The cost of securing the people's privacy

By C.J. Kelly

I was recently asked to analyze a legislative bill to determine what fiscal impact it could have on our agency. In this state, it is a requirement that before a proposed bill can go before the legislature for approval, it must be distributed to all of the state agencies so that they can analyze the fiscal impact. The bill in question would force the agencies to take additional security measures, and the legislature needs to know how much they'd likely cost.

The aim of this particular bill is to protect consumer privacy, something that seems to be getting attention in a lot of states.

California"s SB 1386, a similar law that passed a few years ago, states, "Any agency that owns or licenses computerized data that includes personal information shall disclose any breach of the security of the system following discovery or notification of the breach in the security of the data to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person."

Personal information is defined as a person's first name or initial and last name combined with his Social Security number, driver's license number, or credit card or account information, including the PIN or password. Publicly available information like an address or anything that's in the public record, such as real estate transactions, isn't considered personal information.

The statute allows for written, electronic or substitute notice. Substitute notice can be provided via mass e-mails or public forums such as newspapers and broadcast media.

If you or I hear on the radio that our state's Department of Motor Vehicles' security was breached and the personal information of everyone in the state was compromised, what is our recourse?

The California law states, "Any customer injured by a violation of this title may institute a civil action to recover damages." But many of us do nothing when we hear about such things, other than shake our heads. Until . . .

Here"s a nightmare scenario: Two years later, you are buying a home. You have already sold your old house and moved into temporary housing, since you have every reason to believe that the purchase of the new home will go through without a hitch. In the middle of the back-and-forth with the loan officer over interest rates, he calls and tells you that your loan has been turned down because of an overwhelming number of extremely negative items on your credit report. You"re stunned. You may not have perfect credit, but it certainly qualifies for the best interest rates. The loan officer provides copies of your credit report to you, and you see that it"s filled with items that you don"t recognize, including locations you have never lived in or visited. Your credit score is in the proverbial toilet. How could this have happened? Without your knowledge, ever since that DMV security breach, someone else has been using your Social Security number and identity and has basically ruined your life.

Costs, Layer by Layer

Back to the bill that was sitting on my desk. Our agency is responsible for providing a critical service to state residents, and our databases contain a lot of their personal information. The databases sit on local file servers, on data center file servers in a separate location and in each branch office throughout the state, as well as on the local hard drives of our employees. The data in these databases isn't encrypted. Furthermore, the information is shared with other agencies via file transfer protocol (FTP), e-mail and the Web. The question I have is, What would it cost our agency to put security controls in place that would protect this vital information?

If I start at the bottom and work my way up through the Open Systems Interconnection layers, I might be able to take a swipe at the cost for implementing controls.

At Layer 1, I am concerned about network access, and that includes physical access. For example, there is roof access to our main building that would allow a maintenance person or anyone else to enter the crawl space above our data closets. The ceiling tiles can be easily removed, and access to our routers, switches and servers would be readily gained. However, since the Health Insurance Portability and Accountability Act requires that physical security concerns be remedied, corrective measures are under way.

At Layer 2, I am concerned about traffic that traverses the statewide network. I consider the statewide network to be "untrusted," and since I have no knowledge of the endpoints of that network or the security controls within it, I have to treat it the same way I would any other Internet service provider. This calls for a firewall capable of 3DES- or AES-level encryption with virtual private network capability for each agency office. This will require more bandwidth than we currently have.

Layer 3 is about host-to-host connectivity via TCP/IP, and I don't think the legislators would understand this level of discussion, so I'm not going to address it on this round of the analysis.

Layer 4 is the biggest concern. We need to replace our FTP sites with Secure FTP, requiring the highest level of encryption possible. Secure Sockets Layer needs to be instituted on our Web servers. We need to encrypt our internal e-mail. Every database that contains personal information must also be encrypted.
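As an added example (not the column's own code, nor anything from the author's agency), the Python below applies the SB 1386 definition of personal information quoted earlier to a constructed inventory of the unencrypted stores described under "Costs, Layer by Layer" and the FTP, Web and e-mail channels named here, and lists which ones need the encryption controls this paragraph calls for. Every asset name, field set and protocol mapping is invented for illustration.

```python
from dataclasses import dataclass
NAME_FIELDS = {"first_name", "initial"}       # either one, combined with last_name
STANDALONE_IDS = {"ssn", "drivers_license"}   # sensitive on their own
ACCOUNT_SECRETS = {"pin", "password"}         # account number counts only with one of these
# Plaintext channels the column wants replaced, and the encrypted replacement (assumed mapping)
PLAINTEXT_TO_SECURE = {"ftp": "sftp", "http": "https", "smtp": "encrypted mail"}

@dataclass
class Asset:
    """A data store (protocol == "") or a transfer channel holding the listed fields."""
    name: str
    fields: tuple
    encrypted: bool = False   # encrypted at rest, or encrypted before transfer
    protocol: str = ""

def is_personal_information(fields):
    """Name (first name or initial, plus last name) combined with an SSN,
    driver's license number, or an account number plus its PIN/password."""
    f = set(fields)
    has_name = bool(f & NAME_FIELDS) and "last_name" in f
    has_id = bool(f & STANDALONE_IDS) or (
        "account_number" in f and bool(f & ACCOUNT_SECRETS))
    return has_name and has_id

def needs_control(asset):
    """Unencrypted personal information at rest or on a plaintext protocol
    is exactly what a breach would force the agency to disclose."""
    if not is_personal_information(asset.fields) or asset.encrypted:
        return False
    return asset.protocol == "" or asset.protocol in PLAINTEXT_TO_SECURE

def required_controls(assets):
    """Remediation items a fiscal impact analysis would have to price."""
    todo = []
    for a in (x for x in assets if needs_control(x)):
        fix = f"move from {a.protocol} to {PLAINTEXT_TO_SECURE[a.protocol]}" if a.protocol else "encrypt"
        todo.append(f"{fix}: {a.name}")
    return todo

# Constructed inventory modelled on the stores and channels the column describes
INVENTORY = [
    Asset("branch office database", ("first_name", "last_name", "ssn", "address")),
    Asset("employee laptop extract", ("initial", "last_name", "drivers_license")),
    Asset("public records mirror", ("last_name", "address", "parcel_id")),
    Asset("data center database", ("first_name", "last_name", "account_number", "pin"), encrypted=True),
    Asset("interagency FTP drop", ("first_name", "last_name", "ssn"), protocol="ftp"),
    Asset("web lookup service", ("first_name", "last_name", "account_number"), protocol="http"),
    Asset("e-mail to partner agency", ("initial", "last_name", "account_number", "password"), protocol="smtp"),
]
```

Calling `required_controls(INVENTORY)` yields four items: the two unencrypted stores and the FTP and e-mail channels; the public-records mirror and the account-number-only Web service fall outside the definition, and the encrypted data center database is exempt.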

My fiscal impact analysis showed that we would need to spend several hundred thousand dollars and hire additional staffers. It created quite a buzz among the other agencies, which wanted to know how we came up with the figures. Hopefully, our analysis will spur those responsible for the statewide network to implement controls that will benefit all agencies. What do you think?

This week"s journal is written by a real security manager, "C.J. Kelly," whose name and employer have been disguised for obvious reasons. Contact her at, or join the discussion in our forum: QuickLink a1590

To find a complete archive of our Security Manager's Journals, go online to


Security Log

Yellow Light for Online Banking

New research from TowerGroup has found that advances in online fraud pose a significant and fast-growing threat to consumer confidence in online banking. New approaches go beyond e-mail-based phishing scams and include the use of spyware, remote administration tools and various methods of hijacking browsers. In the face of this evolution, the practice of requiring a username and password as the sole means of online customer authentication is becoming rapidly outdated, the Needham, Mass.-based research firm states. In its report, TowerGroup advocates two-factor authentication as a vast improvement in security.

Broadcom Adds Hardware Security

Broadcom Corp."s newest NetXtreme Gigabit Ethernet controllers will include integrated Trusted Platform Module 1.2 functionality. TPM is a security standard created by the Trusted Computing Group for a hardware-based secure computing environment. Broadcom noted that the integration of TPM on its NetXtreme network interface controllers means a higher level of PC security can be placed on motherboards at negligible incremental costs.

New IPS Line

NitroSecurity in Portsmouth, N.H., will announce its newest intrusion-prevention system product line Monday. The NitroSecurity IPS 6.0 suite includes an event management tool designed to identify and neutralize internal and external attacks in real time. In addition, it draws from the industry's largest signature library and powerful anomaly detection methods, allowing for seamless integration with routers and switches located across enterprise networks of all sizes.