ePrivacy Directive: EU to tighten up on Data Breach Notifications

You may be aware that the EU recently put into force the updated ePrivacy Directive (2002/58/EC).  As of May 2011, the use of cookies to track website visitor information is now strictly prohibited.  Cookies which were previously used to track visitor behaviour and personal details may now only be used with the express permission of the visitor. Interesting website based outside of the EU, do not have to operate with the same constraints.  The enforcement and technical implementation of the directive may take some time to filter through to every cookie using site on the web, and penalties for not doing so are yet to be seen.

Work continues on the ePrivacy Directive in the coming months. One InfoSec concept which the EU are looking to tighten up control of through the directive is “disclosure”.  Whereas in the past, companies or organisations may have been a little shy about publicising their information security breaches, it’s soon going to be come a strictly enforced legal requirement to do so. Under the ePrivacy Directive disclosure requirements will be covered under Data Breach Notification rules.  A public consultation is currently underway and is sue to conclude in September:

ePrivacy Consultation

The consultation will cover the mechanisms for categorising. assessing and reporting breaches.

The hacker groups Anonymous and Lulzsec have made a mockery of the security controls of some major organisations in recent months.  Data loss and it’s prevention continues to be a major challenge for infromation security managers.  It’s time for organisations of all sizes to get serious about InfoSec, and this legislation could help push for that.

Data Loss Prevention – Content Awareness: Human vs Computer Classification

Data Loss Prevention (DLP) is a newer area of information security and assurance  which has arrived in recent years.  There are a host of software products, controls and solutions which have found there way onto the market to help facilitate DLP, whether those losses be malicious or inadvertent.  This market seems fledgling but is maturing as time goes on.  People are just starting to understand the effects of losing data, most of which is lost by mistake. Around 77% of data loss is “inadvertent” and unintended. Basically, people make mistakes. A much lower percentage of data loss is malicious.  Compliance seems to be a major driver for the implementation of the solutions and many key security players are positioning DLP as a core element of ongoing strategy.  The question I have is, at this stage is are we ready to effectively apply AI(Artificial Intelligence) based systems, where the intended objective is for those AI systems to scan, analyse and more important classify information as sensitive or unimportant?

The DLP market does seem to be a slow starter with a very small percentage of companies intending to deploy, with a further fraction of that minority actually having a deployed system.  The bulk of these solutions are what Gartner terms “content aware”.  They generally monitor network/email traffic and at the same time deploy agents which can scan internal network resources (file shares, etc) for sensitive data which is available where it shouldn’t be.  The idea is, that when sensitive information is located, it should be either removed, quarantined, blocked in transit or authorised to remain in place or be distributed.  The problem is, that while it is easy enough to recognize information like credit card numbers, it becomes exponentially more difficult for these systems to understand more qualitative content. Qualitative content (e.g. information that is expressed in verbose literal wording and not distinctive formats or patterns) is difficult for an AI system match up against a particular pattern or template for it to effectively classify the information.  Examples of this type of information may include, a new product idea for an investment bank, a ground breaking formula for a new medicine in a pharmaceutical company or perhaps even a world cup winning team strategy for a national football team.  Information of this nature is usually specific on a company-by-company basis and also a case-by-case basis. One sports team strategy may not look anything like another.

 It is for this reason, the term “False Positive” is becoming widely used in the market and anyone who’s worked with DLP systems (or tried to deploy one) will Continue reading