Archive for the ‘State Security Breach Laws’ Category

State Security Breach Notification Laws

April 26th, 2010 rfernandez

Forty-six states, the District of Columbia, Puerto Rico and the Virgin Islands now have laws in place that require notification when an individual’s confidential information has been compromised.  Mishandled medical records, social security numbers, credit card numbers and the like trigger mandatory notification.  The National Conference of State Legislatures (NCSL) has a listing of all the State Security Breach Notification Laws on their Web site.

To safeguard personal or sensitive data whose exposure could trigger the security breach notification laws, companies should deploy security systems that can reliably identify personal information in any electronic transmission and, where necessary, block or encrypt that transmission. In evaluating and deploying such systems, consideration should be given to those that can perform the following actions:

  • Registration and discovery – Companies should be able to devise and implement a set of rules that identify whether data is sensitive or personal. This is done with network-based appliances and/or software that lets companies define policies identifying the data (using techniques such as database fingerprinting, file fingerprinting, exact file matching, pattern matching, regular expressions, and lexicons/dictionaries), and then safely import that data in a way that provides high-speed inspection and confirmation of a “match” whenever a sensitive data transmission is detected.
  • Data inspection – The system should be able to inspect data at rest in storage and on servers, in motion as it travels over the network, and in use on desktop systems. This requires the system to identify data even when it is enclosed within a compressed archive, embedded in a PDF file or in a document such as a spreadsheet, presentation or word-processor file, or transmitted via e-mail, webmail, or a “Web 2.0” application.
  • Data blocking – The system should be able to block the transmission of sensitive data whenever necessary. This is especially important for web-based e-mail systems and “Web 2.0” applications, which are often encrypted and a rapidly growing conduit for data loss.
  • Data encryption – The system should be able to encrypt sensitive data before it is transmitted to outside recipients via approved corporate email solutions.  The method used to encrypt the email message should be easy for the recipient to comprehend, and the process for securely decrypting the message should be straightforward.
  • User notification – Users should be notified when they are attempting to send sensitive or personal data and the violation is deemed to be minor. Most sensitive data transmissions are inadvertent, so notification helps users understand why their transmission was blocked and modify their behavior going forward to comply with corporate policy.  For more severe violations, the solution should be able to block the transmission and alert administrators immediately.
  • Logging and reporting – IT administrators should be able to generate detailed logs and reports on encryption and transmission blocking-related activities in order to prove compliance with the statute.
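The registration-and-discovery and user-notification rules above can be sketched in a few lines. The following is an added example, not code from the original post or from any DLP product; it assumes the message body has already been extracted to plain text (a real system must first open archives, PDFs and office documents) and uses constructed regular-expression rules, a Luhn check and a tiny medical lexicon as its policy.

```python
import re
from typing import Dict, List

# Constructed detectors (assumptions for this example, not a product's rule set).
# SSN: area 000/666/9xx, group 00 and serial 0000 are never issued.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Payment card: 13-19 digits with optional single spaces or dashes between them.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")
# Lexicon: terms whose presence marks a message as medical-record content.
MEDICAL_LEXICON = ("diagnosis", "prescription", "patient id")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; weeds out order and phone numbers that merely look like cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def discover(text: str) -> Dict[str, List[str]]:
    """Registration-and-discovery step: every sensitive item found, grouped by category."""
    found = {
        "ssn": SSN_RE.findall(text),
        "card": [m.group() for m in CARD_RE.finditer(text)
                 if luhn_ok(re.sub(r"\D", "", m.group()))],
        "medical": [t for t in MEDICAL_LEXICON if t in text.lower()],
    }
    return {k: v for k, v in found.items() if v}


def decide(found: Dict[str, List[str]]) -> str:
    """Map findings to the three outcomes the post describes: allow, notify, block and alert."""
    score = len(found.get("ssn", [])) + len(found.get("card", []))
    score += 1 if "medical" in found else 0
    if score == 0:
        return "allow"
    if score == 1:  # one stray item: minor, probably inadvertent, so coach the user
        return "notify"
    return "block_and_alert"  # identifiers plus medical context: block and page admins


def inspect_message(text: str) -> str:
    """Classify an already-extracted message body and return the policy decision."""
    return decide(discover(text))
```

`inspect_message("Patient ID 77, diagnosis attached, card 4111 1111 1111 1111 on file")` returns `block_and_alert`, while a lone SSN in an otherwise ordinary e-mail only returns `notify`.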

These data loss prevention (DLP) requirements can be met today with Code Green Network TrueDLP.  Companies considering DLP and email encryption solutions should look for holistic systems that not only offer a comprehensive feature set, but which can be deployed relatively easily and quickly at a reasonable cost.

Massachusetts Data Protection Law 201 CMR 17.00

February 24th, 2010 rfernandez

Next week, March 1, 2010, Massachusetts will implement the most stringent data protection law in the nation.

Massachusetts Data Protection Law 201 CMR 17.00 will require businesses engaged in commerce to adopt written security policies and to encrypt the personal data of any Massachusetts resident that is stored, transmitted over the Internet, or transmitted wirelessly. Personal information includes a combination of a customer’s or employee’s name with a Social Security, bank account or credit card number. The key to this new law is that regardless of where your business is physically or operationally located, if you handle or store the personal information of any Massachusetts resident, you are legally obligated to protect that information.

This is the first data privacy law that allows a court to impose a $5,000 civil penalty for each violation. If a ‘violation’ is interpreted by a judge to mean the unauthorized access to a single individual’s personal information, the potential damages could be enormous. In addition to fines, failure to comply may expose your company to expensive audits and costly civil litigation.

If your organization owns or licenses personal information, you need to ensure that this information is neither transmitted nor stored in clear text.

Check out the Boston Herald article, “State to firms: Protect data”.