How to protect personal info

A little-known California law went into effect on July 1.

It requires "any agency that owns or licenses computerized data that includes personal information shall disclose any breach of the security of the system following discovery or notification of the breach in the security of the data of any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person." The law's intent is to help prevent one of the fastest growing crimes in California, identity theft.

The full implications of this legislation are still unknown since no enforcement actions have been brought yet.

The law is know as Senate Bill 1386 (SB 1386) and was authored by State Senator Steve Peace (D-El Cajon).

Gov.

Gray Davis signed it into law on Sept.

25, 2002 after a unanimous vote from the state legislature.

The full text of SB 1386 is available in a formatted version at www.strongauth.com.

SB 1386 was a legislative reaction to the state's Teale Data Center hacking of 265,000 state employee payroll records on April 5, 2002.

The victims of this hack, which also included 120 state legislators, were not notified of the compromise in a timely manner.

Sen.

Peace held a hearing on privacy at the state capitol on June 6.

Perry Kenny, the president of the California State Employees Association, reported his observations of the hearing to his members in a newsletter on June 18, 2002.

The director of the Teale Data Center responded under questioning that his agency "receives and repels an estimated 720,000 automated electronic attacks per month, 11,000 of which it investigates and another 400 to 500, which it formally scrutinizes as it did the attack in question." It was also revealed "that patches that should have been installed prior to the attack were not operative, and that the hacked server sat outside the firewall." This bill does not provide for any criminal penalties but allows civil remedies for those agencies that do not promptly notify California residents of the compromise of their personal information.

Personal information in SB 1386 is defined as first and last name in combination with:

*Social security number

*Driver's license number or identification card number

*Account number, credit or debit card number, in combination with any required security code, access code, or password.

If a breach occurs, agencies are required to provide notice by one of the following means:

*Written notice

*Electronic notice, if the notice provided is consistent with the provisions, regarding electronic records and signatures set forth in Section 7001 of Title 15 of the United States Code.

*Substitute notice, if the cost exceeds $250,000, or that the affected class of subject persons to be notified exceeds 500,000, or the agency does not have sufficient contact information.

Substitute notice shall consist of the following:

*E-mail notice

*Conspicuous posting of the notice on the agency's Web site page, if the agency maintains one

*Notification to major statewide media.

Many groups unsuccessfully lobbied the governor not to sign SB 1386.

The Information Technology Association of America believes that data privacy issues should be left to the federal government to prevent a "crazy quilt of state-by-state piecemeal and inconsistent regulation with which it will be difficult or impossible to comply with simultaneously."

In anticipation of SB 1386 I have provided my Top 10 steps that a Nevada business can take to protect personal customer information.

View network security strategically to protect your business.

Implement security policies using best practices to safeguard confidential records.

Install as a minimum a two-factor authentication like SafeWord Premier Access from Secure Computing (securecomputing.

com) for network logins.

The ordinary user name and password are not adequate since password cracking tools are freely available on the Internet.

Acquire SB 1386 policy and procedures templates from companies like StrongAuth (strongauth.com) to prepare to handle any breach.

Provide employee training on how to recognize breaches on their personal computers and how to report them to the correct authority within the company for investigation.

Then follow it up with actual implementation using a control tool like SENSIDIEM.

Conduct annual external vulnerability assessments and follow them up with internal and external penetration tests.

It is better to have a trusted advisor point out where your network weaknesses are than to have to handle notifying customers of a breach and the resulting PR nightmare.

I recently spoke to an IS manager at a bank in Reno who stated that the bank regulators would not accept vulnerability assessments that they conduct themselves.

They require a separation of role.

Install a firewall that meets Common Criteria EAL4+ certification like the Sidewinder G2 from Secure Computing.

Turn on software auditing to track who accesses critical information.

Install an intrusion detection system from companies like Cisco and Tripwire.

Seek security advice from a Certified Information Systems Security Professional.

Test and apply security patches as soon as they are available.

The breach at the Teale Data Center was caused to a great extent by not applying known security patches.

Maintain strong anti-virus software and update it daily.

This article is provided by WCS Networks for educational and informational purposes only and is not intended as legal advice.

Larry Ellison is director of sales at WCS Networks.

WCSN specializes in security consulting and the installation and support of computer networks for small to medium businesses.