Data Security Begins With You

Data Security Begins With You - Amazon S3… · Data Security Begins With You. Chris Beresford, Executive Director, British Columbia Maintenance Enforcement and Locate Services


Page 1:

Data Security Begins With You

Page 2:

Presented by:

Chris Beresford
Executive Director, British Columbia Maintenance Enforcement and Locate Services

Erin McDaniel
Performance, Budget, and Statistics Manager, Oregon Department of Justice, Division of Child Support

Page 3:

Overview

• What are we afraid of? Data security isn’t such a big deal!
  - Why data security is important
  - How information is compromised today
  - Common concerns

• The Regulations - When it comes to protecting data, everyone has an opinion…
  - Governing regulations at national and local levels

• Working for Security, Discussion on “Better” practices
  - Privacy practices from Canada and Oregon
  - Ways to reduce concern

Page 4:

What are we afraid of?

Page 5:

Child Support Regulated Data

In the Child Support Program, most data we access is regulated in some manner.

– Personally Identifiable Information (PII)

– Child Support Confidential Information

– Federal Tax Information (FTI)

– Automated Clearing House (ACH) information

– Criminal Justice Information (CJIS) and Law Enforcement Data (LEDS)

Page 6:

It’s just a little bit of info…

• Much (not all) of the data that child support maintains is publicly obtainable one piece at a time from different public sources.

• Staff and partners can sometimes use this as an excuse. They hesitate to enforce strict security practices like encryption and authentication.

• All of the varied data collected in a child support file makes our records more valuable to thieves. Less work for more information.

Page 7:

Causing a whole lot of damage

Page 8:

Incidents happen, and worry us all

Page 9:

The Regulations

Page 10:

USA Federal Regulations

• Internal Revenue Service (IRS) Publication 1075 – Tax information security guidelines for federal, state, and local agencies

• The Office of Child Support Enforcement, State Child Support Agency Security Agreement – National standard for security, designed to protect Federal Parent Locator Service data and other confidential child support program information

Page 11:

USA Federal Regulations

• National Institute of Standards and Technology (NIST) Requirements 800-53 Rev 4 – National standard for security and privacy controls for U.S. federal information systems and organizations

• Health Insurance Portability and Accountability Act (HIPAA) – National standard for the protection of personal health information

Page 12:

Oregon Regulations

• Oregon Consumer Theft Protection Act (ORS 646A.600 to 646A.628)
  – Notification of security breach to individuals
  – Notification to consumer reporting agencies

• Oregon Information Systems Security (ORS 182.122 & 182.124)
  – Sets expectation for state agency information security
  – Outlines required security policies and practices

Page 13:

Canada/BC laws and rules

• Legislative regime in Canada similar to USA:
  • Federal laws and rules for “federal” data
  • Provincial (and territorial) laws and rules for “provincial” data

• Practically…
  • Data becomes the responsibility of the holder

Page 14:

Canada/BC laws and rules

• Federal privacy and disclosure laws apply to income tax and other information from the Government of Canada

• Generally speaking:
  • Can be used for consistent purposes

Page 15:

Canada/BC laws and rules

• Most provincial privacy and disclosure laws are similar:
  • Can be used for consistent purposes;
  • Can be accessed by the individual;
  • Reasons for collection are defined;
  • Disclosure is subject to rules and process.

Page 16:

Canada/BC

Our challenge:

• We want everyone else’s information

• We don’t want to have to disclose it (except for enforcement purposes)

Page 17:

Canada/BC

Our solution:

• Legislative authority to obtain everyone else’s information

• Legislative authority that we don’t have to disclose it (except for enforcement purposes)

But it’s not always that easy…

Page 18:

A brief Canadian history

Collecting:

• A brief history of phones, paper, fax machines, going through databases, recording things, and automated data-matching applications…

• Our data providers are collecting less personal data…

Page 19:

International Standards

• International Organization for Standardization (ISO)

ISO 27001 - Information security – ISO is an independent, non-governmental international organization with a membership of 163 national standards bodies. Founded in 1947, the organization promotes worldwide proprietary, industrial, and commercial standards, and provides leading practice on information security management for implementing or maintaining information security systems.

Page 20:

Working for Security

Page 21:

Context

Protecting and sharing:

• Where is it stored (a very brief history of the Patriot Act)

• How it is purposely shared

• How it is accidentally shared

Page 22:

Start with the foundation

• Create and maintain a culture of security

– Develop business practices (like wearing picture badges or locking computers) that define the security culture of your agency

– Prohibit staff from piggybacking into secure work areas

– Remind staff of the expectations with computer warning banners and office signage

Page 23:

Create a secure work area

– Maintain secured areas to store regulated data:

• Secure mail rooms and file rooms

• Locking cabinets

– Establish clean desk guidelines

– Assign and monitor keys and combos that allow access to regulated data

• Clean work areas provide a second layer of security

Polk County

Page 24:

Provide training that is relevant

– Start training from day one

– Require it before any work commences and annually thereafter

– Ensure staff understand the types of regulated data and the risks if released

– Provide role-based training that ensures everyone, no matter the complexity of their work, has the training they need to protect our customers

Page 25:

Role-based training in Oregon

• Regulated Data Overview (all)

• Child Support Confidentiality (all)

• Safeguarding Automated Clearing House Information

• Federal Tax Information

– FTI Overview (all)

– Daily Work Exposure

– Enhanced Exposure

– Information Systems Development

• Incident Response

– Staff

– Managers

– Contractors & Vendors

Page 26:

Secure Portable Electronic

• Agency owned devices

• Password protection

• Encryption

• Two-factor authentication

• Remote wipe

• Locking storage devices

Page 27:

Transport securely via postal mail

• Redact confidential information whenever possible

• Use double envelopes in transit – including when sending to other agency offices

• Clearly label confidential information

Page 28:

Encrypt electronic information

• Redact confidential information whenever possible

• Use encrypted email

• Send images or other case documents in encrypted password protected attachments

• Send passwords in separate encrypted messages

Page 29:

The Golden Rule

• Create an environment you would use to secure your own personal information

• When sharing files, send and receive with that same care

• Make an environment of information security your first priority

Page 30:

In Conclusion

So what have we learned?

• Allowed activities may still be high risk

• The biggest threat is often human error

• Come into the web (said the spider to the fly…)

• System-to-system sharing may be better than person-to-person, but it costs money and takes time

Page 31:

Questions?

Page 32:

Chris Beresford Executive Director, British Columbia Maintenance Enforcement and Locate Services [email protected]

Erin McDaniel Performance, Budget, and Statistics Manager Oregon Department of Justice, Division of Child Support [email protected]