"The book was written to help attorneys and policy-makers understand the complexities and root causes of data breaches," Thomson says, "as well as to demystify encryption and provide practical solutions that can be used to future prevent data breaches."
The 19-chapter handbook examines information security; the aftermath of data breaches; potential liability and damages; the law and its implications; encryption technology; and methods of resolving and addressing a breach. The book also examines some of the financial and healthcare industries' major data breach incidents, including the Heartland Payments System breach, from a variety of legal and technology perspectives.
"We chose those breaches because each one of those organizations had encrypted records," Thomson says. "But at the point where the hackers intercepted the records, they were not encrypted. ... The lesson there is that the security solution must be implemented correctly and encryption must be end-to-end, so that all the records are encrypted and there are no vulnerable points in the system."
The book also reviews state and international data breach laws, as well as the HITECH Act breach notification rule for healthcare.
During this interview [transcript below], Thomson discusses:
- Security challenges;
- End-to-end encryption of sensitive data; and
- Comprehensive security.
Lucy L. Thomson, J.D., M.S., CIPP/G, focuses her practice at the intersection of law and technology. As a senior principal engineer, information security, and privacy advocate at CSC, a global technology company, she has addressed a wide range of legal, technical and policy issues in major IT and information-sharing programs. She works on teams building modernized information systems for very large organizations and has developed strategies to safeguard sensitive information at the nation's ports, as well as for the government's key financial systems.
Thomson is vice chair of the ABA Section of Science & Technology Law and is a member of its Section Council and serves in the ABA House of Delegates. She founded and co-chairs the e-Discovery and Digital Evidence Committee. Thomson was the editor of the Symposium on Homeland Security in Jurimetrics: The Journal of Law Science and Technology (2007) and is the author of Critical Issues in Identity Management --Challenges for Homeland Security and Cybercrime Across Borders. She organized and moderated a panel on the state and federal data breach laws at the RSA Conference 2010.
She holds a master's degree from Rensselaer Polytechnic Institute and a juris doctorate from the Georgetown University Law Center.
TRACY KITTEN: What challenges are current cyber security risks posing for economy stability and national security? I'm here today with Lucy Thomson, author of the American Bar Association's Data Breach and Encryption Handbook.
Lucy, the Data Breach and Encryption Handbook published by the American Bar Association's Section of Science and Technology Law closely examines the state of cybersecurity in the U.S. and the world. Can you provide our audience with some highlights from the handbook and tell us a bit about how information for the handbook was collected?
Risks of Data BreachesLUCY THOMSON: The Data Breach and Encryption Handbook was a two-year project that the Science and Technology Law section worked on, and we looked at data breaches from a wide variety of perspectives. What we were trying to accomplish was to create a level playing field for policymakers, lawyers and technology experts to understand the risks posed by data breaches, and also understand that there are many practical solutions available to prevent data breaches. We certainly looked closely at the harm that data breaches are doing and see that they are really a manifestation of the larger problem of cybersecurity. We also paid careful attention to the large amounts of sensitive individual and corporate information that are being comprised in data breaches and leading to the risk of identity theft and fraud for millions and millions of people. So, there are certainly a lot of issues and problems there to address.
We looked at information from as many sources as we could find. We looked at reports on national security and cybersecurity risks from every place, from the White House to the Carnegie Mellon Response Center. We looked at the SANS Institute, Verizon. We looked at all the individual records of data breach incidents that have been reported as a result of the data breach statutes, and we looked at cases brought by the enforcement agencies, such as the Justice Department and the Federal Trade Commission. And, finally, we looked at a variety of technical reports and analysis by organizations such as the National Institute of Standards and Technology.
KITTEN: And can you tell us, Lucy, what and how many industries did the Bar Association review or poll for the handbook, and how many experts provided input for the handbook's development?
THOMSON: There were 15 authors who contributed to the book and those authors are among the nation's leading lawyers and technology experts, all of whom specialize in information security and privacy. We looked at all the industry sectors that have reported data breaches. So, chapter 2 of the book provides a detailed analysis of the data breach trends, and we found that the business retail sector had the largest number of breaches, because of the amount of records that some of the companies kept. Next was government, with some huge cyberbreaches, followed by educational institutions and universities. Finally, the financial sector was next. Overall, the healthcare sector had a large number of breaches and their rate of breaches is actually increasing by about 50 percent a year.
Protecting the Wrong Things?KITTEN: In the financial space, we often talk about security, especially as it relates to authentication and encryption. The problem, experts say, is not that we lack adequate technology to fight cyberattacks but, rather, that we focus on encrypting and authenticating the wrong things. Does that perspective jibe with the ABA's findings, and do you see consistent concerns, as they relate to protecting the wrong types of information across numerous industries that go beyond just financial?
THOMSON: Well, we found that there certainly isn't a lack of technology, but how it's implemented and used is critical. And as technology becomes more complicated, with the use of smart phones, mobile phones, PDAs, iPads and other devices, the difficulty of properly implementing and protecting those types of devices is going to become even more complicated, and cloud computing will add another layer of complexity to the problem. But we did find that most of the data breaches are caused by fairly obvious problems that can be addressed by organizations that are committed to doing that. In the financial sector, for example, there were instances of data being encrypted, but then it was sent to banks in unencrypted form and that's when the hackers were able to intercept it. In the healthcare sector, many breaches occurred because laptops and backup tapes were lost or stolen. So, all those things can be addressed and those systems can be protected, if people are ready to provide appropriate security.
KITTEN: The handbook was written to provide a general overview of data breach causes and encryption solutions. How deep does the overview goes, and do you feel that it provides the technical layers of understanding today's attorneys, global executives and IT professionals, as well as policymakers and industry regulators, must grasp in order to operate in today's cyber environment?
THOMSON: Well, the book was written to be understandable to policymakers and lawyers and it was written to demystify some of the technical concepts, such as encryption, so that everybody would be able to delve into the topic of data breaches and be able to collaborate to figure out ways to solve the problem. We started out with a discussion of the laws, all the applicable laws, and then we have another large section of the book on technology. Anyone can read the technology section and find things there that they can understand, but there are also some chapters that provide quite a bit of technical detail for security professionals who need to know more. We've also put together an extensive resource list, so that when people understand the right questions to ask, they can read more and delve into the topic in as much detail as they need to.
KITTEN: Lucy, the handbook also takes an in-depth look at some of the major data breach incidents that have affected the financial, healthcare and government sectors, providing legal and technical insights. Can you tell us about some of those high-level insights and the findings that the handbook delves into?
THOMSON: Yes, we devoted a chapter to look at some of the major data breaches, some of the most highly publicized data breaches that have occurred over the past four years. Among those we included in the financial sector were two of the payment card processor breaches, which are RBS WorldPay and Heartland Payment Systems; and then we looked at the retail companies that were involved in massive breaches, including TJX, DSW and Hanover. We chose those breaches because each one of those organizations had encrypted records and some of them publicly said, "Yes, our records were encrypted." But at the point where the hackers intercepted the records, they were not encrypted. So, the interesting thing is that some of the records were encrypted, but some of them weren't, and the lesson there is that the security solution must be implemented correctly and encryption must be end-to-end, so that all the records are encrypted and there are no vulnerable points in the system.
KITTEN: And before we close, Lucy, what final thoughts about the handbook would you like to share with our audience.
THOMSON: The data breach book was written to stimulate a dialogue about the best ways to prevent data breaches, and we hope that people will want to commit themselves to finding solutions to data breaches, which is very important for the healthcare sector. Individuals' healthcare records are some of the most sensitive records. It only takes one breach in order to have those records compromised, and once they're compromised, you can't take them back. So, it's very important that these records be protected, and there are many practical steps that people can take to ensure sure that the records are protected. The final thought is that security needs a comprehensive approach, and it requires discipline on the part of organizations and collaboration among many individuals in the organization in order to create a truly comprehensive security solution.