Evidence quality matters
When assessing risks faced by an organization, auditors use the combination of the probability of an event in conjunction with the potential impact to the organization to communicate the appropriate level of exposure to that risk.
(Global Information Assurance Certification Paper - SANS 2016 - "Data Breach Impact Estimation" (Paul Hershberger and Stephen Northcutt))
Incident Response policies and guidelines should involve topics, such as assessing the quality of evidence (of a successful intrusion which led to a data breach) and likelihood of harm. In order to subsequently do this the company needs a risk management strategy, which can handle this.
Mandatory breach disclosure and the contrarian schools of thought
Let's start with a short quote from the COMMISSION REGULATION (EU) No 611/2013 on "the measures applicable to the notification of personal data breaches under Directive 2002/58/EC of the European Parliament and of the Council on privacy and electronic communications".
It mentions "personal data" which I read as Personally Identifiable Information (PII). What exactly PIIs are, seems to depend on national laws in the EU. But there is Directive 95/46/EC, which will be superseded by GDPR (General Data Protection Regulation) starting from the 25th of Mai 2018. A key quote for me is in section 26 of GDPR:
The principles of data protection should apply to any information concerning an identified or identifiable natural person.
For me that appears to be comparable to what is happening in the USA in so far, that once a breach is detected and the lost data contains "information concerning an identified or identifiable person" there is a likelihood of harm.
If you take a look at HIPAA as a US standard you can also see that CFR part 164 has definitions similar to this. The likelihood of re-identification is important.
The Gramm-Leach-Bliley Act (GLBA) Section 5 of the US Federal Trade Commission Act for me adds to this perspective:
What happens if I’m the target of an FTC investigation involving data security?” We understand – no one wants to get that call.
Correct Sir, I don't want this.
If a company is subject to certain statutes, like the Gramm-Leach-Bliley Act or the Fair Credit Reporting Act, we may consider additional company policies to evaluate compliance with those requirements.
If we open an investigation following a breach, we’ll probably ask for information to help us understand the circumstances surrounding the breach: what happened, what protections were in place at the time, and how the company responded. In addition, we’ll often ask companies to provide information about the consumer harm – or likely harm – that flowed from a breach or about consumer complaints relating to security issues. When we do that, keep in mind that as a consumer protection agency we’re focused on the security of consumer information entrusted to the company – not its IP portfolio, trade secrets, or the loss of other company information that doesn’t concern consumers.
Summary: likelihood of harm is not not a buzz word. As the data holder you need to perform a Risk Assessment to account for this. However there are still contrarian schools of thought, because GDPR is not in effect yet. And as far as I know national laws in the EU and in certain US states can be relevant in conjunction with federal law. The overall tendency seems to be that contrarian schools of thought get united under acts such as HIPAA, GLBA or GDPR.
Risk Assessment strategies to include data-privacy and likelihood of harm
In the following I follow up on the requirement to incorporate the "likelihood of harm" to the consumer / customer into information security risk management processes. I take a look at ISO 27005. Can it help?
First steps: know your variables
With variables I do not only refer to the factors, which add to the scoring of the risk of harm. I also mean that some of the risk factors cannot be subsequently determined.
- What information were stolen? PIIs? Credit card holder data? Health data? Finance data?
- what is the categorization of data?
- what is the data sensitivity profile?
- How many records? How many affected customers? Can an independent 3rd party attest this? Is this part of the IR guideline? Has this guideline been followed?
- what is the quantity of data?
- how is the data protected?
- have strong means of protection been adapted?
- How good is the evidence?
- what is the certainty of the technical analysis?
- have the Indicators of Compromise been defined and are they applicable to the systems?
- what are the systems in scope?
- has the root cause of the data breach been determined and has it been addressed?
- Is the event, which led to the breach, over?
- are the attackers still there?
- have the factors from past Risk Assessments been incorporated into the security strategy?
- are there mitigating means, such as masking which reduce the amount of disclosed information?
- do you have any potentially misrepresenting policies which say "We will take steps to ensure your data is treated securely"?
It is not easy to quantify the amount of stolen records. - That is a job for a forensics investigator. Not all breached companies have proper security monitoring and controls. Which means that there might be limits to the trace-ability, which create issues with the quantification of a breach. A very common problem.
The general rule of thumb is, that in case of uncertainty the worst case is assumed. That means a company, which is not able to quantify the amount of stolen records due to a lack of monitoring, has to assume all of them were lost. The reason for that is not pessimism. It's that it is impossible to proof otherwise.
Risk and harm in one model
Many information security risk assessment methodologies focus on risks with strategic relevance the company. But data theft is not only a risk to the company. Data theft can lead to identity theft. That is a risk for the company and the consumers / customers.
In the context of this assessment harm simply constitutes a threat, because we don't concern ourselves with a legal analysis directly.
We want three things in our model
- a threat model,
- likelihood (of identity theft, which constitutes a situation where a consumer gets harmed) and
Is ISO 27005 a good methodology to model risk of harm to customers?
The value of information assets in ISO / IEC 27005 based Risk Assessments is determined based on the organization, and not with a focus on the risk of harm to the customer. That can be seen in the definition of impact in the ISO norm:
adverse change to the level of business objectives achieved
(ISO-IEC 27005 Information technology — Security techniques — Information security risk management - 2007)
Risks are modeled from the perspective of the business and its objectives here. Now I say: it's a business objective to reduce the likelihood of harm to the consumer / customer. Do I need to redefine impact?
Of course. It's not just about impact to the business. The business is the data holder. The data holder at some point is prune to data theft. Data theft means harm to the customers. I need to have this in my risk context at least.
But ISO 27005 defines Context Establishment with the following risk assessment process input:
Input: All information about the organization relevant to the information security risk management context establishment.
Summary: In ISO 27005 it's "about the organization". Is that a good methodology for data-privacy and to handle mandatory breach disclosure laws? To introduce a process based re-evaluation of the likelihood of harm to information security risk management? As a method to rate the quality of evidence. In my opinion the answer to all these questions is: No, in the raw form of the norm, if you go by the book.
But using ISO 27005 is promising, and in my experience it's extremely common to encounter variations. For example in the context of ISO 31000.
Threat modeling with the "likelihood of harm" in mind
- What are the possible ways for a consumer to be a victim of identity theft, due to a breach?
- What do the attackers need to do? Do they need to crack salted SHA256 hashes or is it just MD5?
- How many records do they have to go through to render the stolen records data, which can be used to re-identify a consumer? Is one enough?
I think changes to data-privacy regulation motivate to incorporate the risk of harm to the consumer into Risk Assessment processes. GDPR, HIPAA and GLBA point into this direction in 2017.
If we start to incorporate the risk of harm it's easier to determine what to do in case of a data-breach and to develop profound Incident Response guidelines.
Risk Assessments are used to make changes to the security strategy. They affect how policies and guidelines are designed and implemented. But ISO 270005 as a common Risk Assessment norm needs to be adapted to include a consumer / customer perspective with this risk of harm in mind. Identity theft or privacy violations are issues data holders need to assess from the consumer / customer perspective as well.