CHAPTER 25

Data Security and Privacy Practices

In this chapter, you will

•  Study data security practices

•  Explore privacy practices

Data security and privacy practices are interrelated because of the basic premise that to have privacy, you must have security. Privacy is defined as the control you exert over your data, and security is a key element of control. Data privacy in an organization is the prevention of unauthorized use of data held by the organization. One method of ensuring privacy is the destruction of data after it is no longer needed. Elements that enable data privacy efforts include properly labeling and handling sensitive data, assigning responsibility for protecting data, and securely storing retained data, all of which are covered in this chapter.

Certification Objective   This chapter covers CompTIA Security+ exam objective 5.8, Given a scenario, carry out data security and privacy practices.

This objective is a good candidate for performance-based questions, which means you should expect questions in which you must apply your knowledge of the topic to a scenario. The best answer to a question will depend upon specific details in the scenario preceding the question, not just the question. The questions may also involve tasks other than just picking the best answer from a list. Instead, you may be instructed to order things on a diagram, put options in rank order, match two columns of items, or perform a similar task.

Data Destruction and Media Sanitization

When data is no longer being used, whether it be on old printouts, old systems being discarded, or broken equipment, it is important to destroy the data before losing physical control over the media it is on. Many criminals have learned the value of dumpster diving to discover information that can be used in identity theft, social engineering, and other malicious activities. An organization must concern itself not only with paper trash, but also the information stored on discarded objects such as computers. Several government organizations have been embarrassed when old computers sold to salvagers proved to contain sensitive documents on their hard drives. It is critical for every organization to have a strong disposal and destruction policy and related procedures. This section covers data destruction and media sanitization methods.

Burning

Burning is considered one of the gold-standard methods of data destruction. Once the storage media is rendered into a form that can be destroyed by fire, the chemical processes of fire are irreversible and render the data lost forever. The typical method is to shred the material, even plastic disks and hard drives (including SSDs), and then put the shred in an incinerator and oxidize the material back to base chemical forms. When the material is completely combusted, the information that was on it is gone.

Shredding

Shredding is the physical destruction by tearing an item into many small pieces, which can then be mixed, making reassembly difficult if not impossible. Important papers should be shredded, and important in this case means anything that might be useful to a potential intruder or dumpster diver. It is amazing what intruders can do with what appear to be innocent pieces of information. Shredders come in all sizes, from little desktop models that can handle a few pages at a time, or a single CD/DVD, to industrial versions that can handle even phone books and multiple discs at the same time. The ultimate in industrial shredders can even shred hard disk drives, metal case and all. Many document destruction companies have larger shredders on trucks that they bring to their clients' locations to do on-site shredding on a regular schedule.

Pulping

Pulping is a process by which paper fibers are suspended in a liquid and recombined into new paper. If you have data records on paper, and you shred the paper, the pulping process removes the ink by bleaching, and recombines all the shred into new paper, completely destroying the physical layout of the old paper.

Pulverizing

Pulverizing is a physical process of destruction using excessive physical force to break an item into unusable pieces. Pulverizers are used on items like hard disk drives, destroying the platters in a manner that they cannot be reconstructed. A more modern method of pulverizing the data itself is the use of encryption. The data on the drive is encrypted and the key itself is destroyed. This renders the data non-recoverable, to a degree determined by the encryption strength. This method has a unique advantage of scale: a small business can pulverize its own data this way, whereas it would otherwise need expensive equipment or a third party to pulverize the few disks it must destroy each year.
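The key-destruction form of pulverizing described above, as an added example that is not from the book: each record is encrypted under its own key held in a separate key store, and "shredding" a record means deleting only its key, after which the ciphertext is still present but no longer decrypts. The HMAC-SHA256 counter-mode keystream is a dependency-free stand-in for a vetted cipher such as AES-GCM and the class and method names are assumptions of this example.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Derive a keystream by running HMAC-SHA256 as a PRF in counter mode.

    Illustration only: a production system would use a vetted AEAD such as
    AES-GCM; this construction keeps the example free of third-party packages.
    """
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


class CryptoShredStore:
    """Per-record encryption with a separate key store (hypothetical design).

    Destroying a record's key is the 'pulverize' step: the ciphertext may still
    sit on disk, in a backup, or on a retired drive, but it no longer decrypts.
    """

    def __init__(self) -> None:
        self.keys: dict[str, bytes] = {}                    # small, easy to destroy
        self.records: dict[str, tuple[bytes, bytes]] = {}   # id -> (nonce, ciphertext)

    def put(self, record_id: str, plaintext: bytes) -> None:
        key = secrets.token_bytes(32)
        nonce = secrets.token_bytes(16)
        ciphertext = _xor(plaintext, _keystream(key, nonce, len(plaintext)))
        self.keys[record_id] = key
        self.records[record_id] = (nonce, ciphertext)

    def get(self, record_id: str) -> bytes:
        nonce, ciphertext = self.records[record_id]
        key = self.keys[record_id]          # raises KeyError once the key is shredded
        return _xor(ciphertext, _keystream(key, nonce, len(ciphertext)))

    def shred(self, record_id: str) -> None:
        """Cryptographic erasure: remove the key, leave the ciphertext untouched."""
        del self.keys[record_id]

    def is_recoverable(self, record_id: str) -> bool:
        return record_id in self.keys and record_id in self.records
```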

Degaussing

A safer method for destroying files on magnetic storage devices (i.e., magnetic tape and hard drives) is to destroy the data magnetically, using a strong magnetic field to degauss the media. Degaussing realigns the magnetic particles, removing the organized structure that represented the data. This effectively destroys all data on the media. Several commercial degaussers are available for this purpose.

Purging

Data purging is a term that is commonly used to describe methods that permanently erase and remove data from a storage space. The key phrase is “remove data,” for unlike deletion, which just destroys the data, purging is designed to open up the storage space for reuse. A circular buffer is a great example of an automatic purge mechanism. It stores a given number of data elements and then the space is reused. Once a circular buffer that holds 64 MB is full, each new element added to the buffer overwrites the oldest material.

Wiping

Wiping data is the process of rewriting the storage media with a series of patterns of 1’s and 0’s. This is not done once, but is done multiple times to ensure that every trace of the original data has been eliminated. There are data-wiping protocols for various security levels of data, with 3, 7, or even 35 passes. Of particular note are solid-state drives, as these devices use a different storage methodology and require special utilities to ensure that all the sectors are wiped.

Data wiping is non-destructive to the media, unlike pulping and shredding, and this makes it ideal for another purpose. Media sanitization is the clearing of previous data off a media device before the device is reused. Wiping can be used to sanitize a storage device, making it clean before use. This is important for removing old trace data that would otherwise show up later in free and unused space.
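The multi-pass overwrite described above, as an added example that is not from the book: a file is overwritten in place with a pattern of 1's, then 0's, then random bytes (the three-pass schedule; longer schedules just extend the list), each pass is flushed to the device, and a verification read confirms that distinctive fragments of the original data are gone. The function names, the constructed sample content and the pattern list are assumptions of this example; as the text notes, on SSDs this logical overwrite does not guarantee the old cells are erased.

```python
from __future__ import annotations

import os
import tempfile

# One entry per pass: a single byte repeated across the file, or None for random data.
THREE_PASS = [b"\xff", b"\x00", None]


def wipe_file(path: str, patterns: list[bytes | None] = THREE_PASS) -> int:
    """Overwrite a file in place, pass by pass, forcing each pass to the media.

    Returns the number of passes performed. Caveat: an SSD's controller may map
    each write to a fresh physical block, so overwriting the logical file does
    not guarantee the old cells are erased; use the drive's own sanitize or
    secure-erase command for flash media.
    """
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for pattern in patterns:
            f.seek(0)
            remaining = size
            while remaining > 0:
                chunk = min(remaining, 1 << 16)
                block = os.urandom(chunk) if pattern is None else pattern * chunk
                f.write(block)
                remaining -= chunk
            f.flush()
            os.fsync(f.fileno())   # push the pass to the device, not just the page cache
    return len(patterns)


def verify_wiped(path: str, original_samples: list[bytes]) -> bool:
    """Check that none of the given distinctive byte strings survive in the file."""
    with open(path, "rb") as f:
        contents = f.read()
    return not any(sample in contents for sample in original_samples)


def demo() -> bool:
    """Constructed example: write a 'sensitive' file, wipe it, and verify."""
    secret = b"ACCOUNT 4111-1111-1111-1111 SSN 123-45-6789\n" * 200  # constructed, not real
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as f:
        f.write(secret)
    try:
        passes = wipe_file(path)
        clean = verify_wiped(path, [b"4111-1111", b"123-45-6789"])
        # The file keeps its size; only its contents are replaced.
        return passes == 3 and clean and os.path.getsize(path) == len(secret)
    finally:
        os.remove(path)
```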

EXAM TIP    This section covers several methods of data/media destruction, a couple of which are used together. Learn the details of each method and look for nonsense answer choices that narrow down the possible correct answers, such as options that refer to pulping non-paper items or degaussing non-magnetic media.

Data Sensitivity Labeling and Handling

Effective data classification programs include measures to ensure data sensitivity labeling and handling so that personnel know whether data is sensitive and understand the levels of protection required. When the data is inside an information-processing system, the protections should be designed into the system. But when the data leaves this cocoon of protection, whether by printing, downloading, or copying, it becomes necessary to ensure continued protection by other means. This is where data sensitivity labeling assists users in fulfilling their responsibilities. Training to ensure that labeling occurs and that it is used and followed is important for users whose roles can be impacted by this material.

Training plays an important role in ensuring proper data handling and disposal. Personnel are intimately involved in several specific tasks associated with data handling and data destruction/disposal and, if properly trained, can act as a security control. Untrained or inadequately trained personnel will not be a productive security control and, in fact, can be a source of potential compromise.

A key component of IT security is the protection of the information processed and stored on the computer systems and network. Organizations deal with many different types of information, and they need to recognize that not all information is of equal importance or sensitivity. This requires classification of information into various categories, each with its own requirements for its handling. Factors that affect the classification of specific information include its value to the organization (what will be the impact to the organization if it loses this information?), its age, and laws or regulations that govern its protection. The most widely known system of classification of information is that implemented by the U.S. government (including the military), which classifies information into categories such as Confidential, Secret, and Top Secret. Businesses have similar desires to protect information and often use categories such as Confidential, Private, Public, Proprietary, PII, and PHI. Each policy for the classification of information should describe how it should be protected, who may have access to it, who has the authority to release it and how, and how it should be destroyed. All employees of the organization should be trained in the procedures for handling the information that they are authorized to access.

Confidential

Data is labeled Confidential if its disclosure to an unauthorized party would potentially cause serious harm to the organization. This data should be defined by policy, and that policy should include details regarding who has the authority to release the data. Common examples of confidential data include trade secrets, proprietary software code, new product designs, etc., as the release of these could result in significant loss to the firm.

Private

Data is labeled Private if its disclosure to an unauthorized party would potentially cause harm or disruption to the organization. Passwords could be considered private. The term private data is usually associated with personal data belonging to a person and less often with corporate entities. The level of damage typically associated with private data is lower than confidential, but still significant to the organization.

Public

Public data is data that can be seen by the public and has no needed protections with respect to confidentiality. It is important to protect the integrity of public data, lest one communicate incorrect data as being true. Public-facing web pages, press releases, corporate statements—these are examples of public data that still needs protection, but specifically with respect to integrity.

Proprietary

Proprietary data is data that is restricted to a company because of potential competitive use. If a company has data that could be used by a competitor for any particular reason, say internal costs and pricing data, then it needs to be labeled and handled in a manner to protect it from release to competitors. Proprietary data may be shared with a third party that is not a competitor, but in labeling the data Proprietary, you alert the party you have shared with that the data is not to be shared further.

EXAM TIP    Learn the differences between the data sensitivity labels so you can compare and contrast the terms confidential, private, public, and proprietary. The differences are subtle, but will be important to determine the correct answer.

PII

When information is about a person, failure to protect it can have specific consequences. Business secrets are protected through trade secret laws, government information is protected through laws concerning national security, and privacy laws protect information associated with people. A set of elements that can lead to the specific identity of a person is referred to as personally identifiable information (PII). By definition, PII can be used to identify a specific individual, even if an entire set is not disclosed.

CAUTION    As little information as the ZIP code, gender, and date of birth can resolve to a single person.
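A check for the re-identification risk in the caution above, as an added example that is not from the book: it counts how many records share the same ZIP code, gender and date of birth (the quasi-identifier), reports the rows that resolve to a single person, and shows how generalizing the fields (truncating the ZIP, keeping only the birth year) raises the smallest group size. The dataset is constructed and the function names are assumptions of this example.

```python
from collections import Counter

# Constructed sample rows: (zip, gender, date_of_birth, diagnosis).
# The last column is the sensitive value a re-identification would expose.
RECORDS = [
    ("02138", "F", "1965-07-22", "hypertension"),
    ("02139", "F", "1965-03-04", "asthma"),
    ("02139", "F", "1970-01-05", "diabetes"),
    ("02139", "F", "1970-01-05", "flu"),
    ("02141", "M", "1982-11-30", "flu"),
    ("02144", "M", "1982-02-14", "asthma"),
]


def quasi_id(row, zip_digits=5, dob_fields=3):
    """Quasi-identifier (ZIP, gender, DOB), optionally generalized by keeping
    fewer ZIP digits and a coarser DOB (3 fields = full date, 1 = year only)."""
    zip_code, gender, dob, _sensitive = row
    return (zip_code[:zip_digits], gender, "-".join(dob.split("-")[:dob_fields]))


def group_sizes(records, **generalization):
    """How many records share each quasi-identifier value."""
    return Counter(quasi_id(r, **generalization) for r in records)


def k_anonymity(records, **generalization) -> int:
    """The dataset's k: the size of its smallest quasi-identifier group.
    k == 1 means at least one row is unique on ZIP, gender and DOB alone."""
    return min(group_sizes(records, **generalization).values())


def singletons(records, **generalization):
    """Rows whose ZIP/gender/DOB combination occurs once; each resolves to one person."""
    sizes = group_sizes(records, **generalization)
    return [r for r in records if sizes[quasi_id(r, **generalization)] == 1]
```

With full ZIP and full date of birth four of the six rows are unique; with three ZIP digits and birth year only, every row shares its quasi-identifier with at least one other.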

PII is an essential element of many online transactions, but it can also be misused if disclosed to unauthorized parties. For this reason, it should be protected at all times, by all parties that possess it. And when PII is no longer needed, it should be destroyed in accordance with the firm’s data destruction policy in a complete, nonreversible manner.

PHI

The Health Insurance Portability and Accountability Act (HIPAA) regulations define Protected Health Information (PHI) as “any information, whether oral or recorded in any form or medium” that

“[i]s created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse”; and

“[r]elates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual.”

HIPAA’s language is built upon the concepts of PHI and Notice of Privacy Practices (NPP). HIPAA describes “covered entities” including medical facilities, billing facilities, and insurance (third-party payer) facilities. Patients are to have access to their PHI, and an expectation of appropriate privacy and security associated with medical records. HIPAA mandates a series of administrative, technical, and physical security safeguards for information, including elements such as staff training and awareness, and specific levels of safeguards for PHI when in use, stored, or in transit between facilities.

EXAM TIP    Know the difference between PII and PHI, and don’t jump to the wrong one on the exam.

Data Roles

Multiple personnel in an organization are associated with the control and administration of data. These data roles include data owners, stewards, custodians, and users. Each of these roles has responsibilities in the protection and control of the data. The leadership of this effort is under the auspices of the privacy officer.

Owner

All data elements in an organization should have defined requirements for security, privacy, retention, and other business functions. It is the responsibility of the designated data owner to define these requirements.

Steward/Custodian

A data custodian or data steward is the role responsible for the day-to-day caretaking of data. The data owner sets the relevant policies, and the steward or custodian ensures they are followed.

Privacy Officer

The privacy officer is the C-level executive who is responsible for establishing and enforcing data privacy policy and addressing legal and compliance issues. Data minimization initiatives are also the responsibility of the privacy officer. Storing data that does not have any real business value only increases the odds of disclosure. The privacy officer is responsible for determining the gap between a company’s privacy practices and the required actions to close the gap to an approved level. This is called a privacy impact analysis and is covered in Chapter 22.

The privacy officer also plays an important role if information on European customers is involved, for the EU has strict data protection (privacy) rules. The privacy officer who is accountable for the protection of consumer data from the EU must ensure compliance with EU regulations.

Data Retention

Data retention is the storage of data records. One of the first steps in understanding data retention in an organization is the determination of what records require storage and for how long. Among the many reasons for retaining data, some of the most common are for purposes of billing and accounting, contractual obligation, warranty history, and compliance with local, state, and national government regulations, such as IRS rules. Maintaining data stores for longer than is required is a source of risk, as is not storing the information long enough. Some information is subject to regulations requiring lengthy data retention, such as PHI for workers who have been exposed to specific hazards. Some data elements, such as the CVC/CV2 element in a credit card transaction, are never stored. They are used and destroyed to prevent loss after the transaction is concluded.

Failure to maintain the data in a secure state can also be a retention issue, as is not retaining it. In some cases, destruction of data, specifically data subject to legal hold in a legal matter, can result in adverse court findings and sanctions. Even if the data destruction is unintentional or inadvertent, it is still subject to sanction, as the firm had a responsibility to protect it. Legal hold, discussed in depth in Chapter 24, can add significant complexity to data retention efforts, as it forces an almost separate store of the data until the legal issues are resolved. Once data is on the legal hold track, its retention clock does not expire until the hold is lifted. This makes identifying, labeling, and maintaining data subject to a legal hold an added dimension to normal storage considerations.
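A retention sweep that applies the rules from the two paragraphs above, as an added example that is not from the book: each record class has a retention period, a record on legal hold has no expiry until the hold is lifted, and card verification values (CVC/CV2) are refused at storage time rather than purged later. The retention periods, record classes and class names are constructed assumptions of this example, not values from any regulation.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta

# Constructed retention policy: days to keep each record class.
RETENTION_DAYS = {
    "invoice": 7 * 365,        # billing and accounting records
    "warranty": 3 * 365,       # warranty history
    "phi_exposure": 30 * 365,  # long-retention class for hazard-exposure PHI
}
# Elements that are used during a transaction and must never be stored.
NEVER_STORE = {"cvc", "cv2"}


@dataclass
class Record:
    record_id: str
    record_class: str
    created: date
    legal_hold: bool = False
    fields: dict = field(default_factory=dict)


class RetentionStore:
    """Hypothetical record store that enforces retention and legal hold."""

    def __init__(self) -> None:
        self.records: dict[str, Record] = {}
        self.destroyed: list[str] = []   # audit trail of destroyed record ids

    def store(self, rec: Record) -> None:
        # Refuse never-retain elements before anything reaches storage.
        forbidden = NEVER_STORE & set(rec.fields)
        if forbidden:
            raise ValueError(f"refusing to store never-retain elements: {sorted(forbidden)}")
        self.records[rec.record_id] = rec

    def expiry(self, rec: Record) -> date | None:
        """Date after which the record may be destroyed; None while on legal hold."""
        if rec.legal_hold:
            return None   # the retention clock does not run until the hold is lifted
        return rec.created + timedelta(days=RETENTION_DAYS[rec.record_class])

    def set_legal_hold(self, record_id: str, on_hold: bool) -> None:
        self.records[record_id].legal_hold = on_hold

    def sweep(self, today: date) -> list[str]:
        """Destroy every record whose retention has expired and that is not on hold."""
        expired = [rid for rid, rec in self.records.items()
                   if (exp := self.expiry(rec)) is not None and exp <= today]
        for rid in expired:
            del self.records[rid]
            self.destroyed.append(rid)
        return expired
```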

Legal and Compliance

Many data security and privacy practices are guided by legal requirements and regulatory compliance. Different sectors have differing requirements concerning the use of personal information. The most heavily regulated sectors are medical, finance, and banking. The Health Insurance Portability and Accountability Act (HIPAA), as amended by the HITECH Act, covers PHI and PII associated with medical records. HIPAA has provisions for safeguarding the information in any form, electronic or paper. Administrative, technical, and physical controls are mandated by HIPAA, including workforce training and awareness, encryption of data transfers, and physical barriers to records (locked storage rooms).

In banking, the Fair Credit Reporting Act and its Disposal Rule cover consumer information and its disposal with respect to credit. The Disposal Rule requires businesses and individuals to take appropriate measures to dispose of sensitive information derived from consumer reports. Any business or individual who uses a consumer report for a business purpose is subject to the requirements of the Disposal Rule.

The Federal Trade Commission issues regulations and findings with respect to data privacy. The FTC’s Disposal Rule applies to consumer reporting agencies as well as to any individuals and businesses that use consumer reports, such as lenders, insurers, employers, and landlords. The FTC has adopted a set of red flag rules that are invoked to assist entities in determining when extra precautions must be taken concerning PII records. The following are some examples of red flags that should prompt an organization to initiate additional, specific data handling steps to protect data:

•  Change of address request. This is a common tool for identity thieves, and as such, firms should provide protection steps to verify change of address requests.

•  Sudden use of an account that has been inactive for a long time, or radical changes in use of any account.

•  A suspicious address or phone number. Many fraudulent addresses and numbers are known, and repeated applications should be quickly noted and stopped.

•  Request for credit on a consumer account that has a credit freeze on a credit reporting record.

Whenever a red flag issue occurs, the business must have special procedures in place to ensure that the event is not fraudulent. Calling the customer and verifying information before taking action is one example of this type of additional action.

In the finance sector, the Gramm-Leach-Bliley Act and its Safeguards Rule and Privacy of Consumer Financial Information Rule require significant protections. The Safeguards Rule requires institutions to have measures in place to keep customer information secure, including taking steps to ensure that their affiliates and service providers also safeguard customer information in their care. The Financial Privacy Rule prohibits the sharing of information with third parties unless a bona fide business relationship and reason for the sharing exists.

Some other interesting information privacy laws include the U.S. Privacy Act of 1974 and the Freedom of Information Act of 1996. The Privacy Act of 1974 was an omnibus act designed to affect the entire federal information landscape. This act has many provisions that apply across the entire federal government, with only minor exceptions for national security (classified information), law enforcement, and investigative provisions. This act has been amended numerous times, and you can find current, detailed information at the Electronic Privacy Information Center (EPIC) website, http://epic.org/privacy/laws/privacy_act.html.

The Freedom of Information Act is one of the most widely used privacy acts in the United States, so much so that its acronym, FOIA (pronounced “foya”), has reached common use. FOIA was designed to enable public access to U.S. government records (federal government records only), and “public” includes the press, which purportedly acts on the public behalf and widely uses FOIA to obtain information. FOIA carries a presumption of disclosure; the burden is on the government, not the requesting party, to substantiate why information cannot be released. Upon receiving a written request, agencies of the U.S. government are required to disclose those records, unless they can be lawfully withheld from disclosure under one of nine specific exemptions in FOIA. The right of access is ultimately enforceable through the federal court system.

When things go wrong and data disclosures occur, a myriad of state regulations take center stage. There is not a single national data disclosure law in the United States, and the current list of U.S. states and territories that require disclosure notices is up to 48, with only Alabama, Mississippi, New Mexico, and South Dakota without bills. Each of these disclosure notice laws is different, making the case for a unifying federal statute compelling, but currently it is low on the priority lists of most politicians. California Senate Bill 1386 (SB 1386) was a landmark law concerning information disclosures. It mandates that Californians be notified whenever PII is lost or disclosed. Since the passage of SB 1386, numerous other states have modeled legislation on this bill, and although national legislation has been blocked by political procedural moves, it will eventually be passed.

Privacy is not a U.S.-centric phenomenon, but it does have strong cultural biases. Legal protections for privacy tend to follow the socio-cultural norms by geography; hence, there are different policies in European nations than in the United States. In the United States, the primary path to privacy is via opt-out, whereas in Europe and other countries, it is via opt-in. What this means is that the fundamental nature of control shifts. In the United States, a consumer must notify a firm that they wish to block the sharing of personal information; otherwise, the firm has permission by default. In the EU, sharing is blocked unless the customer specifically opts in to allow it. The Far East has significantly different cultural norms with respect to individualism versus collectivism, and this is reflected in its privacy laws as well. Even in countries with common borders, distinct differences exist, such as the United States and Canada; Canadian laws and customs have strong roots in their UK history, and in many cases follow European ideals as opposed to U.S. ones. One of the primary sources of intellectual and political thought on privacy has been the Organisation for Economic Co-operation and Development (OECD). This multinational entity has for decades conducted multilateral discussions and policy formation on a wide range of topics, including privacy.

Chapter Review

In this chapter, you became acquainted with the issues surrounding data security and privacy practices. The chapter opened with methods of data destruction and media sanitization. These methods include burning, shredding, pulping, pulverizing, degaussing, purging, and wiping. Data sensitivity labeling and handling practices were addressed next. The chapter then examined the corporate personnel who are involved in data privacy, the data owner, data steward/custodian, and the privacy officer. The chapter concluded with an examination of data retention and legal and compliance issues.

Questions

To help you prepare further for the CompTIA Security+ exam, and to test your level of preparedness, answer the following questions and then check your answers against the list of correct answers at the end of the chapter.

1. The Freedom of Information Act applies to which of the following?

A. All federal government documents, without restrictions

B. All levels of government documents (federal, state, and local)

C. Federal government documents, with a few enumerated restrictions

D. Only federal documents containing information concerning the requester

2. HIPAA requires which of the following controls for medical records?

A. Encryption of all data

B. Technical controls only

C. Physical controls only

D. Administrative, technical, and physical controls

3. Which of the following is not PII?

A. Customer name

B. Customer ID number

C. Customer Social Security number or taxpayer identification number

D. Customer birth date

4. A privacy impact assessment:

A. Determines the gap between a company’s privacy practices and required actions

B. Determines the damage caused by a breach of privacy

C. Determines what companies hold information on a specific person

D. Is a corporate procedure to safeguard PII

5. Which of the following is an acceptable PII disposal procedure?

A. Shredding

B. Burning

C. Electronic destruction per military data destruction standards

D. All of the above

6. In the United States, company responses to data disclosures of PII are regulated by:

A. Federal law, the Privacy Act

B. A series of state statutes

C. Contractual agreements with banks and credit card processors

D. The Gramm-Leach-Bliley Act (GLBA)

7. The U.S. Privacy Act of 1974 applies to which of the following?

A. Corporate records for U.S.-based companies

B. Records from any company doing business in the United States

C. Federal records containing PII

D. All levels of government records containing PII

8. Data privacy as applicable to organizations is defined as:

A. The control the organization exerts over its data

B. The organization being able to keep its information secret

C. Making data-sharing illegal without consumer consent

D. No longer important in the Internet age

9. All but which of the following are items associated with privacy of health records?

A. Protected Health Information

B. Personal Health Information

C. Notice of Privacy Practices

D. HITECH Act extension of HIPAA

10. The FTC Disposal Rule applies to which of the following?

A. Small businesses using consumer reporting information

B. Debt collectors

C. Individuals using consumer reporting information

D. All of the above

11. Who is responsible for determining what data is needed by the enterprise?

A. Data owner

B. Privacy officer

C. Data custodian

D. Data steward

12. Data that is labeled “Private” typically pertains to what category?

A. Proprietary data

B. Confidential information

C. Legal data

D. Personal information

13. Data that is labeled “Proprietary” typically pertains to what category?

A. Information under legal hold

B. Information to be safeguarded by business partners because it contains business secrets

C. Personal data

D. PHI and PII together

14. What is the best method to destroy sensitive data on DVDs at a desktop?

A. Shredding

B. Burning

C. Wiping

D. Pulping

15. Information that could disclose the identity of a customer is referred to as?

A. Customer identity information (CII)

B. Personally identifiable information (PII)

C. Privacy protected information (PPI)

D. Sensitive customer information (SCI)

Answers

1. C. Nine groups of documents are exempt from FOIA requests.

2. D. Administrative, technical, and physical controls are mandated by HIPAA, including workforce training and awareness, encryption of data transfers, and physical barriers to records (locked storage rooms).

3. B. A customer ID number generated by a firm to track customer records is meaningful only inside the firm and is generally not considered to be personally identifiable information (PII). It is important not to use the SSN for the customer ID number, for obvious reasons.

4. A. A PIA determines the gap between what a company is doing with PII and what its policies, rules, and regulations state it should be doing.

5. D. Although using electronic destruction per military data destruction standards might seem excessive (and in many cases it is), all of the options comply with FTC-mandated disposal procedures for PII.

6. B. No overarching federal disclosure statute exists, so company responses to data disclosures of PII are regulated by individual statutes in most states and territories.

7. C. The Privacy Act is a federal law, affecting federal records only.

8. A. The control the organization exerts over its data is the definition of data privacy in an enterprise.

9. B. The correct term per HIPAA is Protected Health Information.

10. D. All are listed by FTC as responsible for following the Disposal Rule.

11. A. The data owner determines the business need. The privacy officer ensures that laws and regulations are followed, and the custodian/steward maintains the data.

12. D. Private data frequently refers to personal data.

13. B. Proprietary data may be shared with a third party that is not a competitor, but in labeling the data Proprietary, you alert the party you have shared with that the data is not to be shared further.

14. A. A desktop shredder can destroy DVDs and CDs. Burning is not wise at a desk. Wiping and pulping don’t work on DVDs.

15. B. Any information that can be used to determine identity is referred to collectively as personally identifiable information (PII).