Advice re network compromise and "law enforcement" (PCI certification)
Hi all,

I figure there's probably some folks on the list that have hands in environments that touch credit cards. Unlike HIPAA compliance, or even social security numbers, PCI is very ambiguous about what must occur if a network/systems breach occurs that exposes credit card data. PCI, and its auditors, don't seem to want to tell you what your security policy should state with regard to what constitutes an event worthy of 'law enforcement' contact, nor what agency is appropriate, yet they require you to have such a policy in place.

Anyone have pointers/advice on what you came up with for a reasonable definition of events that warrant involving law enforcement, and then what agency/agencies would be contacted? We're obviously not going to waste the time, on either side, of calling the FBI if one credit card number is stolen since they won't care, nor would the local police, who don't even have a cybercrime section.

Generic policies covering network breaches and law enforcement would be welcome too; may be able to work it into something that is appropriate for our environment and credit card data.

Thanks,
David
On Wed, Jan 11, 2017 at 09:37:19AM -0500, David H wrote:
Anyone have pointers/advice on what you came up with for a reasonable definition of events that warrant involving law enforcement, and then what agency/agencies would be contacted?
This question is best answered by an attorney with expertise in this area and with specific knowledge of your operation.
---rsk
Adding to what Rich said, it's very easy for advice on this to cross into advice on legal matters. It's also usually very illegal for non-attorneys or non-licensed attorneys to offer advice on legal matters. I recommend finding a lawyer with expertise in this area and who has specific knowledge of your operation.

Matt Freitag
Network Engineer I
Information Technology
Michigan Technological University
(906) 487-3696
https://www.mtu.edu/
https://www.it.mtu.edu/
What advice does your QSA have regarding writing the policy?

There are generic templates available to write your company security policy. That policy doesn't necessarily constitute legal definitions or requirements for any sort of breach, which may vary by locale and provider. I'm assuming EDUs will have their own set of rules as may non-profits.

At best you will want to pass legal responsibility out of technical hands into C-Level/management hands to make decisions about who is notified, what legal actions and third parties are called in. Your security policy can define when the buck is passed and left to a given committee.

---
Keith Stokes
I am not a lawyer, and this is not legal advice, but...

General rule is to always notify the credit card companies, and to notify legal. One/both/neither may advise law enforcement activity. In either case, your PCI-required incident response plan is required to do certain isolation steps explicitly to aid in digital forensics if an investigation is needed.

As for how many - that's a legal question, but under California breach laws, any breach must notify the affected person(s), and over 500 has additional requirements - and those numbers do provide a sane precedent to fall back to.

Also, reporting to an FBI office is a good move to provide a liability shield to your company, as you did follow due diligence. If the FBI does not follow up, that's not your problem.
Participants (5): David H, Jippen, Keith Stokes, Matt Freitag, Rich Kulawiec