Responsibilities and Expectations

In an organization, the question of responsibility is a big one. Is the organization responsible if an end user misuses a company-owned laptop and gets caught with illicit material, or is the user responsible? What about the use of items such as PDAs, BlackBerrys, and smartphones? What about the use of sites such as WikiLeaks, or social networking sites such as Twitter, Facebook, LinkedIn, or MySpace? The proliferation of electronic media and the tendency for people to talk too much are not a good combination. Ultimately, it is the responsibility of the organization to protect itself, the information housed in its databases, and its users. To do so, you must implement policies, standards, procedures, and guidelines to ward off potential lawsuits, loss of intellectual property (IP), and loss of resources, and to set forth the expectations you have of your personnel. It won’t be a cure-all, but it will give the organization a leg to stand on when the need arises to protect corporate assets.

A Real-World Example

In 2009, Heartland Payment Systems,[1] which processes card payments for restaurants, retailers, and other merchants, was attacked by intruders who hacked into the system used to process 100 million payment card transactions per month for 175,000 merchants. Essentially, the hackers wormed their way into the system and recorded activity on Heartland’s system for weeks in late 2008. Security standards such as CISP and, later, PCI-DSS were created to prevent incidents like this from happening.

[1] www.usatoday.com/money/perfi/credit/2009-01-20-heartland-credit-card-security-breach_N.htm

Who Is Responsible? You Are!

It is the responsibility of the organization to protect its personnel, the organization itself, the data entrusted to that organization (such as credit card numbers, bank account numbers, and Social Security numbers), and, if applicable, the organization’s IP resources (designs, plans, and code). You should be aware of the legal precedents, ISO certifications, and security standards that pertain to your organization or type of organization; for example, a medical office and the Health Insurance Portability and Accountability Act (HIPAA). Ignorance is not bliss when your organization gets levied with fines; it’s expensive. Depending on your merchant tier level under PCI-DSS, which is quite prescriptive from a technology perspective, fines to the corporation at fault can run into the millions of dollars.

Legal Precedence

The United States Department of Justice maintains a Computer Crime and Intellectual Property website (www.justice.gov/criminal/cybercrime/index.html) that provides news releases on computer crime, current and archived cases, policy and programs, legal resources, and so on. There is a wealth of information out there.

Internet Lawyers

New legal precedents are set every day concerning such things as intellectual property, Internet law, and domain disputes. If you are in need of protection, you can find a good Internet lawyer. These individuals specialize in Internet law and in representing information technology companies, and they understand better than anyone the challenges that arise when legal issues occur in cyberspace. They deal in specialties such as jurisdiction, venue, breach of contract, e-commerce, trademarks, copyrights, and patents, and other issues often outside the realm of typical corporate lawyers.

Evolution of the Legal System

As we move forward, the legal system is evolving. Many states and countries now have specific laws concerning cyber security and the protection of people and their assets. Information Technology Law (IT Law) is a set of recent legal enactments that govern the processing and dissemination of digital information. These enactments cover a broad range of aspects relating to computer software, protection of software code, access to and control of digital information, privacy, security, Internet access and usage, and electronic commerce. Examples include the following:

• Florida Electronic Security Act

• Illinois Electronic Commerce Security Act

• Texas Penal Code - Computer Crimes Statute

• Maine Criminal Code - Computer Crimes

• Singapore Electronic Transactions Act

• Malaysia Computer Crimes Act

• Malaysia Digital Signature Act

• UNCITRAL Model Law on Electronic Commerce

• Information Technology Act 2000 of India

• Computer Misuse Act of 1990 (Great Britain)

A prime example of this is the September 2009 case[2] in which an Indiana couple was allowed to sue their bank for its alleged failure and negligence to implement the latest security measures. The judge ruled that a “...reasonable finder of fact could conclude that the bank breached its duty to protect Plaintiff’s account against fraudulent access....” It was pointed out that the authentication methods were inadequate: the bank relied on usernames and passwords to control access to accounts, whereas other banking institutions had begun using two-factor or multifactor authentication, including token-based authentication (hardware and software tokens). The couple highlighted the fact that a 2005 document authored by the Federal Financial Institutions Examination Council (FFIEC) called single-factor authentication inadequate and recommended the use of two-factor authentication by banks.

[2] www.computerworld.com/s/article/9137451/Court_allows_suit_against_bank_for_lax_security

Criminal Prosecution

With new laws and new legal precedents being made every day, prosecuting individuals and corporations is becoming more and more common. Your organization can be sued for breach of contract because of insufficient security, for insider trading, or simply for the loss of your clients’ PII, which is all the more reason to know what data needs to be secured and how best to secure it without hindering productivity. You will continually run into situations in which maintaining a secure platform hinders the research and development aspect of your job. There needs to be security, but there also needs to be an understanding of why those assets are protected.

Real-World Example

In 2007, TJX Companies (T.J. Maxx, Marshalls, and Bob’s Stores) revealed that some 45.6 million credit and debit card numbers had been stolen from one of its systems over a period of more than 18 months by an unknown number of intruders. In addition, the personal data provided by an estimated 451,000 individuals who returned merchandise without receipts in 2003 was also stolen. Now you might be asking yourself how this happened. In addition to poor wireless network security (the WEP key was easily cracked; the current standard, PCI-DSS 2.0 of 10/28/10, does not permit the use of WEP; see www.pcisecuritystandards.org), “...poorly secured in-store computer kiosks are partly to blame....” The kiosks that enabled individuals to electronically apply for jobs were not isolated on the network and allowed direct access to the company’s network infrastructure. The people who started the breach opened up the back of those terminals and used USB drives to load software onto them.

Attorneys suing TJX allege that the retailer failed to comply with 9 of 12 applicable PCI requirements and that the data thief managed to walk away with 80 gigabytes of data on TJX customers. The following are some of the security issues cited:

• An improperly configured/secured wireless network

• Failure to isolate and secure cardholder data devices from the rest of the network

• Failure to properly and securely manage the systems used to store, process, and transmit cardholder data

• Insecurely storing prohibited cardholder data

• Using usernames and passwords that were easy to crack or guess

• Weak or nonexistent security software and systems

The most heinous allegation in the court filings is the charge that TJX was aware of the security problems and failed to disclose the risks or remedy those problems; that inaction increased the company’s liability under the law.

Individuals Being Prosecuted

This isn’t just a concern for larger corporations getting sued or being held liable. Even the people who work on the systems are not immune from prosecution; take, for example, the case of Terry Childs.[3] Terry Childs was the network engineer for the city of San Francisco. At a meeting he was asked by his boss to reveal the passwords to the FiberWAN and essentially relinquish control. Terry refused. The city of San Francisco then slapped him with four criminal charges and set his bail at $5 million; only one charge stuck, and that was specifically that “...Childs violated a California statute regarding illegal denial of service for the San Francisco FiberWAN....” Ultimately, Terry was found guilty and sentenced to 2 to 5 years for what amounts to not having given up the passwords to the network. Once again, role-based access control and segregation of duties are critical to prevent this type of criminal and job-protection behavior.

[3] www.ktvu.com/news/23283217/detail.html

International Prosecution

Furthermore, prosecution is no longer limited to the United States. In September 2009, Computerworld ran a story about a long-running cybercrime operation.[4] New York prosecutors indicted five eastern European men in an extensive credit-card fraud operation that saw the theft of more than $4 million using nearly 95,000 stolen credit card and debit card numbers. This was the third phase of a four-year investigation involving law enforcement agencies in the U.S., the Czech Republic, Greece, and Ukraine. A total of 17 defendants have been indicted; these are very serious crimes.

[4] www.computerworld.com/s/article/9137403/Five_indicted_in_long_running_cybercrime_operation

We don’t bring these incidents to your attention to scare you, but as a spotlight on the importance of establishing, implementing, and maintaining a strong, sound security strategy. The best way to protect yourself and the sensitive information you are entrusted with as an organization is to begin by establishing sound policies and procedures where security is concerned. Information security and policy are not a nice-to-have; they are a must-have, and they need to be effectively communicated, kept up to date, and built into the organization’s overall software development life cycle (SDLC).
