
All right, thanks everybody for attending. This panel is here to talk about when's a breach not a breach, or when is a breach a breach. Let me get to know the audience a little bit better for our panelists. So maybe you could give me a show of hands: how many people are in the legal profession, lawyers, work with lawyers? How many people are incident responders? Okay, several people. And how many people have been involved in a breach, worked with the breach directly? All right, great. Well, let's have the panelists introduce themselves. Start at the far end there. Ray, you want to?

Great. My name is Ray. I'm probably the least recognized on this panel. I'm the chief data protection officer for a Fortune 500. What that means, it sounds really sexy, it's really not. I have three primary responsibilities. One is security and privacy by design in a product life cycle, making sure we're baking those in. The other is awareness and communication within the organization, and the last, probably the most relevant for this panel, is I handle and lead our incident response, or breach response, as it relates to the US as well as the EU, ASEAN, APAC, etc.: how do we respond to that, how do we classify a breach, and how do we do notifications.

So I'm Jack Daniel, and I am one of the founders of the BSides movement. Relevant to this, several years ago in Massachusetts the TJX breach finally pushed our stalled breach notification law through, 93H, and it actually went farther than most because it specified we had to have regulations to prevent a breach, which is the infamous 201 CMR 17, which I became heavily involved in because I read two short articles that were written by people who had not read all four pages of the initial draft. So somebody was wrong on the internet, and then I spent years involved in breach disclosure, breach law, and have not extricated myself from it, plus having had to deal with a few small things back when I worked for a living. Now I'm in vendor land.

Thanks, Jack. I'm Steve Werby. I'm currently a security architect at a Fortune 200 and do security research outside of my day job. Previously I'd worked as a CISO at three different organizations, in each of which I was involved in reportable data breaches, so I have a lot of experience with data breach notifications and the laws around those, both in the states of Texas and Virginia.

I'm David Mortman. I'm a former CISO, recovering CISO if you will, never again, I always say. I'm currently a chief security architect at a large hardware and software vendor you've all heard of, and as a result, anything that might be related to the product that I work on, I have to work on. I've done breach stuff in one way or another ever since CA 1386 came out, which was 2004, something like that.

All right, awesome. My name is Dave, so I'm volunteering to moderate this crazy panel. So I guess one of my first questions is going to be to the group, and I'll let you decide who answers first. But if you remember the Octomom scandal, you know, her information got breached, and if I remember correctly nobody actually saw the data. The hospital just said that they discovered someone was trying to look at her records, and because they saw
someone trying to look at the records, they were fined for having a breach. Does this constitute a breach, when someone gets caught trying to look at the records of someone who's famous?

Okay, me. So, you know, it's interesting, because you brought an ePHI example, electronic personal health information, which is probably, when you talk about patients, one of those touchy subjects, because if you glance sideways at personal health information, you have to report it, you know. I think the interesting thing is most state breach notification laws, for those of you who don't know, we'll just focus on the US because the EU gets really more complicated, there's 46 states that have a data breach notification law. They're all different. There's four that don't: Alabama, Kentucky, North Dakota, one of the Dakotas, and New Mexico. But all the others have some sort of notification. Most of them, though, say that there's a clause in there that says you have to have a reasonable assumption that the data has been accessed, or, you know, whatever, unless it comes into ePHI, and then that goes into the, yes, you know, if they even think about looking at it, it is a breach. So that's an exception to the rule. In most cases, if you don't have a reasonable assumption that there's no access, then you don't have...

What about possession? So I think the example we had was somebody gets a laptop with sensitive data on it, they get hit by a bus, never look at it. Is this still a breach?

This one's tricky, and this part of this came from the way the Attorney General's office in Massachusetts interprets 93H and 201 CMR 17, which require these things to be encrypted, and their expectation or their assumption is that nothing has been properly encrypted and therefore there's no safe harbor for encryption. And I'm really torn on this, because being a pedantic security [ __ ], which I realize is a redundant phrase, I'm completely there, because the passphrase is taped to the lid, right? We've all seen that, and therefore as soon as you lose control, I have no faith, and there's no way to prove that it hasn't been accessed. But having worked with... so that's out of control, you know, it's out of control, it makes me crazy. But in the real world, where we're dealing with real people, I would much rather have much more relaxed interpretations, because we need to give people a reason to move a little bit forward. So I know I'm straddling the fence here, but the state interpretation, the Commonwealth interpretation, Massachusetts, is if you lose control of something, encrypted, unencrypted, it doesn't matter, unless you have somebody to prove it wasn't accessed.

That's interesting, because in California of course it's the opposite; encryption is like a safe harbor. Steve, you identified as one of the architects. Can we build safe enough so that they'll leave us alone?

I don't know if that's possible or not. There's no such thing as 100% security. What I think is interesting in this example, though, that led to this panel, was a scenario where somebody who takes a laptop almost immediately is hit by a bus and the laptop's destroyed, so we have very high assurance that the data was not accessed, and regardless of what the law has to say, my opinion is that should not be a reportable data breach, because the affected individuals never had their data accessed by somebody who's unauthorized.

So one quick comment to build on that. I think it's important, you know, that is a breach of security; it's not necessarily a breach of data, and a lot of times we co-mingle that. So something happens and it's like, oh, we have a security incident, and we automatically assume a data breach. That's a distinction that I don't think is heavily weighed in many organizations; they kind of treat everything as a single umbrella. But I'm actually surprised, in the 46 states that have data breach laws, they're very prescriptive about what constitutes a security breach, and both, you know, is it unencrypted data, is it encrypted data but the key has been compromised, those kind of things. So this is why the question about how many of you deal with law and legal. I report to the general counsel in my organization, which has been a learning experience for me. But the interesting thing is that interpretation drives the hearts and minds of your organization, because that's going to be what your penalties are going to be, whether or not you're going to disclose, and the ethics behind it. So if you don't know somebody in the legal profession, or you don't deal with them on a regular basis and you're handling data breach incidents, find somebody, talk to somebody, and there's some good sites out there; we can talk about them later.

All right, Dave, so
you're covering CISO, so maybe you can be frank with us. Tell us what it's really like. But what's the point of reporting breaches? Does it help when you get these breaches reported? You can change your policies, you know...

I think that the goal of many of these was, having talked to folks in a lot of states who were in the process of building these laws, to give customers transparency into what may have happened to their data, so that people could choose to go, you know, engage a credit reporting service, or just monitor their health records, or, you know, if the physician lost the records, understand how they got lost. So you can say, was it..., you know, not necessarily for the purpose of suing, but like if my doctor lost my records because they left their filing cabinet in the front door unlocked, that doesn't give me a great comfort about their general skills, you know, as a business person, as a physician, so I might want to make some choices about that. On the other hand, you know, if the laptop was encrypted and someone broke into their house and cracked the safe it was in, I'm like, okay, this person is trying really hard, but I still might want to be monitoring other things going on and start looking for, you know, watching my insurance reports coming in, making sure there's not suddenly, like, medications being ordered in my name or something like that. I think it's more about transparency than anything else. I mean, certainly most of these laws have the ability for a class action lawsuit against organizations, and that's really where the safe harbor comes in. So like Indiana, for instance, if the data is encrypted and the key is not with the data, there's safe harbor. But that situation like where, you know, the passphrase is written on the box of tapes, or the SecurID token is in the laptop bag, then you have to, you know, therefore someone who has it can then, you know, decrypt the laptop.

Well, developers are notorious for putting the key next to the encrypted file.

So easy, right, and if you're dealing with, like, suites of servers that need to auto boot, you end up in logical loop problems about how do you manage that automatically without lots of software added on. You just can't do that, so either you have no passphrase on your key, or your key's right there.

Let's stay on transparency for a second, though. So it's about the people. I mean, like California, we have a five, I believe it's a five-day notice window now, because people need to know as soon as possible that their information was breached. But do we really care? I mean, okay, we have to care that people need to know their information was breached, but isn't the purpose, if we look at like the airline industry, to really know what went wrong so we don't have planes flying around that are about to crash? So is the point of the breach notification really about the victims, or is it about protecting them?

Well, in my opinion, I mean, so one of the nice... so for the state laws, it started as a transparency, victim protection thing. If you look at HITECH, which is the recent update to HIPAA a couple years ago, one of the things that was mandated as part of that is notification of the ways things were breached to a central authority, and then you start getting into usable information like the NTSB gathers for the airlines, so that way, as carriers of this data, you can start understanding the ways in which other people are breached and you can be more effective.

Is it weird that they require more than 500 to be the watermark?

Well, not so... this, I'm going to differ a little bit on the consumer protection aspect of it, and the reason I say that is because if you look at most of the notification laws, the notification to the attorney general or the broader disclosure, none of the triggers are the same. Some are
automatic, some are before notification, some are after notification; in fact the notification event is what triggers the action. Some are 500 records, some are a thousand records. There's an inconsistency there. The other thing is, if you look at the states, the statutes in the states, and how many actually have a private right of action, going back to class action lawsuits, 30 of those states have no private right of action. So if you actually come forth with a data breach, 30 states will not allow a civil case for class action because your data was compromised, and only 25 of them are even prescriptive in any sort of, you know, $500 per record or anything like that. Most of them don't even, you know, 50% don't even have that. So I think a lot of it is more about, to your point, if it's a specific agency or a specific type of data, that kind of thing is more protecting the industry itself, and the consumer is almost second in that process.

So protecting industry is an excellent point. Are we really seeing harm to the consumers? Can they prove that they've been harmed when their data has been breached?

Well, I don't know that they can, and the kind of things we're talking about in terms of the action they would take, in my opinion, are the kinds of things they should be doing anyway. Everyone should be reviewing their credit reports, monitoring their financial records. Individuals are seeing so many data breaches involving their data that I believe they're becoming quite numb to it, and so I don't know that incrementally they are doing or should be doing anything differently if they get a data breach notification letter versus if they did not.

Wouldn't it also, or doesn't it also, function as a punishment against an organization that allows the data breach to occur?

It depends on the level of exposure, right? So in some cases you're going to have a penalty depending on the type of data. In most cases those are going to be capped. For a large organization, if it's capped at like $50,000 and that's the maximum penalty that you can pay out, that's not a lot, right? The other thing is, you know, then you look at brand reputation. So I think Ponemon has the statistics; I think the average cost to the organization in the US is 5 and a half million, not counting the outliers, 3 million lost business and that kind of thing. For most of the large brands that are already established, either they already have a kind of captive audience, it's not like you're going to suddenly cancel your American Express card if you get the thing that your card might be compromised, or they can handle it in a different way through a different sales channel and recover. I think that's the issue: the consumers are becoming desensitized, but organizations are becoming more desensitized unless they stand to lose a lot, like, you know, if it's an online startup and all you have is your reputation, you're screwed, but Fortune 500 companies, Fortune companies, probably not. You pick up, move on, send out a few checks.

Let's go back to the definition of a breach. So if the cost of responding to a breach is significant, and the reputational risk and the damage, I mean, how much is this really about the definition? So are people trying really hard to avoid being exposed, avoid being found to be in violation of... oh yeah, absolutely. So what are they doing to avoid breaches? Are they actually fixing their systems, or are they trying to find ways that they don't have to report breaches?

So they probably got to figure out this too, but I think some people are actually trying to fix their systems. Now, I don't want to think like evil corporations are all out there trying to get each other. You know, my company, my role, a lot of it is making sure we're building in the right controls from the start of the process. But I think what's interesting about this, though, is there's just not enough compelling reason, and you get stuck in the legal definition. Most of the exemptions, and we talk about safe harbor, are not actually called out in the law itself or in a notification; it's called out in the definition of security breaches. So you start to split the language up, and then it becomes a, well, what is our liability? Well, it's all based on a few words in this definition, and we can fight that.

Anybody remember what the cost of the breach was for South Carolina, the Mandiant investigation, how much that cost? A lot. $35 million. The breach cost $35 million, all that cost added up together. I got a slide. 35 million, yeah, estimated another 7 million of external cost after the 25 million they already spent. And what was the cost of avoiding that breach? Well, that's a good question.
Nobody has data. Weren't they trying to hire a CIO or a CISO or something? Wasn't it that they couldn't fill a position that was a security officer? That was one of those after-the-fact ones that came up. You know, some people that were in technology, in IT, in the state had a very different view of what happened. I forget the exact quote, but the governor made some fantastic clips about how hard it is to do security. All right, so she said math is hard, is pretty much what she said about crypto. She said nobody... you'd be amazed who doesn't encrypt Social Security numbers. Nobody does, because, like, math is hard. Did the state a great reputation.

But, question: I'm unfortunately from a larger state, Texas. The amount of money that our state spent just to basically portray having done something about the fact... public records, in South Carolina's case everybody got to see the data; Texas, not so much. Nobody really knows how much our Texas one cost. I do, but not many people do. The reality is no improvement in security. How much did it cost? Around 25... it was 2 and a half million just to send out the notification, which under Texas law requires web notification, but our state decided that we were going to notify every person. Outsource that, yeah. Notification is a huge cost, and sometimes you use public channels... lost records, that was 2 in that.

So I want to focus back on the definition, though. So let me give you another example. One of the largest breaches in history apparently was from the VA, and the VA said that they had lost a RAID disk, one disk, when they sent it back for OEM repair or something. No one could account for where it went, and it was part of an Oracle database. So when you have a disk that has, you know, just a piece of an entire puzzle, and it's a piece of an Oracle database, is this a breach, because they lost that piece of their environment? No one can really reconstruct the data, potentially, maybe.

Yeah, I think it depends on the... so that gets back to me, because definition is what we're talking about. Is that a... it's encoded. Is that a breach of data? I don't think so. I mean, did somebody, can somebody get data of value from that? No.

That doesn't matter. The legal definition is actually what matters, right? Because we can argue about when we actually lose control, but we're up against the legal definition, and if the legal definition isn't clear enough... and, you know, thankfully all laws are written clearly in plain English by people who are subject matter experts, unbiased, not beholden to their wife's business or...

One thing to build on that real quick: one, it's English, it's not actually normal English. But I think it's funny, because the definition of personal information, there's a commonality across the 46 states that have that, but usually that commonality stops at first name, or first initial, and last name in combination with, like, some identifier, right? So that's how you identify data, and one element by itself is not enough. But then you start to add all the exceptions at the different state levels, and now we are expanding the definition, and some of that's around it... it's almost impossible to stay up on what is personal information anymore. The scope is expanded so greatly that it's almost better to just say encrypt the [ __ ] out of everything and just assume it's all personal information.

Let's do a quick survey, then. I believe Canada, the privacy commissioner there, said email is part of your sensitive information, your address sometimes. So how many people agree email is private, sensitive information? What, three people? Come on. How many people wish it were, but no, it's not? All right.

So let me update that example, right? So you have the RAID drive and you have the Oracle database, and this was an old example. Some people call it the largest breach in history, some people say it's not a breach. What about in these new environments, 40,000 clusters or nodes in a Hadoop environment, and one of them disappears? It has some piece of data that was sent to it so it can do some processing in parallel. Is that a breach?

Because... so, to reiterate something you said earlier, the DBIR is misinterpreted year after year after year, and this year they made a big effort to try to reduce that, but they also this year talked... they focused on "we know something got away," not "we lost the laptop," everything. And so they segregate those two out, and that's what we're talking about here: did it really get breached, or did we just not have the control, right? And so, I mean, that's like where the insider
threat... if you look at the big... the insider threat is devastating. The DBIR says, for the ones that we know that somebody got our stuff... but it's around the here... those, the difference between, like, I misplaced my keys and someone stole my car. Right, right, right.

So that's a couple of weeks... right before hopping in the car to drive out here, I stopped at Home Depot to grab a couple of things and dropped my credit card, and I was like, uh, this Home Depot, looking at the sketchy people at Home Depot. And so I called the credit card company, and it was used within 10 minutes, right? And Home Depot is one of those where they'll take the risk of no signature up to about 75 bucks or something. So, but, you know, they got it reversed, the bank took care of it for me. But there's what we're talking about: I... oh no, I don't know where my credit card is. I've rifled the truck and all the bags, [ __ ], where am I? And that's the big undefined. Hello? No, I only made one purchase at Home Depot. Now we've got a confirmed breach. But it's not that simple most of the time, right? It's like, we can't call the PLA and say, do you have the plans to the next generation of our bone scanner? It turns out that they don't answer, they don't speak English, and they won't tell us the truth anyway. Oh, they speak English well.

So I give you the opposite example. This really weird thing happened to me. I found a credit card, and being the good citizen I am, I called up the credit card company on the back, and I said I found this card, probably somebody jogging dropped it in the park or something. And they made me say my name, they wanted my address, they wanted my phone number, they wanted to, like, contact me later, call me back. I was like, I don't want to give you anything, I want to tell you I have this card. Do I destroy it? You know, now that you know that it's been lost. They wanted me to stay on hold, so for half an hour I sort of argued with them before I was like, okay, I'm destroying the card, you can notify that person that their card wasn't used, and you can close the account. But let me go to, for me, the most troubling example of all. Maybe we get a vote on this.

But I'm just... I shouldn't be surprised by that, as bitter and jaded as I am, but it's just like, hey, I'm heading off a problem for you. Oh thanks, yeah, tear that up, thank you very much, sir, click. No, but that's what I expected, but it turned into... and the fact they wanted my personal information, I was so tempted to give them the name on the card.

Right. Well, and if you expand the example, because I think it's, you know, that's small scale, right? But we go back to, do enterprises disclose breaches as readily as they should? Yeah, in most cases they're going to find every nuance to not disclose it because of the difficulty of dealing with it after the fact, because then, looking at, okay, the FTC comes involved, is trying to fight whether or not the FTC actually has authority. But now, okay, am I going to get audited for 20 years? You know, what's the penalties? They make it so difficult to be part of that process of, hey, we, you know, names and addresses were compromised, we want to get this information out there to help our consumers, help us get that message. And then it becomes more of a, well, we want attribution and punishment, we're going to lynch you in it. That's a deterrent for a lot of organizations.

This is where I was going. So in the case of the UCLA breaches, they thought they closed... this is common, of course. The CEO responded back to the regulators, the auditors, "we took care of the problem, we fired the person who was breaching the data," and then it happened again. "Okay, we took care of the problem, we fired the people we think were responsible," and then it happened again. So at what point is breach notification a cause for alarm
to really get down to the source of the problem, as opposed to firing some random person or trying to cover it up? Ultimately that's what led to two new laws in California, because they wanted to be more careful about what they investigate in breaches.

Well, if you look at the data breaches and what's actually occurring, in a lot of cases somebody inadvertently leaving a laptop in their car, and an organization has a policy against leaving laptops unattended, or other things involve a human making a mistake, or not following existing administrative policy, or technical policy not being put in place. So I believe it is quite common for someone to be made a scapegoat in a case like that. But inside the organizations, maybe for a short period of time there's some additional interest in security awareness and other things to ensure it will never happen again. That's the sort of term that I'm used to hearing. But is that really doing any good? And when we look at it from the standpoint of whether the data is actually at potential risk of being utilized in an unauthorized way, there was a case, TRICARE, it's the insurance company for the government. So it was in San Antonio, while living there last year, somebody parked their car with a backup tape in it two blocks from our house, and someone stole the car or broke into the car. I don't believe they actually broke in to get access to the backup tape. It's unlikely they're going to utilize that information to cause any harm, but some large number of millions of people had to be notified because of that. Did that really make a lot of sense? So in my opinion, we're focusing on the wrong things with these data breach notification laws that we have no control over. We have paper data that I believe in only seven states actually requires data breach notification; the laws largely revolve around electronic data. I think if I asked anybody in the room if you'd be upset if an organization exposed your password, you probably would be. Question for the rest of the panel: is that a data breach in the United States, password exposure, just in general, with no other criteria? Is that a data breach? A lot of organizations report it, but are they actually required to?

So how many passwords... well, 499, Barracuda Labs, right? Or Barracuda had their htpasswd exposed, right? The guy was Googling around, found the htpasswd, all clear text. Is that a breach? From my perspective I'd say it is, and the reason I say that is because it then enables the access, right? So it's the losing-the-keys portion. We go back to the unencrypted data where you lost the control mechanism that protects that information. In that case, you want... so I would call that a breach, by my...

So I would not, based on how the data breach notification laws are worded, but it might just be my misunderstanding of them. If it doesn't involve my first initial or first name and last name in combination with Social Security number or financial information, if it's my Google email address, which does not have my name in it, is that a data breach? I don't believe it is in most states according to the law, but I'm more uncomfortable having that information compromised than I am my Social Security number or credit card, because as a consumer I have pretty much zero liability if my credit card's compromised. It'll be a nuisance for me because I'll have to get a new card and change it with some organizations that do automatic billing and that type of thing. And I just assume that my Social Security number has been breached so many times; the important thing for me to do is to monitor my credit periodically and just check for identity fraud involving my identity.

But there are some states, by the way, that are now pushing for electronic IDs to become part of that personal information, including email addresses, for that very reason. I think when you look at it from an organization perspective, how many of you are in an organization that does business in one state? So usually what ends up happening is the most arduous condition or definition of personal information is what you have to abide by. So I think more and more organizations are going to have to start taking electronic IDs and other things that are typically viewed as high risk as part of that data breach, you know, schema. So if my email address gets compromised and my password gets compromised, it may not be personal information in, say, Wyoming, by the way, I can't remember Wyoming off the top of my head, so forgive me, but if it is in one state, then I have to send out a notification to those customers if I'm doing business
with anybody in that state so it it it it does become kind of a um an effective psycle of the most arduous always wins that's that's a choice Point Le yeah years ago was that choice Point got severely breached and they said we only need to notify in three states whatever it was they only had to notify in some states even though they had customers who were compromised in many more States they said the law says right we need to notify in these states so that's what they did and then it became quite clear the breach was much larger and they got raped over the calls by Congress and you know there were class action lawsuits
you that mostly went away because there was no grounds to sue in those States but they it was a valuable lesson in disaster management and business event management that's right the only reason they notified was because they had California customers who required exactly Ked it off so I mean it also could go the other way right so people might not want to do business with certain States or have customers I think people have talked about do they want to have Michigan customers in their databases because of the encryption requirement right michig no no Massachusetts well I but but it's funny because um that actually brings up another important point in verification and Jack you may correct me because I you've more
heavily invol on that but um I I maintain a spreadsheet of like all 46 States laws penalties and everything else and the encryption actually actually has specified is only for encryption of data in transit or on portable devices portable devices there's nothing actually prescriptive maches that move but there's nothing prescription about database level encryption if you B motion the virtual machine but as long as do the public yeah it's public n public network and there's there's this giant loophole uh in that which says we're we're practical or whatever we're reasonable and um I I got into a little heated discussion during one of the hearings on it because um people kept saying this is fine
because people will make a good faith ever and that finally that was the only privacy advocate in the room everybody else is from the business community so if the business Community had been making a good faith effort we would not be here right now public private space how how's that defined you know if you lose a laptop in your parking lot that's private space so yeah and uh and then there's the public private so in the Commonwealth the executive branch of government has e501 executive order which is corresponds to 2011 CMR 17 but other parts of state and municipal government don't have it so it's possible that an agency can make your day ugly because
you had a breach that itself has no concern for your information as a corporate or personal entity of the state. Right.

So here's the most pressing question for me: what about the German argument that any system that has US access is breached, because they assume the US government's got super secret spy control?

I'm in global right now, because we do business in the EU, we have business in APAC and others, and now of course I think within the last week or two they're talking about reopening Safe Harbor, you know, to investigate that, because it's no longer an assurance of control. And now, granted, self-assessment has never been a real assurance of anything other than "I'm just telling you what I say I'm going to do." But it's becoming more of a challenge doing business in those different countries if you're a US-based entity. So now there's a lot of focus on: do we have to put data centers within the foreign nation and keep data contained? Now of course you get into issues about no single view of customers; I mean, there's a whole bunch of things that go around that. That's the extreme that I think at some point in time is going to hurt commerce, and business is going to have to...

Well, you have possession, custody and control, right? So if an American has control of a system, does that constitute a breach? That's the argument there. And I'll refer to David my observation on this, because he's an actual cloud expert; I just play one on Twitter.

I don't think it's a problem, because no one would be stupid enough to store data in the cloud unencrypted, or encrypted and trust the cloud service provider with the encryption keys. Nobody would be that dumb. So, right, you... dear God, please, dear God.

Okay, so it depends on your level of skill, right?

Well, I think part of the problem is that in a lot of organizations, I don't actually have a specific example of people doing this, but in a lot of organizations people get
handed access to something and they don't ask where it is. So, like, they say "oh, I need a resource," and they have not personally launched the service on Amazon or Rackspace or Google or whatever; they just have an application they're using. They have no idea where it is and they shove data into it, or they don't care.

So I was talking with the CISO of a very large UK-based pharmaceutical firm, and they discovered that their developers were doing... well, developers, researchers really, were doing high-end computational modeling of new drugs they were getting ready to put to market, on Amazon, because they put a request in and it told them "well, you'll get those computers in 6 months," or 3 months, whatever it was, and the developers were like "we have deadlines to meet; I have a credit card." So they fired up a bunch of systems, you know, ran their models, it took like 6 hours, whatever, and then shut the systems down, right? And that wasn't a violation; there was no confidential information in terms of customers or clients or patients. However, it was just their IP for undeveloped drugs that were not yet to market, which is only worth, you know, billions of dollars. So he's tearing his hair out.

Perfect example. So Amazon does not wipe your data when you decommission an instance; they only wipe it when you commission an instance. So if you decommission, your data is still sitting there on those servers. Is it a breach when someone else accesses that data? They don't know what it is; they just start accessing an instance without being... if it doesn't get wiped properly when it gets commissioned, in other words. And this is hardly... I mean, this is true for most cloud service providers: they don't wipe data volumes on decommission, only on provisioning. [inaudible] the S3 [inaudible] what could be accessed, and let's just say he was in the process of seeing what he could get. It was quite shocking. Amazon never took [inaudible] data, even
though we had full access to; we gave all the information.

Did they say why? Why?

It's because there are penalties. I also don't...

So this brings control, not possession.

Well, exactly. So this goes back to unauthorized cloud providers, and a lot of you are going to sit here, and if I ask how many of you have unauthorized cloud running in your organizations, everyone raise your hands. If your developer has a credit card you probably have unauthorized cloud, or if they have a Dropbox account, right? Well, does that constitute a breach when somebody starts running a cloud and puts data on it?

Well, here's the issue: what you lose is visibility and transparency. So the Amazon example is a perfect example. You may have already decommissioned that instance, and to you that's gone, right? That's going to be recommissioned for somebody else; data may or may not still be resident. You're probably not going to know about that, though. So the visibility to be able to detect the breach, which is just as important as anything that comes...

But when you find out your data is on a cloud provider, is that a breach?

Maybe. Maybe.

So, on a related note, if you fall under HIPAA, HIPAA 2.0, whatever you want to call it, if you have a business associate who processes data for you, and what the definition of a business associate is is a little unclear in some cases, you are required to have that business associate sign an agreement saying that they will fully comply with it and its associated requirements. At one end of the spectrum you have the processor who actually takes your healthcare information and generates pretty charts and graphs, or stores your data for you with some sort of electronic health record system; that's clearly a business associate. At the other end of the spectrum you have UPS; they're shipping your backup tapes; they are clearly not a business associate. So for the purposes of, if you're a healthcare provider, you don't have to have UPS or FedEx or the US Postal
Service sign that document. Amazon will not sign a business associate agreement with you; they flat refuse to do that, and their argument is "we are a carrier," much like when you get a circuit from AT&T or Verizon or Sprint or anyone else: they're not signing the BAA because they're just a carrier, just like UPS, just like FedEx; they have no insight into your data. And that is the argument, and plenty of organizations will agree with that interpretation, and as such, if you have healthcare-related information on Amazon that gets breached, in that situation you are solely responsible, and Amazon will say "not our problem."

Okay, but if UPS loses that box, it's a breach, right? If Amazon can't account for your data...

Right. Well, in that situation you as the healthcare provider are the one who still owns responsibility. You have no ability to assign that blame to Amazon. They sign [inaudible]. I think they have an ethical responsibility and a moral responsibility to notify them, but in terms of rules like HITECH they're just a carrier; they have no visibility into it and they have no direct relationship with the consumer or the customer in this case.

And the other thing is, the standard that we kind of use in my organization, because I just pushed for it, was: you can transfer responsibility for many different things that you do with your business; you can't transfer accountability. So at the end of the day what happens to that is going to fall on your shoulders. And to your point,
most providers are not going to sign up for anything that holds them liable for any of this, and you have to be very careful when you're talking about the ToS, because how many of you have done a data flow analysis for cloud, or are understanding which geographies the data is going to go into, right? We're striping data across multiple data centers. I'm noticing not a lot of hands are shooting up. And I think this goes back to a fundamental problem on breach detection, especially when dealing with cloud providers: most people, we do a crappy job of inventorying data, we do an even more crappy job of classifying data, and we do the worst job of actually assigning controls based on where the data is going. And most organizations just don't have a good handle on that, and it takes a while to get there, but until you do you really don't have enough visibility, and the notification conversation is almost premature.

All right, so two tough examples on that. Don't get me started on beating up Amazon, since we brought it up. Anybody from Amazon in the room? Okay, good. Any Amazon partners? But so one example is ITAR, right? The United States has a regulation that says only US citizens can touch this data at any time; any other person who's not a US citizen touching it: breach. So Amazon provided an ITAR-compliant facility in their cloud by building a dedicated data center that was completely separate; only certain people had access to it at any one time. So does that show responsibility for breaches, because they're providing a more secure service to comply with it?

Maybe. So if you want to use GovCloud, which is what you're talking about, you need to sign a really heavy-duty contract with Amazon stating that you will not allow any non-US citizen, or green-carded, because green card folks are allowed in this situation as well, to have access to those systems, or any [inaudible] to those systems that are hosted on Amazon. You are not allowed to put anything rated higher than FISMA medium, FISMA
moderate rather, on those systems, and if you do put confidential information or FISMA high or higher classified systems on there, you will bear the cost of destroying those systems and the replacement systems as well. So they are actually pushing back; Amazon's pushing that stuff back onto you as the consumer, guaranteeing that you will remain compliant with ITAR.

I think it's interesting, because I think it's less about Amazon taking responsibility for breaches, and still pushing it back on the customer, so much as just being able to sell to the company, you know, and it sounds very cynical but that's really...

Yeah, but you're also seeing the niche now. I know there's Layered Tech or something; you're getting more of these compliance hosting providers popping up. Terremark's doing that as well, where it's "we'll sign up for a subset of controls," let's say PCI, that's a good example, "we'll take responsibility for things that would traditionally be in your boat, but you're still ultimately accountable if we did something wrong."

So using the analogy of the UPS/FedEx truck, you know, one of my favorite examples is the guy who pulled up to a Starbucks, went inside for a drink, came back out, the tapes were missing. Is the carrier responsible? Is that a breach that the carrier has to take some responsibility for, like you no longer use that carrier, right, because you're stopping at Starbucks leaving the doors unlocked? Or is that really the responsibility of the person buying the service?

It's entirely their responsibility. The penalties are going to fall to the person who bought the service.

They're really going to fall to the carrier? To what... And again, this is "tapes are missing," not "tapes were used," right?

So that's going to depend on the contracts with the carrier.

That's true, what the carrier is taking responsibility for. So getting back to Amazon, just because I know them well: they are certified PCI compliant. What this means is you can potentially build an application that you can certify as PCI compliant on Amazon. You still need to be assessed and
all that, but Amazon will give you a document that says "here are the physical security controls required by," whatever, six or seven, whichever the standard subset of PCI requires, "and we manage the portions of the patch management, configuration management of the hypervisor layer," because PCI mandates that you secure the entire stack. In that situation, if you have a breach and you can establish that it was a physical security breach or a hypervisor-level issue that Amazon should have handled, you probably have an argument that Amazon has some responsibility there. What the reality is: there's not been a single breach in the history of PCI where the PCI Council has said "you were PCI compliant at the time you were assessed, at the time of your breach, and therefore you're not in trouble," right? Every single breach that's happened, the PCI Council has declared that person not PCI compliant at the time of the breach.

Well, look at Heartland, right? You know, with the Heartland breach, the big thing was the pushback initially was always "well, our auditor said we were fine; we're PCI compliant," and of course that calls into question the skill set of the auditors who are doing the assessments and the education around that. So it is funny, because even most of the organizations that do get breached say they're PCI compliant; the point is they aren't, because they got breached.

Well, wasn't the point of the breach definition that to be breached you're non-compliant?

Well, maybe. Well, yeah, because there are things that come outside of that. Like, you could have all the controls in the world and there's always going to be the exceptions to that process. Go ahead, David. Sorry.

No, I was just saying that you could... I personally believe it's possible to be compliant; being compliant does not mean you're not vulnerable, right? And the question, of course, the big argument, is: were you sufficiently meeting the letter of the law? And if so, I mean, all PCI says at the
essence is, if you are complying with all these things, then we cannot penalize you if you are breached. So it's very much in the PCI Council's best interest financially for you not to be compliant at the time of the breach.

Is it really binary, or is it a sliding scale? So the more compliant you are, the lower the fines?

Well, I'm not... who's a QSA? I wouldn't admit it either. It's okay. Yeah, but I think it depends. I think it depends on who the council is, who the QSA is and what happened. But I also think Dave brings up a great point, though: compliance doesn't mean security.

Yeah. So we go back to, you know, Jack made a comment about, you know, people are just going to do this, good faith, not good faith, right? And I'm almost exploding on this side, because it's still [inaudible]. How many of you saw the California Attorney General's report on data breaches? Okay, so 2.5 million breaches, which I think represents a little over [inaudible] percent of the population in California, were exposed in 2012. 1.5, 1.4, so about 45% of those, in the Attorney General's opinion, but it's probably true, could have been averted by just using basic security controls like encryption of data and those kinds of things.

They're not counting wires out, right?

They're not going to. But that shows the level of, you know, concern and competence and other things of some of these organizations. It's not a complicated problem to avert a data incident. We can fuzz it with DTS and all this other wonderful stuff out there, but in most cases it just comes down to practice and common sense and having good security people and good insurance officers, and a lot of organizations fall short.

The question I ask: are they not ignoring cost? Look at South Carolina. They had no... In Texas we had no idea how much that would have cost, right? So like when CA 1386 came out, we had this big meeting with our lawyers and we're discussing what
do we need to do, what changes do we need to make? And the first question I asked is: what if we don't do anything? What is the cost to us? And with CA 1386 there's no financial penalties, zero at the time, for not being compliant if there was a breach. The answer, the only potential penalty, is that there could be a class action lawsuit against us. And the fact is, before CA 1386 there could have been a class action lawsuit; all it did was give us safe harbor if things had been encrypted, and we were planning it anyway, so we did it. But one of the big questions you need to ask yourself as an organization is: what is the potential cost, what's the risk to me of not being compliant, versus the cost of maintaining compliance? And that's a question a lot of organizations say, "you know what, we're willing to pay the fine," which is why HITECH jacked up the cost of fines, because a lot of healthcare organizations were like: maximum fine 50 grand, cost of compliance $10 million, right?

Well, I had since '97 to...

Moving on to South Carolina: they just reported that they had [inaudible] sign up for the credit check at a cost of $12 million for that alone. That's okay. Now, I'm sorry, but you know how much I can do with $12 million? And that's just in credit.

I have some stock in one of those credit reporting companies, so I'm really happy right now.

Might be good. You know what's funny, though? None of the states require monitoring to be part of remediation, but it's political. [inaudible] It's the reputation; it's the irrational behavior that occurred after that.

I agree with you, but I think what my point was is it's not required at a state level, but we're so readily doing it and costing millions of dollars to the organization where we would have done
something with that money upfront to protect the organization that could have averted the entire problem. So that's the other thing about that risk/reward kind of culture, risk aversion, those kinds of things. If you don't have foresight into what it's actually going to do and how it will impact your organization, you're going to pay for it at some point in time, but then you're going to have greater impact on other consumers and your customers and your brand.

As much as this is, um, you know, we're talking about our world here, it's not just infosec that has this issue. We take our shoes off going through an airport every time because of an overreaction. You know, we're chasing symptoms. It's like you said about UCLA: it's like we fired the guy, we fired the guy, we fired the guy. Or, you know, the Army focusing on Manning; it's like, why the F did they have access? You know, my question about Snowden: yeah, we can argue politics, it's fun to argue the politics and all that nonsense, but why did Snowden have access to what he had access to? Why did Manning have access to what he had access to? Why did... you know, the fundamentals.

Well, we put Bradley in jail; we're safe.

No, wait, no. The next kid that... no.

So that's one of the toughest questions. Let me ask you: in the security industry we often see flaws and we don't think people are fixing them fast enough. Do we err on the side of trying to announce breaches, pointing to breaches? Do breaches help the security community, to the point where we maybe overemphasize them?

So here's the conundrum here: most people in security aren't going to be the ones responsible for making the call whether or not you actually announce it, you know, and it's going to be one of like 20 different factors that the organization is considering when they're making that determination. So from our perspective it would be great if we had more visibility and transparency in the breaches that happen, the root cause analysis behind those, and we learn from those, you
know, and the whole idea of sharing information on the cyber security kind of infrastructure.

When you say they don't have control, you mean they're not involved in, like, information? They have no authority to sign off, but they could leak information that would lead to a breach, and then they're going to be out of a job.

But this is the thing: it's like the leaking of whistleblowers, and most people here want to stay employed; they probably have mortgages to pay, kids to feed. And there comes that fine line of, you know, I have my personal thoughts on when we should announce breaches, but ultimately if the general counsel and the CEO say we're not going to announce it, we're not going to announce it. And so I'm going to sleep well because I presented it, but I'm also going to have my job the next day. So it's a challenging spot for us.

But are we secretly celebrating when we hear another breach report, because it makes our case stronger?

I don't think we are anymore. I think for a while, but now everybody's got fatigue. And one of the things that we don't get out of breach reports is, forgive me for the phrase, actionable intelligence, right? We're just getting simple raw numbers, and at first that was kind of cool, because it's not quite as much of a stigma to get popped; it happens to everybody.

Wow, it's depressing. It happens to everybody. Oh, look, another breach.

And even where we get information it's like, oh, SQL injection; oh, a SQL injection. We're not getting the level of detail except from, you know, vendor reports; granted, the DBIR is a lot more than a vendor report these days, but still, all this data is going out there, and it's annoying some customers because they keep getting... you know, consumers are getting too much stuff.

And, well, flip side: does it make us look bad? Does the security industry look like idiots because we have so many breaches? We don't need
help.

Yeah, so I mean, I love what you're saying, because this is something that really... like, this is my... we are just the average person. I'll bet if you ask, 50% of the people have had stuff that they wanted to report but they were not allowed to. That is a huge problem. So to derail this to a topic that's near and dear to my heart and has been around here: that frustration is part of the burnout in this industry too. The [ __ ] we know they can't say... I mean, I didn't take it. I'll talk about Texas all day long. I won't take it. I'm going to go get happy at my job, and I'm not expecting a happy decision.

But your personality disorders skew in a different direction than most personality disorders in our industry.

But look at TJX; we've had this conversation. They released coupons, realized their stock went up because of that and didn't fix anything.

So TJX, yeah, having been from Texas... I mean, from Massachusetts, having had TJX headhunters attempt to [inaudible] me repeatedly, yeah, I mean, they rolled out the lipstick and, you know, they put it on both ends of the pig, and it worked.

That's true. I mean, retail in general, when they have problems they run a sale, right? Everybody comes back. [inaudible] But it can't work for every industry.

No, I think it goes to show that people have a very short half-life with their information getting breached, especially since they realize from a credit card perspective it has almost no impact. Again, and so I feel like we're putting too much focus on the wrong thing, and we're constrained by the laws. It used to be great when we found out there's a data breach, because it allowed us to get resources. Now, you know, our executives have already heard this; we've all had data breaches, so it doesn't really help. If anything, it leads to us focusing on protecting the wrong kind of data, in my opinion.

No, actually, a couple of things that
I found really interesting: one is that in the retail space, the organization needs to suffer three breaches before they have significant turnover. So actually, despite the publicity, when I'm working with a client that's in the retail industry I encourage them to report, because people are like, "okay, they're human, that happens, surely they fixed the problem," and then they go back, until the third time. The other interesting thing is... yeah, pretty much. The other cool thing is that when you start talking to folks like [inaudible], or whatever they rebranded themselves as, these credit monitoring folks who help, one of the things they found is the larger the breach of, like, credit card information, the less likely it is that your information is going to be used. So I don't really worry about those big breaches where they say 500,000 or 2 million credit cards were stolen, whatever it happens to be. Yeah, it just doesn't matter. If it's six cards stolen, all of them are used within minutes, right? That's what we have to worry about.

The other thing is, like HITECH, you said 500, right, is the breach watermark; I think that's 500 records. But the other thing is that I think anything less than 500 is probably a targeted attack on a person.

One [inaudible] is that the value of a stolen credit card on the black market used to be hundreds of dollars and now it's like a buck, 98 cents, something like that. It's really, really low. And so if anything, all these breaches have been really good, because the black market view, by people who are going to use these maliciously at any sort of scale, is they're not worth anything, right?

You're not suggesting we should look at the economic impacts and ramifications of the decisions we make?

I don't think we want to go there.

Last, I think this is going to be insightful or inciting: so we keep talking about how we're going to keep band-aiding all the problems that are out
there. What about fixing all the underlying issues? I mean, like, hey, let's go all the way down.

There's good money to be made in selling [inaudible].

Say that's fine, right there, but then there's the whole psychological stuff that goes on top of that. From, you know, you've got a network and "oh, it's my secure internal network," and then your sysadmins act a certain way because it's the internal network, it's not in the DMZ or out in the public side, and then you have people that are writing code that goes on top of those servers and they're going "no, that's a secure internal network, so I don't have to worry about this stuff." And so you have all these layers of this extra psychology that's going on top of it that, if you maybe eliminate some of those... really, really low. "But the database is encrypted."

Like my Nagios... not mine personally, but whoever had the idea that my Nagios server didn't need HTTPS to log into the web interface because it's on the intranet, and then came to a security con, and has credentials on the other side of that firewall right there on the [inaudible] box, because they VPN, or they didn't VPN, they opened it to the internet, probably: "hey, just so I can do a little admin while I'm going," right?

One comment to build on that, because I just recently had an argument with a developer. It happens, and unfortunately I've got enough technical knowledge to make myself dangerous. But, you know, the comment was, "I'm working on an on-premise application, so if I'm going to deploy this application I'm not worried about security, because that's the customer's responsibility, because it's going to be inside their firewalls, not on the internet." We had a long talk after that. And I still think it goes down to: the best way to prevent breaches in most organizations, and getting back to what data you focus on, is awareness and education and training, and understanding, you know, a security architecture that makes sense and resonates. It's not just the perimeter and all these other things;
you know, there's at least six logical layers in a [inaudible] model. Get people to start thinking about that and building it out. We just don't do enough of that, so we have people that continue creating problems for the organization and they just don't know.

Is it awareness or is it a stick? So in a lot of organizations you're told it's against the rules to leave your laptop unattended and logged in, or leave it in your car. I know people who work in organizations where they're clearly told "if you do that you're terminated," and those types of incidents rarely occur in those types of organizations.

It's the [inaudible] awareness of the... exactly.

Really a question to add on. Somebody who often plays a developer role: I always think of it like, we're already compromised; how do I lose the least?

Well, so that's a point. The last point I want to make here is, a lot of this is getting back to root causes. If any of you mug me in the chill-out room later, you will not be able to take $2,000 in cash from me, because I am not carrying $2,000 in cash.

5,000.

Uh, that's unfortunate. Four nights in a row.

Yeah, it's in my socks. Four nights at Frankie's, I'm, you know, dwindling on the cash thing. But, well, as a continuation, we can't lose what we don't have, so we score.

But to the point, the question is: if we define everything as breached, we're always breached. What is the definition of a breach? There's nothing... the perimeter is alive.

All right, so we're out of time. Thank you, everybody. Thank you.

[Applause]