A decade ago I wrote a four-part series about the state of security touching on the relationships between regulations, standards, and ultimately business expectations in the light of risk and liability. It’s an interesting read from a throw-back perspective.
The State of Security (Part 1 of 4)
Will state law set a new low for information security?
Arguably, regulations have done a lot for security. I vividly recall a world with no HIPAA, GLBA, SOX, PCI, HITECH, and many others where security was predominantly based on FUD – fear, uncertainty, and doubt. If you couldn’t prove there was a need, security was marginalized and open to interpretation and opinion. The degree of security implementation was founded on culture, risk, and valuation of information and not external forces. The advent of regulations helped to “push” security by providing additional reasons for sound security. However, over time, will the explosion of regulatory oversight threatened true security?
By now I’m sure everyone is familiar with the multiple lawsuits against companies such as TJX, Heartland, WorldPay, and others. Heartland alone is facing more than 31 lawsuits estimated at over a $120 million and TJX, who is facing a new class action lawsuit, is projected to spend nearly $200 million in total. In June earlier this year lawsuits against Heartland and WorldPay were consolidated to “… eliminate duplicative discovery; prevent inconsistent pretrial rulings, including with respect to class certification; and conserve the resources of the parties, their counsel and the judiciary,” said Chairman John Heyburn II of the US Judicial Panel on Multidistrict Litigation.
All together TJX, Heartland, and WorldPay lost over a 150 million credit card numbers to hackers losing millions of customer dollars – in one case $9.1M in one day – and an untold amount in the following months. Of course, this does not include the estimated more than 500 institutions affected in having to reissue cards, of which 8 major issuers have formed a combined lawsuit for damages against Heartland and WorldPay.
Interestingly, the actual charge in the lawsuits is essentially “negligence”, specifically negligence in following sound security practices, aka due diligence. Of course, PCI plays a compliance role, but this appears to be a far second at best. In other words, it wasn’t really the regulatory demands from entities like PCI that made the basis of the litigation, but rather operational integrity of the business, or lack thereof, which has been around, well, forever.
Under greater scrutiny you find that many lawsuits reflect the same core charge – negligence. Of course, law makers are keenly aware of this and as a result a trend is surfacing, especially at the State level.
We’re all familiar with SB-1386, a California law that says state agencies must disclose any breach of security of computer data systems that contain personal information. (Actually, SB-1386 is a misnomer seeing it was chaptered out by AB-700 in September 2002, but people still call it SB-1386.) This law has now not only manifested itself in some way in nearly 45 other states, but a version of it remains in the House and Senate of the US Congress being considered for a federal law. What we can see from this is states are taking the initiative and this may have interesting implications for security.
Take for instance the Massachusetts’ data security law addressing identity management and encryption of personal information. This reflects what we saw in California with SB-1386/AB-700 nearly a decade ago – it’s a shift in setting precedence. It’s now only a matter of time before other states move to replicate.
How does this tie into lawsuits? With the basis of lawsuits being negligence, state governments are looking to set expectations (i.e., define due diligence) for their constituency providing a foundation for acceptable activities. On the surface, this sounds no different from PCI’s DSS. However, law is ubiquitous and laws that introduce specifics are quantifiable in court as opposed to an industry driven standard. This isn’t HIPAA and the like where legal proclamations can be somewhat interpreted.
This is not to imply HIPAA is not or has not been effective, which it has. However, it was far more nebulous compared to what we’re seeing today with laws such as the one in Massachusetts. While on the topic of HIPAA, HITECH makes very clear statements concerning things such as exposure of information and even encryption. So, this is evolving in State and Federal government.
By setting expectations, States have the legal foundation to better quantify charges as opposed to generalities such as negligence that today have to be proven through an exhaustive and expensive process simply because security due diligence is not well defined. This is no different from other laws and regulations that define expectations in manufacturing processes to financial process that can be used as the quantification for state prosecutors, avoiding ambiguity.
Nevertheless, by definition, laws set the minimum requirements and are also relatively stagnant. Normally, stagnation has not been an issue with regulations because they have not been specific. However, they are increasing in specificity and will likely continue to do so which may introduce unforeseen challenges when the law becomes out of sync with technology evolution. In fact, we’re seeing this now with the Cloud.
Although the impact to security by stagnation can be somewhat minimized, especially when dealing with encryption, the same cannot be said of the minimalistic nature of the laws. As stated, this cannot be avoided. Laws define the expectations and as such draw the line at the exact point of acceptance and non-acceptance. You are free to do more than what is expected, but not permitted to do less. As a result, this can have a wide range of affects on organizational security.
In the next part we’ll look at the meaning of security from the perspective of what you have to do verses what you need or want to do, and how this relates to emerging laws.
The State of Security (Part 2 of 4)
Will state law set a new low for information security?
There are basically two fundamental approaches to security: do what you have to do, and do what you need or want to do. These are not mutually exclusive and you find many scenarios where these are mixed. However, this does not mean there are not companies that simply do only what they have to and in these cases it resonates with a minimalistic approach, which many refer to as the “checkbox” approach. On the other end of the spectrum are organizations that implement security because they need or want to in order to reach a level of assurance that is supportive of the business or organizational mission.
To elaborate, take a typical merchant that is affected by PCI. Prior to PCI there was little – if any – requirements mandating information security practices of card processing. With PCI in place they are now faced with requirements or suffer the consequences. Some approach this in a checkbox manner. PCI says I must do this, I do it, check… next. If PCI doesn’t require it, it won’t get done. On the other end is the DoD and things such as FISMA and DIACAP. Everything required is to ensure the mission and failure of mission systems (specifically MAC I and MAC II) represent an unacceptable impact to the mission. This is an example where an organization needs and wants security to complete an objective, or protect the information processing assets that are used to facilitate the mission.
Although FISMA, or DoDI 8500.2, etc. appear as regulation – and they are – it is the result of governance and mission management. In other words, it is self-imposed based on reasoning to their existence, and effective existence. This is completely opposite of the merchant example. A merchant’s mission is to make money, not spend it on controls that do not produce revenue. Therefore, to ensure the success of the organization and their mission, the DoD drive security, but for a merchant security has very little meaning to the objective and therefore is contrary to business success factors, and as such a cost of doing business. As we all know, businesses want to minimize cost, therefore a minimalistic approach is preordained.
Add this to the fact that laws are naturally minimalistic and you’ll find that companies are now provided the quantifiable and legal minimal limits for operating. This is a dramatic shift and to help see why, let’s have a quick review to summarize.
Before regulations, security was based on organizational culture, interpretations, risk, and valuation. As such companies could choose exactly what security they thought they needed. This was the time of security best practices. Early regulations, like HIPAA and GLBA were effective in raising awareness and general expectations, but were not necessarily specific, which was actually to their favor concerning longevity. Throughout 2006, 7, and 8 there were some high profile attacks leading to substantial litigation that was ultimately based on negligence in security, not necessarily that of non-compliance as the root. During this timeframe, mostly starting in 2001 in California, states learned that they could take the initiative, avoiding slow congressional red tape at the federal level and take things into their own hands. Empowered with more ability to control, combined with the litigious activities that were consuming resources through the burden of proving what is security due diligence relative to security breaches and class actions, states are moving rapidly to create laws defining specific expectations for due diligence to avoid ambiguity in the court of law.
Meanwhile, the evolution of security within businesses and organizations have broaden the spectrum between checking the box and doing what is needed or wanted for the business, with more and more moving to a checkbox approach to minimize costs. However, prior to emerging state and federal laws, only PCI, among a small few, were setting specifics on requirements. Unfortunately, it wasn’t PCI DSS that was raised as the charge in legality, but again, negligence.
Based on this evolution – states defining minimal requirements to streamline legal processes as more and more companies take a checkbox approach – we may see a debilitating collision between what is required by law and what is really required to protect information assets.
To boil this down, states are looking for a clear, legal delineation of acceptable due diligence to not only protect constituents, but to reduce vagueness in court. Companies are overwhelmed with regulations and growing weary of spending massive amount of money in becoming secure (e.g. compliant) only to be successfully attacked and have that attack present legal implications based on nebulous due diligence.
In the next part we’ll explore all this from the business executive’s point of view and take a look at what is really important. Is it customer retention, brand and valuation, or is it avoiding legal liabilities?
The State of Security (Part 3 of 4)
Will state law set a new low for information security?
Look at this phenomenon from an executive perspective. You run a business and use IT and information assets to achieve objectives and grow the company according to your mission. You implement security to protect those assets for three very basic reasons: 1) reduce impact to your consumers, 2) reduce impact to your company brand and value, and 3) reduce legal liability. Now, the question becomes, which one of these is most tangible from a negative impact perspective? Of course, the answer is “it depends.” Let’s walk through these.
Consumers typically have a short memory and will usually either persevere with the provider or move to a competitor. However, into today’s highly competitive market, consumers frequently shift providers for reasons that are not necessarily the result of an event or in control of the provider. This is why we see less metrics in certain industries for customer retention and more focus on customer acquisition. No company wants to lose customers, but it can be argued there are a number of non-security event related environmental characteristics that can have the same or greater affect, and have less control over them.
As an executive you want to ensure company value and brand. For some companies brand is everything, like Nike, Coke, Pepsi, UPS, among others. Then there are brand behemoths like P&G and Unilever. Brand is critical and for the giants, brand risk is distributed. So if one product takes a hit the public is typically unaware that the same or similar product has a different name from the same company. Corporate valuation, especially in publicly traded companies, is critical as well. Investors, individual and group, are going to make decisions based on the productivity potential of the company, which can be greatly influenced by a security event. Take as an example Heartland. Their stock value dropped 79% in days after the attack was publicized, and at the time of this writing stock value is 58% of its worth prior to attack, and only 38% of a three year average. Clearly, valuation and brand are important to an executive.
So, losing customers hurts and in really bad cases will hurt a lot. But in most cases, consumers have short memories, companies can acquire new customers through strategic marketing, and customer loss is – to a certain degree – expected and planned for already. So, we’re talking spikes more than anything. In short, painful, but recoverable. A decline in brand has the potential to be devastating… take the Tylenol example of 1982, it took years for the company to recover and resulted in massive changes to over the counter medicine packaging. But, it recovered. Valuation can hurt a publically traded company and affect operations in many ways. But, many, many companies have survived their own crashes, such as Lucent going from the most widely held stock in the $80 range to well less than $1 in as little as a year. Nevertheless, there are numerous examples of where valuation dropped, but the company continued on successfully.
Then there is legal liability, not only for the company as a whole, but for individuals. ENRON was the impetus for SOX, but there were many cases of executives going to jail and companies imploding because of legalities long before ENRON, many since, and many more to come. Corporations have been dramatically impacted by legal implications. The legal process is extraordinarily expensive and resulting fines can be well into the hundreds of millions. Case in point, AEP finally settled in mid 2008 for $4.6 billion, plus the $15 million in civil penalties and the $60 million in clean up and mitigation. Legal liabilities are, in a word, expensive.
When it comes to legal liability it can be the root of loss of customers, brand, and valuation. Although customer loss hurts as does loss in brand and valuation, it is the legal side that carries the big hit and can impact the other two areas. As an executive, you don’t want to experience any of these situations, but I think many would agree that legal related costs and liabilities are of the greatest concern. Of course, there are different scenarios and executive interpretations may change with economic tidal shifts and industry movements, but suffice it to say legal ramifications are, or can be the most painful of the three deadly outcomes.
Therefore, when it comes to security, through the eyes of an executive who may be predominately focused on legal liability, plus brand, valuation, and customer confidence in a close second, they are going to start with, “What do I have to do?” Translated this means “What is the minimum requirement that I must invest in so that I can demonstrate due diligence in the court of law to minimize my legal liability footprint?” Interestingly, today, with charges based on negligence, the definition of exactly due diligence in security is not readily definable. Enter the state governments. Moving forward they are going to provide these expectations to which companies will rapidly gravitate to in order to minimize legal liability. State laws will become the cookbook to liability mitigation.
In the next and final part we’re going to talk about the end of the “security loophole” that was formed by compliance and will be killed by it. What implications will this have into the future?
The State of Security (Part 4 of 4)
Will state law set a new low for information security?
Adding to the malaise, each state will look at what others are implementing and implement their own version. In short order you will have – as we currently have with iterations of SB-1386/AB-700 in several other states – different laws with very similar demands, but differences in expectations. It will take time for the federal government to normalize as a singular law, but by then the states will have moved on to a new regulatory target and the cycle repeats.
Taking all this into account, security will be less about protecting the business, organization, customers, and constituents than it will be about ensuring limited legal liability. Now that businesses have the cookbook on due diligence, they will follow it to the “T” so that when something goes wrong they can demonstrate they did everything “in their power” (aka “what you said we had to do”) to avoid such an outcome, which will exonerate them – to some degree. You can see this already happening. In HITECH there is a very clear definition of exposure of information scenarios that are deemed “acceptable”. Meaning, you have followed acceptable practices and due diligence, but the information was still exposed. In those cases, you’re exempt – is what it is essentially saying.
Again, this is the result of many vectors that are colliding. Legal case studies that all but ignored “compliance” and charged based on negligence, states making specific security laws to quantify due diligence and setting the minimum, and companies looking to protect themselves from what really stings and that is legal liability. The entirety of the impact to security is based on the assumption that the government is not good at setting specific expectations. However, the employment of NIST in defining standards will be their saving grace and it’s already started with HITECH, and will become the norm. Nevertheless, as government looks to security qualified and proven standards producers (i.e., NIST) there will remain the low bar – the unavoidable minimalistic approach.
As a result, CISOs can no longer just say, “To meet compliance” and in doing so apply a custom set of methodologies, technologies, and processes to characterize due diligence that may or may not work at any given time, much less in the court of law. It will be provided to you and executives will quickly see it for what it is – a way out. A way of reducing may be even eliminating legal liability in the space of information security. CISOs will be faced with implementing standards that may result in a security posture that is far less than desired and spending a great deal of energy in convincing executives to spend more to address the real and tangible risks, which may not resonate because executive may be most concerned with legal risk. It reminds me of a meeting I had with the CEO of a major stock trading company when I was talking about security risk. His response was essentially, my risk is in processing millions of transactions a second perfectly, what you’re talking about pales in comparison – and he was right. One misstep and his problems we’re monumental and predominantly legal.
This is noteworthy because it is virtually opposite from what we have today. Many security groups are propped up by regulations and use as the basis for risk management and investment strategies. Through this foundation a security posture is reached. That posture may be checkbox or more to meet real threats. But this has been based on the ambiguity of security, security best practices, due diligence, and interpretation of existing regulations. It was a loophole. For example, how do you quantify identify management? What are the defined core requirements? Well, it depends… what is the environment, what are your threats and risk, what, what, what… The line of questioning is because identity management is complicated and as such has many, many options each with requirements and implications, so it all depends. This is the current grey area of security – the loophole. Today, in a court of law due diligence and “effectiveness” of identity management has to be proven or disproven based on interpretive language and testimony because it is not defined legally – or in a legally binding manner.
And therein lies the crux. Today, security is open to interpretation and therefore can be applied in a number of ways, each with varying degrees of capability. State laws are going to remove the fluidity of interpretation to a point where defensible measures of due diligence can be quantified and by their very existence will be minimalistic.
Over the last 15 years compliance was a boost to security. It raised awareness and acted as an external motivator for sound security practices. From this parapet formed in the 90’s, the security industry blossomed, CISOs came into existence and investments in security increased year over year. Security as a true industry was born and thrives to this day. But the same catalyst of emergence – regulatory compliance – has the potential to reverse the tide of the relationship between the security industry and regulation. Once a friend may become a foe. I’m not suggesting security as an industry will decline, that’s another article, but what I am saying is that what used to provide support for emerging security will eventually force a minimalistic, checkbox approach that has the potential to dramatically change the dynamics of security in the business and how it is justified.