The US District Court for the Eastern District of California has issued an order requiring the California Department of Education (CDE) to produce data to the plaintiffs in a lawsuit alleging that the CDE failed to provide adequate services to children with disabilities. The data in question covers all children, kindergarten through high school, who have attended any California school since January 2008. The court ordered the CDE to produce information, much of it sensitive, to the plaintiffs, including each child's name, home address, Social Security number, behavior and discipline records, special education data, health records, and demographic information.
Discovery requests are commonplace in American lawsuits and are recognized as legitimate instruments in gathering information and evidence as part of legal proceedings. The details of the lawsuit are not what I care about. As a security professional, I am far more interested in the disclosure of massive amounts of children’s data to the plaintiff.
The judge approved the discovery request subject to certain protective data requirements. Diving into the details of the court's order uncovers something disturbing. The last two pages of the order detail the mandatory security controls and oversight for the data. In my opinion, they are woefully insufficient for the scope and sensitivity of this information.
The controls lack the comprehensiveness of a good data protection plan and do not satisfy industry best practices for personally identifiable, health, or private information. I am concerned that this weak level of security significantly increases the risk of the data being compromised by a party with malicious intent, to the detriment of millions of California schoolchildren.
Other privacy groups agree. The Identity Theft Resource Center has published an alert to parents on this matter as well.
The security control details
Pages 18–19 of the court’s e-discovery order outline the required safeguards to secure the data.
- Carry out a risk assessment of the IT infrastructure that will store, transmit, and use the data.
- Confer with the Special Master to review the risk assessment and the proposed safeguards.
- Implement the safeguards; the Special Master will verify them.
- Keep records of:
  - All devices used to store or access the data.
  - All persons granted access to the data, their position, their level of access, and the period of time for which access is granted.
- Identify a person who assumes responsibility for the confidentiality of personally identifiable information.
- Transmit sensitive data on encrypted hard drives, with the keys transmitted separately.
- Confirm deletion of the data provided at the conclusion of the litigation.
At first glance, this seems reasonable to an everyday person, perhaps even to a legal professional. The terms assessment, access, and encryption sound about right. But information security is a deep field, requiring experts to weigh in. Even at a cursory level, I see glaring holes.
Let’s take a look at a quick dozen issues that are readily apparent. These refer to the shortcomings of the security requirements in the official disclosure document and are listed in no particular order.
- No requirement for continuous risk assessment or auditing of controls. A one-time assessment is a snapshot in time. If this data is to be held and used for any period, audits (preferably annual) should be conducted to identify new vulnerabilities, new risks, or evidence that existing controls have been bypassed.
- Lack of authentication controls. Specific technical and process controls should be named. Do people need a username and password? How long must a password be, and how must it be protected? Two-factor authentication would be better. Authentication can become complex quickly, especially when encrypted files are accessed across networks.
- Lack of an authorization process. This is the process for deciding whether someone should have the right to access, use, store, transmit, or process the data (that is, the determination of legitimate need). Such a process must also be auditable. Simply keeping records of who has access does not establish whether they should.
- Lack of compartmentalization and oversight. This is a tenet of security. Several issues arise, but I will touch on only a couple. Controls should be in place to ensure authorization is revoked promptly from people who no longer need access or who leave the organization. Separation of duties, together with auditing of authentication, authorization, and data usage, is also a best practice.
- Lack of usage specifications. The order does not limit how the data can be used, published, aggregated with external data, and shared. Such stipulations should also apply to any third party the data is given to.
- Lack of data retention and purging requirements while the litigation is still active. Even for short-term use, deletion requirements should be established. Files, copies, reports, screen captures, images, data exports, and the like should be properly destroyed as soon as they are no longer needed.
- Lack of secure disposal and destruction requirements. The order requires the recipients to "confirm deletion" of the files at the conclusion of the litigation, but no technically secure deletion process is specified. For digital files, simply selecting "delete" or dragging them to the trash is ineffective: a normal delete removes the file system's pointer to the data, while the bytes themselves remain on the media until they happen to be overwritten, and on solid-state drives even deliberate overwriting is unreliable because the controller decides where data physically lands. Not all deletion methods are the same; most don't actually erase the data. To be sure, many organizations physically destroy drives that have held sensitive information.
- Records of who accessed the data and from which devices are required, but an active review of those records is not. Nor is there any requirement to monitor security events on the systems, which could alert the recipients to a breach or loss. Such review is crucial to discovering inappropriate access, and discovering it in a timely manner.
- No specifications for contractor vetting, which should include ongoing risk assessments and independent audits (for example, SOC 2 Type 2 reports) of any third party that touches the data.
- Insecure computers. No security requirements are specified for the computers used to store or access the sensitive data. Every system that accesses, stores, or processes the data should be properly secured and protected, including antimalware, firewalls, patched software, and login controls. This covers both physical and logical security measures.
- Identification of a “responsible party” is required, but lacks any penalties if the job is ignored or future security controls deemed necessary are not properly funded. Responsibility without resources or support is just a scapegoat.
- No key management. The order specifies encrypted drives but says nothing about how the encryption keys are generated, who holds them, where they are stored, how they are rotated, or how they are destroyed. Key management is usually the weakest part of any encryption system; a strong cipher protects nothing if the key travels in the same envelope or sits on a sticky note.
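The order requires a roster of who may access the data, at what level and for what period, and a register of the devices used, but it never requires anyone to compare the access logs against those records. The script below is an added example of what that missing review would look like; it is not part of the court's order or of CDE's or McAfee's tooling. The roster, device register, log format and all names and hostnames in it are constructed for illustration. Each log line is checked against the roster (is the user authorized at all, is the access inside the granted period, does the action exceed the granted level) and against the device register, and every violation is returned as a finding that a reviewer or alerting system could act on.

```python
from dataclasses import dataclass
from datetime import date, datetime
from typing import Dict, List, Optional, Set

# Constructed roster modeled on the order's record-keeping items: each person,
# their access level and the period for which access was granted.  Hypothetical names.
AUTHORIZED: Dict[str, dict] = {
    "a.smith": {"level": "read",   "start": date(2016, 2, 1), "end": date(2016, 6, 30)},
    "b.jones": {"level": "export", "start": date(2016, 2, 1), "end": date(2016, 12, 31)},
}

# Constructed device register (hypothetical hostnames).
REGISTERED_DEVICES: Set[str] = {"WS-01", "WS-02"}

# Privilege ordering: "export" implies "read".  An unknown action ranks above
# everything so that it is always flagged.
LEVEL_RANK = {"read": 1, "export": 2}
UNKNOWN_RANK = 99

# Constructed access log in an assumed format:
#   <ISO-8601 timestamp> <user> <device> <action> <target>
SAMPLE_LOG = """\
2016-03-14T09:02:11 a.smith WS-01 read student_records.csv
2016-03-14T09:15:40 b.jones WS-02 export student_records.csv
2016-07-02T10:01:05 a.smith WS-01 read student_records.csv
2016-03-15T22:47:19 a.smith WS-01 export student_records.csv
2016-03-16T08:30:00 c.doe WS-01 read student_records.csv
2016-03-16T11:12:33 b.jones LAPTOP-7 read student_records.csv
"""


@dataclass
class Finding:
    line_no: int
    user: str
    reason: str


def parse_line(line: str):
    """Split one log line into (timestamp, user, device, action, target)."""
    ts, user, device, action, target = line.split(" ", 4)
    return datetime.fromisoformat(ts), user, device, action, target


def review_access_log(log_text: str,
                      roster: Optional[Dict[str, dict]] = None,
                      devices: Optional[Set[str]] = None) -> List[Finding]:
    """Compare every log line with the authorization roster and device register.

    Returns one Finding per violation, in log order.  A line that passes all
    checks produces nothing, so an empty list means the log is clean.
    """
    roster = AUTHORIZED if roster is None else roster
    devices = REGISTERED_DEVICES if devices is None else devices
    findings: List[Finding] = []

    for n, line in enumerate(log_text.splitlines(), start=1):
        if not line.strip():
            continue
        ts, user, device, action, _target = parse_line(line)

        entry = roster.get(user)
        if entry is None:
            # Nobody recorded this person as authorized: nothing further to check.
            findings.append(Finding(n, user, "user not on authorization roster"))
            continue

        if not (entry["start"] <= ts.date() <= entry["end"]):
            findings.append(Finding(n, user, "access outside authorized period"))

        if LEVEL_RANK.get(action, UNKNOWN_RANK) > LEVEL_RANK[entry["level"]]:
            findings.append(Finding(
                n, user, f"action '{action}' exceeds granted level '{entry['level']}'"))

        if device not in devices:
            findings.append(Finding(n, user, f"access from unregistered device '{device}'"))

    return findings


if __name__ == "__main__":
    for f in review_access_log(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.user}: {f.reason}")
```

Run against the constructed log, the review flags the July access by a user whose period ended in June, a read-only user performing an export, a user who is not on the roster at all, and an authorized user working from a device that was never registered. None of these would be caught by merely keeping the records the order requires; someone has to look.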
If a court is going to set forth specific requirements for protecting sensitive data, it should take the advice of industry professionals, because those bound by the ruling are obligated to satisfy only what is specified. In this case, I think it would have been better for the judge simply to require that the plaintiffs, who will receive the data, follow the same practices CDE itself follows, the NIST data security guidelines, or some other comprehensive security framework. Because the court chose instead to enumerate controls, how can the areas it missed be enforced?
On a positive note, in its notice of disclosure, the court provides parents who don’t wish their children’s information shared with the plaintiffs an opportunity to object to the disclosure. The objection form is available at the CDE.
I hope that other courts don’t use this ruling as a precedent for sufficient data security controls. Further, I would like to see more expertise made available to ruling bodies, such as courts, to help them craft requirements that are consistent, comprehensive, and sufficient to protect sensitive data to the level intended.
As a parent of children in the California school system, I have opted my kids out.
The post Sensitive California Student Information to Be Released to Nonprofit appeared first on McAfee.