Copyright 2001 Brett J. Trout Security Concerns with e-Commerce Bretttrout.com.

Mar 26, 2015

Transcript
Page 1: Security Concerns with e-Commerce
Copyright 2001 Brett J. Trout
Bretttrout.com

Page 2: Electronic Communications Privacy Act and Employers (ECPA)
Enacted in 1986
Amends Omnibus Crime Control Act

Page 3: ECPA
Prohibits interception of e-mail
Prohibits access to stored e-mail
Allows employers to monitor employees
Applies to both
  Accessing database
  Capturing keystrokes

Page 4: ECPA Title II
Prohibits intentional access of an electronic communication service
Relates to any stored electronic communication
  Email, fax, etc.

Page 5: ECPA Title II Exceptions
Provider of the service
  AOL, employer, etc.
Anyone with authorization
  Express
  Implied

Page 6: ECPA Title III
Prohibits intentional interception of any electronic communication
Makes it a crime to capture email while en route

Page 7: ECPA Title III Exceptions
Employee consented
  Impliedly
  Expressly
    Employment agreement
    Email policy
Employer interception must be in the ordinary course of business

Page 8: ECPA Take Home
Employer can
  Monitor stored e-mail
  Intercept e-mail
Give employees express notice
  Employment agreement
  Email policy
Monitor only in ordinary course of business
Stop reading if e-mail is personal

Page 9: Computer Fraud and Abuse Act
Enacted in 1984 to stem computer crime
Amended in 1996 (National Information Infrastructure Protection Act) to criminalize:
  Threats to computer networks
  Release of viruses or worms
  Hacking
  Hijacking
  Destructive ecommerce activity

Page 10: CFAA Makes it Illegal
To knowingly access a computer without authorization
  For fraudulent purposes
  To access confidential information
  To access financial information
  To cause damage to a computer system

Page 11: Economic Espionage Act
Enacted in 1996
18 U.S.C. section 1831 et seq.
Makes it illegal to take or receive trade secrets
Enacted to curb economic and industrial espionage

Page 12: EEA
Civil Penalties
  Injunction
  Forfeiture of profits and instrumentalities to government
Criminal Penalties
  Injure or benefit - 10yr/250K/5M
  Benefit foreign power - 15yr/500K/10M

Page 13: Hacking
According to PricewaterhouseCoopers, hacking cost United States companies $1.5 trillion in 2000
World Trade Center insurable loss: $50 billion
One year of hacking equals 30 Trade Center attacks.

Page 14: Types of Hacking
Denial of Service Attack
Packet Sniffing
Spoofing
Keystroke Monitoring
Viruses
Cracking
Exploiting Holes
Diddling

Page 15: Denial of Service Attack
Any action to prevent server from functioning
Usually enlists unsecure computers to bombard server with requests
  Floods server
  Prevents normal functioning
  Difficult to track down

Page 16: Packet Sniffing
Internet information travels in packets with “header”
Sniffer software searches for packets containing these headers
Used to audit and identify network packet traffic
Can uncover passwords and/or usernames
Easy to do
Difficult to detect
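The slide calls sniffing difficult to detect. One host-side indicator worth checking on a Linux machine is a network interface in promiscuous mode, which is how a sniffer running on that host sees traffic not addressed to it; the kernel reports this as the PROMISC flag in the output of "ip link show". The Python below is an added example, not code from the presentation: it parses that command's output (a constructed sample is embedded) and lists the interfaces carrying the flag. The interface names, MAC addresses and the sample output are constructed. A clean result is not proof of absence: a sniffer on another host, or on a mirrored switch port, leaves no flag on this machine.

```python
"""Added example (not from the slides): a host-side check for one indicator of
packet sniffing, a network interface left in promiscuous mode.

Assumptions (not on the page): the `ip link show` output below is a constructed
sample; on a live Linux host, check_live_host() feeds the real output of that
command to the same parser. PROMISC is the kernel's own flag for promiscuous mode.
"""
import re
import subprocess
from typing import Dict, List

# Matches the interface line of `ip link show`, e.g.
# "2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 ..."
_IFACE_LINE = re.compile(r"^\d+:\s+(?P<name>[^:@\s]+)(?:@\S+)?:\s+<(?P<flags>[^>]*)>")


def parse_ip_link(output: str) -> Dict[str, List[str]]:
    """Map each interface name to its flag list from `ip link show` output."""
    interfaces: Dict[str, List[str]] = {}
    for line in output.splitlines():
        m = _IFACE_LINE.match(line)
        if m:
            interfaces[m.group("name")] = m.group("flags").split(",")
    return interfaces


def promiscuous_interfaces(output: str) -> List[str]:
    """Return the names of interfaces whose flags include PROMISC."""
    return [name for name, flags in parse_ip_link(output).items() if "PROMISC" in flags]


# Constructed sample output (not captured from a real host); eth0 is in promiscuous mode
SAMPLE_OUTPUT = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
    link/ether 02:00:00:00:00:01 brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
    link/ether 02:00:00:00:00:02 brd ff:ff:ff:ff:ff:ff
"""


def check_live_host() -> List[str]:
    """Run `ip link show` on this Linux host and report promiscuous interfaces."""
    out = subprocess.run(["ip", "link", "show"], capture_output=True, text=True, check=True).stdout
    return promiscuous_interfaces(out)


if __name__ == "__main__":
    # Against the constructed sample this reports ['eth0']
    print("promiscuous (sample):", promiscuous_interfaces(SAMPLE_OUTPUT))
```

Run it periodically from a host-monitoring job and alert on any interface that appears in the list unexpectedly; legitimate monitoring taps and some virtual switches also set the flag, so keep an allow-list of interfaces that are expected to be promiscuous.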

Page 17: Spoofing
Pretending to be another user
Includes
  Deceptive sender information (spam)
  Deceptive use of username and/or password

Page 18: Keystroke Monitoring
Inexpensive software
  Installed on computer
  Hardwired to computer
Allows
  Reconstruction of user’s activity
  Identification of usernames/passwords
Illegal

Page 19: Viruses
Software that
  Modifies other software
  Replicates itself
  Sends itself on to other computers
Types
  Replication
  DOS
  Data destruction

Page 20: Virus Prevention
Virus protection software
  Only works if it is turned on
  Constantly update
Keep apprised of latest viruses
Do not open attachments from unknown senders

Page 21: Virus Prevention
Do not open files with extensions:
  .exe
  .vbs
  .pif
Use Eudora, rather than Outlook
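As an added example of the attachment rule on this and the previous slide (not code from the presentation), the Python below flags attachment filenames by extension, the way a mail gateway or a client-side filter would before a user ever sees the file. It goes beyond the slide's three extensions to other Windows executable and script types that behave the same way; that extended list is an assumption of the example, as are the sample filenames. The check is case-insensitive, looks at every dotted suffix so that a double extension such as invoice.pdf.exe is caught, and strips trailing dots and spaces that can hide the real extension.

```python
"""Added example (not from the slides): flag e-mail attachments whose file
extension marks them as executable content, as the slide advises.

Assumptions (not on the page): the attachment filenames below are constructed
samples, and the policy list extends the slide's .exe/.vbs/.pif with other
Windows executable and script types that are run rather than opened.
"""
import os
from typing import List, Tuple

# Extensions from the slide, plus other types that execute when opened
# (the extension beyond the slide's three is this example's assumption).
BLOCKED_EXTENSIONS = frozenset({
    ".exe", ".vbs", ".pif",                  # the three named on the slide
    ".scr", ".bat", ".cmd", ".com",          # other directly executable Windows types
    ".js", ".jse", ".vbe", ".wsf", ".wsh",   # Windows Script Host types
})


def is_blocked_attachment(filename: str) -> bool:
    """Return True if the filename should be blocked under the policy.

    Checks are case-insensitive and look at every extension in the name, so
    "invoice.pdf.exe" and "PHOTO.JPG.VBS" are caught, not just the last suffix.
    Trailing spaces and dots (sometimes used to hide the real extension) are
    stripped first. Erring on the side of blocking is deliberate: a name like
    "old.exe.txt" is also rejected.
    """
    # Keep only the last path component and remove trailing junk
    name = os.path.basename(filename.strip()).rstrip(". ")
    parts = name.lower().split(".")
    # Every dotted suffix after the base name is a candidate extension
    return any("." + ext in BLOCKED_EXTENSIONS for ext in parts[1:])


def screen_attachments(filenames: List[str]) -> Tuple[List[str], List[str]]:
    """Split a message's attachment names into (allowed, blocked) lists."""
    allowed: List[str] = []
    blocked: List[str] = []
    for name in filenames:
        (blocked if is_blocked_attachment(name) else allowed).append(name)
    return allowed, blocked


# Constructed sample attachment list for a single message (not from the page)
SAMPLE_ATTACHMENTS = [
    "quarterly_report.pdf",
    "invoice.pdf.exe",     # double extension hiding an executable
    "PHOTO.JPG.VBS",       # upper-case script extension
    "setup.exe.",          # trailing dot after the real extension
    "notes.txt",
]

if __name__ == "__main__":
    allowed, blocked = screen_attachments(SAMPLE_ATTACHMENTS)
    print("allowed:", allowed)   # ['quarterly_report.pdf', 'notes.txt']
    print("blocked:", blocked)   # ['invoice.pdf.exe', 'PHOTO.JPG.VBS', 'setup.exe.']
```

An extension list is a coarse control: it stops the obvious cases the slide names but says nothing about macro-bearing documents or archives containing executables, so it belongs alongside the virus protection software and update discipline of the previous slide rather than in place of them.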

Page 22: Cracking
Defeating copy-protection
Determining passwords/usernames
Typically illegal

Page 23: Exploiting Security Holes
Microsoft XP e-wallet
  Unauthorized users could get credit card information
Microsoft Outlook
  Vulnerable to viruses
Keep abreast of
  New developments
  Patches

Page 24: Diddling
Obtaining unauthorized access to
  Modify
  Delete
  Set time bomb

Page 25: Insurance
Typically very expensive
Very good exercise to identify and address problems

Page 26: Insurance
The number of companies who cited their Internet connection as a frequent point of attack has increased steadily from 47% in 1998 to 70% in 2001.
Marsh Advantage America - Leisa Fox
www.netsecuresite.com

Page 27: Insurance
78% of companies acknowledged financial losses due to computer breaches
37% of companies are willing or able to quantify their financial losses
The most serious financial losses occur through theft of proprietary information.
Marsh Advantage America - Leisa Fox
www.netsecuresite.com

Page 28: Misconceptions
I have staff in place who are keeping me safe
I have a firewall, so I’m protected
Our network is password protected, so I’m doing all I can.
Our contracts transfer liability, so I have nothing to worry about
My employees would never do anything to jeopardize my company’s data

Page 29: Risks
Legal Risks
Credibility Risks
Security Risks
Financial Risks
Marsh Advantage America - Leisa Fox
www.netsecuresite.com

Page 30: Legal Risks
Defense Costs - exaggerated because of the lack of current case law
Inability to determine value of Intellectual Property
Copyright/Trademark Infringement
Libel/Slander & Defamation
Plagiarism
D&O suit for insufficient security measures
Regulatory Costs

Page 31: Security Risks
Digital Terrorism
Internal Crime
External Crime
Virus Attacks
Marsh Advantage America - Leisa Fox
www.netsecuresite.com

Page 32: Credibility Risks
Organizations that experience security breaches keep them quiet.
A breach can do grave damage to a company’s reputation.
Marsh Advantage America - Leisa Fox
www.netsecuresite.com

Page 33: Financial Risks
Prior risks translate into costs:
  Business Income Loss
  Reconstruction of lost data
  Investor Relationships
  Defense Costs
Marsh Advantage America - Leisa Fox
www.netsecuresite.com

Page 34: Solutions
Identify & prioritize the risks
Consider technology solutions
Consider process/policy solutions
Transfer or eliminate risks that are too costly to retain
Marsh Advantage America - Leisa Fox
www.netsecuresite.com

Page 35: Key People
The C’s - CEOs, CFOs, CTOs, CSOs, CIOs
Human Resources
IT
Marketing
Legal Counsel
Risk Manager/Insurance Agent
Marsh Advantage America - Leisa Fox
www.netsecuresite.com

Page 36: Misconceptions
I have coverage under my package policy
I have an E&O Policy that covers it
I have an EDP Policy
Marsh Advantage America - Leisa Fox
www.netsecuresite.com

Page 37: Policies Cover
Policies may include coverage for:
  Virus Attacks
  Data reconstruction
  Business Income Loss
  Disaster Recovery
  Defense Costs, etc.
Marsh Advantage America - Leisa Fox
www.netsecuresite.com

Page 38: Costs
Pricing varies greatly based on exposures.
Third party policies are vastly more affordable than first party policies.
You can expect to pay anywhere from $7,500 to $100,000 for a Cyber Risk Policy.
Marsh Advantage America - Leisa Fox
www.netsecuresite.com

Page 39: Internet Privacy
“You have zero privacy anyway. Get over it.”
Scott McNealy, Sun Microsystems CEO, Wired News (March 11, 1999)

Page 40: Internet Privacy Policy
Components
  Notice of Data Collection - How, What, Why
  Choice - Partial or total “opt out”
  Access to Data - Option to modify or delete
  Security

Page 41: Internet Privacy
Privacy Policy
  Develop one today
  Follow it
  Designate IT privacy czar
  Audit your policy - regularly

Page 42: Consumer Privacy Protection Act
Pending legislation
Mandates privacy collection procedures
Private Right of Action
  $50,000 statutory damages
  Punitive damages
  Attorney fees
Something like this will become law

Page 43: Cookies
A computer science term
An opaque piece of data held by an intermediary

Page 44: What is a Cookie?
HTTP header
Text-only string
Associated with your browser
Unique identifier
Cannot be used as a virus
Cannot access your hard drive.
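The slide describes a cookie as a text-only HTTP header string that serves as an identifier, and the previous slide as an opaque piece of data held by an intermediary. The Python below is an added example, not code from the presentation, of the session-cookie pattern those two definitions describe: the server issues a random identifier in a Set-Cookie header, keeps the actual user data in its own table, and maps the string back to that data when the browser returns it in a Cookie header. The cookie name sid, the user record and the request headers are constructed; the HttpOnly and Secure attributes on the Set-Cookie line are standard cookie attributes not mentioned on the slides.

```python
"""Added example (not from the slides): a session cookie as an opaque
identifier carried in HTTP headers.

Assumptions (not on the page): the cookie name "sid", the user records and the
Cookie header strings below are constructed samples, and SESSIONS is an
in-memory dict standing in for a real server-side session store.
"""
import secrets
from typing import Dict, Optional, Tuple

COOKIE_NAME = "sid"                  # assumed name for the session cookie
# Server-side state keyed by identifier: the cookie string itself holds none of this
SESSIONS: Dict[str, dict] = {}


def issue_cookie(user_record: dict) -> Tuple[str, str]:
    """Create a session for user_record; return (session_id, Set-Cookie header value).

    The identifier is random and opaque: the string reveals nothing about the
    user, and only the server can map it back to a record.
    """
    session_id = secrets.token_urlsafe(32)     # text-only, URL-safe string
    SESSIONS[session_id] = dict(user_record)
    # HttpOnly keeps page scripts from reading the string; Secure keeps it off plain HTTP
    header = f"{COOKIE_NAME}={session_id}; Path=/; HttpOnly; Secure; SameSite=Lax"
    return session_id, header


def parse_cookie_header(value: str) -> Dict[str, str]:
    """Parse a request's Cookie header ("a=1; b=2") into a dict of text values."""
    cookies: Dict[str, str] = {}
    for part in value.split(";"):
        if "=" in part:
            name, _, val = part.strip().partition("=")
            cookies[name.strip()] = val.strip()
    return cookies


def lookup_session(cookie_header: str) -> Optional[dict]:
    """Resolve the session cookie back to server-side state, or None if unknown."""
    session_id = parse_cookie_header(cookie_header).get(COOKIE_NAME)
    return SESSIONS.get(session_id) if session_id else None


def demo() -> Tuple[Optional[dict], Optional[dict]]:
    """Round trip: issue a cookie, present it back, then present a made-up one."""
    sid, set_cookie = issue_cookie({"user": "alice", "cart": ["book"]})   # constructed record
    # The browser echoes the string back on later requests to the same site
    genuine = lookup_session(f"theme=dark; {COOKIE_NAME}={sid}")
    # An identifier the server never issued maps to nothing
    forged = lookup_session(f"{COOKIE_NAME}=not-a-real-session")
    return genuine, forged


if __name__ == "__main__":
    print(demo())   # ({'user': 'alice', 'cart': ['book']}, None)
```

The design point is where the data lives: the browser only ever holds the identifier string, which is why a cookie cannot act as a virus or read the disk, while the privacy questions on the following slides arise from what the server side chooses to record against that identifier across visits.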

Page 45: Doubleclick
Doubleclick used cookies to aggregate user information
Users sued
SDNY Court held 3/28/2001
  No violation

Page 46: Children’s Online Privacy Protection Act
Requires the Federal Trade Commissioner to issue and enforce regulations which regulate the ability of Websites to collect personal information from children under the age of 13.

Page 47: COPPA
Passed into law October 21, 1998
Covers personal information collected after April 21, 2000
COPPA applies to
  Web sites and online services
  Targeted to, or know they are collecting data from, children under 13.

Page 48: COPPA Requirements
Post a privacy policy
  Conspicuous
  What data you collect
  What you do with it.
Obtain verifiable consent from the child's parent
  Before you collect any data.
Importantly
  Change in policy requires new consent

Page 49: COPPA Requirements
Give option to revoke consent
Allow parents to review data collected
Ensure security and integrity of the data you collect.

Page 50: Gramm-Leach Bliley
Subjects “financial institutions” to certain reporting and disclosure requirements intended to ensure the personal and financial privacy of customers

Page 51: “Financial Institution”
Lending, exchanging, transferring, investing for others, or safeguarding money or securities;
Issuing or selling instruments representing interests in pools of assets which a bank can hold directly;
Engaging in any activity … so closely related to banking or managing … as to be a proper incident thereto.

Page 52: GLB Data Disclosure
Opt out
  Prohibits disclosure by financial institution without allowing consumer to opt out.
Third party disclosure
  Allowed for the purpose of permitting third party to perform services for the financial institution.

Page 53: GLB Data Disclosure
Prohibits third party from disclosing nonpublic personal information
  Unless disclosure would be lawful if made directly to such other person by the financial institution.
Prohibits sharing of account number information for marketing purposes
Different requirements for different levels of relationships.

Page 54: Health Insurance Portability and Accountability Act
Forces health providers and insurers to use technology in a more uniform, less proprietary manner

Page 55: HIPAA Goals
Standardization
Security
Privacy

Page 56: Areas of Focus
Technical Security Services
  User authorization and authentication
  Access control and encryption
Administrative Procedures
  Formal security planning
  Record maintenance and audits
Physical Safeguards
  Security to building
  Privacy for workstations handling patient information

Page 57: HIPAA
Can apply to both health care and non-health care entities
Forces covered entities to uniformly transmit and receive certain data electronically
Requires the use of standard identifiers (rather than proprietary codes) to identify health care providers, employers, health plans and patients

Page 58: Employers
Must have written policies and notify employees of HIPAA policies
Must get consents to the release of certain information in certain circumstances
Must give employees access to their medical records
Must have contracts in place with providers to ensure that they safeguard information

Page 59: Employers
Identify stored health information and who has access to it
Identify how the information is used and its flow
Correlate all privacy policies
Standardize all relevant third-party provider contracts

Page 60: European Union Directive on Privacy
Effective 25 October 1998
Every EU member state must enact national law consistent with the Directive
Many EU countries had privacy laws before the Directive

Page 61: EU Directive
World-wide standard
Enforcement has begun in the U.S.

Page 62: Compliance
The Safe Harbor
Specific contracts blessed by European Data Protection Authorities
Exceptions or derogations to the Directive

Page 63: Safe Harbor
Seven privacy principles issued by US Department of Commerce on July 21, 2000 for “personal data” collection

Page 64: Seven Provisions
Notice
Opt in
Opt out
Security
Maintain Integrity of Data
Procedure for Data Correction
Data Transfer

Page 65: Notice
Clear language
Purpose of collection
Contact information for inquiries or complaints
To whom you disclose information
Options for limiting use and disclosure of the information.

Page 66: Opt in/Opt out
Opt out
  Disclosed to third party
  Used for new purpose
Opt in
  Sensitive information
    Race, health, union membership, sexual preference
  If disclosed to third party
  If used for new purpose

Page 67: Security
Loss
Misuse
Unauthorized access
Disclosure
Alteration
Destruction.

Page 68: Maintain Integrity of Data
Reliable for intended use
Accurate
Complete
Current.

Page 69

Procedures for Correction

- Correct, amend, or delete inaccurate information
- Not necessary where:
  - Burden much greater than potential harm
  - Would compromise confidential information of others

Page 70

Data Transfer

- Must include
  - Notice provisions
  - Choice provisions
- Agent must
  - Subscribe to the foregoing principles; or
  - Enter into a written agreement requiring the agent to provide at least the same level of privacy protection as the provider

Page 71

Safe Harbor

- Access
  - Individuals must have access to “their” information
  - Ability to correct or remove inaccurate information
  - “Disproportionate burden” exception
- Enforcement
  - Mechanisms for investigating and resolving complaints
  - Procedures for verifying privacy statements
  - Obligation to remedy problems

Page 72

EU Directive

- Enforcement by competitors
- Failure to comply could lead to a cut-off in data and actions against European partners

Page 73

Falling Under Safe Harbor

- Self-certification on DOC website
- Hard part - applying it to business practices
- Financial services firms cannot join Safe Harbor unless under the FTC

Page 74

EU Directive

- Over 40 countries now have substantial privacy laws
- Most either copy or comply with the EU Privacy Directive

Page 75

EU Directive

- Compliance requirement is real
- Safe Harbor likely best but not only option
- Don’t copy another company’s privacy policy

Page 76

What To Do

- Audit current privacy practice
- Develop EU Directive conforming policy
- Comport practice with policy
- Require warranties & indemnities from third parties using your data
- Encrypt data transmissions

Page 77

Privacy Technology

- Establish firewall
- Monitor cookies – turn off as appropriate
- Run virus detection software
- Anonymizer
- TRUSTe - will review your privacy policy
- Asymmetric cryptography
- Future technology
  - Platform for Privacy Preferences (P3P)
    - Defines exactly the level of information disclosed

Page 78

Additional Steps

- Security policies
- Rotate passwords
- Monitor access and file transfer
- Implement network vulnerability study
- Implement a disaster recovery plan
- Limit modification of workstations
- Obtain insurance

Page 79

Thank You