is impossible for ideas to compete in the marketplace if no forum for
California SB 1386 Compliance
Author: Bill Rudolfsky, CISSP
On July 1, 2003, Senate Bill (SB) 1386 became effective in the State of California, requiring government agencies and businesses operating in California to publicly disclose computer security breaches, whenever it is reasonable to believe that a security breach may have compromised personal data belonging to a resident of California and that the compromise could lead to an incident of identity theft. Covered entities include government agencies in California and any entity (individual or company) conducting business in California where the business involves collecting personal data belonging to a resident of California.
Based on the way SB 1386 is written, it would appear that the intent of the California Legislature was to not require that a covered entity have a physical presence in California to be subject to this legislation. Personal information can be collected from a resident of California over the Internet while using a Web Site that is hosted in some other state or in some other country. SB 1386 can be seen as attempting to assume jurisdiction over any business, regardless of where it is located, as long as the business is collecting personal information belonging to a resident of California. Some legal scholars may question the constitutionality of such a broad claim; something that may ultimately have to be settled in the courts.
In implementing this law, the California Legislature is recognizing that a resident of California is at a greater risk of becoming the victim of identity theft when certain kinds of security breaches occur. By requiring covered entities to disclose security breaches, it is plausible that the prospect of having to make a disclosure will provide covered entities with an incentive to strengthen their security practices, reducing the likelihood that they will need to make an embarrassing disclosure while mitigating the threat of identity theft. Scope of SB 1386 -- Reportable Security Breaches.
Notification Provisions, and Civil Remedies
A security breach is reportable if an intruder had an opportunity to access an unencrypted combination of information about a resident of California: The name of the resident of California. Note only the first initial may represent the first name or the first name may be spelled out in its entirety.
One or more of the following items of personal information:
What makes a security breach reportable depends on the combination of personal information that is compromised and whether or not the information can lead to identity theft. The combination of personal information, in conjunction with its encryption status, determines whether the information is considered “protected” under the provisions of SB 1386. Any security breach of “protected” personal information needs to be reported to all the owners of the compromised information.
Unauthorized disclosure of only the name of a resident of California introduces no risk of identity theft. Unauthorized disclosure of the resident’s name and one of the items of personal information, provided the combination is unencrypted, is assumed to introduce the risk of identity theft and is therefore reportable.
By recognizing the role of cryptography in preserving confidentiality, the California Legislature is implying that access to personal information be actively monitored as long as the information is in a vulnerable format that can be used by an identity thief. It is interesting to note that the California Legislature made no stipulation about the quality of cryptography that is used. It seems that a covered entity could conceivably encrypt all protected data with a simple substitution algorithm (replace “A” with “B”, “1” with “2”, ...) and be free from the burden of monitoring and reporting security breaches. Note: also that even if the information is encrypted with a quality algorithm (e.g.; Rijndael Algorithm), if an intruder had an opportunity to copy an encrypted database containing protected personal information, and the intruder manages to discover the encryption key, the unauthorized copying of the encrypted database is not considered reportable, even though the intruder has a means of decrypting the encrypted database and committing identity theft.
It should also be noted that a reportable security breach does not have to be based on irrefutable evidence that protected personal information was compromised. The California Legislature recognized that in many situations a covered entity may be aware of an intrusion, but may be unable to pinpoint exactly what information the intruder compromised. For example, a covered entity may be monitoring logons to a computer system, but may not monitor file access or may not monitor transactions within applications that process protected personal information. Through the monitoring of logons, a covered entity may be in a position to determine that an account was used in an unauthorized manner. Perhaps a logon occurred to an account belonging to a user who was on vacation and an investigation determined that the account owner did not log in from a remote location while on vacation. If monitoring was only limited to authentication related system events (logons, logouts, and failed logons), the covered entity will not be in a position to ascertain with any degree of certainty what the intruder accessed.
In ambiguous situations like what is suggested above, the covered entity would be expected to make a reasonable judgment of the likelihood that an intruder took advantage of any “opportunities” to access protected personal information. “Opportunities” could be identified by understanding the length of time an intruder was on a system and determining if the account that was penetrated was directly authorized to access any protected personal information or could have indirectly received authorization by exploiting some security vulnerability on the compromised system. The direct approach is easy to understand, but what is meant by an indirect approach?
As an example of an indirect approach, assume that an intruder becomes aware of the existence of a file containing protected personal information but has compromised an account that has insufficient rights to access the desired file. While a direct path to the desired file may be shut down, the intruder can search for indirect paths by using a vulnerabilities scanner to search the penetrated system for other exploitable vulnerabilities.
The vulnerability scanner may reveal a program on the compromised system that is running with supervisory rights and is not write-protected or reveal a system process that contains a technical defect that can be exploited. Either scenario, if exploited, could allow the intruder to achieve arbitrary control, with potential full privileges, over the exploited system. Armed with knowledge of an exploitable vulnerability, the intruder can now indirectly obtain access to the protected personal information by exploiting a vulnerable program, causing it to copy the protected personal information to a location that the intruder can then access.
When analyzing “opportunities”, if a covered entity believes it is reasonable to expect that protected personal information may have been accessed in an unauthorized manner, the situation is considered a reportable security breach.
SB 1386 does not make a distinction between unauthorized access by outsiders and unauthorized access by employees or contractors. So, for example, if a system administrator is expected to keep a system up and running, but is not authorized to access any protected personal information within a database on the administered system, unauthorized access to the database by the system administrator would be considered a reportable security breach.
When a covered entity out-sources the processing of protected personal information to another company or individual, the covered entity is still responsible for reporting relevant security breaches that occur at the outside service provider. With this in mind, every covered entity will need to ensure that contracts with outside service providers contain appropriate provisions to obligate the outside service provider to report a relevant security breach.
SB 1386 specifies a number of ways a resident of California can receive a notification of a security breach, with a mailed written notice being the stated preferred method, although substitute methods are considered permissible to contain costs if the written notice needs to be sent to at least 500,000 individuals or will cost at least $250,000. Substitute methods may include e-mail messages, posting a notice on the covered entity’s Web Site, or reporting the security breach through the Press.
A covered entity is able to delay notifying a resident of California if law enforcement determines that notification needs to be delayed to avoid impeding a criminal investigation. Any delay will be designed to give law enforcement an opportunity to apprehend a criminal without tipping him or her off that an intrusion is being investigated. The right to delay disclosures pending the outcome of law enforcement activities is likely to lead to an increase in computer crime reported to law enforcement, as covered entities attempt to use law enforcement to help more precisely identify what information has been compromised and whether the compromised information has in fact been misused. Law enforcement can be expected to show an interest in evaluating any evidence that a covered entity has gathered that can explain the security breach, including any activity logs or other evidence that has been collected. The results of law enforcement activity can clarify that protected personal information was in fact not compromised during a security breach, eliminating the need for an entity to unnecessarily go through a potentially difficult public relations situation. If law enforcement does not authorize a delay in reporting a relevant security breach, the covered entity is expected to report the breach in an expeditious manner.
Civil suits can be initiated against a covered entity by an individual or through a class action to recover damages resulting from a covered entity’s failure to comply with SB 1386. In addition, covered entities that fail to comply with SB 1386 may face enforcement actions imposed by the Office of the Attorney General in the State of California, with the thrust of any enforcement action likely to require that a covered entity improve its information security monitoring practices.
Impact of SB 1386 -- Public Relations/Reputation
Critics of SB 1386 have included the Investment Company Institute (representing nearly 9000 investment companies and over 12 million shareholders in California), expressing a number of concerns with the potential impact of SB 1386 (see June 14, 2002 letter to Senator Steve Peace, http://www.htcia-texasgulfcoast.org/ICI.pdf)
One of the concerns raised is that a resident of California receiving notification of a security breach may have no means of preventing misuse of one’s identity, so the notification will only serve to create needless worry. On the surface, this particular concern would appear to have some merit. For example, when an intrusion could have led to the disclosure of an individual’s social security number, it may seem that there isn’t much that the individual can do to prevent the social security number from being used by an identity thief to fraudulently obtain a new credit card account. It isn’t like an individual can easily change a social security number, although changing a social security number is possible, but is generally limited to situations where it is necessary to protect victims of harassment, abuse and domestic violence - http://www.esia.net/Social_Security_Numbers.htm
In addition, the United States does not have a single clearinghouse that can be tasked with performing additional screening of applicants whenever credit is requested for an individual who has been warned that his or her social security number may have been compromised.
Though it may seem that there isn’t much that an individual can do, once receiving news that his or her social security number has been compromised, there is in fact proactive steps that can be taken to reduce the risk that the compromised personal information can be misused. One of the problems with SB 1386 is that it does not require a covered entity to offer appropriate guidance to a resident of California. A second problem is that the best guidance that can be offered would still require the resident of California to expend considerable effort to manage the risk of becoming an identity theft victim. An excellent compilation of guidance can be found within Fact Sheet 17(a):
Depending on how a security breach is reported, a covered entity may either be elevating anxiety, if unable to narrowly define the scope of the breach (i.e.; by concluding that SB 1386 Compliance with LT Auditor+ 8 any one of large numbers of California residents may have been compromised), or promoting comfort, by being able to precisely identify whose personal information was compromised and being able to explain how the criminal was apprehended before the personal information was misused. The real impact will depend on the scope of the notification and whether the covered entity offers the California resident useful guidance on remedial steps that can be taken.
With the above in mind, the public relations implications of SB 1386 can be very interesting, to say the least. Effectively, the California Legislature has enacted a law that can put pressure on any covered entity at any time to publicly disclose the effectiveness of their information security controls. Disclosure of a security breach will not in itself be evidence of ineffectiveness, since the public can be educated that achieving “fool-proof” security is cost prohibitive and largely untenable. For example, it will be difficult for any company to protect themselves against a security administrator that has decided to become evil. However, the activities of an administrator can be closely monitored, so that evil acts can be recognized and dealt with before significant losses start accumulating.
Any covered entity that discloses a security breach could expect the adequacy of their security controls to be questioned by information security experts. Many questions may be raised. Could the entity have done more to prevent the security breach? Did the entity fail to implement available security controls properly (e.g.; does the breach imply that firewalls were implemented incorrectly, that antivirus measures were not kept up to date, or that file access controls were improperly implemented?) Could the entity have done more to detect a security breach in a timely manner, thereby reducing the potential to misuse personal information that has been compromised?
Some covered entities will be able to tell an impressive story, explaining how they detected a breach, revealing that a conscientious investment in a monitoring infrastructure has paid off, and showcasing the talents of their incident response teams. Other covered entities may only be able to offer a weakly worded admission, “As required by law (SB 1386), we are notifying you that we have suffered a security breach that could have exposed your personal information. We do not know if you personal information has been compromised, but we cannot validate that it has not been compromised.” This can indeed become a moment of truth for any covered entity faced with the need to make a disclosure and reveal the maturity of its information security practice.
Covered entities that choose to suppress knowledge of a relevant security breach run the risk that law enforcement will discover the breach after the fact as part of an effort to investigate the root cause behind an identity theft. In striking a plea bargain with an identity thief, law enforcement may find that the trail leads to a covered entity that choose to violate SB 1386. Covered entities also run the risk that an insider may become a whistleblower, revealing to law enforcement or the press an act of willful neglect. Such situations could result in an enforcement action by the Attorney General’s Office of the State of California and result in reduced business from bad publicity that is generated. The potential losses from not complying with SB 1386 can be significant.
Managing SB 1386 with an Effective Monitoring Practice
With the above considerations in mind, Blue Lance believes that any entity subject to SB 1386 will need to ensure that its monitoring practice is sufficiently robust in order to prepare itself for the day when a public disclosure will be necessary. Blue Lance, with its LT Auditor+ activity monitoring product, can help covered entities prepare for an SB 1386 disclosure, when protected personal information resides on systems that LT Auditor+ is capable of monitoring.
Although SB 1386 does not stipulate what system activities are to be monitored, the implication is that the level of monitoring should be sufficient so unauthorized access to protected personal information can be recognized and acted upon. Covered entities will need to consider various ways in which information can be compromised in determining the most effective level of monitoring. Opportunities may exist to monitor activity from a number of vantage points including: (1) the operating system’s perspective (using available system level auditing capabilities); (2) the network communication’s perspective (using network traffic monitoring tools); (3) from the perspective of the application processing protected personal information (using available application transaction logging capabilities); and (4) a database management system’s perspective (using available database access logging capabilities). The importance of a particular level of logging will be situational, where varying circumstances could make the information in one log important one day, but less important another day.
In order to design an effective monitoring policy, covered entities may seek guidance from the widely respected information security management standard, ISO 17799, and in particular, clause 9.7 within the standard entitled “Monitoring System Access and Use.”
Requirement 9.7.1 within this clause specifically advocates the importance of recording exceptions and other security-relevant events. This includes records of successful/rejected system access attempts (logons, logoffs, connections) and other successful or rejected resource access attempts (including file access).
The business case for comprehensive monitoring at the operating system level can be further strengthened when considering scenarios that could compromise the confidentiality or integrity of protected personal information. Examples of such scenarios (and potential compensating monitoring practices) include the following:
System infiltration by a computer virus or worm that is designed to randomly grab files and e-mail the compromised files to randomly selected e-mail addresses. If through a stroke of bad luck a grabbed file contains protected personal information, this type of attack could potentially lead to a violation of SB 1386 requirements. It may be worthwhile to note that the concept of designing a worm with file grabbing properties was experienced with the highly prevalent Sircam.A computer worm and is likely to be repeated with new viruses/worms programmed with similar capabilities1.
Exploitation of a technical vulnerability in the operating system or some other system software running in a privileged mode, allowing a skilled adversary to obtain “privileged control” over the compromised system and potential unauthorized access to protected personal information on the penetrated system. Statistics reported by Carnegie Mellon University’s Emergency Response Team (CERT) over the last 3 years illustrate a steep increase in reported vulnerabilities, with many vulnerabilities introducing ways to get unauthorized privileged access to vulnerable systems. 7,913 vulnerabilities were reported in 2003 and 2002, compared to 5,033 vulnerabilities reported over the previous 7 years, with many vulnerabilities affecting software that is in widespread use.
In reflecting upon the above sample scenarios, one may begin to see a networked computer system as an inherently vulnerable environment and it may be easier to understand the challenges covered entities will face in complying with SB 1386. Clearly, the statistics reported by CERT demonstrate that most businesses will be faced with continuing pressure to respond to vulnerabilities that affect their computer systems. In general, operating system level monitoring can help a business manage its vulnerabilities in two significant ways:
Vulnerabilities that are exploited can lead to other important controls and logs becoming compromised, further degrading the integrity of a penetrated environment. Maintaining a detailed record of activity from the operating system’s perspective can be advantageous in validating the integrity of other important controls and logs, including logs at the application and database management system levels. Of course, this assumes that the operating system level monitoring capabilities employ reasonably reliable defensive methods to protect its logs. Without a record of activity from the operating system perspective, we would not have an independent “controlled” means to ensure that other logs recording access to electronic protected personal information have not been tampered with.
With the above in mind, it is easier to understand how system monitoring can have a deterrent effect in discouraging unauthorized access by criminals who are looking to profit from identity theft or can be advantageous in prosecuting or recovering from an act of identity theft. It can be assumed that most criminals do not want to be caught and if a criminal has a choice of environments to attack, the environment that is more likely to be attacked is the environment that the criminal believes is least likely to be monitored.
Leveraging LT Auditor+ Capabilities to Help Achieve Compliance with SB 1386
Organizations that are required to comply with SB 1386 will be able to take advantage of the ability to use monitoring agents that record system activities from the operating system perspective. A detailed record can be generated of access to any file containing protected personal information.
The ability to use monitoring agents to implement an effective level of security-event monitoring, achieved through the monitoring of:
The ability to monitor systems in a transparent manner.
In conclusion, this paper discussed the role of system monitoring in complying with California’s SB 1386. With the enactment of this law, the California Legislature introduced statutory requirements that reinforce the importance of monitoring systems for intrusive activities. Through effective monitoring, covered entities will be able to improve the ability to protect a resident of California from becoming the victim of identity theft. Residents can be warned that protected personal information may have been compromised and will be able to take proactive steps to manage the risk that the compromised information can lead to an act of identity theft. Blue Lance Customers that are subject to SB 1386 will be able to take advantage of LT Auditor+ as a way to validate that electronic protected personal information is being accessed in an authorized manner and to recognize and respond to attempted unauthorized access.
Bill Rudolfsky is the Chief Information Security Officer for Blue Lance, Inc. and a 23 year veteran in providing Information Technology Services. Within the last 12 years, Mr. Rudolfsky held various information security leadership positions for large organizations in the banking and financial services industry including the Federal Reserve Bank and JP Morgan Chase. His credentials include obtaining Certified Information Security Professional (CISSP) status in 1999.
Visit the Authors Web Site
Search Our Site
Search the ENTIRE Business
Forum site. Search includes the Business