Legislation , Privacy

Measure Goes to Senate, Where It Has Bipartisan Support Eric Chabrow (GovInfoSecurity) • April 27, 2016     Sen. Patrick Leahy calls on his colleagues to pass the Email Privacy Act.

The House of Representatives has unanimously approved the Email Privacy Act, which would require law enforcement to obtain a warrant before compelling third-party service providers to surrender their customers' email and text content.

See Also: 2016 State of Threat Intelligence Study

The legislation, which the House ok'd on April 27, would establish for the first time a requirement that police obtain a warrant to retrieve stored communication content for criminal investigations, regardless of the type of service provider, the age of an email or text message or whether the message had been opened.

The measure goes to the Senate, where it has bipartisan support.

"It is long past time to reassure the American people that their online communications are protected from warrantless searches," Sens. Patrick Leahy, D-Vt., and Mike Lee, R-Utah, say in a joint statement. "As today's House vote shows, it is that rare bill that garners support from the full range of the political spectrum, and that can become law even in an election year. ... It is time for the Senate to act ... without delay."

Protect Privacy Interests

The bill's sponsor, Rep. Bob Goodlatte, R-Va., says the Email Privacy Act represents significant reform. "It establishes a standard that embodies the principles of the Fourth Amendment (which prohibits unreasonable searches) and reaffirms our commitment to protecting the privacy interests of the American people," he says.

By approving the bill, the House takes a long-awaited step to address problems with the Electronic Communications Privacy Act, enacted 30 years ago before anyone ever heard of cloud computing. That statute does not specify how law enforcement should gain access to email and text messages stored by third-party providers, including those offering cloud services.

Interest groups on the political left and right have supported passage of the Email Privacy Act. "On balance ... this bill is a solid step in the right direction and would, with limited exceptions, ensure that the government obtains a probable cause warrant to gain access to personal electronic communications held by online providers," says Wade Henderson, president of The Leadership Conference on Civil and Human Rights, an advocacy group.

The existing law, says Adam Brandon, chief executive of the libertarian proponent FreedomWork, "is in dire needed of an upgrade."

Five new payment card data security requirements for third-party service providers are among the most significant changes included in version 3.2 of the PCI Data Security Standard released April 28, says Troy Leach, chief technology officer of the PCI Security Standards Council.

The new requirements for service providers, such as those that help organizations carry out certain security policies or encrypt card data, will require some significant policy and procedural changes, Leach says, which is why the council is giving the companies until Jan. 30, 2018, to comply.

"We are giving ... service providers several business cycles to budget, plan, prepare and implement these types of changes," Leach explains during this interview with Information Security Media Group.

The new standard will require service providers to:

Detect and respond to critical failures in a formal and prompt way. Conduct regular penetration tests on segmentation controls. "If a service provider is saying that they have isolated the card data environment, we require that they test that every year, or after so many changes to the environment, we're asking service providers to demonstrate that twice a year," Leach says. Perform at least quarterly reviews of the personnel who are responsible for ensuring that the organization is adhering to security policies and procedures. "They need to make sure that there's evidence in place that there's not a degradation that's slowly moving away from the expectations around processes and controls that the PCI standard lays out." Establish responsibility for protecting the card data environment through an executive/management level process. Provide more documentation and evidence that service providers are aware of and are properly managing the type of cryptography that is being used by the organizations they service.

Authentication Requirement

In addition to the new requirements for service providers, the update also calls for more widespread use of multifactor authentication, Leach points out. The update is designed to help ensure that any individual who is accessing a network that is connected to payment data is using multifactor authentication.

"There needs to be some accountability for the administrators," he says, especially those whose credentials can be used to directly or indirectly access payment card data. "I think it's a significant change from an operations perspective, but a necessary change based on recent data breaches that we've heard about."

During this interview (see audio player below photo), Leach also discusses:

Why version 3.2 is being issued just one year after the last PCI-DSS update, version 3.1; Why the PCI-DSS is now considered a "mature" security standard; and New expiration dates for Secure Sockets Layer and early Transport Layer Security encryption.

As part of his role with the council, Leach partners with council representatives, PCI participating organizations and industry leaders to develop comprehensive standards and strategies to secure payment card data and the supporting infrastructure. He is a congressional subject-matter expert on payment security and is the current chairman of the council's standards committee. Before joining the PCI Council, Leach held various positions in IT management, software development, systems administration, network engineering, security assessment, forensic analytics and incident response for data compromise.

The most important lesson from the lawsuit Epic Systems filed against Tata Consultancy Services is that data security controls must extend beyond protecting personally identifiable information to include intellectual property, says attorney Ron Raether.

"It's now important to lock down your trade secrets and make certain that whatever controls that you've determined are the appropriate level [for PII] are equally applied to your trade secrets," he says in an in-depth interview with Information Security Media Group.

"Data segregation is key - making sure you've classified and given levels of importance to your trade secrets and the information that you truly consider your secret sauce."

Raether, a technology attorney who was not involved in the case, stresses that organizations must use "the most robust security controls that allow your business and company to still function properly while likewise providing the security benefits needed to protect that information from being stolen or exfiltrated."

Epic vs. TCS

The theft of trade secrets and intellectual property - such as was alleged in the lawsuit filed by Epic, one of the largest U.S. electronic health records software vendors, against India-based TCS - is more common than many companies realize, Raether says.

A jury recently awarded Epic $940 million in its trade secrets theft case, but TCS plans to appeal. At the center of the lawsuit are allegations that TCS consultants - who under a contract between the two companies were permitted limited access to and use of Epic's software - inappropriately downloaded thousands of confidential Epic documents to benefit "in the development or enhancement" of TCS's EHR software, Med Mantra, according to court documents.

Epic claims that a TCS consultant who was working for Epic's customer, Kaiser Hospital Foundation in Portland, Ore., transferred his credentials to at least two other TCS employees in India. Using those credentials, Epic alleges, the other TCS workers downloaded, via Epic's UserWeb web portal, "at least 6,477 documents accounting for 1,687 unique files."

Epic said the documents downloaded by TCS personnel included, among other things, "confidential, proprietary and trade secret documents detailing over 20 years of development of Epic's proprietary software and database systems."

The EHR vendor says it first learned about the alleged unauthorized downloading of documents by TCS through an "informant" - another TCS consultant assigned to manage "all aspects of TCS's contract with Kaiser to provide consulting services and report directly to TCS executive management."

Intrusion Detection

It's unclear why Epic's data security team didn't discover the alleged inappropriate downloading of sensitive intellectual property by two unauthorized users located across the globe who were using credentials borrowed from an individual with supposedly limited access rights (see: Epic vs. Tata: Key Security Questions).

"The compromised credentials were used to [allegedly] download over 7,000 documents and files - so the exfiltration could have created a red flag to indicate to Epic that its systems were being misused - and not consistent with the rights granted under the terms of use or the non-disclosure agreement," Raether notes.

"I'm not faulting Epic, but I do believe there are information security controls ... with respect to personally identifiable information and preventing consumer harm that likewise could provide useful benefits in companies protecting their trade secrets."

In this in-depth interview (see audio player below photo), Raether also discusses:

Steps companies can take to help prevent user credentials from being misused or shared with unauthorized individuals; Measures organizations can implement to prevent intellectual property from being stolen by remote outsiders, as well as insiders, including former employees; Potential ways experts might analyze whether allegedly stolen trade secrets are inappropriately applied for the software products of a competitor; Why the damages awarded by the jury to Epic were so substantial, and whether those damages could be reduced.

Raether is a partner at the law firm Troutman Sanders LLP. His experience with technology-related issues spans an array of legal areas, including patents; anti-trust; licensing and contracts; employment; trademark; domain name disputes; and federal and state privacy statutes.

Denise Hayman, vice president at Neustar, an information services company that offers distributed-denial-of-service mitigation services, has had a long career in information security, having previously worked at Symantec, Tripwire, Zscaler and Norse, among other companies.

How can other women follow in her footsteps? In an interview with Information Security Media Group, she stresses the importance of networking and building relationships with female role models.

"The great news is there are so many amazing programs out there today to help not only from a schooling perspective but also to help women in the community extend their appetite for this [kind of work]," she says.

And many industries, including banking, have shown great interest in diversifying their IT and cybersecurity workforce, Hayman says. "The financial industry embraces bringing in different types of perspectives."

Groups such as the Executive Women's Security Forum, which brings female executives in cybersecurity together with women who are just starting their careers in the field, are helping women develop mentoring relationships, she says.

"It's become a place where young women who are interested in the cybersecurity world can come and network and form a group with other women that are involved in the field who can assist them along the way," Hayman says. "There are scholarships and other sorts of opportunities that are available through these networks of women that have been created over the years as well."

In this interview (see audio player below photo), Hayman also discusses:

Why the financial services industry is ahead of the curve when it comes to cybersecurity opportunities; Why more organizations are interested in hiring individuals from different backgrounds for their security and IT departments; and Why early education programs in IT fields still are not attracting women.

Before joining Neustar as vice president of global security sales, Hayman held executive global positions with cyberthreat defense firm Cyphort, data analytics firm Vendavo and cybersecurity firm Norse Corp, among others. Over the course of her more than two-decade career, Hayman has focused on solutions that range from data-loss prevention and encryption to software-as-a-service and the cloud. At Neustar, she focuses her attention on global security services that include DNS protections and DDoS attack mitigation.