Safeguarding sensitive data

     As most law enforcement management can attest, the public safety mission to protect and serve isn't limited to the community streets.

     When government data are concerned, the threats multiply beyond the walls of its physical jurisdiction and encompass the ubiquitous unknown of the cyber world. The necessity of the various government databases is rarely contested, but the larger question mark regarding government databases is how to protect them. Factoring in the many essential mobile workstations in patrol vehicles as well as laptop units that can't be kept behind constant lock and key, how can management protect data without limiting its utility?

...Or can they?

     Instead of keeping physical hardware under lock and key, IT administrators like Nick Mohamed at York Regional Police (YRP) are able to use a smartcard-based, key-like device to ensure the identity of the officer and protect the information on already fully encrypted laptops and other computer workstations.

     In recent years, a federal mandate forced Canadian police agencies to strengthen network and access security in order to access its main federal database which holds the nation's criminal records, among other data. The new standard of security forced agencies like the YRP in Ontario, Canada, to revamp its information security, including implementing a new user authentication process.

     In 2005, once YRP established the specifications it would need to comply with Canada's strong identification and authentication (I&A) requirements, it had to find a way to be sure the individuals accessing the network were in fact themselves and that they were cleared to enter network areas.

     York reached out to its network security provider for 10 years, the Mississauga-based NCI (also in Canada), to come up with a strong I&A strategy to evaluate potential technologies and proffer an opinion on the best solution. Representing YRP's best interest, NCI's vice president, Ryan Krukoski, says it weeded out solutions based partly on the solution manufacturer's willingness to show insight into a product's future direction and its receptivity to suggestions.

     "We were tasked with this idea of evaluating our solutions and trying to build what constraints and criteria the solutions needed to have as well as being forward-thinking and [looking] at where the companies are taking their solutions over the years," Krukoski says.

     The end result of that evaluation and testing in 2005 was that the smartcard-based eToken solution from Aladdin Knowledge Systems, headquartered in Chicago, best fit YRP's needs, was a good long-term strategy and has since proven itself say Krukoski and Mohamed, the assistant IT manager and civilian senior officer with YRP.

     In order to sign on to the York network, officers must insert a thumb-drive-like device - an eToken. This eliminates the need for network usernames and passwords, which was an element of the Royal Canadian Mounted Police mandate that YRP must comply. ETokens provide two-factor authentication (2FA), password and digital identity management, which in addition to full-disk encryption and internal and external firewalls, Mohamed feels York's system is better protected. "We're very vigilant in our security and we're very proactive in our approach to security management," Mohamed says. "A breach is something that we hope will never happen so we do everything possible to protect ourselves from it."

A safe digital ecosystem

     Information technology system directors are mindful and diligent about safeguarding sensitive data. But it's not only the moral code of IT managers that dictates the sensitive, valuable data are protected.

     Since 2003, when California passed an historic data breach law, many states have followed suit enacting similar laws to protect consumer's rights and personal data privacy.

     David O'Berry, director of info systems and services for the South Carolina Department of Probation, Parole and Pardon Services (DPPPS), says data breach laws are meant to inspire any entity, which includes government agencies, to ensure the data they keep is encrypted in a safe digital ecosystem.

     DPPPS has a large mobile network, with more than 700 mobile-capable users including 400 remote agents in 46 courtrooms. In order to protect its confidential data, DPPPS recently began a conversion to McAfee's Endpoint Encryption, which secures laptops, PDA's, desktops and can encrypt single file folders if needed.

     Like Aladdin, McAfee also offers a thumb drive-like device equipped with encryption software. The McAfee thumb drive solution utilizes dual authentication, meaning the thumb print, user name and password are required get access to the information. Mark Rutledge, McAfee's director of business development for more than a year, and the former chief information officer for the state of Kentucky, explains that the stick can hook up to any PC, but users need to have the credentials to get to the information on it.

     "Now [safe access is] portable, it's protected, and you're not tied to a specific machine," he says. "If you want to take [information] from home to work, as long as policy allows it, now you have a way to transport it in a secure fashion."

     The law enforcement community in Tennessee found itself in a mess in December over its 5-year, $1 million project: the Tennessee Criminal Justice Portal. Col. Mike Walker of the Tennessee Highway Patrol (THP) says some authorized employees were abusing access to the Portal, which linked its approximately 850 agencies to the six state-hosted databases, by looking up local celebrities and political figures, as well as neighbors or ex-girlfriends out of curiosity. He says that if management had been able to see into the future, it may have avoided critique from a local news organization and the community. (See "Bad apples" on Page 22 for more on internal data abuse.)

     He says the misuse and abuse by employees may have been thwarted "if we had had more technology built into things and looked forward to what kind of reports management would need ... for some checks and some balances."

     Rutledge, who does not work with THP, says McAfee has several add-ons through its Data Protection suite that would provide management with an insight on how confidential and sensitive information is being handled by users, allowing policies and controls to be enforced.

     For example, when certain types of accesses are attempted by people who don't have the credentials, it can alert management and send a message to remind that his or her conduct is out of bounds, educating users in the process.


     If a breach is detected, in addition to notifying people, in some areas, punitive damage monies may be allowable under law for the leaked data.

     Complicating matters for government agencies are the data they must keep to operate - driving records, Social Security Numbers, vehicle registration data, criminal history, etc. It's no question of the value and necessity to track and maintain the latter records, but data breach laws require hosts - government or not - to notify individuals of a breach event. And attacks can come from anywhere, especially for DPPPS, which hosts offender data as well as victim information.

     "Anybody that wants to touch my data, I'm worried about," says O'Berry. "[The data miner] could even be inside. We don't really treat people that are inside any differently than we do [people] that are outside. That's one of the models that we're trying to get to: Just watch everything because you just don't want to take a chance."

     South Carolina's statute allows data hosts to be fined up to $1,000 per record that is lost. For an agency that safeguards data for upwards of 32,000 offenders, a breach of even a quarter of that amount at the maximum penalty could strike DPPPS with a total bill in the millions of dollars range. In a recessed economy with government budgets maxed and forecasts for millions of dollars of cuts nationwide, there's no margin for error on the subject of database protection.

     "It's unfortunate that sometimes you have to have punitive aspects in order for people to take notice," O'Berry says. "I'm not saying people aren't doing their jobs, I'm saying that I know the state of security, and it's just not an easy thing."

     O'Berry explains that too often, laws are developed in reaction to technology's capabilities.

     "It's that standard situation where policy always drags technology," O'Berry says. "And education drags policy. So essentially it's technology, policy, education. Unfortunately, it should be exactly reverse.

     "So what you have is this giant pendulum that swings way one way, where nobody's protected, and then it swings way the other way."

     O'Berry says the law-making skip from one extreme - of having little or no protection for databases - to having layers or policy regarding protection and notification highlights the scramble to protect.

     "I totally believe in protection for the people, I'm just saying that when the pendulum keeps swinging, you can't find the middle ground," O'Berry says. "And the punitive aspect of it: It's unfortunate that people didn't pay attention to it … six years ago, when they should have."

Safeguarding sensitive data

     Law enforcement management need not only worry about protection and service in its physical community.

     When an instance comes about that highlights a nick in digital security armor, laws are rushed into place to compensate, and in some cases overcompensate for past inadequacies.

     Though O'Berry explains it is difficult to plan for future needs technologically, he says IT administrators will continue to find a way to integrate policy and technology to protect without limiting useful access by taking challenges as they come and adapting.

     He compares the challenge of planning for IT futures to planning a vacation four years in advance - down to the meals one plans to eat.

     "Now that's not practical," O'Berry says. "But that's how people sometimes approach IT. It's this big, monolithic thing; I believe you're going to have to be increasingly more flexible and agile as you go."

Bad apples

     For all of its utility and convenience, the Tennessee Criminal Justice Portal, linked to six of the state's records databases, caused some grief for Tennessee's law enforcement management - arguably, it was some misguided use by authorized users, curious about country music star Gretchen Wilson, which brought the grief.

     A December article in the state's daily newspaper all but decried the $1 million Tennessee Criminal Justice Portal a flop, citing police users who used and abused the Portal.

     Tennessee Highway Patrol Col. Mike Walker says the violation of Portal use policy was first looked into after a lieutenant saw a hit on his personal record and asked the IT department to identify who had accessed the personal information and for what reason. Walker says after arduous review of computer coding and records, management was able to identify who accessed the information and set about its process for auditing the access.

     "My guess is they didn't have a clue that it could be tracked," Walker says. "And the other issue is they probably thought it was kind of like Google; You just go in and you search [during] downtime or whatever. Technology is a tremendous tool, as long as you use it the right way."

     The incident made its way to the press, where some misinterpretation made a mess for Walker and his colleagues. After further investigations by the Tennessee Department of Safety, other agencies connected to the Portal were identified with possible users abusing the resource, including several individuals with the Tennessee Highway Patrol, the Smyrna/Rutherford Co. Airport Authority, State Probation and Metro PD - a total of four agencies - with a combined total of 12 civilian and sworn individuals - out of 350 authorized agencies.

     However, for all the trouble it caused, Walker says the incident lead to some positives: Executives were forced to learn a lot about the Portal, which helped them understand how use is tracked and could lead to a better way of reviewing usage. "We're seeing, developing and working on better ways to audit from an executive's viewpoint and manager's viewpoint," Walker says.

     Users' understanding of appropriate versus inappropriate use was also heightened, making an example of the alleged data abusers and possibly thwarting a few from becoming an example themselves.

     Reforms to the Portal and policy to prevent future incidents are in development and the resource remains available to authorized users. But curiosity's lethal reach did in more than the cat this time: The alleged snooping led management to fire one trooper and open several internal investigations. A state probation officer is also facing termination as a result of running checks on neighbors. "I think that's one of the good things that's come out of this, is people ... have been reminded ... this is the real world out here folks, you can very easily lose [your integrity]," Walker says. "You lose your character, and you lose everything; you cannot be a law enforcement officer.

     In the end, the few bad apples seemed to spoil it for themselves: "It takes one brief moment of lapse in judgment to loose a career."

On the books

     According to the National Conference of State Legislatures, nearly all states and territories have legislation codifying data breach responsibilities and procedure. Alabama, Kentucky, Mississippi, Missouri, New Mexico and South Dakota do not have security breach notification laws as of December 2008. All other states, the District of Columbia, Puerto Rico and the Virgin Islands have codes or statutes requiring notification if personal information is breached.