Security: Strive for 'Defensive Depth'
Good data security means having "defensive depth" embedded in information systems, says Alain Sheer, an attorney in the Federal Trade Commission's division of privacy and identity protection. "Relying on one defense is problematic."
Speaking at the Safeguarding Health Information Conference in Washington, Sheer gave examples of the need for multiple levels of defense. An organization, for instance, may encrypt data but have weak user authentication controls. This enables a hacker to access the encryption module and find the decryption key.
Sheer also gave several examples of major breaches of well-known retailers who were amazingly lax in protecting sensitive consumer information. Petco Animal Supply, for instance, on its Web site collected consumers' names, addresses, and payment card numbers with expiration dates. The Web site stated that data was encrypted, but it was not. The FTC charged the company with deception and in a settlement order mandated a comprehensive information security plan and independent assessments of Petco's security measures every three years for 20 years.
Pharmacy chain CVS was assessed similar but broader sanctions for a low-tech breach. Across the nation, its pharmacies were disposing of paper records--including identifiable medical and payment card information--in public dumpsters. CVS had represented to the public that it would protect information, so the FTC charged the company with deception, as well as unfair practices. CVS' settlement order with the FTC called for comprehensive information security measures and long-term independent assessments, but the order also covered personnel information collected by any part of the company, including its Caremark pharmacy benefit management firm. The Department of Health and Human Services' Office for Civil Rights further imposed a $2 million fine and a three-year collective action plan on CVS.
Sheer also warns of the security risks of online peer-to-peer file sharing programs, which often have not protected information. The FTC, Sheer says, informed more than 100 P2P companies that personal information was being improperly shared. "We found health information, drivers' licenses, financial information and Social Security numbers, among other information."