CIS 438 Case Study 2 Data Breaches and Regulatory Requirements

Strayer Information Security Legal Issues Case Study 2: Data Breaches and Regulatory Requirements
Due Week 6 and worth 100 points
9 pages, 1801 Words
The National Institute of Standards and Technology (NIST) provides an extensive amount of information, resources, and guidance on IT and information security topics. The Federal Information Security Management Act (FISMA) provides standards and guidelines for establishing information security within federal systems. However, there have been, and continue to be, numerous security incidents, including data breaches, within federal systems. Review the information about FISMA on the NIST website and review the information about data breaches within government systems.
Select one of the data breaches mentioned to conduct a case analysis, or select another based on your research, and research more details about that incident to complete the following assignment requirements.
Write a three to five page paper on your selected case in which you:
1. Describe the data breach incident and the primary causes of the data breach.
2. Analyze how the data breach could have been prevented with better adherence to and compliance with regulatory requirements and guidelines, including management controls; include an explanation of the regulatory requirement (such as from FISMA, HIPAA, or others).
3. Assess if there are deficiencies in the regulatory requirements and whether they need to be changed, and how they need to be changed, to mitigate further data breach incidents.


Discussion one:

Describe the main elements of data breach notification laws.
Discuss the importance of breach notification for credit card
information, as it relates to PCI-DSS.
The foundation of data breach notification laws is the definition of personal
information, the unauthorized acquisition of which may trigger the notification
provisions. Personal information typically includes a combination of a person's
name, address or phone number linked with: a) a social security number, b) a
driver's license or other state identification number, or c) account numbers
along with any security code or password required to access the account.
Another key factor is the definition of what constitutes a security breach.
Unauthorized acquisition of personal information almost certainly qualifies. In
some states, a reasonable belief of unauthorized access also qualifies.
Notification to consumer reporting agencies is also commonly required under
certain circumstances.
Data breach laws also address the timing of notification. When notification is
required, it must be given as soon as possible. Reasonable delay is permitted
insofar as necessary to investigate and restore the integrity of the system that
was breached.

Currently, 46 states, the District of Columbia, Guam, Puerto Rico, and the
Virgin Islands have notification requirements for breaches of “personal
information.” The only four states without a data breach notification law are
Alabama, Kentucky, New Mexico, and South Dakota.
While most state notification statutes have similar elements, there are
important differences. In many cases, a one-size-fits-all approach to notification
will not suffice, particularly since states amend their laws over time. This article
highlights a number of variations in data breach notification laws across states
and the problems they present for companies with customers in multiple states,
making clear the need for companies to maintain a comprehensive and
regularly updated data breach response plan.
In the absence of a universally applicable federal law on the subject, varied
state data breach notification laws create a complicated patchwork of
requirements. As states amend their laws, the landscape continues to shift.
Companies that do business in multiple jurisdictions are at significant risk of
failing to comply with one or more state notification statutes should a breach
occur.

Describe the concept of a safe harbor and how that impacts an
organization when developing its security methods. Determine if
breach notification laws should define a minimum level of
encryption to qualify for safe harbor and describe why or why not.
Safe harbor provides members protection from Visa fines in the event its
merchant or service provider experiences a data compromise. To attain safe
harbor status:
1. A member, merchant, or service provider must maintain full compliance at
all times, including at the time of breach as demonstrated during a forensic
investigation.
2. A member must demonstrate that prior to the compromise their merchant
had already met the compliance validation requirements, demonstrating full
compliance.
3. It is important to note that the submission of compliance validation
documentation, in and of itself, does not provide the member safe harbor status.
The entity must have adhered to all the requirements at the time of the
compromise.

To effectively impose PCI DSS principles, the desire to prevent data breaches
must be balanced with the significant costs of prevention and the financial
limitations of companies. To accomplish such balance, this Note proposes that a
new data breach prevention statute should provide compliant businesses a safe
harbor from any increased liability. The question, therefore, is what businesses
must do to qualify for the safe harbor. Instead of an absolute standard to reach
the safe harbor, state legislatures should adopt a tiered system of requirements,
holding businesses with more personal data to higher security requirements
and merchants with less personal data to more minimal measures.

Safe Harbor clauses – encryption OR an appropriate certification under PCI
DSS within the past 12 months! This is in stark contrast to the situations where
organizations that suffered data breaches were found to not be in compliance ‘at
that moment’, and therefore paid associated fines.

There are numerous perks of employing data encryption in a business as it
provides protection in case there is information breach. Not only is it
convenient, but also guarantees peace of mind knowing that your data is
secure. You should always strive to employ reliable security measures to
prevent data breach or loss of important information. Encryption solutions
enable companies to operate efficiently while vital data is secured.

Discussion two:

Organizations often have to address the issue of IP ownership. This
can apply to potential conflicts of ownership between the
organization and individuals, or between organizations and
contractors.
Assess the potential issues associated with IP ownership in
organizations today.
Intellectual property (IP) is an intangible creation of the human mind, usually
expressed or translated into a tangible form, that is assigned certain rights of
property. Examples of intellectual property include an author’s copyright on a
book or article, a distinctive logo design representing a soft drink company and
its products, unique design elements of a web site, or a patent on a particular
process to, for example, manufacture chewing gum.
http://definitions.uslegal.com/i/intellectual-property/
The four areas covered by intellectual property are patents, copyrights,
trademarks and trade secrets.
Issues associated with IP ownership:
1. Theft
2. Copyright infringement
3. The US patent office takes approximately 35 months or longer to “prosecute” the
application.
4. Patents obtained in the US are not acknowledged in foreign countries.
5. Patent applications in foreign countries are based on “first to file”, which
means someone could patent your invention in a foreign country before your
patent in the US is approved.
6. Trademark infringement, which is a violation of a person’s trademark rights.
Grama, J. L. (2011). Legal Issues in Information Security. Jones and Bartlett.
Suggest the factors organizations should consider when
determining the ownership of IP and including IP ownership
clauses in contracts.
1. Definitely include IP ownership clauses in contracts.
2. Employment agreements: Employees should be aware of and acknowledge
receipt of documentation pertaining to intellectual property.
Below is from where I work:
Subject: Rights to Intellectual Property resulting from work performed by or for
XXX under contract
It is essential that XXX obtains appropriate rights to any intellectual property,
such as patents, copyrights, mask works, trade secrets and/or confidential
information, resulting from services, research and/or development work
performed under contract by or for XXX.
Any such work shall be performed under a written agreement in accordance
with these instructions. The general manager of each operating unit or the
responsible manager(s) shall ensure that procedures have been established for
the review and approval of proposals and the negotiations of such agreement.
Appropriate provisions for any such agreement will be provided by the
responsible IP Law Department. Any such agreement must receive the prior
approval of the responsible General Legal and IP Law Departments, and in the
circumstances specified below, Intellectual Property & licensing. All patent
licenses and patent assignment agreements