Reports of data theft are on the rise; whether or not the actual number of incidents is rising, we are certainly hearing about them more and more.
The response has been yet more legislation, FTC enforcement actions and a growing list of class actions filed by consumers and banks.
Most states, following California’s lead, have passed legislation requiring the prompt disclosure of the loss or theft of personal data, and federal legislation is pending. In August, Massachusetts enacted a law requiring, among other things, the prompt reporting by companies of the loss or theft of personal information. (Chapter 82 of the Acts of 2007.)
Publicly announcing the loss or theft of sensitive data – a circumstance that has been coined a “CNN moment” – has become a common nightmare for many corporate officers. Two thousand laptops are stolen every day and, according to a survey conducted by McAfee, a security software company, one third of the respondents believed that a major security breach could put their company out of business.
It obviously makes good business sense to protect sensitive data with firewalls and encryption, but increasingly companies are being required to take steps to protect stored data, or “data at rest,” by industry-specific laws and regulations.
Such laws include HIPAA, applicable to health care providers, and the Gramm-Leach-Bliley Financial Services Modernization Act of 1999 (GLBA), applicable to banks and many brokers and insurers.
Recently the Federal Trade Commission has filed enforcement actions against companies in other industries, including Microsoft, BJ’s Wholesale Club, Tower Records and a number of others, based on an alleged failure to take adequate steps to protect customer data. The FTC’s position is that such a failure is an unfair or deceptive act or practice in violation of section 5(a) of the FTC Act.
And, of course, the frequency of reports of lost or stolen laptops and data security breaches has enabled plaintiffs’ lawyers to persuasively argue in negligence actions that such incidents are reasonably foreseeable, and that a failure to take adequate steps to protect personal information stored on such devices is a breach of the duty of care.
Steps to take
But what steps would be considered sufficient in the face of a data security breach to defend against a negligence claim, or to avoid a statutory disclosure obligation? One might assume that simply putting up a firewall on the company’s network, adopting strict security policies and loading the laptops with encryption software would be sufficient.
Unfortunately, it is not that simple. Encrypting sensitive data is the minimum needed to mount a defense to a claim of negligence in its loss or theft, but encryption is only as strong as the protection of its keys. Software-based encryption runs on the same machine, and under the same users and administrators, as the data it protects, so its keys and decryption tools are themselves exposed to attack. A case in point is TJX, which claims that the data stolen from its network was encrypted; the thieves apparently obtained the keys rather than breaking the cipher.
Software-based encryption used on laptops and other portable devices has the further weakness that its effectiveness depends upon the user observing company policy regarding its use. As any IT administrator will confirm, establishing policies regarding computer use does not mean that they will be followed.
Generally speaking, encryption software falls into two categories: file/folder encryption and full disk encryption. Each has its flaws. File/folder encryption either requires the user to take the affirmative step of encrypting a file or folder when it is saved, or relies on rules set up so that all files and folders of a particular type or location are automatically encrypted when they are saved.
In either case the user can, intentionally or inadvertently, leave sensitive data unencrypted, for example by saving it outside the covered folders or in a format the rules do not cover. Full disk encryption, on the other hand, automatically encrypts nearly all data on the hard drive. After the software is installed it can take several hours to encrypt all the data on the drive, and several more to decrypt it again if the software is later removed.
While the software is in use, system performance decreases by roughly 30 percent. As a consequence, many users succumb to the temptation to disable it, which they typically have the ability to do.
While software-based encryption, properly used, may protect a company from damages associated with the improper use of stolen data, it may not protect a company from the requirement to disclose the loss or theft.
In view of the growing body of legislation requiring the prompt reporting of lost or stolen data, the trend is that, in order to avoid the disclosure requirement, a company must be able to produce an audit trail demonstrating that the data was in fact encrypted.
It is unclear whether simply proving that the laptop or portable device had encryption software installed will meet this requirement. If the user is able to turn the encryption off, or must take specific steps to encrypt each file, the company may be unable to prove that all sensitive data was encrypted at the time of the loss, and so could not take advantage of the safe harbor provisions of such statutes.
Technology help
The best solution to both encrypting data at rest and providing an audit trail has just arrived on the market in the form of full disk encryption (FDE) hard drives. This summer, Seagate, the world’s largest hard drive manufacturer, launched the first commercially available FDE hard drive for laptops.
Hitachi has also just released an FDE drive but software is not yet available to manage the drives in a network environment. Seagate’s drive is compatible with software from Wave Systems Corporation to perform key back up and remote administration functions. FDE drives for desktops should be available from both companies in several months.
FDE drives present the most secure way to store data at rest, as the encryption is performed by the drive itself and cannot be turned off by the user. Nor is there any temptation to do so: the encryption operates at the hardware level, invisibly and with no reduction in performance. The one caveat is that the drive encrypts from the moment it is installed but protects nothing until a drive authentication credential has been set; a drive with no credential configured still encrypts the data, but will unlock for anyone who powers it on, so setting and centrally managing that credential is part of the deployment.
Further enhancing the appeal of FDE drives is the fact that they cost no more than a standard drive plus the price of an encryption software product. Thus FDE drives are equal in cost to software encryption and superior in performance, and their always-on encryption lets a company show far more convincingly that the data on a lost device was encrypted, and so avoid the need to report lost or stolen laptops.
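The audit-trail question raised above, and the difference it makes whether encryption is software the user can disable or an always-on drive, can be made concrete. The following is an added example, not code from the original article or from any product it mentions: it reads a constructed encryption check-in log from a hypothetical endpoint-management tool and decides, for each device lost at a given time, whether the company could show the data was encrypted. The log format, device names, timestamps and the 24-hour staleness window are assumptions made for the example.

```python
# Added example (not from the original article): deciding, from an encryption
# audit trail, whether a company can show that data on a lost laptop was
# encrypted at the moment of loss. The log format, device names, timestamps and
# the 24-hour staleness window are constructed assumptions for this example.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed check-in records from a hypothetical endpoint-management tool:
# "<timestamp> <device> <encryption type> <state>"
AUDIT_LOG = """\
2007-09-03T08:00:00 LT-1041 software_fde enabled
2007-09-03T09:15:00 LT-1041 software_fde disabled_by_user
2007-09-03T08:05:00 LT-2210 software_fde enabled
2007-09-04T08:00:00 LT-2211 software_fde enabled
2007-09-03T08:10:00 LT-3307 hardware_fde enabled
2007-09-03T08:11:00 LT-5500 hardware_fde no_drive_password
2007-09-03T08:12:00 LT-4412 file_folder enabled
"""

# Constructed time at which the laptops were reported stolen.
LOSS_TIME = datetime(2007, 9, 4, 10, 0)

# Assumption: a software-encryption report older than this at the time of loss
# does not prove the state at the moment of loss, because the user could have
# disabled the product in between.
MAX_REPORT_AGE = timedelta(hours=24)


def parse_log(text):
    """Group records by device, oldest first."""
    records = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, device, enc_type, state = line.split()
        records[device].append((datetime.fromisoformat(ts), enc_type, state))
    for history in records.values():
        history.sort()
    return records


def assess(records, device, lost_at):
    """Return a verdict string for one device lost at time lost_at."""
    history = [r for r in records.get(device, []) if r[0] <= lost_at]
    if not history:
        return "unproven: no record before loss"
    reported_at, enc_type, state = history[-1]

    if enc_type == "hardware_fde":
        # The drive always encrypts and the user cannot turn that off, so the
        # only question is whether drive authentication was ever configured.
        if state == "enabled":
            return "demonstrable: hardware FDE with drive password set"
        return "not protected: drive password never set"

    if enc_type == "software_fde":
        if state != "enabled":
            return "not encrypted: " + state
        if lost_at - reported_at > MAX_REPORT_AGE:
            return "unproven: last report stale"
        return "demonstrable: software FDE enabled at last report"

    if enc_type == "file_folder":
        # Per-file encryption depends on the user saving into covered locations,
        # so the log cannot show that every sensitive file was encrypted.
        return "unproven: file/folder encryption depends on user action"

    return "unproven: unknown encryption type " + enc_type


def assess_fleet(log_text, lost_at):
    """Verdict for every device that appears in the log."""
    records = parse_log(log_text)
    return {device: assess(records, device, lost_at) for device in sorted(records)}


def demo_verdicts():
    return assess_fleet(AUDIT_LOG, LOSS_TIME)


if __name__ == "__main__":
    for device, verdict in demo_verdicts().items():
        print(device, "->", verdict)
```

The rules encode the article's point: a software product that reported "enabled" yesterday proves little if the user could have switched it off before the theft, whereas for an always-on drive the only fact the log has to establish is that the drive credential was set.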
The future of network security is also hardware-based, according to the Trusted Computing Group. The TCG is an organization comprised of approximately 160 of the leading computer hardware and software companies around the world, creating and advocating the adoption of open standards for more secure, or “trusted,” computing.
The cornerstone of the TCG’s efforts has been the development of the Trusted Platform Module, a chip integrated onto the motherboard that, among other things, stores cryptographic keys, digital certificates and the credentials that protect passwords. It can also generate keys internally and restrict how, and under what platform conditions, they may be used.
Because keys held in a TPM are protected by hardware, they are far more resistant to both physical and software attack than keys stored on a hard drive. Each TPM carries a unique key pair burned in at manufacture, which allows a network to verify that the device seeking access is the machine it claims to be, and the TPM can report signed measurements of the software that booted, so the network can also check that the software on the remote device has not been tampered with before granting access.
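How a TPM lets a network check that a remote machine booted untampered software, and how it can withhold a key when it did not, is easier to see in a small working model. The following is an added example, not code from the original article or from the Trusted Computing Group: it simulates one Platform Configuration Register (PCR) being extended with boot measurements, a secret sealed to the expected PCR value, and a signed "quote" verified by an admission server. The boot components, keys and the use of HMAC in place of the TPM's RSA signature are constructed assumptions; a real TPM performs these operations inside the chip.

```python
# Added example (not from the original article): a software model of how a TPM
# measures boot software into a Platform Configuration Register (PCR), seals a
# secret to the expected PCR value, and signs a "quote" that a network can
# verify before admitting the machine. Keys, boot components and the use of
# HMAC in place of the TPM's RSA signature are constructed assumptions.
import hashlib
import hmac
import os


def sha1(data: bytes) -> bytes:
    return hashlib.sha1(data).digest()


class ToyTPM:
    """One 20-byte PCR (TPM 1.2 uses SHA-1) plus two keys that never leave the chip."""

    def __init__(self, storage_key: bytes, attestation_key: bytes):
        self._storage_key = storage_key          # protects sealed data
        self._attestation_key = attestation_key  # unique per TPM, identifies the machine
        self.pcr = bytes(20)                     # all zeros at power-on

    def extend(self, measurement: bytes) -> bytes:
        # PCR <- SHA-1(PCR || SHA-1(component)). A PCR can only be extended,
        # never written, so any changed component yields a different final value.
        self.pcr = sha1(self.pcr + sha1(measurement))
        return self.pcr

    def _keystream(self, pcr: bytes) -> bytes:
        return hmac.new(self._storage_key, b"seal" + pcr, hashlib.sha256).digest()

    def seal(self, secret: bytes) -> dict:
        """Bind a secret (up to 32 bytes) to the current PCR value."""
        assert len(secret) <= 32
        blob = bytes(a ^ b for a, b in zip(secret, self._keystream(self.pcr)))
        tag = hmac.new(self._storage_key, b"tag" + self.pcr + blob, hashlib.sha256).digest()
        return {"pcr": self.pcr, "blob": blob, "tag": tag}

    def unseal(self, sealed: dict):
        """Release the secret only if the platform is in the sealed state."""
        if sealed["pcr"] != self.pcr:
            return None   # boot chain differs from the one the secret was sealed to
        tag = hmac.new(self._storage_key, b"tag" + self.pcr + sealed["blob"], hashlib.sha256).digest()
        if not hmac.compare_digest(tag, sealed["tag"]):
            return None   # blob was altered
        return bytes(a ^ b for a, b in zip(sealed["blob"], self._keystream(self.pcr)))

    def quote(self, nonce: bytes) -> dict:
        """Attest the current PCR; the server's nonce prevents replay of an old quote."""
        sig = hmac.new(self._attestation_key, nonce + self.pcr, hashlib.sha256).digest()
        return {"nonce": nonce, "pcr": self.pcr, "sig": sig}


def expected_pcr(components) -> bytes:
    """What the admission server computes from the approved software images."""
    pcr = bytes(20)
    for c in components:
        pcr = sha1(pcr + sha1(c))
    return pcr


def verify_quote(q: dict, attestation_key: bytes, nonce: bytes, known_good: bytes) -> bool:
    """Server side: right TPM, fresh nonce, and untampered boot chain."""
    sig = hmac.new(attestation_key, nonce + q["pcr"], hashlib.sha256).digest()
    return q["nonce"] == nonce and hmac.compare_digest(sig, q["sig"]) and q["pcr"] == known_good


def boot(tpm: ToyTPM, components) -> None:
    tpm.pcr = bytes(20)   # power-on reset clears the PCR
    for c in components:
        tpm.extend(c)


# Constructed boot chains; the second has a modified boot loader.
GOOD_BOOT = [b"BIOS v1.0", b"bootloader v2", b"kernel 2.6.22"]
TAMPERED_BOOT = [b"BIOS v1.0", b"bootloader v2 (patched)", b"kernel 2.6.22"]
DISK_KEY = b"disk-encryption-key-0123456789ab"   # constructed 32-byte secret


def run_demo() -> dict:
    tpm = ToyTPM(os.urandom(32), os.urandom(32))
    server_known_key = tpm._attestation_key  # stands in for the TPM's registered public key
    known_good = expected_pcr(GOOD_BOOT)

    boot(tpm, GOOD_BOOT)
    sealed = tpm.seal(DISK_KEY)
    nonce = os.urandom(16)
    results = {
        "unsealed_good": tpm.unseal(sealed),
        "admitted_good": verify_quote(tpm.quote(nonce), server_known_key, nonce, known_good),
    }
    stale_quote = tpm.quote(nonce)

    boot(tpm, TAMPERED_BOOT)
    nonce2 = os.urandom(16)
    results["unsealed_tampered"] = tpm.unseal(sealed)
    results["admitted_tampered"] = verify_quote(tpm.quote(nonce2), server_known_key, nonce2, known_good)
    results["replayed_old_quote"] = verify_quote(stale_quote, server_known_key, nonce2, known_good)
    return results


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(k, "->", v)
```

Two points the model makes visible: the sealed key is released only when the measured boot chain matches the one it was sealed to, so a patched boot loader gets nothing, and a quote is bound to a fresh nonce, so an attacker cannot replay yesterday's good quote from a machine that has since been tampered with.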
In large part because Microsoft has required computer manufacturers to include TPMs in their products in order to meet logo compliance requirements for the higher-end versions of its new Vista operating system, nearly all laptops and desktops purchased by businesses today (and for the past year) are equipped with TPMs.
Most buyers don’t even realize it, as TPMs are simply included on the machine and not an additional cost option. Moreover, their presence is undetectable unless you look for them, as they are “off” when they are shipped and need to be “turned on” before they can be used.
TPMs can be used to verify that the computers connected to a network are authorized to be connected and in an unadulterated state. TPMs can also greatly improve password security: a password vault protected by a key held in the TPM can store all of the user’s various passwords, so that they never sit on the disk in a form readable without the chip.
The user need only remember one password to unlock the vault, which then supplies the credentials for the various sites where the user has a password-protected account.
The advantage is that the one password can be long and difficult to guess, and there is no need to keep a list of the user’s other passwords in an unprotected file or in hard copy form, where it could be surreptitiously viewed.
TPMs can be also used to strengthen the security offered by biometric devices, such as fingerprint scanners, and smartcards.
All sensitive data on laptops, PDAs, flash drives and other portable storage devices should be encrypted. At least, in this way, a company can reduce the damages associated with the loss or theft of such data.
However, to avoid the “CNN moment,” a company must be able to prove that the data was encrypted. Software-based encryption alone may be insufficient to avoid the spotlight.
Jeffrey Upton is a shareholder at Hanify & King in Boston. His practice focuses on general business counseling and litigation, real estate and employment litigation, arbitration and mediation and intellectual property. Jeffrey can be reached at 617.423.0400 or [email protected].