Data Loss Prevention Data and the Law

This is a legal question. DLP solutions will collect data such as state, HIPAA, PCI, bank routing numbers, etc. I was told that one is REQUIRED to have the compliance model of anything you collect. This seems wrong. There is storage of data. There is transmission of data within the DLP system, but it seems that just monitoring for possible data means you are bound by it - that it is better to put your head in the sand and not know about it. It seems wrong to me to take this approach, but I have little legal background to argue this. The amount of data (hopefully) would be very low. Such instances are not used in transactions (hopefully). It just sits in the DLP system. Thoughts are appreciated.
awakenings Asked:
awakenings (Author) Commented:
Oh... Reference sources are appreciated!
0
Steven Carnahan (Network Manager) Commented:
Data Loss Prevention (DLP) is also known as Data Leak Prevention.

GLBA, HIPAA and others are government regulations dealing with the protection of non-public information to assist in preventing identity theft as well as other potential issues.

There are heavy fines and possible incarceration imposed for non-compliance.

HIPAA:   https://www.truevault.com/blog/what-is-the-penalty-for-a-hipaa-violation.html
GLBA:    http://communications-media.lawyers.com/privacy-law/gramm-leach-bliley-act-and-financial-privacy.html
0
awakenings (Author) Commented:
Thank you. I know there are fines for non-compliance. The question is whether or not using DLP and capturing one or two instances denotes a requirement to meet the whole set of compliances.
0

Steven Carnahan (Network Manager) Commented:
Not knowing what field you work in or what size the organization is, it is difficult to answer that question. Working in the financial industry, we are required by law to comply. The federal government audits us for this compliance on a regular basis. I also have family that works in the medical field and they are closely monitored for compliance as well.

Basically speaking, the cost of implementing DLP protection is minimal compared to what can happen if one instance of a "leak" were sent to the legal system. With the potential for both criminal (the government) and civil (the party whose information was leaked) suits, you could be out millions and perhaps spend years in jail, not to mention the business could be shut down, causing loss of income.

There are many companies that provide this service at a reasonable cost.

Trend Micro
Symantec
SafeNet
Sophos

to name a few of the more well known names.

If you are protecting your systems with virus/malware/spyware software (which I hope you are), don't you think spending a little more to help protect your customers is worth your peace of mind as well as your customers'?

It is surprising how often, and by what means, data leaks can occur. Cisco has a nice article:

http://www.cisco.com/c/en/us/solutions/collateral/enterprise-networks/data-loss-prevention/white_paper_c11-499060.html
0
awakenings (Author) Commented:
Anyone else?
0
awakenings (Author) Commented:
Anyone else?
0
awakenings (Author) Commented:
Anyone else?
0
Rich Rumble (Security Samurai) Commented:
DLP is an authorized system that you employ to better secure and/or understand your network. As long as AUTHORIZED personnel are the only ones possibly looking at the data, it's OK in the eyes of the law. DLP is in fact encouraged (page 31: http://csrc.nist.gov/publications/nistpubs/800-122/sp800-122.pdf):
Information System Monitoring (SI-4).  
Organizations can employ automated tools to monitor PII internally or at network boundaries for unusual or suspicious transfers or events. An example is the use of data loss prevention technologies.
page 3 question 19: http://www.hhs.gov/sites/default/files/pia/os-eas.pdf
Discovery is never out of the question, but revealing that data to the unauthorized is. So perhaps your network admins should have no rights to view, but can still administer the DLP. I've used many and most have or had this ability for a very long time.
-rich
0
awakenings (Author) Commented:
Rich,

I know DLP is encouraged and I understand the separation of duties angle (and authorization), but this is what I was told:

1. If you happen upon 1 piece of ePHI, you must now follow ALL of the HIPAA regulations.
2. If you find one credit card, you must follow all of PCI.
3. If you find one PII, you must follow all of the privacy regulations.
Etc.

That starts to become absurd to me. You could have someone who put their health information out to a web site (on a personal level) when they shouldn't, and then we have to follow all of the PHI regulations. That seems a bit much to me. One might inform the person they should not do something like that, but to say that a non-PHI organization must now follow all the HIPAA regulations seems silly. The same holds true for credit cards if an organization does not follow PCI or take credit cards in any other context. It was just someone buying something on Amazon (for example). There has to be a way to be more reasonable about this, but I am not sure where to draw the line.

Thoughts?
0
Rich Rumble (Security Samurai) Commented:
There is, and it's not as you've been told. PCI applies to companies or organizations that store CC + user data. A company can take a CC over the phone and not be obligated by PCI if it's not stored or written down electronically. Ironically, you can take CC impressions (remember those carbon paper slidy things?) and you are not bound by PCI if you shred them after you're done using them and if they were stored in a locked location, such as a filing cabinet or cash drawer. PCI DSS SAQs are available to help merchants understand such questions: https://www.pcisecuritystandards.org/merchants/self_assessment_form.php
PCI is mostly concerned with PIN, PAN and user data. If you store those, then you are probably bound to be PCI compliant. If you encounter someone's CC you are not bound by PCI; that is happenstance, and what you do when you encounter that is up to you and/or your company. If your company stores that data deliberately, then it should be protected and PCI compliance should be achieved.
If you encounter PII data, such as patient records, those too are happenstance and it's up to you to report or what have you. If you work at a datacenter, and you are a DC employee, and you find HIPAA data in the network during maintenance or by happenstance, your DC does not have to be HIPAA compliant, but the colocated persons should probably do a better job of protecting the data.
Think about it: if you find a Top Secret document, you don't have to become a FED...
Amazon is bound to several laws and regulations, among them SOX (publicly traded company) and PCI (they hold your CC data). That doesn't make AWS PCI compliant: http://aws.amazon.com/compliance/pci-dss-level-1-faqs/ If Amazon finds CC data in your AWS they aren't likely to do anything about it; it could be fake or test data, and there is no place to really report it to except back to you... If you want to store patient data in AWS, you can, as long as your controls pass the HIPAA audit, even though AWS is not itself HIPAA certified. It wouldn't be an easy audit to pass, but it can be done.
-rich
0
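Both of Rich's answers turn on the same point: a DLP monitor watches boundaries for PAN/PII in transit (the NIST SI-4 text quoted above), and what makes a system "store cardholder data" is what it deliberately retains. The following Python scanner is an added illustration, not code from this thread or from any product named in it, of a monitor that detects card numbers but keeps only a masked form and a keyed hash, so the DLP console never holds a full PAN and an administrator can triage findings without viewing cardholder data. The sample messages, the message IDs, and the HMAC key are constructed for the example.

```python
import hashlib
import hmac
import re
from dataclasses import dataclass
from typing import Dict, List

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or
# dashes, not embedded in a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed key for the example; a real deployment would keep this in the
# DLP system's key store, not in source.
DEMO_KEY = b"constructed-demo-key-not-for-production"

# Constructed sample traffic. 1234567890123456 is an order number that happens
# to be 16 digits; 4111 1111 1111 1111 is the widely used Visa test number;
# ...1112 is one digit off and fails the checksum.
SAMPLE_MESSAGES: Dict[str, str] = {
    "mail-001": "Order #1234567890123456 shipped today.",
    "mail-002": "Card on file: 4111 1111 1111 1111, exp 12/29",
    "mail-003": "Use 4111-1111-1111-1112 instead",
    "chat-004": "my card is 4111111111111111 again",
}


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: doubles every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep first six and last four, the display form PCI DSS permits."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


@dataclass(frozen=True)
class Finding:
    source: str   # where the match was seen (message id, flow id, ...)
    rule: str     # which policy fired
    masked: str   # masked PAN, safe to show in the console
    token: str    # keyed hash of the PAN: lets repeat leaks of the same card
                  # be correlated without the PAN itself being retained


def scan_text(source: str, text: str, key: bytes) -> List[Finding]:
    """Return findings for one message; the raw PAN is never stored."""
    findings: List[Finding] = []
    for match in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group(0))
        if not luhn_valid(digits):
            continue  # order numbers, tracking ids etc. fail the checksum
        token = hmac.new(key, digits.encode(), hashlib.sha256).hexdigest()[:16]
        findings.append(Finding(source, "PCI-PAN", mask_pan(digits), token))
    return findings


def scan_all(messages: Dict[str, str], key: bytes) -> List[Finding]:
    """Scan a batch of messages and collect every finding."""
    results: List[Finding] = []
    for source, text in messages.items():
        results.extend(scan_text(source, text, key))
    return results


if __name__ == "__main__":
    for f in scan_all(SAMPLE_MESSAGES, DEMO_KEY):
        print(f"{f.source}: {f.rule} {f.masked} token={f.token}")
```

Of the four constructed messages only two produce findings, and both carry the same token, so an analyst can see that one card has been sent twice without either record containing the number. Whether a monitor built this way pulls the organisation into PCI DSS scope is still the legal question the thread is about; what the design shows is that the monitoring function does not require retaining the data it is looking for.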
Steven Carnahan (Network Manager) Commented:
Rich is correct.

DLP is simply a tool to help prevent unwanted information from getting sent out of your organization. Just having DLP does not even mean that you are HIPAA or SOX compliant. It can be used to prevent corporate espionage or to guard just about any other type of information you don't want being sent out of the organization.

While those organizations certainly suggest/require that you have DLP if you work in a field that they govern, it does not mean that DLP is strictly tied to those fields.

Let's say I am an inventor and want to work with a manufacturing company. I may want that manufacturing company to provide DLP so that information about my inventions doesn't fall into the hands of someone that may use that information to "beat me to market" or obtain a patent before I do.

Just showing how DLP might be cost justified. Perhaps read what SANS has to say: http://www.sans.org/reading-room/whitepapers/dlp/data-loss-prevention-32883
0
awakenings (Author) Commented:
Rich and Pony10us, those are the answers I was looking for. The answer I heard before was just crazy and did not make sense to me. I appreciate the extra effort and citing sources I can take back to management.
0