The Need for Passwords on Cell Phones & FTC Advice for Protecting Your Identity

September 21st, 2006

Today the Washington Post hosted a live call-in show with Joel Winston, Associate Director for the FTC’s Division of Privacy and Identity Protection.  He fielded questions about how individuals can avoid being victims of identity thieves.  The Washington Post published an edited copy of the transcript of the show.  I tried to find a copy on the FTC site, but then noticed all editorial rights were reserved.

Some interesting discussions occurred during the show…

He reminded listeners that now everyone has a legal right to request one free credit report each year.  I encourage everyone to do so; you can find some significant, as well as many small, errors.  These reports certainly are an interesting trip down memory lane.  And when requesting them, it is VERY interesting the way the major credit reporting agencies (Equifax, Experian and TransUnion) use some of the most nondescript information from your credit report to verify your identity.  It would be even better if you could get one free report from EACH of the major agencies since one may have different information from the other.

Some interesting portions of the show:

  • “A Social Security number without a name can lead to identity theft, because the thief often can “reverse engineer” the name using public data services and online search engines.  Truncated numbers are far safer, but not foolproof.”

Unfortunately many organizations believe that it is okay to use the SSN if no other types of personally identifiable information (PII) are used at the same time.  This is a good reminder from the FTC…the agency that *WILL* apply and *HAS* applied severe penalties against companies…that using an SSN even on its own, and subsequently having an incident occur, could lead to some significant negative business impact.

  • “Arlington, Va.: My cell phone was stolen and used by the thief to call other people. I reported this to the police but they refused to help me retrieve it and said it is not worth their time. I really want my phone back because it has lots of data. What can I do if the police refuse to help?

Joel Winston: I’m not sure what you can do if the police won’t conduct an investigation. You should, of course, contact your telephone carrier, which I assume you’ve done.”

There is so much information…so much PII…stored on most people’s cell phones.  Not only their personal phones, but also on the phones they use for business.

I encourage companies to establish policies and procedures for their personnel to put passwords on their cell phones; not necessarily to be able to answer the phone (although that may be appropriate for certain people), but definitely to get to the phone book, incoming and outgoing phone logs, text messages, photos, website activity logs and so on.  If they do not, they are putting the information of everyone in their phone book at risk.  Recall the Paris Hilton cell phone debacle and how upset all the folks in her phone book were for being exposed by her lack of security sense?

I have been impacted by someone else’s cell phone being stolen.  One of my business colleagues and friends in California had his cell phone either lost or stolen, he thinks while at a restaurant.  He did not notice it until his friends and business associates started calling his office phone the next day to ask him if he knew where his cell phone was…I was one of the people who called him.  He did not have any security on his cell phone…a big embarrassment to a security guru such as he is.  I was working late one night and my cell phone rang; I saw who it was from by the number on the display and thought it odd he would be calling me late at night.  When I answered I knew right away it actually was not my friend, but a sicko who was going through all the phone book numbers…which also had everyone’s full name listed…and was calling those he wanted to “get to know”…ick…I had to get a Q-Tip after that call and clean out my ear.  Fortunately nothing worse than a few more calls (which I did not answer) from the phone criminal occurred before my friend had his phone number cancelled.  However, it could have been worse if my friend had stored even more information, including about himself, on the phone.

Put passwords on your cell phone!  You’ll not only be protecting your own privacy, but the privacy of the others whose numbers are in your phone book or in your calling logs.

  • “Technically, federal law defines “identity theft” to include credit card fraud. But, the far more damaging problem is when a thief gets your Social Security number and opens new accounts in your name. If they only steal your credit card number and make unauthorized charges, typically you won’t have to pay for them. The law limits your liability to $50 and most credit card companies waive even that.”

Identity theft is a darling phrase used most commonly in the media.  However, many, many types of crime can be committed through the use of a wide range and combination of PII items.

Data Recovery…Always Expect that Anything Can Happen to Your Data

September 20th, 2006

I needed a good laugh today…and I got it from the Channel Register story "The Cat Peed on my Laptop…"

If you need to relieve a bit of stress, perhaps the following will make your frown turn upside down…

"By John Leyden 20 Sep 2006 13:09
The cat peed on my laptop…
and other bizarre data recovery disasters

It’s not only IT Help Desks that get strange queries and requests. Data recovery specialists at UK-based firm Disklabs have compiled an illuminating list of the oddest requests for assistance it receives from the 50,000 cases a year it deals with involving people needing to get their data recovered.

Disklabs said that recovery of data is nearly always possible, even from the extreme cases it highlights. "It seems that each year this list gets more and more bizarre," Disklabs director Simon Steggles said.

Disklabs top ten data recovery disasters

*  My cat urinated on my laptop – Disklabs technicians had to tread gingerly in handling a Toshiba laptop which had been urinated on by a client’s pet Persian Blue."

Talk about a bad review…sounds like the computer literally pissed him off!

"*  It fell off the roof of the car – A salesperson in a hurry placed his laptop on the roof of his car, while he placed all his demo products into the vehicle. He forgot the laptop on the roof and drove off. He stated: "I was doing about 40mph when I saw it in the rear view mirror"."

I know of *2* CEOs who lost their laptops off the top of their cars!  This is a common occurrence, I think.

"*  I accidentally drove over it – An MP3 player was the victim of this roadside mishap. The client didn’t realise that the MP3 player had fallen out of her pocket, and accidentally drove over the offending device. "

Not really surprising…more roadkill…

"*  We just sacked the IT manager and he started kicking the server – The IT manager wasn’t up to the job so he was fired. The man in question threw a wobbler, deciding the server had to go before he did. He achieved this by kicking the server until it stopped working, causing data corruption and hardware damage to the hard drives. "

What’s a wobbler?  Is that like a hissy-fit?  Or more like having a cow?

"*  There was a bit of oil on it – Quite an understatement. One Disklabs’ client had approximately 120 barrels of crude spilt over his laptop, which was in use on an oil rig at the time. "

Wow!  Trying to visualize where on the rig they put him to have his computer covered with all the oil.  Gosh…what kind of job did he have on that rig…

"*  I accidentally threw it out of a window – A student claimed he was ‘messing around’ with his roommate’s laptop. But instead of pretending to throw the laptop out of the window, he chucked it for real – much to the dismay of his roommate. "

Yes, this is very credible.  If you know college students, you KNOW this could happen!

"*  She just got stroppy and snapped it in half – A client’s wife thought he was playing away from home and snapped his mobile in a fit of pique. The phone, a Motorola V3 Razor, was literally snapped in half. Disklabs only received one half of the phone and was still able to retrieve all the SMS messages and contacts. "

Hey, I learned another new word, "stroppy"!  Of course I had to look it up…"touchy"…"belligerent".  I don’t know, sounds more like she was throwing a "wobbler" to me.

"*  The dog has had a go at it – a Staffordshire bull terrier took a liking to its owner’s camera and bit into it. The memory card inside sustained some damage and arrived still wet from dog saliva. "

Whew!  I was afraid of what that last word in the sentence was going to be.

"*   I was showing my friend how to delete data on the spare hard drive, but I deleted the wrong one – Enough said. "

Yeah, ‘nuf said.

"*  My wife threw my laptop down a well – Another marital dispute. Excuses offered failed to placate an irate wife who took her revenge by throwing her husband’s laptop into a 60 foot well. "

LOL…we have a 120 foot well…with a true throw, I can imagine the laptop bumping and ricocheting against the sides…thwank…bwonk…thunk…all the way down until you hear the deep, plonking splash, followed by the lyrical echoes.  Or, if it was a straight drop down, the waiting silence…finally broken by the big, SPLOSHing water crash.  Hope they didn’t have to drink that water…you’ve seen those reports about all the bacteria on computer keyboards, haven’t you?  😉

"Disklabs swears all the anecdotes above come from real jobs undertaken by its data recovery service. Disklabs was able to save data in all the above instances.  Which is nice."

Wonder if the husband or the wife climbed down the well for the retrieval?  Yeah, I think most definitely the husband, too…

U.S. Dept of Justice Identity Theft Task Force Recommendations: Possible Models for All Organizations?

September 19th, 2006

Today the U.S. DoJ announced in a speech their interim identity theft task force recommendations.  The final recommendations will be submitted to President Bush in November.  They also provided a press release about the interim task force recommendations.  But before showing a copy of the press release, a few thoughts about the guidelines…

I look forward to seeing the data breach guidance the task force creates.  Most organizations have very weak, if any, breach response plans, so this could potentially be a good model for them.  True, it will be guidance written specifically for government agencies, but there should be many guidelines applicable to any organization; no use re-inventing the wheel.

I really like the idea of creating a universal police report!  The challenge will be implementing this report throughout the U.S.  State, county and city-level government agencies, particularly law enforcement, are notoriously disjointed from all other law enforcement agencies.  I want to see the report they come up with!  I hope they do a privacy impact assessment (PIA) on their implementation plans before putting it into use…you don’t want this type of personally identifiable information (PII) getting into the wrong hands because the system was created poorly and/or with insufficient controls.  It would be horrible for the victims of identity theft to become victims again because of the mishandling of the identity theft report.

Restitution for victims’ lost time could be a very good motivator for organizations to create strong safeguards for their PII.  It will be interesting to see what ways they create to determine the restitution…what forms victims must fill out, how much they determine a victim’s time is worth per hour, etc.

Limiting use of SSNs…what a great idea…whose time has finally come??  Well, we shall see.  Hopefully they CAN take some positive steps forward with this initiative; anything is better than doing nothing, or worse, doing even more with SSNs as identifiers.

Authenticating individuals’ identities is so important; not only for the government, but for all organizations.  And most organizations struggle with how to do this efficiently, effectively and without the use of SSNs.  Perhaps this can be another area where the proposed and final solutions of the task force can also be used by any type of organization.

Improving the security of information within the government…always a great idea!  I look forward to seeing what they come up with as the “top 10 or 20 “mistakes” to avoid in order to protect government information.”

Improving the ability to respond to breaches; probably all organizations need to do this.  Definitely in some of the high profile government agencies that have had widely publicized incidents.

They are all great ideas, and it will be interesting to see the final recommendations in November.  The real test will be to see if there is any actual implementation or action taken after the final recommendations are issued.  Will these be mandatory, through some new or amended law, for all government agencies?  Will an oversight agency be chosen that will actually make sure the agencies are implementing the directives?  If not, the recommendations will turn out to be a good hill of bean ideas never sown or cultivated.  With proper cultivation and harvesting, however, these could turn out to be cash crop actions that actually make a dent in the misuse and subsequent crime committed with PII.

Okay…yes…it’s getting to be harvest time in the midwest…:)

Now here’s the press release:

“WASHINGTON – The President’s Identity Theft Task Force has adopted interim recommendations on measures that can be implemented immediately to help address the problem of identity theft, Attorney General Alberto R. Gonzales and Federal Trade Commission Chairman Deborah Platt Majoras announced today. The Identity Theft Task Force, which was established by Executive Order of the President on May 10, 2006, and is now comprised of 17 federal agencies and departments, will deliver a final strategic plan to the President in November.

The interim recommendations of the Identity Theft Task Force were announced following a meeting of the Task Force today at the Justice Department.

“As with any crime, victims of identity theft suffer feelings of violation and stress, but in these cases, victims have the added burden of cleaning up the mess that the identity thieves leave behind,” said Attorney General Gonzales. “The President created the Identity Theft Task Force to oversee the implementation of real and practical solutions at the federal level to defeat this ongoing intrusion into the lives of law-abiding Americans. Today’s recommendations move that process forward.”

“Conquering identity theft demands that we work as a team to develop tools that strengthen law enforcement, practices that enhance data security, and programs that help consumers in prevention and recovery,” said FTC Chairman Majoras. “Through these initiatives, we are taking solid steps toward eradicating this persistent consumer problem.”

The Identity Theft Task Force’s interim recommendations to the Administration include the following:

Data Breach Guidance to Agencies-

In light of several, large data breaches suffered in recent months by government agencies, the Task Force recommends that the Office of Management and Budget (OMB) issue to all federal agencies a Task Force memorandum, which covers the factors that should govern whether and how to give notice to affected individuals in the event of a government agency data breach, and the factors that should be considered in deciding whether to offer services such as free credit monitoring. Such guidance is the first comprehensive road map of the steps that agencies should take to respond to a breach and to mitigate the risk of identity theft.

Development of Universal Police Report for Identity Theft Victims-

To ensure that identity theft victims have easy access to police reports documenting the misuse of their personal information – which are necessary in order for the victims to, for example, request that fraudulent information on their credit report be blocked, or to obtain a seven-year fraud alert on their credit file – the Task Force recommends the development of a “universal police report” that an identity theft victim can complete online, print and take to a local law enforcement agency for verification and incorporation into the police department’s report system. The use of universal police reports will also ensure that identity theft complaints will flow into the FTC’s ID Theft Data Clearinghouse, and thereby will assist law enforcement officers in responding to such complaints.

Extending Restitution for Victims of Identity Theft-

To allow identity theft victims to recover for the value of the time that they spend attempting to make themselves whole – for example, the hours spent disputing fraudulent accounts with creditors that may be compromised or spent correcting credit reports – the Task Force recommends that Congress amend the criminal restitution statutes, 18 U.S.C. 3663(b) and 3663A(b), to require that defendants pay identity theft victims for the value of their lost time.

Reducing Access of Identity Thieves to Social Security Numbers-

In order to limit the unnecessary use in the public sector of Social Security Numbers (SSNs) – which are the most valuable pieces of consumer information for identity thieves – the Task Force recommends the following:

* The Office of Personnel Management (OPM) should accelerate its review of the use of SSNs, and take steps to eliminate, restrict or conceal their use, including assignment of employee identification numbers where practicable.

* OPM should develop and issue policy guidance to the federal human capital management community on the appropriate and inappropriate use of an employee’s SSN in employee records, including the appropriate way to restrict, conceal and/or mask SSNs in employee records and human resource management information systems.

* OMB should require all federal agencies to review their use of SSNs to determine where such use can be eliminated, restricted or concealed in agency business processes, systems and paper and electronic forms.

Developing Alternative Methods of “Authenticating” Identities-

Developing reliable methods of authenticating the identities of individuals, such as “biometrics,” would make it more difficult for identity thieves to misuse existing accounts or open new accounts using other individuals’ information. The Task Force recommends that agencies gather together academics, industry experts and entrepreneurs who are exploring ways to encourage greater development and use of authentication systems, and hold a workshop or workshops focused on developing and promoting improved means of authenticating the identities of individuals.

Improving Data Security in the Government-

To ensure that government agencies improve their data security programs, the Task Force recommends that OMB and the Department of Homeland Security (DHS), through the interagency effort already underway to identify ways to strengthen the ability of all agencies to identify and defend against threats, correct vulnerabilities, and manage risks: (a) outline best practices in the areas of automated tools, training, processes, and standards that would enable agencies to improve their security and privacy programs, and (b) develop a list of the top 10 or 20 “mistakes” to avoid in order to protect government information.

Improving Agencies’ Ability to Respond to Data Breaches in the Government-

In order to allow agencies to quickly respond to any data breaches, including by sharing information about those who may be affected with other agencies and entities that can assist in the response to the breach, all federal agencies should publish a “routine use” for their systems of records under the Privacy Act that would allow for the disclosure of such information in the course of responding to a breach of federal data.

Anyone wishing to ask a question about identity theft or to report identity theft may call 1-877-ID-THEFT, or visit the FTC’s Web site, http://www.ftc.gov/idtheft, or the Department of Justice’s Web site, http://www.justice.gov/criminal/fraud/websites/idtheft.html.” 

July VA Laptop Theft Was an Inside Job: Another Example of the Insider Threat

September 18th, 2006

A subcontractor was charged with stealing the VA laptop in July that contained billing information on 38,000 VA patients.

This highlights the importance of ensuring controls exist for all individuals you entrust with access to your information…going beyond your employees, and also doing activities to ensure the business partners to whom you have outsourced data handling of any kind are adequately securing your information.  You also need to ensure they do not then pass your information on to yet another entity without your knowledge and approval.

I talk about the threats and suggested controls for outsourcing in a couple of recent papers, "Addressing the Risks of Outsourcing" and "Security and Privacy Contract Clause Considerations" which I co-wrote with Christopher Grillo.

I’ve had great and interesting discussions with CISOs from many companies, and a significant number of them have experienced information security incidents from the employees to whom they have given authorized access to sensitive information and systems, as well as many incidents with their outsourced business partners, vendors, contractors and so on.  I believe that, even with the majority of states having breach notification laws, most incidents still never get reported.  If the incident was "handled" quickly and the company believes the culprits did not have time to actually do anything with the data, then it does not get reported.

In more than one case the insider doing bad things was a systems security administrator who was unhappy with his or her work situation…not enough pay…not enough respect…no promotion…no recognition…no perceived importance or appreciation… 

Information security and privacy incidents so often result from the actions of trusted insiders…information security and privacy practitioners need to make sure they keep that in mind and expand their scope of concern from just the physical and ether issues and try to inject some human psychology considerations into their information assurance activities.  Information security programs benefit from considering the human factor and recognizing and being aware of the motivations that lead to security incidents.

Patient Data Theft & HIPAA Implications

September 16th, 2006

Today Naples News in Florida reported:

"We often hear of Medicare fraud. We shake our head at the millions and even billions of dollars lost to bureaucratic ineptitude and theft. Then a case hits home.  A former employee of Cleveland Clinic Hospital in North Naples and a relative who worked for a Naples-based health-insurance claims company have been arrested and charged with stealing records of more than 1,100 patients.  The Cleveland Clinic receptionist had been on the job for over a year, and the theft took place in June, authorities say. Her suspicious activity was noticed by a co-worker, who alerted superiors. The arrests were made almost immediately.  Authorities so far decline to spell out exactly what the suspects and maybe others planned to do with the data, but suffice it to say that someone other than those who provided care were to get money.  The hopeful rays of light in this story are that the arrests were made so quickly and that a co-worker was empowered to come forward. A harsh light, though, is cast on the inability by law of victimized patients to sue for problems that could result from financial and other personal data falling into the wrong hands. Medical institutions can be entrusted with confidentiality, then be unaccountable for safe-keeping?  It is important for all the details on this case to come to light. The local health-care industry and its consumers stand to learn a great deal."

Some notes about the situation:

  • A coworker was alert and told management about the suspicious conduct.  Thank goodness!  This is something more companies need to encourage their personnel to do.  The amount of crime and fraud committed by trusted insiders is significant, and making all personnel aware of what to do if they see someone doing something that puts the business or health of others at risk is important to not only help catch bad things happening, but also to dissuade those considering crime from doing it if they know it is likely their coworkers will report them.
  • It seems criminal charges could and should be filed in accordance with HIPAA against the former employee and the accomplices.  Hopefully they will be.
  • I don’t agree with the statement that the victims cannot sue.  I’m not a lawyer, but it seems there are certainly many ways in which civil actions could be brought against the criminals by the victims.
  • It is likely they could also bring some kind of action against the hospital.  However, any convictions would seem unlikely given the reality of the insider threat to do bad things.  From the hospital’s point of view, it is important that they have a comprehensive information security and privacy program in place and are enforcing their policies.  If they have documentation to validate they did everything possible to safeguard information and a trusted employee with authorized access to PHI still committed the theft, then it would be very hard to find the hospital guilty of wrongdoing.  The insider threat is real, and the best way to protect against it in addition to a sound information security program is to raise the awareness of personnel so that you have many eyes and ears noticing and reporting if bad things are going on…not just the folks in the info sec area.

FTC Continues Course With More Compliance Activities and Fines: CAN-SPAM and the Adult Labeling Rule

September 14th, 2006

Today the FTC announced, "FTC Puts a Permanent Halt to Illegal Spamming Operations" in a press release about some actions, fines and penalties they just made.

A high-level summary of the judgments:

  • Violations of the CAN-SPAM Act and the Adult Labeling Rule will cost Cleverlink Trading Limited $398,000 (the actual judgment was $2,635,000.00; the judgment was suspended except for (1) $303,000 to be paid to the FTC and (2) $95,000 to be deposited by Defendant Muir into an escrow account to facilitate tax payments, but the full amount could be reinstated if all conditions of the judgment are not met) plus a freeze on their corporate assets, plus implementing various types of compliance activities and documentation on an ongoing basis for the next 3 and 6 years to confirm their compliance.
  • Violations of CAN-SPAM will cost Zachary Kinion $151,001.64 ("suspended because of his inability to pay," but the full amount could be reinstated if all conditions of the judgment are not met) plus implementing various types of compliance activities and documentation on an ongoing basis for the next 3 and 6 years to confirm his compliance.
  • Violations of CAN-SPAM and the Adult Labeling Rule will cost William Dugger, Angelina Johnson, and John Vitale $8,000 (the defendants were liable for $597,166, but it was reduced to the amount in the defendants’ bank accounts; the full amount could be reinstated if all conditions of the judgment are not met) plus implementing measures to obtain permissions.  They also had a freeze on their corporate assets, plus implementing various types of compliance activities and documentation on an ongoing basis for the next 5 and 8 years to confirm their compliance.
  • Violations of CAN-SPAM will cost BM Entertainment and B Pimp $24,193 ("suspended because of his inability to pay," but the full amount could be reinstated if all conditions of the judgment are not met). The owner of the organizations also pleaded guilty to criminal charges related to spam and unauthorized possession of access devices and is awaiting sentencing.  He must also implement various types of compliance activities and documentation on an ongoing basis for the next 3 and 6 years to confirm his compliance.

At first glance the suspensions of the fines are disappointing.  However, considering the asset freezes and also ongoing monitoring and reporting, with the possibility of having the original fines reinstated, this seems reasonable.

CAN-SPAM actually has had quite a bit of compliance activity since it was enacted, along with the Adult Labeling Rule.

FTC Hosting Fraud Prevention Forums: Identity Theft Demographics

September 13th, 2006

The FTC announced today:

"FTC, Partners Will Hold Hispanic Fraud Prevention Forum in New York City

Members of Hispanic Communities Invited to Discuss Consumer Fraud Issues

The Federal Trade Commission, United States Postal Inspection Service (USPIS), U.S. Attorney’s Office for the Southern District of New York, and Manhattan Hispanic Chamber of Commerce are hosting a day-long Hispanic Fraud Prevention Forum in New York City. The Forum, which will be held September 27, 2006, from 8:30 A.M. until 3:30 P.M. at the Alexander Hamilton U.S. Custom House at One Bowling Green, New York, NY 10004, is open to Hispanic community leaders, representatives from community organizations, and local, state, and federal law enforcement and consumer protection agencies that work with Hispanic consumers. The goals are to discuss consumer fraud in Hispanic communities in the New York area and develop law enforcement and consumer education strategies to address it."

Go to the link to find out more.

This struck me as quite interesting.  I wonder what studies or statistics they have about all the demographic groups?

Searching through their site I found a 283 page report, "Fraud and Identity Theft Complaints Received by the Federal Trade Commission from Consumers Age 50 and Over" from May 2005, but no other reports about a specific demographic.

Okay, the mathematician in me is now thirsty for some demographic identity theft information…

I found the Better Business Bureau (BBB) Online identity theft study from January 2006.  "One Surprising Finding: the Core Demographic – 25 to 34 – Has the Highest Rate of Identity Fraud Rather Than Seniors"  Interesting…

Javelin Strategy & Research did the BBB Online study.  They also did another one in August 2006 that costs $950 (nope!  I’m not shelling out that kind of dough just to pique my curiosity).  Their overview provided an interesting statement: "Misunderstanding data breaches and their effect on identity fraud may lead to incorrect guidance to consumers, mistakes regarding protective measures companies employ, and overly burdensome legislation. Armed with facts, industry leaders must ensure that the data breach "cure" is not worse than the affliction. This report is the first ever to show the actual impact that data breaches have on known-cause cases of identity fraud." 

First ever to show how data breaches impact identity fraud???

Hmm…definitely good bait to get some sales…I take these types of statements with several grains of salt without knowing what kind of meat they have to support their gravy statements… 

It all comes down to implementing the correct controls and safeguards around personally identifiable information (PII) to reduce risks to a reasonable and acceptable level to help prevent the compromise of PII to begin with. 

It would be very interesting to see the mistakes they found companies make; there are so many to choose from!  And yes, of course some legislation can be overly burdensome, and I agree that many laws should have been written better.  But, without legislation I wonder how many companies would decide that, since they aren’t legally required to protect PII, they won’t cut into their revenues by implementing controls at all…or will just implement the minimum they think they can get away with?  Data protection laws and information security initiatives are both double-edged swords that often clink in battle within many organizations.

Employee Privacy and Common Sense

September 12th, 2006

Time magazine ran an interesting story in their 9/11 issue, "Snooping Bosses" that discussed multiple privacy issues within the workplace.  They provided a sidebar that truly should be common sense to anyone working in this day and age.  I’ll go over it later…it’s not on their site…

The article started with a great story about a security guard who was fired for playing hooky…he called in sick, but his company-provided cell phone had a GPS system that showed him on the road to Reno…ultimately the unemployment ax fell.

Here are a few interesting excerpts with statistics you will find surprising…or perhaps not…

  • "Nine out of 10 employers observe your electronic behavior, according to the Center for Business Ethics at Bentley College."
  • "A study by the American Management Association and the ePolicy Institute found 76% of employers watch you surf the Web and 36% track content, keystrokes and time spent at the keyboard." & "38% hire staff to sift through your e-mail."
  • "A June survey by Forrester Research and Proofpoint found that 32% of employers fired workers over the previous 12 months for violating e-mail policies by sending content that posed legal, financial, regulatory or p.r. risks."

I would think the numbers in the first two bullets are actually higher.  With today’s regulatory requirements, need to demonstrate due diligence, and studies such as those referenced below, it just makes good business sense to monitor certain electronic communications…in reasonable ways.  If personnel violate published and communicated corporate policies they should face sanctions, and sometimes those will need to be dismissal.

  • "45% of us admit that surfing is our favorite time waster, according to a joint survey by Salary.com and AOL"

See…no wonder employers are monitoring!!  I’ve read other reports as well that indicate personnel spend anywhere from 8 – 20 hours per week surfing.  If you were paying someone to do work and they were sitting on the clock submitting bids on eBay or spending hours on Match.com, wouldn’t you be a little more than a bit ticked off?

  • "A Northeast technology company found that several employees who frequently complained of overwork actually spent all day on MySpace.com"

This is funny and sad simultaneously.  They probably did feel tired from all their MySpace.com chatting and viewing…poor carpal-tunnel-fatigued folks.

  • "Slightly more than half of employers surveyed monitor how much time their employees spend on the phone, and even track calls–up from 9% in 2001."

Over 50% monitoring calls.  Not that surprising.  Quite interesting how much it has increased since 2001, though.

  • "Workers at Google, Delta Airlines and Microsoft have claimed their blogs got them fired."

Do you have policies regarding what your personnel cannot post to blogs with regard to your company?  Not only can information blogged about your company be embarrassing and cause PR problems, it is also very easy for confidential information to be inappropriately posted within blogs.

  • "In Thompson v. Johnson County Community College in Oklahoma, the court held that employees had no expectation of privacy in a locker room because the room had pipes that required occasional maintenance. (The need to service the pipes was enough for the court to let the employer use video surveillance.)"

ICK. Where were those CCTVs pointed?  Although there are safety and physical security reasons for CCTVs, putting them in locker rooms still seems at first blush (so to speak) a little too far.  Hopefully they communicated or had signs indicating the areas that were visible to the CCTVs.

  • "At Citywatcher, a Cincinnati, Ohio, company that provides video surveillance to police, some workers volunteered to have ID chips embedded in their forearms last June."

I’ve read other articles about this.  An implanted chip is still a "something you have" factor, not a "something you are" one: the tag answers whatever reader interrogates it, so it can be read and copied much like a badge, just one that can never be left at home.  What happens if the folks are fired?  Or, if they decide to quit and not come back to work?  There’s probably some way to disable them, but still…I’m not sure all the potential negative impacts of creating Johnny Mnemonic-like employees in our workplace have really been explored and addressed.

The sidebar lists "precautions" that should not only be common sense by now, but should also have been covered multiple times through a good information security and privacy training and awareness program.  At a high level these 9 precautions include:

  1. "Know your company’s policies"  DUH.  However, if the information security and privacy folks are NOT telling personnel what the policies are, then personnel will not know and will likely then do bad or dangerous things with your organization’s information assets.
  2. "Surf the web sparingly"  This is not only good for the company’s bottom line (hey, they are paying you to work, folks), but it is good for information security to help keep the electronic nasties from finding their way into your network.
  3. "Think twice before you hit "Send""  Most definitely.  I blogged about this recently
  4. "Proofread profiles"  This warns the personnel to make sure their own profile information on their blogs, in their emails, etc.  will not result in your company manager, or worse HR person, calling them in to have a serious discussion about their profession-limiting activities.
  5. "Snail-mail your resume"  This is so earlier edits do not hang around in them, and also so your boss does not see you are sending your resumes to other organizations.
  6. "Hold your tongue"  This warns not to leave voice mails you will later regret.  This happens way too many times.  Voice mails have been used extensively as evidence in court.
  7. "Forward with careAnother email oops that I have discussed
  8. "Use passwords"  DUH.  Info sec and privacy folks, you should be telling your personnel about all issues related to all types of passwords.
  9. "No porn at work"  This is beyond, DUH…c’mon folks!  You’re getting paid to work, not testing to see if you need the little blue pill.

Privacy Decisions Involve More Than Consideration of Personally Identifiable Information

September 11th, 2006

There was a nice article in the 9/11 issue of Newsweek that points out that, even if nothing considered personally identifiable information (PII) is being collected, publicly disseminated or posted on websites, the collection and interpretation of non-PII can still reveal the persons involved, and with them their private activities, "aspirations and dreams."

However, Google, Yahoo and others who aggregate this kind of data indicate that

"the information extracted from studying the way individuals search has been crucial in raising the quality of search to its present level. "Our searches have improved dramatically because we have that data," says Alan Eustace, Google’s senior vice president of engineering and research. Furthermore, they contend that without the information, they would be severely hobbled in further improving their products. "If you don’t have such data, there would be significant compromise of the user experience in the future," says Prabhakar Raghavan, Yahoo’s head of research." 

And, as the article points out, the government is also interested in the data…likely because it could point to specific individuals and groups as potential criminals and terrorists.

Does your company collect, aggregate, data mine and/or publicly post similar types of de-identified information to primarily improve your products or services?  Or, to enhance your marketing efforts?  If a secondary impact is that certain individuals’ activities, likes and dislikes, and thoughts are revealed, would you be concerned?  Would your business leaders be concerned?  What if, as a result, their own aspirations and dreams were revealed…or those of their living or deceased loved ones?

Before you decide that, just because there is no specific law against doing so, you are going to aggregate the electronic traces and movements of your customers, employees or consumers in order to improve your products or services, take a good hard look at what the ultimate consequences could be, both to the individuals and to your company, if the public decides that you stepped over the line and took it upon yourself to eavesdrop on their lives just for the greater good of your bottom-line revenues.
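To make the Newsweek point concrete, here is an added example (my own illustration, not code from the article or from any of the companies it quotes) of how records with the names removed can still be tied back to named people.  Every record, name, token and ZIP code below is constructed for the example.  A "de-identified" search log keeps a pseudonymous session token plus a few seemingly harmless attributes (ZIP code, birth year, sex); a separately available public directory carries the same attributes next to real names.  Joining on that combination, the so-called quasi-identifiers, re-identifies any session whose combination is unique, and then every query that session ran is exposed.  The example goes a step beyond the article by also showing the usual mitigation: coarsening the quasi-identifiers until every combination covers several people, and measuring the result as the smallest group size (k-anonymity).

```python
"""
Added example: re-identifying "de-identified" query logs through quasi-identifiers.
All data below is constructed for illustration; nothing here comes from a real log.
"""
from collections import defaultdict

# Constructed "de-identified" query log: the user name has been replaced by an
# opaque session token, but each record still carries a few "harmless" attributes.
QUERY_LOG = [
    {"session": "tok_a1", "zip": "50309", "birth_year": 1971, "sex": "F", "query": "chest pain symptoms"},
    {"session": "tok_a1", "zip": "50309", "birth_year": 1971, "sex": "F", "query": "divorce attorney des moines"},
    {"session": "tok_b7", "zip": "50309", "birth_year": 1971, "sex": "M", "query": "cheap flights reno"},
    {"session": "tok_c3", "zip": "50310", "birth_year": 1980, "sex": "M", "query": "myspace login"},
    {"session": "tok_d9", "zip": "50310", "birth_year": 1980, "sex": "M", "query": "resume templates"},
]

# Constructed public directory (think of a voter roll: name, ZIP, birth date, sex).
DIRECTORY = [
    {"name": "Jane Roe", "zip": "50309", "birth_year": 1971, "sex": "F"},
    {"name": "John Doe", "zip": "50309", "birth_year": 1971, "sex": "M"},
    {"name": "Al Smith", "zip": "50310", "birth_year": 1980, "sex": "M"},
    {"name": "Bo Jones", "zip": "50310", "birth_year": 1980, "sex": "M"},
]

# Attributes that are not PII on their own but identify people in combination.
QUASI_IDENTIFIERS = ("zip", "birth_year", "sex")


def qi_key(record):
    """The quasi-identifier tuple used to join the log against the directory."""
    return tuple(record[field] for field in QUASI_IDENTIFIERS)


def sessions_by_quasi_identifiers(log):
    """Collapse the log to one quasi-identifier tuple per session token."""
    sessions = {}
    for rec in log:
        sessions.setdefault(rec["session"], qi_key(rec))
    return sessions


def reidentify(log, directory):
    """Map session token -> name for every session whose quasi-identifiers
    match exactly one directory entry. Ambiguous sessions are left unlinked."""
    people_by_key = defaultdict(list)
    for person in directory:
        people_by_key[qi_key(person)].append(person["name"])
    linked = {}
    for session, key in sessions_by_quasi_identifiers(log).items():
        candidates = people_by_key.get(key, [])
        if len(candidates) == 1:
            linked[session] = candidates[0]
    return linked


def exposed_queries(log, linked):
    """Everything a re-identified person searched for, keyed by real name."""
    exposed = defaultdict(list)
    for rec in log:
        if rec["session"] in linked:
            exposed[linked[rec["session"]]].append(rec["query"])
    return dict(exposed)


def k_anonymity(log):
    """Smallest number of distinct sessions sharing any one quasi-identifier tuple.
    k == 1 means at least one session is unique and therefore linkable."""
    groups = defaultdict(set)
    for rec in log:
        groups[qi_key(rec)].add(rec["session"])
    return min(len(sessions) for sessions in groups.values())


def generalize(records):
    """Coarsen the quasi-identifiers (3-digit ZIP prefix, 10-year birth band,
    sex suppressed) so that each tuple covers several people. Works on both
    the log and the directory so the two can still be joined for comparison."""
    return [
        dict(rec, zip=rec["zip"][:3], birth_year=rec["birth_year"] // 10 * 10, sex="*")
        for rec in records
    ]


if __name__ == "__main__":
    linked = reidentify(QUERY_LOG, DIRECTORY)
    print("k-anonymity of raw log:", k_anonymity(QUERY_LOG))
    print("re-identified sessions:", linked)
    print("exposed queries:", exposed_queries(QUERY_LOG, linked))
    coarse_log, coarse_dir = generalize(QUERY_LOG), generalize(DIRECTORY)
    print("k-anonymity after generalization:", k_anonymity(coarse_log))
    print("re-identified after generalization:", reidentify(coarse_log, coarse_dir))
```

On the raw log two of the four sessions are unique in ZIP, birth year and sex, so they link to exactly one directory entry each and their full search history is attributed to a named person; the other two share a tuple and stay ambiguous.  After generalization every tuple covers two sessions (k = 2) and no session links uniquely.  Removing the name column did nothing that the join could not undo; only reducing the precision of the remaining columns did.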
