.
TRANSPARENCY
“The best solution for staff is one that is transparent. They are non-technical users trying to get their work done. Ease of use and reliability across platforms are most important. Cost is also a big concern for all. We found Microsoft’s virtual private network or VPN to be cheapest, but least secure and almost impossible to configure. The Cisco VPN client required a very expensive support contract, not a good value for the school. NCP offered a client that is secure, reliable, easy to configure, compatible with different gateway brands, and affordable by our organization, with excellent support included,” added Draganic.
User awareness is essential, added Rene Poot with NCP. “Understanding the needs of the user and trying to make it as easy to use, but also maintaining an awareness of the dangers involved is critical. Locking down and imposing very stringent access restrictions will only frustrate the user, whereas allowing him or her to take full control is the opposite end of the pendulum. It’s also important to create security awareness through user education; they don’t need to or want to know every detail or bit, but you should provide a general understanding of what and why.”
The school’s solution is multifaceted.
Powerful encryption enables remote staff to access the network from anywhere and seamless compatibility with existing network infrastructure allows Marin Montessori School to avoid any disruptions to service.
AN INTEGRATED APPROACH
A single software solution that provides ease-of-use for both the school’s staff and its IT managers by integrating strong data encryption, and one-time password token and certificate support through a public key infrastructure (PKI).
The unique assurance that data packets are not sent until a safe network has been detected. Configuration and policy logic are easily set and managed centrally or through the client itself.
A dynamic firewall that allows Draganic to set policies for ports, IP addresses and segments as well as applications. The firewall can work in conjunction with or replace existing ones – the choice is the user’s.
For security and privacy solutions, Draganic believes that this year the challenge will be all about value. “We need to prevent any compromise of our network, while remaining within the ever decreasing IT budget.”
Added Poot, “I believe that there will be strong growth in the use of mobile devices/mobility and an increased desire of employees to work while being mobile or from home. The need for network access control and endpoint security will also be a concern in 2009.”
SIDEBAR: The Privacy Act
The U.S. Privacy Act of 1974, 5 U.S.C. 552a, prohibits disclosures of records contained in a system of records maintained by a federal agency (or its contractors) without the written request or consent of the individual to whom the record pertains. This general rule is subject to various statutory exceptions. In addition to the disclosures explicitly permitted in the statute, the Privacy Act permits agencies to disclose information for other purposes compatible with the purpose for which the information was collected by identifying the disclosure as a “routine use” and publishing notice of it in the Federal Register. The Act applies to all federal agencies and certain federal contractors who operate Privacy Act systems of records on behalf of federal agencies.
SIDEBAR: Canada’s Tougher Privacy View
The Office of the Privacy Commissioner of Canada oversees compliance with both that country’s Privacy Act, which covers the personal information-handling practices of federal government departments and agencies, and the Personal Information Protection and Electronic Documents Act, Canada’s private sector privacy law. The Privacy Commissioner, Jennifer Stoddart, is an officer of Parliament who reports directly to the House of Commons and the Senate. An external advisory committee provides strategic directions and priorities.
SIDEBAR: What is Privacy?
It’s the quality or condition of being secluded from the presence or view of others. Or the state of being free from unsanctioned intrusion. Or the state of being concealed; secrecy. If employees, visitors and customers reasonably expect to be left alone, then certain types of security technologies should not be used in those environments.
The key words are reasonable and expectation. The elements can apply to security video cameras in public places as compared to locker rooms and toilets. When it comes to computer data, it gets a bit dicey.