Building an Information Security Awareness Program: Defending Against Social Engineering and Technical Threats, First Edition (2014)
Bill Gardner, Marshall University, Huntington, WV, USA
Appendix A: Government Resources
NIST Special Publication 800-16
NIST Special Publication 800-16 Appendix A-D
NIST Special Publication 800-16 Appendix E
Statement of Work Computer Security Awareness and Training: April 2000
NIST Special Publication 800-50: Building an Information Technology Security Awareness and Training Program
US Department of Health and Human Services: Security Awareness and Training
National Initiative For Cybersecurity Careers and Studies
NIH Information Security Awareness Course
National Cyber Security Awareness Month
Cyber Security Tips: US-CERT
Cyber Security Alerts: US-CERT
Information Security Awareness Training for Texas
Florida Department of Children and Families
Information Security Awareness Training Family Educational Rights and Privacy Act (FERPA)
Appendix B: Security Awareness Tips
Appendix C: Sample Policies
SANS: Information Security Policy Templates
Open-Source Security Awareness Training Resources
Security Awareness Training Framework (SATF) http://www.satframework.org/
Appendix D: Commercial Security Awareness Training Resources
SANS: Securing The Human
The Security Awareness Company
Kevin Mitnick Security Awareness Training: KnowBe4
The Roer Group: The Security Culture Company
Appendix E: Other Web Resources and Links
SANS: The Importance of Security Awareness Training
Schneier on Security: Security Awareness Training
Building a Security Awareness Program: CyberGuard
Security Awareness Toolbox: The Information Warfare Site
SANS Reading Room: Security Awareness Section
Security Awareness Posters
Cyber Security Awareness Challenge 2.0
Appendix F: Technical Tools That Can Be Used to Test Security Awareness Programs
Appendix G: The Security Awareness Training Framework
About the Security Awareness Training Framework
The Security Awareness Training Framework (“SATF”) is a cross-disciplinary program that seeks to provide the guiding principles to establish a common practice for creating and using components within the security awareness domain hierarchy. The SATF seeks to redefine the failed approaches to security awareness by producing a reusable, community-driven, technology-agnostic, and vendor-neutral approach to educating the widest base of stakeholders possible, regardless of role, learning style, experience, or personality type. The SATF mission is to focus solely on the context of security awareness and provide aligned stakeholders and content providers a reusable and standard schema to produce the appropriate content, at the appropriate time, and to the appropriate audience.
The SATF will focus on a series of initial deliverables, against which success and failure will be measured and adjustments made as necessary. The following items are considered to be core deliverables of the SATF program:
A series of vendor-agnostic “how-to guides” based on community-driven research and best practices that will assist interested stakeholders in shaping a security awareness campaign for their organization.
A formal taxonomy of security awareness topics, arranged in a multitier tree structure.
A formal taxonomy of stakeholder roles and occupations, arranged in a multitier tree structure.
A formal taxonomy of the regulations and legislation by which security awareness activities are affected, arranged in a multitier tree structure.
A formal taxonomy of learning styles and learning models, arranged in a multitier tree structure.
A formal taxonomy of personality types and personality models, arranged in a multitier tree structure.
A Document Type Definition (DTD) that defines the legal building blocks and hierarchy of an XML or similar markup document for describing and consuming security awareness entities and attributes. The SATF DTD will allow content providers to consume the research of the SATF, identify the characteristics of the specific consumer(s) needing security awareness, and produce content that aligns with the SATF through a consistent and personalized experience.
An algorithm or other methodology to produce a unique permutation from the dimensions of the taxonomies by which security awareness activities will be personalized and delivered.
A series of standardized metrics that reach beyond the current state of security awareness metrics to provide a closed-loop system at various levels of a hierarchy to measure consistently the effectiveness of the security awareness activities and campaigns.
An end user browsable, community-driven wiki site that provides the core components and aspects of security awareness activities within the security awareness domain.
Components and Subteams
To effectively manage the large scope of the effort, subteams and committees will need to be established. Participants may join as many subteams as they wish; however, it is generally recommended to commit to no more than two (2) subteams at any given time. Members of subteams are generally expected to attend the majority of the subteam functions, except where extenuating circumstances occasionally prevent participation. Each subteam should nominate one or more members to participate in the general steering meetings, where information is shared among all of the teams.
The following subteams are being proposed to achieve the program deliverables and should be considered fluid as needs dictate:
Taxonomy/classification team
Documentation/artifact team
Research/outreach team
Communications/social media team
The taxonomy/classification team will be primarily responsible for establishing the classification of security awareness entities into an ordered system that indicates natural relationships. Borrowed primarily from biology, a taxonomy allows an entity to be classified consistently, which eases communication between two or more parties. The following taxonomies have been identified in the program charter deliverables:
Security awareness topics (e.g., phishing, pharming, and tailgating)
Stakeholder roles and occupations (e.g., teacher, accountant, and grandmother)
Legal, regulatory, and legislative objectives (e.g., PCI DSS, HIPAA, and SOX)
Learning models and styles (Kolb's, VAK/VARK, and Honey and Mumford's)
Personality models and styles (Big Five, Myers–Briggs, and DISC)
The documentation/artifact team plays a key role in authoring, formatting, and delivering documentation on behalf of the SATF. As part of the program deliverables, the documentation/artifact team will author the how-to guides, white papers, and other artifacts central to the scope of the SATF program.
The research/outreach team plays a dual role on behalf of the SATF. First, the research team is chartered with searching for and collecting artifacts related to security awareness from around the Internet and through scholarly literature. Second, the outreach team is chartered with using the information gathered through research and presenting documentation as part of the overall SATF message. The end goal is to rally support for the SATF through factual dissemination of information through various in-person delivery channels.
Communications/Social Media Team
The communications/social media team is largely responsible for evangelizing the SATF through social media outlets including Facebook, Twitter, and Reddit. By actively engaging in dialog in alignment with the SATF goals, the mission of the SATF is reinforced through virtual channels and online presence.
The History of The Security Awareness Training Framework
The Security Awareness Training Framework officially began during the inaugural DerbyCon conference in 2011. Boris Sverdlik (@jadedsecurity) was presenting “Your Perimeter Sucks” to a packed auditorium of security practitioners.
As is the case in many security presentations, the importance of security awareness and end user training was discussed. However, rather than the typical nod and agreement to the statements, a light bulb went off, causing KC Yerrid (@K0nsp1racy) to ask Boris and the audience on how to fix security awareness training. A brief discussion ensued, and Boris challenged KC to fill the gap. KC accepted, and the Security Awareness Training Framework was born.
Over the course of the next couple of months, a handful of practitioners gathered to take this impulsive project and really define the parameters of the effort. On 3 November 2011, Bill Brenner (@BillBrenner70), managing editor of CSO magazine, published a news article about our project, its mission, and goals. The concept was widely accepted and well received, giving credence to the mission of the project.
Throughout 2012, many members have participated in and contributed to the project. Despite the temptation to evangelize the project at security conferences, the core group decided to hold off until DerbyCon 2012 for our first official presentation of our work to date. At DerbyCon, we set our sights very high in presenting what we have been up to for the past 12 calendar months, setting the vision and truly launching this ambitious program into an organic growth opportunity for its members and beneficiaries. We look forward to driving this program forward and hope that people of all walks and experience levels will latch on and help us bring the initiative to fruition.
The Mission of the Security Awareness Training Framework
The mission of the Security Awareness Training Framework (SATF) revolves around the following themes: Primarily, the SATF seeks to create a free and open-source framework that can be used and advanced by practitioners and stakeholders responsible for the information security of sensitive data. We believe this will occur if we can successfully complete three primary goals:
We want to define the components necessary to deliver an effective security awareness program, including scenarios for specialized functions such as developer training and home user education.
We want to study and leverage the delivery mechanisms and various learning styles of individuals to maximize effectiveness of information security awareness.
We want to develop feedback mechanisms and establish candidate metrics to measure the effectiveness of security awareness programs at various levels of granularity.
In order to gain an understanding of these three goals, let's take a look and dissect each of them individually:
Define the Components
If one looks across the spectrum, there are companies in the business of delivering information security awareness content to organizations and people. However, even in the best case, the content is typically delivered according to the 80/20 rule: about 80% of the content will be on target to a certain extent, and about 20% will be extraneous or not applicable to the audience member. The content is stale and/or presented annually to satisfy an external party. While we are not trying to criticize these companies, we feel that if we clearly separate the need to watch profit margins from the task of determining how to maximize the types of content that should be delivered, the end result is a win–win solution for both the trainer and the trainee. This project does not include any provisions that would result in a conflict of interest by offering and/or endorsing a product solution that would benefit the project at large.
It is a big initiative, and those that have participated realize the magnitude and the scope of our efforts. To effectively deliver on this project's mission, the project participants need to define what combination of topics is appropriate for people in all geographic areas, of all types, and with all roles and responsibilities for information security. Examples of questions that we seek to answer are as follows:
What does a home computer user need to know about securing their wireless networks?
Does an accountant in the US automobile industry need to know about PCI DSS?
What should an elementary school teacher be teaching his or her 3rd grade classroom?
Understand How People Learn Information Security Awareness
By borrowing a page from education and academia, the Security Awareness Training Framework seeks to study how people best learn security awareness. We suspect that people have a preferred learning style; some are visual learners, while some are tactile or kinesthetic learners. There are a number of academic models that attempt to categorize learning styles. The SATF seeks to add a dimension that is often overlooked, particularly in the corporate sector: customized delivery to maximize the effectiveness of the program. Many of us have participated in training sessions, whether computer-based training or instructor-led, that made us feel bored, distracted, or not very interested in learning.
The SATF will add that specific dimension to the content that is defined by providing recommendations, materials, and empirical data to support why a one-size-fits-all training solution is inefficient. The bottom line is that if the stakeholder is engaged with applicable content that is tailored to his or her individual learning style, the chances of knowledge retention are increased significantly, while the residual risk is lowered dramatically.
Examples of some of the questions the project seeks to answer include the following:
For visual learners, what font family and size text is best for an audience of 25 people?
For kinesthetic learners, does an e-mail sent by a manager increase or decrease the chance of a successful phishing attempt?
How does voice inflection affect training efficacy?
Develop Feedback Mechanisms and Standardized Reporting Metrics
In the spirit of ensuring the Security Awareness Training Framework is a living and perpetual endeavor, the project team is seeking to define the appropriate feedback mechanisms that ensure the confidentiality and integrity of reporting on the effectiveness of the security awareness program as it is deployed via the various use cases. Historically, very few metrics have existed to accurately identify the effectiveness of a security awareness program. Our goal is to provide the clarity and transparency necessary to allow a person, a group of people, an organization, or a collective industry to measure how the framework is working over time. Based on the information collected in metrics, the stakeholders can make actionable decisions based on the effectiveness of the security awareness program. Examples of questions that we seek to answer are as follows:
Is my organization more aware of appropriate security measures than they were last month?
What percentage of targets clicked on a specific phishing message during a simulation?
How satisfied are the people with the security awareness program compared to a baseline?
In so many ways, it sometimes feels as though we are trying to boil the ocean with lofty and impossible goals. However, as the famous saying goes, the best way to eat an elephant is one bite at a time. The more people we have contributing to our program wiki, the more we can collectively accomplish. Want to get involved? Contact us!
Appendix H: Building A Security Awareness Training Program Outline
• What is security awareness training?
• Why does your organization need a security awareness program?
• Getting management buy-in
• In order to properly train users, they must first understand the threats.
Motivations of cyber criminals
Industrial espionage/trade secrets
• Costs of cleaning up after a breach (Ponemon Institute)
• Most attacks are targeted.
Targeted by application
Targeted by OS
Targeted via phishing, 0day, and ports
Targeted as an industry
• Everyone is responsible for security.
Education is key to security.
• Security awareness is the only known defense to social engineering.
Not all security breaches are the result of technical attack.
In information security, people are the weakest link.
• No tech hacking
• Insecure third-party software
P2P file sharing
• Recent examples of web attacks
• Data leakage
• Metadata awareness
• Training cycle
• Training types
• Building engaging training
Social engineering users
Social engineering management
Using Security Awareness Month
Organization-wide intensive training
Must be engaging
Measuring training effectiveness
– Help desk tickets
– Incident response
– Are users asking better questions?
• Why most security awareness programs suck
Don't engage the user.
Canned programs are the worst.
One size does not fit all.
Messages must be targeted.
Appendix I: State Security Breach Notification Laws
Alaska Stat. § 45.48.010 et seq.
Ariz. Rev. Stat. § 44-7501
Ark. Code § 4-110-101 et seq.
Cal. Civ. Code §§ 1798.29, 1798.80 et seq.
Colo. Rev. Stat. § 6-1-716
Conn. Gen. Stat. § 36a-701b
Del. Code tit. 6, § 12B-101 et seq.
Fla. Stat. § 817.5681
Ga. Code §§ 10-1-910, -911, -912; § 46-5-214
Haw. Rev. Stat. § 487N-1 et seq.
Idaho Stat. §§ 28-51-104 to -107
815 ILCS §§ 530/1 to 530/25
Ind. Code §§ 4-1-11 et seq., 24-4.9 et seq.
Iowa Code §§ 715C.1, 715C.2
Kan. Stat. § 50-7a01 et seq.
2014 H.B. 5, H.B. 232
La. Rev. Stat. § 51:3071 et seq.
Me. Rev. Stat. tit. 10 § 1347 et seq.
Md. Code Com. Law §§ 14-3501 et seq., Md. State Govt. Code §§ 10-1301 to -1308
Mass. Gen. Laws § 93H-1 et seq.
Mich. Comp. Laws §§ 445.63, 445.72
Minn. Stat. §§ 325E.61, 325E.64
Miss. Code § 75-24-29
Mo. Rev. Stat. § 407.1500
Mont. Code § 2-6-504, 30-14-1701 et seq.
Neb. Rev. Stat. §§ 87-801, -802, -803, -804, -805, -806, -807
Nev. Rev. Stat. §§ 603A.010 et seq., 242.183
N.H. Rev. Stat. §§ 359-C:19, -C:20, -C:21
N.J. Stat. § 56:8-163
N.Y. Gen. Bus. Law § 899-aa, N.Y. State Tech. Law 208
N.C. Gen. Stat. §§ 75-61, 75-65
N.D. Cent. Code § 51-30-01 et seq.
Ohio Rev. Code §§ 1347.12, 1349.19, 1349.191, 1349.192
Okla. Stat. §§ 74-3113.1, 24-161 to -166
Oregon Rev. Stat. § 646A.600 et seq.
73 Pa. Stat. § 2301 et seq.
R.I. Gen. Laws § 11-49.2-1 et seq.
S.C. Code § 39-1-90, 2013 H.B. 3248
Tenn. Code § 47-18-2107
Tex. Bus. & Com. Code §§ 521.002, 521.053, Tex. Ed. Code § 37.007(b)(5)
Utah Code §§ 13-44-101 et seq.
Vt. Stat. tit. 9 § 2430, 2435
Va. Code § 18.2-186.6, § 32.1-127.1:05
Wash. Rev. Code § 19.255.010, 42.56.590
W.V. Code §§ 46A-2A-101 et seq.
Wis. Stat. § 134.98
Wyo. Stat. § 40-12-501 et seq.
District of Columbia
D.C. Code § 28-3851 et seq.
9 GCA § 48-10 et seq.
10 Laws of Puerto Rico § 4051 et seq.
V.I. Code tit. 14, § 2208
States with no security breach law: Alabama, New Mexico, and South Dakota
Appendix J: West Virginia State Breach Notification Laws, W.V. Code §§ 46A-2A-101 et seq.
Chapter 46A. West Virginia Consumer Credit and Protection Act
Article 2a. Breach of Security of Consumer Information
As used in this article:
(1) “Breach of the security of a system” means the unauthorized access and acquisition of unencrypted and unredacted computerized data that compromises the security or confidentiality of personal information maintained by an individual or entity as part of a database of personal information regarding multiple individuals and that causes the individual or entity to reasonably believe that the breach of security has caused or will cause identity theft or other fraud to any resident of this state. Good faith acquisition of personal information by an employee or agent of an individual or entity for the purposes of the individual or the entity is not a breach of the security of the system, provided that the personal information is not used for a purpose other than a lawful purpose of the individual or entity or subject to further unauthorized disclosure.
(2) “Entity” includes corporations, business trusts, estates, partnerships, limited partnerships, limited liability partnerships, limited liability companies, associations, organizations, joint ventures, governments, governmental subdivisions, agencies, or instrumentalities, or any other legal entity, whether for profit or not for profit.
(3) “Encrypted” means transformation of data through the use of an algorithmic process into a form in which there is a low probability of assigning meaning without use of a confidential process or key or securing the information by another method that renders the data elements unreadable or unusable.
(4) “Financial institution” has the meaning given that term in Section 6809(3), US Code Title 15, as amended.
(5) “Individual” means a natural person.
(6) “Personal information” means the first name or first initial and last name linked to any one or more of the following data elements that relate to a resident of this state, when the data elements are neither encrypted nor redacted:
(A) Social Security number
(B) Driver's license number or state identification card number issued in lieu of a driver's license
(C) Financial account number, or credit card, or debit card number in combination with any required security code, access code, or password that would permit access to a resident's financial accounts.
The term does not include information that is lawfully obtained from publicly available information or from federal, state, or local government records lawfully made available to the general public.
(7) “Notice” means the following:
(A) Written notice to the postal address in the records of the individual or entity
(B) Telephonic notice
(C) Electronic notice, if the notice provided is consistent with the provisions regarding electronic records and signatures, set forth in Section 7001, US Code Title 15, Electronic Signatures in Global and National Commerce Act
(D) Substitute notice, if the individual or the entity required to provide notice demonstrates that the cost of providing notice will exceed fifty thousand dollars or that the affected class of residents to be notified exceeds one hundred thousand persons or that the individual or the entity does not have sufficient contact information or to provide notice as described in paragraph (A), (B), or (C). Substitute notice consists of any two of the following:
(i) E-mail notice if the individual or the entity has e-mail addresses for the members of the affected class of residents
(ii) Conspicuous posting of the notice on the website of the individual or the entity if the individual or the entity maintains a website
(iii) Notice to major statewide media
(8) “Redact” means alteration or truncation of data such that no more than the last four digits of a Social Security number, driver's license number, state identification card number, or account number are accessible as part of the personal information.
§46A-2A-102. Notice of breach of security of computerized personal information
(a) An individual or entity that owns or licenses computerized data that include personal information shall give notice of any breach of the security of the system following discovery or notification of the breach of the security of the system to any resident of this state whose unencrypted and unredacted personal information was or is reasonably believed to have been accessed and acquired by an unauthorized person and that causes, or the individual or entity reasonably believes has caused or will cause, identity theft or other fraud to any resident of this state. Except as provided in subsection (e) of this section or in order to take any measures necessary to determine the scope of the breach and to restore the reasonable integrity of the system, the notice shall be made without unreasonable delay.
(b) An individual or entity must give notice of the breach of the security of the system if encrypted information is accessed and acquired in an unencrypted form or if the security breach involves a person with access to the encryption key and the individual or entity reasonably believes that such breach has caused or will cause identity theft or other fraud to any resident of this state.
(c) An individual or entity that maintains computerized data that include personal information that the individual or entity does not own or license shall give notice to the owner or licensee of the information of any breach of the security of the system as soon as practicable following discovery, if the personal information was or the entity reasonably believes was accessed and acquired by an unauthorized person.
(d) The notice shall include the following:
(1) To the extent possible, a description of the categories of information that were reasonably believed to have been accessed or acquired by an unauthorized person, including Social Security numbers, driver's licenses, or state identification numbers and financial data
(2) A telephone number or website address that the individual may use to contact the entity or the agent of the entity and from whom the individual may learn the following:
(A) What types of information the entity maintained about that individual or about individuals in general
(B) Whether or not the entity maintained information about that individual
(3) The toll-free contact telephone numbers and addresses for the major credit reporting agencies and information on how to place a fraud alert or security freeze
(e) Notice required by this section may be delayed if a law enforcement agency determines and advises the individual or entity that the notice will impede a criminal or civil investigation or homeland or national security. Notice required by this section must be made without unreasonable delay after the law enforcement agency determines that notification will no longer impede the investigation or jeopardize national or homeland security.
(f) If an entity is required to notify more than one thousand persons of a breach of security pursuant to this article, the entity shall also notify, without unreasonable delay, all consumer reporting agencies that compile and maintain files on a nationwide basis, as defined by 15 U.S.C. §1681a (p), of the timing, distribution, and content of the notices. Nothing in this subsection shall be construed to require the entity to provide to the consumer reporting agency the names or other personal identifying information of breach notice recipients. This subsection shall not apply to an entity who is subject to Title V of the Gramm Leach Bliley Act, 15 U.S.C. 6801, et seq.
(g) The notice required by this section shall not be considered a debt communication as defined by the Fair Debt Collection Practice Act in 15 U.S.C. §1692a.
§46A-2A-103. Procedures deemed in compliance with security breach notice requirements
(a) An entity that maintains its own notification procedures as part of an information privacy or security policy for the treatment of personal information and that is consistent with the timing requirements of this article shall be deemed to be in compliance with the notification requirements of this article if it notifies residents of this state in accordance with its procedures in the event of a breach of security of the system.
(b) A financial institution that responds in accordance with the notification guidelines prescribed by the Federal Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice is deemed to be in compliance with this article.
(c) An entity that complies with the notification requirements or procedures pursuant to the rules, regulation, procedures, or guidelines established by the entity's primary or functional regulator shall be in compliance with this article.
(a) Except as provided by subsection (c) of this section, failure to comply with the notice provisions of this article constitutes an unfair or deceptive act or practice in violation of section one hundred four, article six, chapter forty-six-a of this code, which may be enforced by the attorney general pursuant to the enforcement provisions of this chapter.
(b) Except as provided by subsection (c) of this section, the attorney general shall have exclusive authority to bring action. No civil penalty may be assessed in an action unless the court finds that the defendant has engaged in a course of repeated and willful violations of this article. No civil penalty shall exceed one hundred fifty thousand dollars per breach of security of the system or series of breaches of a similar nature that are discovered in a single investigation.
(c) A violation of this article by a licensed financial institution shall be enforceable exclusively by the financial institution's primary functional regulator.
This article shall apply to the discovery or notification of a breach of the security of the system that occurs on or after the effective date of this article.
Appendix K: HIPAA Breach Notification Rule
The HIPAA Breach Notification Rule, 45 CFR §§ 164.400-414, requires HIPAA-covered entities and their business associates to provide notification following a breach of unsecured protected health information. Similar breach notification provisions implemented and enforced by the Federal Trade Commission (FTC) apply to vendors of personal health records and their third-party service providers, pursuant to Section 13407 of the HITECH Act.
Definition of Breach
A breach is, generally, an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of protected health information. An impermissible use or disclosure of protected health information is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that protected health information has been compromised based on a risk assessment of at least the following factors:
1. The nature and extent of protected health information involved, including the types of identifiers and the likelihood of reidentification
2. The unauthorized person who used protected health information or to whom the disclosure was made
3. Whether protected health information was actually acquired or viewed
4. The extent to which the risk to protected health information has been mitigated
Covered entities and business associates, where applicable, have discretion to provide the required breach notifications following an impermissible use or disclosure without performing a risk assessment to determine the probability that protected health information has been compromised.
There are three exceptions to the definition of “breach.” The first exception applies to the unintentional acquisition, access, or use of protected health information by a workforce member or person acting under the authority of a covered entity or business associate, if such acquisition, access, or use was made in good faith and within the scope of authority. The second exception applies to the inadvertent disclosure of protected health information by a person authorized to access protected health information at a covered entity or business associate to another person authorized to access protected health information at the covered entity or business associate or organized healthcare arrangement in which the covered entity participates. In both cases, the information cannot be further used or disclosed in a manner not permitted by the Privacy Rule. The final exception applies if the covered entity or business associate has a good faith belief that the unauthorized person to whom the impermissible disclosure was made would not have been able to retain the information.
Unsecured Protected Health Information and Guidance
Covered entities and business associates are required to provide the notifications only if the breach involved unsecured protected health information. Unsecured protected health information is protected health information that has not been rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified by the Secretary in guidance.
This guidance was first issued in April 2009 with a request for public comment. The guidance was reissued after consideration of public comment received and specifies encryption and destruction as the technologies and methodologies for rendering protected health information unusable, unreadable, or indecipherable to unauthorized individuals. Additionally, the guidance also applies to unsecured personal health record identifiable health information under the FTC regulations. Covered entities and business associates, as well as entities regulated by the FTC regulations, that secure information as specified by the guidance are relieved from providing notifications following the breach of such information.
Breach Notification Requirements
Following a breach of unsecured protected health information, covered entities must provide notification of the breach to the affected individuals, the secretary, and, in certain circumstances, the media. In addition, business associates must notify covered entities if a breach occurs at or by the business associate.
Covered entities must notify the affected individuals following the discovery of a breach of unsecured protected health information. Covered entities must provide this individual notice in written form by first-class mail or, alternatively, by e-mail if the affected individual has agreed to receive such notices electronically. If the covered entity has insufficient or out-of-date contact information for 10 or more individuals, the covered entity must provide substitute individual notice by either posting the notice on the home page of its website for at least 90 days or providing the notice in major print or broadcast media where the affected individuals likely reside. The covered entity must include a toll-free phone number that remains active for at least 90 days where individuals can learn if their information was involved in the breach. If the covered entity has insufficient or out-of-date contact information for fewer than 10 individuals, the covered entity may provide substitute notice by an alternative form of written notice, by telephone, or by other means.
These individual notifications must be provided without unreasonable delay and in no case later than 60 days following the discovery of a breach and must include, to the extent possible, a brief description of the breach; a description of the types of information that were involved in the breach; the steps affected individuals should take to protect themselves from potential harm; a brief description of what the covered entity is doing to investigate the breach, mitigate the harm, and prevent further breaches; and contact information for the covered entity (or business associate, as applicable).
With respect to a breach at or by a business associate, while the covered entity is ultimately responsible for ensuring individuals are notified, the covered entity may delegate the responsibility of providing individual notices to the business associate. Covered entities and business associates should consider which entity is in the best position to provide notice to the individual, which may depend on various circumstances, such as the functions the business associate performs on behalf of the covered entity and which entity has the relationship with the individual.
Covered entities that experience a breach affecting more than 500 residents of a state or jurisdiction are, in addition to notifying the affected individuals, required to provide notice to prominent media outlets serving the state or jurisdiction. Covered entities will likely provide this notification in the form of a press release to appropriate media outlets serving the affected area. Like individual notice, this media notification must be provided without unreasonable delay and in no case later than 60 days following the discovery of a breach and must include the same information required for the individual notice.
Notice to the Secretary
In addition to notifying affected individuals and the media (where appropriate), covered entities must notify the secretary of breaches of unsecured protected health information. Covered entities will notify the secretary by visiting the HHS website (http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/brinstruction.html) and filling out and electronically submitting a breach report form. If a breach affects 500 or more individuals, covered entities must notify the secretary without unreasonable delay and in no case later than 60 days following a breach. If, however, a breach affects fewer than 500 individuals, the covered entity may notify the secretary of such breaches on an annual basis. Reports of breaches affecting fewer than 500 individuals are due to the secretary no later than 60 days after the end of the calendar year in which the breaches are discovered.
Notification by a Business Associate
If a breach of unsecured protected health information occurs at or by a business associate, the business associate must notify the covered entity following the discovery of the breach. A business associate must provide notice to the covered entity without unreasonable delay and no later than 60 days from the discovery of the breach. To the extent possible, the business associate should provide the covered entity with the identification of each individual affected by the breach as well as any other available information required to be provided by the covered entity in its notification to affected individuals.
Administrative Requirements and Burden of Proof
Covered entities and business associates, as applicable, have the burden of demonstrating that all required notifications have been provided or that a use or disclosure of unsecured protected health information did not constitute a breach. Thus, with respect to an impermissible use or disclosure, a covered entity (or business associate) should maintain documentation that all required notifications were made or, alternatively, documentation to demonstrate that notification was not required: (1) its risk assessment demonstrating a low probability that protected health information has been compromised by the impermissible use or disclosure or (2) the application of any other exceptions to the definition of “breach.”
Covered entities are also required to comply with certain administrative requirements with respect to breach notification. For example, covered entities must have in place written policies and procedures regarding breach notification, must train employees on these policies and procedures, and must develop and apply appropriate sanctions against workforce members who do not comply with these policies and procedures.
Instructions for Submitting Notice of a Breach to the Secretary
The breach notification rule requires covered entities to provide the secretary with notice of breaches of unsecured protected health information (45 CFR 164.408). All notifications must be submitted to the secretary using the OCR submission portal below. The number of individuals affected by the breach determines when the notification must be submitted to the secretary. Please review the instructions below for submitting breach notifications.
Breaches Affecting 500 or More Individuals
If a breach affects 500 or more individuals, a covered entity must provide the secretary with notice of the breach without unreasonable delay and in no case later than 60 days from discovery of the breach. This notice must be submitted electronically by following the link below and completing all information required on the breach notification form.
If a covered entity that has submitted a breach notification form to the secretary discovers additional information to report, the covered entity may submit an additional form, checking the appropriate box to signal that it is an updated submission. If, at the time of submission of the form, it is unclear how many individuals are affected by a breach, please provide an estimate of the number of individuals affected. As this information becomes available, an additional breach report may be submitted as an addendum to the initial report.
For questions regarding the completion and submission of this form, please e-mail OCRPrivacy@hhs.gov.
Breaches Affecting Fewer than 500 Individuals
For breaches that affect fewer than 500 individuals, a covered entity must provide the secretary with notice of breaches within 60 days of the end of the calendar year in which the breaches were discovered. This notice must be submitted electronically by following the link below and completing all information required on the breach notification form. A separate form must be completed for every breach that was discovered during the calendar year.
If a covered entity that has submitted a breach notification form to the secretary discovers additional information to report, the covered entity may submit an additional form, checking the appropriate box to signal that it is an updated submission. If, at the time of submission of the form, it is unclear how many individuals are affected by a breach, please provide an estimate of the number of individuals affected. As this information becomes available, an additional breach report may be submitted as an addendum to the initial report.
For questions regarding the completion and submission of this form, please e-mail OCRPrivacy@hhs.gov.
Federal Trade Commission (FTC) Health Breach Notification Rule
Does your business or organization have a website that allows people to maintain their medical information online? Do you provide applications for personal health records—say, a device that allows people to upload readings from a blood pressure cuff or pedometer into their personal health record?
The American Recovery and Reinvestment Act of 2009 includes provisions to strengthen privacy and security protections for this new sector of web-based businesses. The law directed the Federal Trade Commission to issue a rule requiring companies to contact customers in the event of a security breach. After receiving comments from the public, the FTC issued the Health Breach Notification Rule.
Under the FTC rule, companies that have had a security breach must
1. notify everyone whose information was breached;
2. in many cases, notify the media; and
3. notify the FTC.
The FTC has designed a standard form for companies to use to notify the FTC of a breach and periodically posts a list of breaches for which it received notice under the rule. A brochure for businesses, Complying with the FTC Health Breach Notification Rule, explains who's covered by the rule and offers guidance on what to do in case of a breach. FTC enforcement began on 22 February 2010.
The FTC Health Breach Notification Rule applies only to health information that is not secured through technologies specified by the Department of Health and Human Services. Also, the FTC rule does not apply to businesses or organizations covered by the Health Insurance Portability and Accountability Act (HIPAA). In case of a security breach, entities covered by HIPAA must comply with the HHS Breach Notification Rule.
Appendix L: Complying with the FTC Health Breach Notification Rule
More and more, personal medical information is online. For most hospitals, doctors' offices, and insurance companies, the Health Insurance Portability and Accountability Act (HIPAA) governs the privacy and security of health records stored online. But many web-based businesses that collect people's health information aren't covered by HIPAA. These include online services people use to keep track of their health information and online applications that interact with those services.
The Federal Trade Commission (FTC), the nation's consumer protection agency, has issued the Health Breach Notification Rule to require certain businesses not covered by HIPAA to notify their customers and others if there's a breach of unsecured, individually identifiable electronic health information. FTC enforcement began on 22 February 2010.
Is your business covered by the Health Breach Notification Rule? Do you know your legal obligations if you experience a security breach?
Who's Covered by the Health Breach Notification Rule
The rule applies if you are
a vendor of personal health records (PHRs),
a PHR-related entity, or
a third-party service provider for a vendor of PHRs or a PHR-related entity.
Vendor of personal health records. For the purposes of the rule, your business is a vendor of personal health records if it “offers or maintains a personal health record.” A personal health record is defined as an electronic record of “identifiable health information on an individual that can be drawn from multiple sources and that is managed, shared, and controlled by or primarily for the individual.” For example, if you have an online service that allows consumers to store and organize medical information from many sources in one online location, you're a vendor of personal health records.
You're Not a Vendor of Personal Health Records If You're Covered by HIPAA
PHR-related entity. Your business is a PHR-related entity if it interacts with a vendor of personal health records either by offering products or services through the vendor's website—even if the site is covered by HIPAA—or by accessing information in a personal health record or sending information to a personal health record. Many businesses that offer web-based apps for health information fall into this category. For example, if you have an app that helps consumers manage their medications or lets them upload readings from a device like a blood pressure cuff or pedometer into a personal health record, your business is a PHR-related entity. However, if consumers can simply input their own information on your site in a way that doesn't interact with personal health records offered by a vendor—for example, if your site just allows consumers to input their weight each week to track their fitness goals—you're not a PHR-related entity. You're not a PHR-related entity if you're already covered by HIPAA.
Third-Party Service Provider
Your business is a third-party service provider if it offers services involving the use, maintenance, disclosure, or disposal of health information to vendors of personal health records or PHR-related entities. For example, if a vendor of personal health records hires your business to provide billing, debt collection, or data storage services related to health information, you're a third-party service provider and covered by the rule.
What Triggers the Notification Requirement
The rule requires that you provide notice when there has been an unauthorized acquisition of PHR-identifiable health information that is unsecured and in a personal health record. How those terms are defined is important:
Unauthorized acquisition. If the health information that you maintain or use is acquired by someone else without the affected person's approval, it's an unauthorized acquisition under the rule. For example, a thief steals an employee's laptop containing unsecured personal health records or someone on your staff downloads personal health records without approval. Those are probably unauthorized acquisitions that trigger the rule's notification requirement.
PHR-identifiable health information. The notification requirements apply only when you've experienced a breach of PHR-identifiable health information. This is health information that identifies someone or could reasonably be used to identify someone. For example, someone hacks into a company database that contains zip codes, dates of birth, and medication information. Even though the database didn't contain names, it would be reasonable to believe the information could be used to identify people in the database. But what if a hacker gains access to a database that contains only city and medication data and finds out that ten anonymous individuals in New York City have been prescribed a widely used drug? That probably wouldn't be considered PHR-identifiable health information because it couldn't reasonably be used to identify specific people.
Unsecured information. The rule applies only to unsecured health information, defined by the US Department of Health and Human Services (HHS) to include any information that is not encrypted or destroyed. If your employee loses a laptop containing only encrypted personal health records, for example, you wouldn't be required to provide notification.
Personal health record. A personal health record is an electronic health record that can be “drawn from multiple sources and that is managed, shared, and controlled by or primarily for the individual.” If your business experiences a breach involving only paper health records—not electronic records—the FTC rule doesn't require any notification. However, because many states have notification laws that might apply, it's wise to consult your attorney.
What to Do If a Breach Occurs
If your business is a vendor of personal health records or a PHR-related entity and there's a security breach, the rule spells out your next steps. You must notify
each affected person who is a citizen or resident of the United States;
the Federal Trade Commission; and,
in some cases, the media.
Here are the details of the rule's main requirements about who you must notify and when you must notify them, how you must notify them, and what information to include.
Who You Must Notify and When You Must Notify Them
People: If you experience a breach of unsecured personal health information, you must notify each affected person “without unreasonable delay” and within 60 calendar days after the breach is discovered. The countdown begins the day the breach becomes known to someone in your company—or the day someone should reasonably have known about it. Although the rule requires you to notify people within 60 calendar days, it also requires you to act without unreasonable delay. That means if a company discovers a breach and gathers the necessary information within, say, 30 days, it is unreasonable to wait until the 60th day to notify the people whose information was breached.
The FTC: The rule requires you to notify the FTC, but the timing depends on the number of people affected.
If the breach involves the information of 500 people or more, you must notify the FTC as soon as possible and within 10 business days after discovering the breach. To report the breach to the agency, you must use the form at www.ftc.gov/healthbreach.
If the breach involves the information of fewer than 500 people, you have more time. You must send the same standard form to the FTC—along with forms documenting any other breaches during the same calendar year involving fewer than 500 people—within 60 calendar days following the end of the calendar year. So, if your company experiences one breach in April affecting the records of 100 people and a second breach in September affecting the records of 50 people, the 60-day countdown begins January 1st of the next year.
The media: When at least 500 residents of a particular state, the District of Columbia, or a US territory or possession are affected by a breach, notification takes on an extra dimension. Without unreasonable delay—and within 60 calendar days after the breach is discovered—you must notify prominent media outlets serving the relevant locale, including Internet media where appropriate. This media notice is a supplement to your notice to people whose information was breached, not a substitute for individual notices.
If your company is a third-party service provider to a vendor of personal health records or a PHR-related entity, you have notice requirements under the rule, too. As a preliminary matter, the rule requires those clients to tell you up front that they're covered by the rule. If you experience a breach, you must notify an official designated in your contract with your client—or if there is no designee, a senior official of the company—without unreasonable delay and within 60 calendar days of discovering the breach. You must identify for your client each person whose information may be involved in the breach. But it isn't sufficient to simply send the notice and assume the ball is in your client's court. You must get an acknowledgment that they received your notice. They, in turn, must notify the people affected by the breach, the FTC, and, in certain cases, the media.
How to Notify People
The best practice in notifying people is to find out from your customers in advance—perhaps when they sign up for your service—if they'd prefer to hear about a security breach by e-mail or by first-class mail. If you collect only e-mail addresses from your customers, you can send them a message—or let new customers know when they sign up—that you intend to contact them by e-mail about any security breaches. However, remember that if you plan to use e-mail as your default method, you must give your customers the opportunity to choose first-class mail notification instead and that option must be clear and conspicuous. If e-mail is a customer's preference, explain how to set up any spam filters so they will get your messages.
What if you've made reasonable efforts to reach people affected by the breach, but you haven't been able to contact each of them? If you fail to contact 10 or more people because of insufficient or out-of-date contact information, you must provide substitute notice through
a clear and conspicuous posting for 90 days on your home page or
a notice in major print or broadcast media where those people likely live.
Both of these forms of substitute notice must include a toll-free phone number that has to be active for at least 90 days so people can call to find out if their information was affected by the breach.
What Information to Include
Regardless of the form of notification, your notice to individuals must be easy to understand and must include the following information:
A brief description of what happened, including the date of the breach (if you know) and the date you discovered the breach and the kind of PHR-identifiable health information involved in the breach—insurance information, Social Security numbers, financial account data, dates of birth, medication information, etc.
If the breach puts people at risk for identity theft or other possible harm, suggest steps they can take to protect themselves. Your advice must be relevant to the kind of information that was compromised. In some cases, for example, you may want to refer people to the FTC identity theft website, www.ftc.gov/idtheft.
In addition, if the breach involves health insurance information, you might suggest that people contact their healthcare providers if bills don't arrive on time in case an identity thief has changed the billing address, pay attention to the Explanation of Benefits forms from their insurance company to check for irregularities, and contact their insurance company to notify them of possible medical identity theft or to ask for a new account number.
If the breach includes Social Security numbers, you might suggest that people get a free copy of their credit report from www.annualcreditreport.com, monitor it for signs of identity theft, and place a fraud alert on their credit report. If they spot suspicious activity, they should contact their local police and, if appropriate, get a credit freeze.
If the breach includes financial information—for example, a credit card or bank account number—you might suggest that people monitor their accounts for suspicious activity and contact their financial institution about closing any accounts that may have been compromised.
A brief description of the steps your business is taking to investigate the breach, protect against future breaches, and mitigate the harm from the breach.
How people can contact you for more information. Your notice must include a toll-free telephone number, e-mail address, website, or mailing address.
Answers to Questions About the Health Breach Notification Rule
Here are answers to some questions businesses have asked about the FTC Health Breach Notification Rule:
Why did the FTC implement the Health Breach Notification Rule?
As part of the American Recovery and Reinvestment Act of 2009—which advances the use of health information technology—Congress directed the FTC and HHS to study potential privacy, security, and breach notification requirements and make recommendations. In the meantime, Congress directed the FTC to implement a temporary rule—the Health Breach Notification Rule—that non-HIPAA businesses must follow if there's a security breach. FTC enforcement began on 22 February 2010.
It looks like someone accessed our database without our consent. We don't know if they downloaded anything. Is that the kind of “unauthorized acquisition” that would trigger the rule's notification requirements?
It should trigger an examination on your part to determine your obligations under the rule. There may be unauthorized access to data, but it's not always clear at first blush whether the data also have been “acquired”—that is, downloaded or copied. In these cases, the rule has a rebuttable presumption: Where there has been unauthorized access, unauthorized acquisition is presumed unless you can show that it hasn't—or couldn't reasonably have—taken place. For example, if one of your employees accesses a customer's personal health record without authorization, the rule presumes that because the data was accessed, it has been “acquired,” and you must follow the breach notification provisions of the rule. But you can overcome that presumption by establishing and enforcing a company policy—one that says if an employee inadvertently accesses a health record, he or she must not read or share the information, must log out immediately, and then must report the access to a supervisor right away. If the employee says he or she didn't read or share the information and you conduct a reasonable investigation that corroborates the employee's version of events, you may be able to overcome the presumption.
Consider another situation involving a lost laptop that contains personal health records. You could rebut the presumption of unauthorized acquisition if the laptop is recovered and forensic analysis shows that files were not opened, altered, transferred, or otherwise compromised.
Our business is in the “HIPAA business associate” category. Does the FTC rule apply to us?
If your business acts solely as a “HIPAA business associate”—that is, if you handle only protected health information of HIPAA-covered entities—the FTC rule does not apply. Nor does it apply to HIPAA-covered entities, like a hospital, doctor's office, or health insurance company. If you are a HIPAA-covered entity or act only as a HIPAA business associate, your responsibilities are in the HHS Breach Notification Rule.
The HHS rule requires HIPAA-covered entities to notify people whose unsecured health information is breached. If you are a business associate of a HIPAA-covered entity and you experience a security breach, you must notify the HIPAA-covered entity you're working with. Then, they must notify the people affected by the breach.
We're a HIPAA Business Associate, But We Also Offer Personal Health Record Services to the Public. Which Rule Applies to Us?
If your company is a HIPAA business associate that also offers personal health record services to the public, you may be subject to both the HHS and the FTC breach notification rules. For example, suppose you have your own website that offers individual customers an online service to collect their health information, and you also sign a HIPAA business associate agreement with an insurance company to maintain the electronic health records of its customers. In the case of a breach affecting all your users, both the FTC rule and the HHS rule would apply. Under the FTC rule, you must notify the people who use the service on your website. In addition, you must notify the insurance company so that it can notify its customers.
If you have a direct relationship with all the people affected by the breach—your customers and the customers of the insurance company—you should contact the insurance company to notify both your clients and theirs. People are more likely to pay attention to a notice from a company they recognize.
What's the relationship between the FTC Health Breach Notification Rule and the state breach notification laws?
The FTC rule preempts contradictory state breach notification laws, but not those that impose additional—but noncontradictory—breach notification requirements. For example, some state laws require breach notices to include advice on monitoring credit reports or contact information for consumer reporting agencies. While these content requirements are different from the FTC rule requirements, they're not contradictory. In this example, you could comply with both federal and state requirements by including all the information in a single breach notice. The FTC rule doesn't require you to send multiple breach notices to comply with state and federal law.
What's the Penalty for Violating the FTC Health Breach Notification Rule?
The FTC will treat each violation of the rule as an unfair or deceptive act or practice in violation of a Federal Trade Commission regulation. Businesses that violate the rule may be subject to a civil penalty of up to $16,000 per violation.
Law Enforcement Officials Have Asked Us to Delay Notifying People About the Breach. What Should We Do?
If law enforcement officials determine that notifying people would impede a criminal investigation or damage national security, the rule allows you to delay notifying them, as well as the FTC and, if required, the media.
Where Can I Learn More About the FTC Health Breach Notification Rule? Visit www.ftc.gov/healthbreach.
The FTC works to prevent fraudulent, deceptive, and unfair business practices in the marketplace and to provide information to help consumers spot, stop, and avoid them. To file a complaint or get free information on consumer issues, visit ftc.gov or call toll-free, 1-877-FTC-HELP (1-877-382-4357); TTY: 1-866-653-4261. Watch a new video, How to File a Complaint, at ftc.gov/video to learn more. The FTC enters consumer complaints into the Consumer Sentinel Network, a secure online database and investigative tool used by hundreds of civil and criminal law enforcement agencies in the United States and abroad.
Your Opportunity to Comment
The National Small Business Ombudsman and 10 Regional Fairness Boards collect comments from small businesses about federal compliance and enforcement activities. Each year, the ombudsman evaluates the conduct of these activities and rates each agency's responsiveness to small businesses. Small businesses can comment to the ombudsman without fear of reprisal. To comment, call toll-free 1-888-REGFAIR (1-888-734-3247) or go to www.sba.gov/ombudsman.
Appendix L: Information Security Conferences
The number of information security conferences has grown in recent years. These conferences can be great resources to network with others who are building or have built their own security awareness programs.
Below is a short list of conferences where the authors have spoken or have attended:
DEF CON https://www.defcon.org/
Black Hat https://www.blackhat.com/
BSides Charlotte http://bsidesclt.org/
BSides Cincinnati http://bsidescincy.org/
B-Sides DC http://www.bsidesdc.org/
BSides Raleigh http://bsidesraleigh.org/
BSides Asheville http://www.bsidesasheville.com/
BSides Nashville http://www.bsidesnash.org/
BSides Austin http://www.BSidesAustin.com
BSides Delaware http://www.securitybsides.com/w/page/28563447/BSidesDelaware
BSides Huntsville http://www.bsideshuntsville.org/
Circle City Con http://circlecitycon.com/
Appendix M: Recorded Presentations on How to Build an Information Security Awareness Program
A Fool's Game: Building an Awareness and Training Program DerbyCon 2012—Brandon Miller and Bill Gardner: http://www.irongeek.com/i.php?page=videos/derbycon2/3-2-5-branden-miller-bill-gardner-building-an-awareness-and-training-program
AIDE 2013: Building an Engaging and Effective Information Security Awareness Program—Bill Gardner http://www.irongeek.com/i.php?page=videos/aide2013/building-an-engaging-and-effective-information-security-awareness-and-training-program-bill-gardner-oncee
Building An Information Security Awareness Program from Scratch—Bill Gardner and Valerie Thomas: DerbyCon 2013 http://www.irongeek.com/i.php?page=videos/derbycon3/5101-building-an-information-security-awareness-program-from-scratch-bill-gardner-valerie-thomas
BSides Cincinnati Bill Gardner—Building A Security Awareness Program https://www.youtube.com/watch?v=zlVHoV1YqGA
Appendix N: Articles on How to Build an Information Security Awareness Program
How to Offer Security Awareness Training That Works http://www.esecurityplanet.com/network-security/how-to-offer-security-awareness-training-that-works.html?utm_source=dlvr.it&utm_medium=twitter
How Law Firms Can Defend Against Social Engineering http://apps.americanbar.org/litigation/committees/technology/articles/fall2012-1012-how-law-firms-can-defend-against-social-engineering.html