http://csrc.nist.gov/publications/nistpubs/800-16/800-16.pdf
http://csrc.nist.gov/publications/nistpubs/800-16/AppendixA-D.pdf
http://csrc.nist.gov/publications/nistpubs/800-16/Appendix_E.pdf
http://csrc.nist.gov/groups/SMA/fasp/documents/security_ate/SOW-exe.doc
http://csrc.nist.gov/publications/nistpubs/800-50/NIST-SP800-50.pdf
http://www.hhs.gov/ocio/securityprivacy/awarenesstraining/awarenesstraining.html
http://www.txdps.state.tx.us/SecurityReview/secAwarenessTraining.pdf
http://www.uh.edu/legal-affairs/general-counsel/OGC%20Website%20FERPA%20-%20ISAT%20Training.pdf
Security Awareness Training Framework (SATF) http://www.satframework.org/
http://www.knowbe4.com/products/kevin-mitnick-security-awareness-training/
http://www.sans.org/reading-room/whitepapers/awareness/importance-security-awareness-training-33013
https://www.schneier.com/blog/archives/2013/03/security_awaren_1.html
http://www.sans.org/reading-room/whitepapers/awareness/?cat=awareness
http://www.iwar.org.uk/comsec/resources/ia-awareness-posters/index.htm
https://www.trustedsec.com/downloads/social-engineer-toolkit/
About the Security Awareness Training Framework
The Security Awareness Training Framework (“SATF”) is a cross-disciplinary program that seeks to provide the guiding principles to establish a common practice for creating and using components within the security awareness domain hierarchy. The SATF seeks to redefine the failed approaches to security awareness by producing a reusable, community-driven, technology-agnostic, and vendor-neutral approach to educating the widest base of stakeholders possible, regardless of role, learning style, experience, or personality type. The SATF mission is to focus solely on the context of security awareness and provide aligned stakeholders and content providers a reusable and standard schema to produce the appropriate content, at the appropriate time, and to the appropriate audience.
The SATF will focus on a series of initial deliverables, to which failure and success will be measured and adjusted as necessary. The following items are considered to be core deliverables of the SATF program:
A series of vendor-agnostic “how-to guides” based on community-driven research and best practices that will assist interested stakeholders in shaping a security awareness campaign for their organization.
A formal taxonomy of security awareness topics, arranged in a multitier tree structure.
A formal taxonomy of stakeholder roles and occupations, arranged in a multitier tree structure.
A formal taxonomy of regulations and legislation by which security awareness activities are affected, arranged in a multitier tree structure.
A formal taxonomy of learning styles and learning models, arranged in a multitier tree structure.
A formal taxonomy of personality types and personality models, arranged in a multitier tree structure.
A Document Type Definition (DTD) that defines the legal building blocks and hierarchy of an XML or similar markup document for describing and consuming security awareness entities and attributes. The SATF DTD will allow content providers the ability to consume the research of the SATF, identify the characteristics of the specific consumer(s) needing security awareness, and produce content that aligns with the SATF through a consistent and personalized experience.
An algorithm or other methodology to produce a unique permutation from the dimensions of the taxonomies by which security awareness activities will be personalized and delivered.
A series of standardized metrics that reach beyond the current state of security awareness metrics to provide a closed-loop system at various levels of a hierarchy to measure consistently the effectiveness of the security awareness activities and campaigns.
An end user browsable, community-driven wiki site that provides the core components and aspects of security awareness activities within the security awareness domain.
To effectively manage the large scope of the effort, subteams and committees will need to be established. Participants may join as many subteams as they wish; however, it is generally recommended to commit to no more than two (2) subteams at any given time. Members of subteams are generally expected to attend the majority of subteam functions, except where extenuating circumstances prohibit occasional nonparticipation. Each subteam should nominate one or more members to participate in the general steering meetings, where information is shared among all of the teams.
The following subteams are being proposed to achieve the program deliverables and should be considered fluid as needs dictate:
Taxonomy/classification team
Documentation/artifact team
Research/outreach team
Communications/social media team
The taxonomy/classification team will be primarily responsible for establishing the classification of security awareness entities into an ordered system that indicates natural relationships. Borrowed primarily from biological concepts, a taxonomy allows an entity to be consistently classified, which eases communication between two or more parties. The following taxonomies have been identified in the program charter deliverables:
Security awareness topics (e.g., phishing, pharming, and tailgating)
Stakeholder roles and occupations (e.g., teacher, accountant, and grandmother)
Legal, regulatory, and legislative objectives (e.g., PCI DSS, HIPAA, and SOX)
Learning models and styles (Kolb's, VAK/VARK, and Honey and Mumford's)
Personality models and styles (Big Five, Myers–Briggs, and DISC)
The documentation/artifact team plays a key role in authoring, formatting, and delivering documentation on behalf of the SATF. As part of the program deliverables, the documentation/artifact team will author the how-to guides, white papers, and other artifacts central to the scope of the SATF program.
The research/outreach team plays a dual role on behalf of the SATF. First, the research team is chartered with searching and collecting artifacts related to security awareness from around the Internet and through scholarly literature. Secondly, the outreach team is chartered with using the information gathered through research and presenting documentation as part of the overall SATF message. The end goal is to rally support for the SATF through factual dissemination of information through various in-person delivery channels.
The communications/social media team is largely responsible for evangelizing the SATF through social media outlets including Facebook, Twitter, and reddit. By actively engaging in dialog in alignment with the SATF goals, the mission of the SATF is reinforced through virtual channels and online presence.
The Security Awareness Training Framework officially began during the inaugural DerbyCon conference in 2011. Boris Sverdlik (@jadedsecurity) was presenting “Your Perimeter Sucks” to a packed auditorium of security practitioners.
As is the case in many security presentations, the importance of security awareness and end user training was discussed. However, rather than the typical nod and agreement to the statements, a light bulb went off, causing KC Yerrid (@K0nsp1racy) to ask Boris and the audience how to fix security awareness training. A brief discussion ensued, and Boris challenged KC to fill the gap. KC accepted, and the Security Awareness Training Framework was born.
Over the course of the next couple of months, a handful of practitioners gathered to take this impulsive project and really define the parameters of the effort. On 3 November 2011, Bill Brenner (@BillBrenner70), managing editor of CSO magazine, published a news article about our project, its mission, and goals. The concept was widely accepted and well received, giving credence to the mission of the project.
Throughout 2012, many members have participated in and contributed to the project. Despite the temptation to evangelize the project at security conferences, the core group decided to hold off until DerbyCon 2012 for our first official presentation of our work to date. At DerbyCon, we have set our sights very high: presenting what we have been up to for the past 12 calendar months, setting the vision, and truly launching this ambitious program into an organic growth opportunity for its members and beneficiaries. We look forward to driving this program forward and hope that people of all walks and experience levels will latch on and help us bring the initiative to fruition.
The mission of the Security Awareness Training Framework (SATF) revolves around the following themes: Primarily, the SATF seeks to create a free and open-source framework that can be used and advanced by practitioners and stakeholders responsible for the information security of sensitive data. We believe this will occur if we can successfully complete three primary goals:
We want to define the components necessary to deliver an effective security awareness program, including scenarios for specialized functions such as developer training and home user education.
We want to study and leverage the delivery mechanisms and various learning styles of individuals to maximize effectiveness of information security awareness.
We want to develop feedback mechanisms and establish candidate metrics to measure the effectiveness of security awareness programs at various levels of granularity.
In order to gain an understanding of these three goals, let's take a look and dissect each of them individually:
If one looks across the spectrum, there are companies in the business of delivering information security training to organizations and people. However, the content is typically delivered (in a best-case scenario) via the 80/20 rule: about 80% of the content will be on target to a certain extent, and about 20% will be extraneous or not applicable to the audience member. The content is stale and/or presented annually to satisfy an external party. While we are not trying to criticize these companies, we feel that if we clearly separate the need to watch profit margins from the question of how to maximize the types of content that should be delivered, the end result is a win–win solution for both the trainer and the trainee. This project does not include any provisions that would result in a conflict of interest by offering and/or endorsing a product solution that would benefit the project at large.
It is a big initiative, and those who have participated realize the magnitude and the scope of our efforts. To effectively deliver on this project's mission, the project participants need to define what combination of topics is appropriate for people in all geographic areas, across all types of people, with all roles and responsibilities for information security. Examples of questions that we seek to answer are as follows:
What does a home computer user need to know about securing their wireless networks?
Does an accountant in the US automobile industry need to know about PCI DSS?
What should an elementary school teacher be teaching his or her 3rd grade classroom?
By borrowing a page from education and academia, the Security Awareness Training Framework seeks to study how people learn security awareness the best. We suspect that people have a preferred learning style; some are visual learners, while some are tactile or kinesthetic learners. There are a number of academic models that attempt to categorize learning styles. The SATF seeks to add a dimension that is often overlooked, particularly in the corporate sector: customized delivery to maximize effectiveness of the program. Many of us have participated in training sessions, whether computer-based training or instructor-led, that made us feel bored, distracted, or not very interested in learning.
The SATF will add that specific dimension to the content that is defined by providing recommendations, materials, and empirical data to support why a one-size-fits-all training solution is inefficient. The bottom line is that if the stakeholder is engaged with applicable content that is tailored to his or her individual learning style, the chances of knowledge retention are increased significantly, while the residual risk is lowered dramatically.
Examples of some of the questions the project seeks to answer include the following:
For visual learners, what font family and size text is best for an audience of 25 people?
For kinesthetic learners, does an e-mail sent by a manager increase or decrease the chance of a successful phishing attempt?
How does voice inflection affect training efficacy?
In the spirit of ensuring the Security Awareness Training Framework is a living and perpetual endeavor, the project team is seeking to define the appropriate feedback mechanisms that ensure confidentiality and integrity of reporting the effectiveness of the security awareness program as it is deployed via the various use cases. Historically, very few metrics have existed to accurately identify the effectiveness of a security awareness program. Our goal is to provide the clarity and transparency necessary to allow a person, a group of people, an organization, or a collective industry to measure how the framework is working over time. Based on the information collected in metrics, the stakeholders can make actionable decisions based on the effectiveness of the security awareness program. Examples of questions that we seek to answer are as follows:
Is my organization more aware of appropriate security measures than they were last month?
What percentage of targets clicked on a specific phishing message during a simulation?
How satisfied are the people with the security awareness program compared to a baseline?
In so many ways, it sometimes feels as though we are trying to boil the ocean with lofty and impossible goals. However, as the famous saying goes, the best way to eat an elephant is to take one bite at a time. The more people we have contributing to our program wiki, the more we can collectively accomplish. Want to get involved? Contact us!
Source: http://www.satframework.org/
• What is security awareness training?
• Why does your organization need a security awareness program?
• Getting management buy-in
  – Policy enforcement
  – Cost savings
  – Production increases
• In order to properly train users, they must first understand the threats.
  – Motivations of cyber criminals
    – Money
    – Industrial espionage/trade secrets
    – Hacktivism
    – Cyber war
    – Bragging rights
• Costs of cleaning up after a breach (Ponemon Institute)
  – Nation-states
  – Hacking gangs
  – Hacktivists
  – Cyber war
• Most attacks are targeted.
  – Targeted by OS; targeted via phishing, 0-day, and ports
  – Targeted as an industry
• Everyone is responsible for security.
• Countermeasures
  – Locking computers
  – Attachments
  – Phishing
  – Social engineering
• Security awareness is the only known defense to social engineering.
  – Not all security breaches are the result of technical attack.
  – In information security, people are the weakest link.
• No-tech hacking
  – Tailgating
  – Shoulder surfing
  – Google hacking
  – P2P hacking
• Insecure third-party software
  – Instant messaging
  – Adware
  – Spyware
  – Web attacks
• Recent examples of web attacks
• Data leakage
• Metadata awareness
• Training cycle
  – Quarterly
  – Yearly
  – Continual
• Training types
  – Online
  – Classroom
  – Formal
  – Informal
• Building engaging training
  – Social engineering management
  – One-on-one interaction
  – Penalty cards
  – Reward-based interaction
  – Continual message
  – Awareness posters
  – Desktop backgrounds
  – E-mail campaigns
  – Using Security Awareness Month
  – Organization-wide intensive training
  – Special events
  – Must be engaging
• Metrics
  – Measuring training effectiveness
    – Incident response
    – Are users asking better questions?
• Why most security awareness programs suck
  – Canned programs are the worst.
  – Overly complicated.
  – Expensive.
  – One size does not fit all.
  – Messages must be targeted.
| State | Citation |
|---|---|
| Alaska | Alaska Stat. § 45.48.010 et seq. |
| Arizona | Ariz. Rev. Stat. § 44-7501 |
| Arkansas | Ark. Code § 4-110-101 et seq. |
| California | Cal. Civ. Code §§ 1798.29, 1798.80 et seq. |
| Colorado | Colo. Rev. Stat. § 6-1-716 |
| Connecticut | Conn. Gen. Stat. § 36a-701b |
| Delaware | Del. Code tit. 6, § 12B-101 et seq. |
| Florida | Fla. Stat. § 817.5681 |
| Georgia | Ga. Code §§ 10-1-910, -911, -912; § 46-5-214 |
| Hawaii | Haw. Rev. Stat. § 487N-1 et seq. |
| Idaho | Idaho Stat. §§ 28-51-104 to -107 |
| Illinois | 815 ILCS §§ 530/1 to 530/25 |
| Indiana | Ind. Code §§ 4-1-11 et seq., 24-4.9 et seq. |
| Iowa | Iowa Code §§ 715C.1, 715C.2 |
| Kansas | Kan. Stat. § 50-7a01 et seq. |
| Kentucky | 2014 H.B. 5, H.B. 232 |
| Louisiana | La. Rev. Stat. § 51:3071 et seq. |
| Maine | Me. Rev. Stat. tit. 10 § 1347 et seq. |
| Maryland | Md. Code Com. Law §§ 14-3501 et seq., Md. State Govt. Code §§ 10-1301 to -1308 |
| Massachusetts | Mass. Gen. Laws § 93H-1 et seq. |
| Michigan | Mich. Comp. Laws §§ 445.63, 445.72 |
| Minnesota | Minn. Stat. §§ 325E.61, 325E.64 |
| Mississippi | Miss. Code § 75-24-29 |
| Missouri | Mo. Rev. Stat. § 407.1500 |
| Montana | Mont. Code § 2-6-504, 30-14-1701 et seq. |
| Nebraska | Neb. Rev. Stat. §§ 87-801, -802, -803, -804, -805, -806, -807 |
| Nevada | Nev. Rev. Stat. §§ 603A.010 et seq., 242.183 |
| New Hampshire | N.H. Rev. Stat. §§ 359-C:19, -C:20, -C:21 |
| New Jersey | N.J. Stat. § 56:8-163 |
| New York | N.Y. Gen. Bus. Law § 899-aa, N.Y. State Tech. Law 208 |
| North Carolina | N.C. Gen. Stat. §§ 75-61, 75-65 |
| North Dakota | N.D. Cent. Code § 51-30-01 et seq. |
| Ohio | Ohio Rev. Code §§ 1347.12, 1349.19, 1349.191, 1349.192 |
| Oklahoma | Okla. Stat. §§ 74-3113.1, 24-161 to -166 |
| Oregon | Oregon Rev. Stat. § 646A.600 et seq. |
| Pennsylvania | 73 Pa. Stat. § 2301 et seq. |
| Rhode Island | R.I. Gen. Laws § 11-49.2-1 et seq. |
| South Carolina | S.C. Code § 39-1-90, 2013 H.B. 3248 |
| Tennessee | Tenn. Code § 47-18-2107 |
| Texas | Tex. Bus. & Com. Code §§ 521.002, 521.053, Tex. Ed. Code § 37.007(b)(5) |
| Utah | Utah Code §§ 13-44-101 et seq. |
| Vermont | Vt. Stat. tit. 9 §§ 2430, 2435 |
| Virginia | Va. Code § 18.2-186.6, § 32.1-127.1:05 |
| Washington | Wash. Rev. Code §§ 19.255.010, 42.56.590 |
| West Virginia | W.V. Code §§ 46A-2A-101 et seq. |
| Wisconsin | Wis. Stat. § 134.98 |
| Wyoming | Wyo. Stat. § 40-12-501 et seq. |
| District of Columbia | D.C. Code § 28-3851 et seq. |
| Guam | 9 GCA § 48-10 et seq. |
| Puerto Rico | 10 Laws of Puerto Rico § 4051 et seq. |
| Virgin Islands | V.I. Code tit. 14, § 2208 |
States with no security breach law: Alabama, New Mexico, and South Dakota
The HIPAA Breach Notification Rule, 45 CFR §§ 164.400-414, requires HIPAA-covered entities and their business associates to provide notification following a breach of unsecured protected health information. Similar breach notification provisions implemented and enforced by the Federal Trade Commission (FTC) apply to vendors of personal health records and their third-party service providers, pursuant to Section 13407 of the HITECH Act.
A breach is, generally, an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of protected health information. An impermissible use or disclosure of protected health information is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that protected health information has been compromised based on a risk assessment of at least the following factors:
1. The nature and extent of protected health information involved, including the types of identifiers and the likelihood of reidentification
2. The unauthorized person who used protected health information or to whom the disclosure was made
3. Whether protected health information was actually acquired or viewed
4. The extent to which the risk to protected health information has been mitigated
Covered entities and business associates, where applicable, have discretion to provide the required breach notifications following an impermissible use or disclosure without performing a risk assessment to determine the probability that protected health information has been compromised.
There are three exceptions to the definition of “breach.” The first exception applies to the unintentional acquisition, access, or use of protected health information by a workforce member or person acting under the authority of a covered entity or business associate, if such acquisition, access, or use was made in good faith and within the scope of authority. The second exception applies to the inadvertent disclosure of protected health information by a person authorized to access protected health information at a covered entity or business associate to another person authorized to access protected health information at the covered entity or business associate or organized healthcare arrangement in which the covered entity participates. In both cases, the information cannot be further used or disclosed in a manner not permitted by the Privacy Rule. The final exception applies if the covered entity or business associate has a good faith belief that the unauthorized person to whom the impermissible disclosure was made would not have been able to retain the information.
Covered entities and business associates must only provide the required notifications if the breach involved unsecured protected health information. Unsecured protected health information is protected health information that has not been rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified by the secretary in guidance.
This guidance was first issued in April 2009 with a request for public comment. The guidance was reissued after consideration of public comment received and specifies encryption and destruction as the technologies and methodologies for rendering protected health information unusable, unreadable, or indecipherable to unauthorized individuals. Additionally, the guidance also applies to unsecured personal health record identifiable health information under the FTC regulations. Covered entities and business associates, as well as entities regulated by the FTC regulations, that secure information as specified by the guidance are relieved from providing notifications following the breach of such information.
Following a breach of unsecured protected health information, covered entities must provide notification of the breach to the affected individuals, the secretary, and, in certain circumstances, the media. In addition, business associates must notify covered entities if a breach occurs at or by the business associate.
Covered entities must notify the affected individuals following the discovery of a breach of unsecured protected health information. Covered entities must provide this individual notice in written form by first-class mail or, alternatively, by e-mail if the affected individual has agreed to receive such notices electronically. If the covered entity has insufficient or out-of-date contact information for 10 or more individuals, the covered entity must provide substitute individual notice by either posting the notice on the home page of its website for at least 90 days or providing the notice in major print or broadcast media where the affected individuals likely reside. The covered entity must include a toll-free phone number that remains active for at least 90 days where individuals can learn if their information was involved in the breach. If the covered entity has insufficient or out-of-date contact information for fewer than 10 individuals, the covered entity may provide substitute notice by an alternative form of written notice, by telephone, or by other means.
These individual notifications must be provided without unreasonable delay and in no case later than 60 days following the discovery of a breach and must include, to the extent possible, a brief description of the breach; a description of the types of information that were involved in the breach; the steps affected individuals should take to protect themselves from potential harm; a brief description of what the covered entity is doing to investigate the breach, mitigate the harm, and prevent further breaches; and contact information for the covered entity (or business associate, as applicable).
With respect to a breach at or by a business associate, while the covered entity is ultimately responsible for ensuring individuals are notified, the covered entity may delegate the responsibility of providing individual notices to the business associate. Covered entities and business associates should consider which entity is in the best position to provide notice to the individual, which may depend on various circumstances, such as the functions the business associate performs on behalf of the covered entity and which entity has the relationship with the individual.
Covered entities that experience a breach affecting more than 500 residents of a state or jurisdiction are, in addition to notifying the affected individuals, required to provide notice to prominent media outlets serving the state or jurisdiction. Covered entities will likely provide this notification in the form of a press release to appropriate media outlets serving the affected area. Like individual notice, this media notification must be provided without unreasonable delay and in no case later than 60 days following the discovery of a breach and must include the same information required for the individual notice.
In addition to notifying affected individuals and the media (where appropriate), covered entities must notify the secretary of breaches of unsecured protected health information. Covered entities will notify the secretary by visiting the HHS website (http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/brinstruction.html) and filling out and electronically submitting a breach report form. If a breach affects 500 or more individuals, covered entities must notify the secretary without unreasonable delay and in no case later than 60 days following a breach. If, however, a breach affects fewer than 500 individuals, the covered entity may notify the secretary of such breaches on an annual basis. Reports of breaches affecting fewer than 500 individuals are due to the secretary no later than 60 days after the end of the calendar year in which the breaches are discovered.
If a breach of unsecured protected health information occurs at or by a business associate, the business associate must notify the covered entity following the discovery of the breach. A business associate must provide notice to the covered entity without unreasonable delay and no later than 60 days from the discovery of the breach. To the extent possible, the business associate should provide the covered entity with the identification of each individual affected by the breach as well as any other available information required to be provided by the covered entity in its notification to affected individuals.
Covered entities and business associates, as applicable, have the burden of demonstrating that all required notifications have been provided or that a use or disclosure of unsecured protected health information did not constitute a breach. Thus, with respect to an impermissible use or disclosure, a covered entity (or business associate) should maintain documentation that all required notifications were made or, alternatively, documentation to demonstrate that notification was not required: (1) its risk assessment demonstrating a low probability that protected health information has been compromised by the impermissible use or disclosure or (2) the application of any other exceptions to the definition of “breach.”
Covered entities are also required to comply with certain administrative requirements with respect to breach notification. For example, covered entities must have in place written policies and procedures regarding breach notification, must train employees on these policies and procedures, and must develop and apply appropriate sanctions against workforce members who do not comply with these policies and procedures.
Source: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/
The breach notification rule requires covered entities to provide the secretary with notice of breaches of unsecured protected health information (45 CFR 164.408). All notifications must be submitted to the secretary using the OCR submission portal below. The number of individuals affected by the breach determines when the notification must be submitted to the secretary. Please review the instructions below for submitting breach notifications.
If a breach affects 500 or more individuals, a covered entity must provide the secretary with notice of the breach without unreasonable delay and in no case later than 60 days from discovery of the breach. This notice must be submitted electronically by following the link below and completing all information required on the breach notification form.
If a covered entity that has submitted a breach notification form to the secretary discovers additional information to report, the covered entity may submit an additional form, checking the appropriate box to signal that it is an updated submission. If, at the time of submission of the form, it is unclear how many individuals are affected by a breach, please provide an estimate of the number of individuals affected. As this information becomes available, an additional breach report may be submitted as an addendum to the initial report.
For questions regarding the completion and submission of this form, please e-mail [email protected].
For breaches that affect fewer than 500 individuals, a covered entity must provide the secretary with notice of breaches within 60 days of the end of the calendar year in which the breaches were discovered. This notice must be submitted electronically by following the link below and completing all information required on the breach notification form. A separate form must be completed for every breach that was discovered during the calendar year.
Source: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/brinstruction.html
Does your business or organization have a website that allows people to maintain their medical information online? Do you provide applications for personal health records—say, a device that allows people to upload readings from a blood pressure cuff or pedometer into their personal health record?
The American Recovery and Reinvestment Act of 2009 includes provisions to strengthen privacy and security protections for this new sector of web-based businesses. The law directed the Federal Trade Commission to issue a rule requiring companies to contact customers in the event of a security breach. After receiving comments from the public, the FTC issued the Health Breach Notification Rule.
Under the FTC rule, companies that have had a security breach must
1. notify everyone whose information was breached;
2. in many cases, notify the media; and
3. notify the FTC.
The FTC has designed a standard form for companies to use to notify the FTC of a breach and periodically posts a list of breaches for which it received notice under the rule. A brochure for businesses, Complying with the FTC Health Breach Notification Rule, explains who's covered by the rule and offers guidance on what to do in case of a breach. FTC enforcement began on 22 February 2010.
The FTC Health Breach Notification Rule applies only to health information that is not secured through technologies specified by the Department of Health and Human Services. Also, the FTC rule does not apply to businesses or organizations covered by the Health Insurance Portability and Accountability Act (HIPAA). In case of a security breach, entities covered by HIPAA must comply with the HHS Breach Notification Rule.
Source: http://business.ftc.gov/privacy-and-security/health-privacy/health-breach-notification-rule
More and more, personal medical information is online. For most hospitals, doctors' offices, and insurance companies, the Health Insurance Portability and Accountability Act (HIPAA) governs the privacy and security of health records stored online. But many web-based businesses that collect people's health information aren't covered by HIPAA. These include online services people use to keep track of their health information and online applications that interact with those services.
The Federal Trade Commission (FTC), the nation's consumer protection agency, has issued the Health Breach Notification Rule to require certain businesses not covered by HIPAA to notify their customers and others if there's a breach of unsecured, individually identifiable electronic health information. FTC enforcement began on 22 February 2010.
Is your business covered by the Health Breach Notification Rule? Do you know your legal obligations if you experience a security breach?
The rule applies if you are
a vendor of personal health records (PHRs),
a PHR-related entity, or
a third-party service provider for a vendor of PHRs or a PHR-related entity.
Vendor of personal health records. For the purposes of the rule, your business is a vendor of personal health records if it “offers or maintains a personal health record.” A personal health record is defined as an electronic record of “identifiable health information on an individual that can be drawn from multiple sources and that is managed, shared, and controlled by or primarily for the individual.” For example, if you have an online service that allows consumers to store and organize medical information from many sources in one online location, you're a vendor of personal health records.
PHR-related entity. Your business is a PHR-related entity if it interacts with a vendor of personal health records either by offering products or services through the vendor's website—even if the site is covered by HIPAA—or by accessing information in a personal health record or sending information to a personal health record. Many businesses that offer web-based apps for health information fall into this category. For example, if you have an app that helps consumers manage their medications or lets them upload readings from a device like a blood pressure cuff or pedometer into a personal health record, your business is a PHR-related entity. However, if consumers can simply input their own information on your site in a way that doesn't interact with personal health records offered by a vendor—for example, if your site just allows consumers to input their weight each week to track their fitness goals—you're not a PHR-related entity. You're not a PHR-related entity if you're already covered by HIPAA.
Third-party service provider. Your business is a third-party service provider if it offers services involving the use, maintenance, disclosure, or disposal of health information to vendors of personal health records or PHR-related entities. For example, if a vendor of personal health records hires your business to provide billing, debt collection, or data storage services related to health information, you're a third-party service provider and covered by the rule.
The rule requires that you provide notice when there has been an unauthorized acquisition of PHR-identifiable health information that is unsecured and in a personal health record. How those terms are defined is important:
Unauthorized acquisition. If the health information that you maintain or use is acquired by someone else without the affected person's approval, it's an unauthorized acquisition under the rule. For example, a thief steals an employee's laptop containing unsecured personal health records or someone on your staff downloads personal health records without approval. Those are probably unauthorized acquisitions that trigger the rule's notification requirement.
PHR-identifiable health information. The notification requirements apply only when you've experienced a breach of PHR-identifiable health information. This is health information that identifies someone or could reasonably be used to identify someone. For example, someone hacks into a company database that contains zip codes, dates of birth, and medication information. Even though the database didn't contain names, it would be reasonable to believe the information could be used to identify people in the database. But what if a hacker gains access to a database that contains only city and medication data and finds out that ten anonymous individuals in New York City have been prescribed a widely used drug? That probably wouldn't be considered PHR-identifiable health information because it couldn't reasonably be used to identify specific people.
Unsecured information. The rule applies only to unsecured health information, defined by the US Department of Health and Human Services (HHS) to include any information that is not encrypted or destroyed in accordance with HHS guidance. If your employee loses a laptop containing only encrypted personal health records, for example, you wouldn't be required to provide notification. Note that this exemption only holds if the decryption key or passphrase was not lost with the device; a laptop whose encryption passphrase is written on a sticker, or cached by an auto-login account, holds unsecured information for this purpose.
Personal health record. A personal health record is an electronic health record that can be “drawn from multiple sources and that is managed, shared, and controlled by or primarily for the individual.” If your business experiences a breach involving only paper health records—not electronic records—the FTC rule doesn't require any notification. However, because many states have notification laws that might apply, it's wise to consult your attorney.
If your business is a vendor of personal health records or a PHR-related entity and there's a security breach, the rule spells out your next steps. You must notify
each affected person who is a citizen or resident of the United States;
the Federal Trade Commission; and,
in some cases, the media.
Here are the details of the rule's main requirements about who you must notify and when you must notify them, how you must notify them, and what information to include.
People: If you experience a breach of unsecured personal health information, you must notify each affected person “without unreasonable delay” and within 60 calendar days after the breach is discovered. The countdown begins the day the breach becomes known to someone in your company—or the day someone should reasonably have known about it. Although the rule requires you to notify people within 60 calendar days, it also requires you to act without unreasonable delay. That means if a company discovers a breach and gathers the necessary information within, say, 30 days, it is unreasonable to wait until the 60th day to notify the people whose information was breached.
The FTC: The rule requires you to notify the FTC, but the timing depends on the number of people affected.
If the breach involves the information of 500 people or more, you must notify the FTC as soon as possible and within 10 business days after discovering the breach. To report the breach to the agency, you must use the form at www.ftc.gov/healthbreach.
If the breach involves the information of fewer than 500 people, you have more time. Instead, you must send the same standard form to the FTC—along with forms documenting any other breaches during the same calendar year involving fewer than 500 people—within 60 calendar days following the end of the calendar year. So, if your company experiences one breach in April affecting the records of 100 people and a second breach in September affecting the records of 50 people, the 60-day countdown begins January 1st of the next year.
The media: When at least 500 residents of a particular state, the District of Columbia, or a US territory or possession are affected by a breach, notification takes on an extra dimension. Without unreasonable delay—and within 60 calendar days after the breach is discovered—you must notify prominent media outlets serving the relevant locale, including Internet media where appropriate. This media notice is a supplement to your notice to people whose information was breached, not a substitute for individual notices.
If your company is a third-party service provider to a vendor of personal health records or a PHR-related entity, you have notice requirements under the rule, too. As a preliminary matter, the rule requires those clients to tell you up front that they're covered by the rule. If you experience a breach, you must notify an official designated in your contract with your client—or if there is no designee, a senior official of the company—without unreasonable delay and within 60 calendar days of discovering the breach. You must identify for your client each person whose information may be involved in the breach. But it isn't sufficient to simply send the notice and assume the ball is in your client's court. You must get an acknowledgment that they received your notice. They, in turn, must notify the people affected by the breach, the FTC, and, in certain cases, the media.
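The who/when rules above (individuals within 60 calendar days, the FTC within 10 business days for 500 or more or annually for fewer, media per jurisdiction at 500 residents, substitute notice at 10 unreachable people, and the third-party service provider's notice to its client) are easy to mis-apply in the middle of an incident. The following Python calculator is an added example, not code from the FTC brochure or from the page's authors, that turns those rules into concrete deadlines an incident-response plan can track. Its assumptions are marked: business days skip weekends only (federal holidays are not modelled), the sub-500 annual report falls due 60 calendar days after 31 December, and the discovery date is the day someone in the company knew or reasonably should have known. The Breach and Notice classes and their field names are the example's own.

```python
"""Deadline calculator for the FTC Health Breach Notification Rule.

Added example; not FTC code. Encodes the timing rules as summarised in the text:
every 60-day deadline is an outer bound that is also subject to the rule's
"without unreasonable delay" standard.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional


@dataclass
class Breach:
    discovered: date                 # day the breach became known, or should have
    affected: int                    # US citizens/residents whose PHR data was acquired
    role: str = "vendor"             # "vendor", "phr_related" or "third_party"
    by_jurisdiction: Dict[str, int] = field(default_factory=dict)  # residents per state/DC/territory
    unsecured: bool = True           # False only if every record was encrypted or destroyed
    electronic: bool = True          # paper-only breaches fall outside the FTC rule
    unreachable: int = 0             # people with no usable contact information


@dataclass
class Notice:
    to: str
    deadline: date
    note: str


def add_business_days(start: date, n: int) -> date:
    """Count forward n weekdays. Assumption: federal holidays are not skipped."""
    d = start
    while n > 0:
        d += timedelta(days=1)
        if d.weekday() < 5:          # Monday=0 .. Friday=4
            n -= 1
    return d


def ftc_notices(b: Breach) -> List[Notice]:
    """Return every notice the rule requires for breach b with its outer deadline."""
    if not (b.unsecured and b.electronic):
        return []                    # secured or paper-only data: the rule does not apply
    sixty_days = b.discovered + timedelta(days=60)
    notices: List[Notice] = []

    if b.role == "third_party":
        # Service provider notifies the contract designee (or a senior official) and
        # must obtain acknowledgment; the client then notifies individuals, FTC, media.
        notices.append(Notice("client_designee", sixty_days,
                              "identify each affected person; obtain acknowledgment"))
        return notices

    notices.append(Notice("individuals", sixty_days,
                          "first-class mail, or e-mail if the person chose it"))
    if b.unreachable >= 10:
        notices.append(Notice("substitute_notice", sixty_days,
                              "90-day home-page posting or major media; toll-free number live 90 days"))

    if b.affected >= 500:
        notices.append(Notice("ftc", add_business_days(b.discovered, 10),
                              "form at www.ftc.gov/healthbreach, as soon as possible"))
    else:
        # Assumption: "60 days following the end of the calendar year" = 31 Dec + 60 days.
        year_end = date(b.discovered.year, 12, 31)
        notices.append(Notice("ftc", year_end + timedelta(days=60),
                              "annual log of sub-500 breaches on the same form"))

    for place, count in sorted(b.by_jurisdiction.items()):
        if count >= 500:
            notices.append(Notice(f"media:{place}", sixty_days,
                                  "prominent media serving the locale; supplements individual notice"))
    return notices


def deadline_for(b: Breach, recipient: str) -> Optional[date]:
    """Deadline for one recipient, or None if no such notice is required."""
    for n in ftc_notices(b):
        if n.to == recipient:
            return n.deadline
    return None


if __name__ == "__main__":
    # Constructed scenario: unencrypted laptop with 1,200 PHRs stolen, discovered Thu 15 Apr 2010.
    big = Breach(date(2010, 4, 15), 1200, by_jurisdiction={"NY": 700, "NJ": 500, "CT": 0})
    for n in ftc_notices(big):
        print(f"{n.to:<18} by {n.deadline}  ({n.note})")
```

Running the scenario lists individual notice by 14 June 2010, the FTC form by 29 April 2010 (ten weekdays after a Thursday), and media notice for New York and New Jersey but not Connecticut. Swap `unsecured=False` in and the list is empty, which is exactly the argument for full-disk encryption with the key kept off the device.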
The best practice in notifying people is to find out from your customers in advance—perhaps when they sign up for your service—if they'd prefer to hear about a security breach by e-mail or by first-class mail. If you collect only e-mail addresses from your customers, you can send them a message—or let new customers know when they sign up—that you intend to contact them by e-mail about any security breaches. However, remember that if you plan to use e-mail as your default method, you must give your customers the opportunity to choose first-class mail notification instead and that option must be clear and conspicuous. If e-mail is a customer's preference, explain how to set up any spam filters so they will get your messages.
What if you've made reasonable efforts to reach people affected by the breach, but you haven't been able to contact each of them? If you fail to contact 10 or more people because of insufficient or out-of-date contact information, you must provide substitute notice through
a clear and conspicuous posting for 90 days on your home page or
a notice in major print or broadcast media where those people likely live.
Both of these forms of substitute notice must include a toll-free phone number that has to be active for at least 90 days so people can call to find out if their information was affected by the breach.
Regardless of the form of notification, your notice to individuals must be easy to understand and must include the following information:
A brief description of what happened, including the date of the breach (if you know) and the date you discovered the breach and the kind of PHR-identifiable health information involved in the breach—insurance information, Social Security numbers, financial account data, dates of birth, medication information, etc.
If the breach puts people at risk for identity theft or other possible harm, suggest steps they can take to protect themselves. Your advice must be relevant to the kind of information that was compromised. In some cases, for example, you may want to refer people to the FTC identity theft website, www.ftc.gov/idtheft.
In addition, if the breach involves health insurance information, you might suggest that people contact their healthcare providers if bills don't arrive on time in case an identity thief has changed the billing address, pay attention to the Explanation of Benefits forms from their insurance company to check for irregularities, and contact their insurance company to notify them of possible medical identity theft or to ask for a new account number.
If the breach includes Social Security numbers, you might suggest that people get a free copy of their credit report from www.annualcreditreport.com, monitor it for signs of identity theft, and place a fraud alert on their credit report. If they spot suspicious activity, they should contact their local police and, if appropriate, get a credit freeze.
If the breach includes financial information—for example, a credit card or bank account number—you might suggest that people monitor their accounts for suspicious activity and contact their financial institution about closing any accounts that may have been compromised.
A brief description of the steps your business is taking to investigate the breach, protect against future breaches, and mitigate the harm from the breach.
How people can contact you for more information. Your notice must include a toll-free telephone number, e-mail address, website, or mailing address.
Here are answers to some questions businesses have asked about the FTC Health Breach Notification Rule:
Why did the FTC implement the Health Breach Notification Rule?
As part of the American Recovery and Reinvestment Act of 2009—which advances the use of health information technology—Congress directed the FTC and HHS to study potential privacy, security, and breach notification requirements and make recommendations. In the meantime, Congress directed the FTC to implement a temporary rule—the Health Breach Notification Rule—that non-HIPAA businesses must follow if there's a security breach. FTC enforcement began on 22 February 2010.
It looks like someone accessed our database without our consent. We don't know if they downloaded anything. Is that the kind of “unauthorized acquisition” that would trigger the rule's notification requirements?
It should trigger an examination on your part to determine your obligations under the rule. There may be unauthorized access to data, but it's not always clear at first blush whether the data also have been “acquired”—that is, downloaded or copied. In these cases, the rule has a rebuttable presumption: Where there has been unauthorized access, unauthorized acquisition is presumed unless you can show that it hasn't—or couldn't reasonably have—taken place. For example, if one of your employees accesses a customer's personal health record without authorization, the rule presumes that because the data was accessed, it has been “acquired,” and you must follow the breach notification provisions of the rule. But you can overcome that presumption by establishing and enforcing a company policy—one that says if an employee inadvertently accesses a health record, he or she must not read or share the information, must log out immediately, and then must report the access to a supervisor right away. If the employee says he or she didn't read or share the information and you conduct a reasonable investigation that corroborates the employee's version of events, you may be able to overcome the presumption.
Consider another situation involving a lost laptop that contains personal health records. You could rebut the presumption of unauthorized acquisition if the laptop is recovered and forensic analysis shows that files were not opened, altered, transferred, or otherwise compromised.
Our business is in the “HIPAA business associate” category. Does the FTC rule apply to us?
If your business acts solely as a “HIPAA business associate”—that is, if you handle only protected health information of HIPAA-covered entities—the FTC rule does not apply. Nor does it apply to HIPAA-covered entities, like a hospital, doctor's office, or health insurance company. If you are a HIPAA-covered entity or act only as a HIPAA business associate, your responsibilities are in the HHS Breach Notification Rule.
The HHS rule requires HIPAA-covered entities to notify people whose unsecured health information is breached. If you are a business associate of a HIPAA-covered entity and you experience a security breach, you must notify the HIPAA-covered entity you're working with. Then, they must notify the people affected by the breach.
If your company is a HIPAA business associate that also offers personal health record services to the public, you may be subject to both the HHS and the FTC breach notification rules. For example, you have your own website that offers individual customers an online service to collect their health information and you sign a HIPAA business associate agreement with an insurance company to maintain the electronic health records of its customers. In the case of a breach affecting all your users, both the FTC rule and the HHS rule would apply. Under the FTC rule, you must notify the people who use the service on your website. In addition, you must notify the insurance company so that it can notify its customers.
If you have a direct relationship with all the people affected by the breach—your customers and the customers of the insurance company—coordinate with the insurance company on who sends the notice to its customers. People are more likely to pay attention to a notice from a company they recognize.
What's the relationship between the FTC Health Breach Notification Rule and the state breach notification laws?
The FTC rule preempts contradictory state breach notification laws, but not those that impose additional—but noncontradictory—breach notification requirements. For example, some state laws require breach notices to include advice on monitoring credit reports or contact information for consumer reporting agencies. While these content requirements are different from the FTC rule requirements, they're not contradictory. In this example, you could comply with both federal and state requirements by including all the information in a single breach notice. The FTC rule doesn't require you to send multiple breach notices to comply with state and federal law.
The FTC will treat each violation of the rule as an unfair or deceptive act or practice in violation of a Federal Trade Commission regulation. Businesses that violate the rule may be subject to a civil penalty of up to $16,000 per violation.
If law enforcement officials determine that notifying people would impede a criminal investigation or damage national security, the rule allows you to delay notifying them, as well as the FTC and, if required, the media.
The FTC works to prevent fraudulent, deceptive, and unfair business practices in the marketplace and to provide information to help consumers spot, stop, and avoid them. To file a complaint or get free information on consumer issues, visit ftc.gov or call toll-free, 1-877-FTC-HELP (1-877-382-4357); TTY: 1-866-653-4261. Watch a new video, How to File a Complaint, at ftc.gov/video to learn more. The FTC enters consumer complaints into the Consumer Sentinel Network, a secure online database and investigative tool used by hundreds of civil and criminal law enforcement agencies in the United States and abroad.
The National Small Business Ombudsman and 10 Regional Fairness Boards collect comments from small businesses about federal compliance and enforcement activities. Each year, the ombudsman evaluates the conduct of these activities and rates each agency's responsiveness to small businesses. Small businesses can comment to the ombudsman without fear of reprisal. To comment, call toll-free 1-888-REGFAIR (1-888-734-3247) or go to www.sba.gov/ombudsman.
April 2010
Source: http://business.ftc.gov/documents/bus56-complying-ftcs-health-breach-notification-rule.
The number of information security conferences has grown in recent years. These conferences can be great resources to network with others who are building or have built their own security awareness programs.
Below is a short list of conferences where the authors have spoken or have attended:
DEF CON https://www.defcon.org/
Black Hat https://www.blackhat.com/
ShmooCon http://www.shmoocon.org/
HOPE http://www.hope.net/
DerbyCon https://www.derbycon.com/
BSidesLV http://www.bsideslv.org/
BSides Charlotte http://bsidesclt.org/
BSides Cincy http://bsidescincy.org/
BSides DC http://www.bsidesdc.org/
BSides Raleigh http://bsidesraleigh.org/
BSides Asheville http://www.bsidesasheville.com/
BSides Nashville http://www.bsidesnash.org/
BSidesPR http://bsidespr.org/
BSides Austin http://www.bsidesaustin.com/
BSides Delaware http://www.securitybsides.com/w/page/28563447/BSidesDelaware
BSidesROC http://www.bsidesroc.com/
BSides Huntsville http://www.bsideshuntsville.org/
BSidesCT http://www.securitybsides.com/w/page/73989383/BSidesCT2014
BSidesNOLA http://www.securitybsides.com/w/page/62741761/BsidesNola
BSidesChicago http://www.securitybsides.com/w/page/70187476/BSidesChicago
Hack3rCon http://hack3rcon.org/
THOTCON http://thotcon.org/
Circle City Con http://circlecitycon.com/
CarolinaCon http://carolinacon.org/
A Fool's Game: Building an Awareness and Training Program, DerbyCon 2012—Branden Miller and Bill Gardner: http://www.irongeek.com/i.php?page=videos/derbycon2/3-2-5-branden-miller-bill-gardner-building-an-awareness-and-training-program
AIDE 2013: Building an Engaging and Effective Information Security Awareness Program—Bill Gardner http://www.irongeek.com/i.php?page=videos/aide2013/building-an-engaging-and-effective-information-security-awareness-and-training-program-bill-gardner-oncee
Building An Information Security Awareness Program from Scratch—Bill Gardner and Valerie Thomas: DerbyCon 2013 http://www.irongeek.com/i.php?page=videos/derbycon3/5101-building-an-information-security-awareness-program-from-scratch-bill-gardner-valerie-thomas
BSides Cincinnati Bill Gardner—Building A Security Awareness Program https://www.youtube.com/watch?v=zlVHoV1YqGA
How to Offer Security Awareness Training That Works http://www.esecurityplanet.com/network-security/how-to-offer-security-awareness-training-that-works.html
How Law Firms Can Defend Against Social Engineering http://apps.americanbar.org/litigation/committees/technology/articles/fall2012-1012-how-law-firms-can-defend-against-social-engineering.html