Saturday, August 05, 2006

Theft of sensitive information

A bit of a diversion from the standard environmental stuff today...

I've been seeing more and more news items involving stolen laptops that contain people's personal information, Social Security numbers, etc.
This absolutely blows my mind, especially given the companies that have been involved...
The Veterans Administration. ING Financial Services. These are companies and agencies that should know better.

Fact #1- Laptops are ridiculously easy to steal because of their mobility and reasonably small size, and even easier to fence for a quick buck.
Fact #2- The average computer user barely knows how to safeguard their own personal information from being stolen and used fraudulently. Why would they be trusted with someone else's?
Fact #3- Even if the laptop in question isn't physically stolen, there are plenty of ways to get at the data without the owner's cooperation: exploit a vulnerability in the operating system over the network, pull the hard drive and read it from another machine (an unencrypted drive gives up its files to anyone who can mount it elsewhere), or sniff unencrypted packets out of the air while the owner is using wireless at Starbucks.

Given these three facts, why on earth would any systems administrator allow sensitive information to ever leave the doors of the office??
The answer? There are plenty of sysadmins out there who have never given any serious thought to their information access policies, or have been shot down by people above them who wanted their people to be able to work remotely and weren't willing to spend the money necessary to implement proper controls.
What scares me is that the government hasn't stepped in to fix this problem yet. I guess maybe some senator has to be the victim of identity theft before it becomes his concern.

To that end, I propose the following rules:
Treat the social security number like classified information. The government has plenty of spook agencies that know how to deal with classified information, and even more government contractors that have this down to a science. There should be a required Information Security training course for people who access things like social security numbers to make sure that they are aware of proper handling procedures for sensitive data like this.

The general rules of thumb for classified information apply:

Background checks for anyone who needs to access it to do their job, so that you catch people who might misuse it before they do so.

Information access is on a need-to-know basis. If you don't need access, you don't get access. This includes partial numbers, such as the last 4 digits, which banks and call centers routinely accept as proof of identity and which are therefore worth almost as much to a thief as the whole number.

Storage restrictions: this data must be stored in encrypted form, with the decryption key held separately from the data and released only to authenticated, authorized users (a password-protected file whose password travels on the same laptop protects nothing once the laptop is gone). It cannot be copied in whole or in part from the secure location(s) where it is stored, except for backup purposes, and the backups must be encrypted the same way. Any need to access the data for analysis or manipulation must be done by linked access: the user works on it through an encrypted session to the server (a remote desktop or a web application), and the data itself never lands on the user's local machine. When they disconnect from the network, it stays on the network, and not on the laptop that they tote home with them, or the USB drive attached to their keyring that has all of their work files on it, or other removable media.

If they need to access the data from outside the office, proper procedure should be followed, such as a server that is only reachable over an encrypted Virtual Private Network, with a SecurID token and a password (two separate factors), so that this isn't something your average hacker can find his way into.

Further restrictions on the use of such information. If you don't NEED to have a system key off of the Social Security number, you can't use the Social Security number. Basically, except for things involving a person's financial records, the SS# is not to be used as an identifier; give each record its own internal ID and keep the SS# in a separate, locked-down place that the rest of the system never joins against. Any user who is asked for their SS# as a login to a website, or who otherwise suspects that a company or person is not observing proper security measures in handling the SS#, can report the asking party to the FTC's identity theft folks for investigation and prosecution.
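One way to put the rules in the two paragraphs above (surrogate key instead of the SS#, need-to-know access, partial numbers gated like the full number, every access logged) into an actual data layout, as an added example in Python that is not part of the original post. The table names, the roles, the pepper and the sample person are all constructed for the example; the vault stores only a keyed hash of the number, which is enough to answer "is this SSN already on file?" without storing anything readable, plus the last four digits behind the same gate. Where financial records genuinely require the raw number, this example assumes it lives behind separate encryption (a key held off the machine, as described above), which is not shown here.

```python
import hashlib
import hmac
import sqlite3

# Constructed secret for this example. In a real deployment the pepper lives in
# an HSM or a secrets manager, never in source control or beside the database.
PEPPER = b"example-pepper-not-a-real-key"

# Roles with a need-to-know for SSN-derived data (constructed for the example).
SSN_ROLES = frozenset({"payroll", "benefits"})

SCHEMA = """
CREATE TABLE person (
    person_id INTEGER PRIMARY KEY,   -- surrogate key: everything else joins on this
    name      TEXT NOT NULL
);
CREATE TABLE ssn_vault (
    person_id INTEGER PRIMARY KEY REFERENCES person(person_id),
    ssn_token TEXT NOT NULL UNIQUE,  -- HMAC-SHA256(pepper, ssn): matchable, not reversible
    last4     TEXT NOT NULL          -- partial number, gated exactly like the full one
);
CREATE TABLE ssn_access_log (
    actor     TEXT NOT NULL,
    person_id INTEGER NOT NULL,
    action    TEXT NOT NULL
);
"""


def normalize_ssn(ssn: str) -> str:
    """Strip dashes and spaces and insist on exactly nine digits."""
    digits = "".join(ch for ch in ssn if ch.isdigit())
    if len(digits) != 9:
        raise ValueError("an SSN is exactly nine digits")
    return digits


def ssn_token(ssn: str) -> str:
    """Keyed hash of the SSN: answers 'have we seen this number?' only."""
    return hmac.new(PEPPER, normalize_ssn(ssn).encode(), hashlib.sha256).hexdigest()


def open_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db


def _require_need_to_know(actor: str, role: str) -> None:
    if role not in SSN_ROLES:
        raise PermissionError(f"{actor} ({role}) has no need-to-know for SSN data")


def enroll(db, name: str, ssn: str) -> int:
    """Create a person keyed by a surrogate id; the SSN never becomes a key."""
    digits = normalize_ssn(ssn)
    token = ssn_token(digits)
    with db:  # one transaction: no person row without its vault row
        if db.execute("SELECT 1 FROM ssn_vault WHERE ssn_token = ?", (token,)).fetchone():
            raise ValueError("that SSN is already enrolled")
        pid = db.execute("INSERT INTO person(name) VALUES (?)", (name,)).lastrowid
        db.execute("INSERT INTO ssn_vault VALUES (?, ?, ?)", (pid, token, digits[-4:]))
    return pid


def list_people(db) -> list:
    """Ordinary work joins on person_id and never touches the vault."""
    return db.execute("SELECT person_id, name FROM person ORDER BY person_id").fetchall()


def find_person_by_ssn(db, actor: str, role: str, ssn: str):
    """Match an incoming SSN to a person_id; gated by role and logged."""
    _require_need_to_know(actor, role)
    row = db.execute("SELECT person_id FROM ssn_vault WHERE ssn_token = ?",
                     (ssn_token(ssn),)).fetchone()
    if row is None:
        return None
    with db:
        db.execute("INSERT INTO ssn_access_log VALUES (?, ?, 'match')", (actor, row[0]))
    return row[0]


def ssn_last4(db, actor: str, role: str, person_id: int) -> str:
    """Even the last four digits are need-to-know and logged."""
    _require_need_to_know(actor, role)
    row = db.execute("SELECT last4 FROM ssn_vault WHERE person_id = ?", (person_id,)).fetchone()
    if row is None:
        raise KeyError(person_id)
    with db:
        db.execute("INSERT INTO ssn_access_log VALUES (?, ?, 'last4')", (actor, person_id))
    return row[0]


def access_log(db) -> list:
    return db.execute("SELECT actor, person_id, action FROM ssn_access_log").fetchall()


def run_demo() -> dict:
    """Exercise the layout on constructed data and return what happened."""
    db = open_db()
    jane = enroll(db, "Jane Doe", "123-45-6789")  # constructed sample person
    payroll_match = find_person_by_ssn(db, "alice", "payroll", "123456789")
    no_match = find_person_by_ssn(db, "alice", "payroll", "987-65-4321")
    try:
        find_person_by_ssn(db, "bob", "helpdesk", "123-45-6789")
        helpdesk_denied = False
    except PermissionError:
        helpdesk_denied = True
    return {
        "jane": jane,
        "payroll_match": payroll_match,
        "no_match": no_match,
        "helpdesk_denied": helpdesk_denied,
        "last4": ssn_last4(db, "alice", "payroll", jane),
        "people": list_people(db),
        "log": access_log(db),
    }


if __name__ == "__main__":
    print(run_demo())
```

The point of the layout is that a report, an export or a laptop full of "work files" built from the person table carries no SSN at all, and the one table that does is reachable only through two gated, logged functions; a help-desk role cannot even learn the last four digits.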

To ensure that this is followed immediately, penalties will be stiff. Depending on how egregious the violation (number of people compromised, willful vs. accidental, individual vs. corporate), fines can range from a few dollars to a few thousand dollars, assessed on a per-violation basis. This will add up very quickly when you're dealing with a database that is accessed every day, or with a huge database.
If an employee violates existing company policy and takes home information that they shouldn't have, as in the case of the VA employee earlier this year, the company will be held partially responsible, since they obviously had a hole in their policy that provided the opportunity, but the individual will be held personally responsible as well, for civil and criminal penalties. This seems harsh, but if people believe that nothing worse will happen to them than losing their jobs, and that the company will take all of the heat, there's not much disincentive there. If they are worried about going to jail, and being in debt for the rest of their lives because of fines, they might think twice about bending, or being ignorant of, that particular set of rules.