Microsoft Making Their Internal Privacy Standards Public in August

June 26th, 2006

Yesterday ZDNet published a story, "Microsoft to publish its privacy rules."

"Microsoft plans in August to publicly release the privacy rules its employees have to follow when developing products.  The move, which offers a look behind the scenes at Microsoft, is meant to give the industry an example of what the software giant sees as best practices in customer privacy, said Peter Cullen, the chief privacy strategist at Microsoft."

Indeed, most organizations need help with creating privacy standards.  Privacy is a relatively new concept within organizations, and most still view it solely as a legal issue.  It is so much more.

Privacy, in addition to information security, must be built into all business processes, from the beginning of the planning stage all the way through to the retirement of a process.  Privacy policies, procedures and standards must be created to ensure consistent privacy implementation throughout all levels and areas of the enterprise.  Most organizations do not have privacy policies (beyond just their posted website privacy statement), let alone privacy procedures and standards.  If Microsoft has good standards to use as a model, then I applaud their efforts.

"This is designed for an IT pro or a developer, in terms of: ‘If you’re building an application that does X, this is what we think should be built,’" he said. "The public document will use a lot of ‘shoulds.’ Inside Microsoft, those are ‘musts.’"

This could be a fantastic document to help CISOs and CPOs partner to provide guidance to IT areas in creating standards for programmers and developers.  It would also be a good start in leading the privacy standards development efforts for the rest of any enterprise.  So many areas have access to personally identifiable information (PII) and communicate directly with customers, consumers and employees that it is critical they know how the PII must be protected, and how communications must be conducted so that PII is released consistently and staff do not end up being socially engineered into revealing it.  This requires more than just high-level policy statements (which are certainly necessary); it also requires detailed procedures specific to business services and products, and standards to ensure consistent application across the enterprise.

This is also a good example to set for other vendors who need to be addressing privacy within their own products.  Perhaps Microsoft should challenge the other technology giants to also make their privacy standards public…I wonder how many of them actually even have such documents?

I’m not saying that Microsoft is perfect in their information security and privacy practices…no company is…they can definitely improve in places.  However, it is admirable that they are willing to open themselves up to such scrutiny; will others follow suit?

Security Incidents Inundating the News Today

June 24th, 2006

When checking the news this morning I felt like I was in the Twilight Zone; it seemed that the news of information security incidents just kept popping up, one right after the other. 

I envisioned a TZ episode, perhaps entitled, "Data Wants To Be Free," with the plotline:  Overnight all the personal data for every business in North America and the EU (yes, this needs to be an international story) has been stolen…every hard drive, every storage device and every laptop computer…CISOs and CPOs anguish about what to do while copies of everyone’s personal data that were on these devices continue to be mysteriously posted to thousands…no, make that millions…of Internet sites…the major credit reporting agencies increase their computing power to accommodate credit monitoring for basically all the U.S.’s…and rest of the world’s…population…the public panics and jams the credit card companies phone lines with requests to cancel their accounts and establish new ones…   Okay, I’ll stop with the silly storyline…but is it really so far-fetched?  🙂 

Back to the real (and in many ways equally as scary) news…

Here are the first eight incident stories that leaped out at me this morning; I found many more after these, most in smaller venues, but I think this listing demonstrates how information security and cybercrime really seem to be out of control with data virtually flying out of businesses and going to who-knows-where every day.

  1. Tops employees’ personal data stolen (Buffalo News) – For the second time in a month, a laptop computer containing personal information on Tops Markets employees has been lost, the supermarket’s parent company said Friday. The computer was stolen from a Deloitte Accountants employee during a commercial airline flight, said a spokesman for Dutch supermarket company Royal Ahold NV. Neither Ahold nor Deloitte would say when or where the laptop was stolen, how many supermarket employees are affected or exactly what personal information is at risk.
  2. Navy finds sailors’ private info on Web: Latest in string of security gaps affects 28,000 (San Francisco Chronicle) – Navy officials this week discovered that personal data for nearly 28,000 sailors and family members appeared on a public Web site, fueling more concerns about the security of sensitive information belonging to federal employees.
  3. City Hall break-in puts thousands at risk (Hattiesburg American) – Thieves who broke into Hattiesburg City Hall made off with more than $150,000 in computer equipment, including four computer servers that contained personal information of at least 23,000 city residents and employees.  Sometime late Thursday or early Friday, two unidentified men broke out a window on the southeast side of the building to gain entry into the basement level. There they shattered the door of the information technology department and took the computer equipment, Hattiesburg Police Chief David Wynn said Friday.
  4. Stop & Shop employees’ data stolen (Worcester Telegram) – A laptop computer containing personal information of current and former employees of supermarket chains Stop & Shop, Giant and Tops was stolen during a commercial flight, the supermarkets’ parent company said yesterday. It was the second such incident disclosed by the company this month. The U.S. subsidiary of Dutch parent company Royal Ahold and an auditor whose employee had the computer would not say when the laptop was stolen, how many supermarket employees were affected or describe what personal information had been divulged.
  5. 619 students’ secure data revealed online (Bradenton Herald Today) – A number of Catawba County high school students received an unwanted adult-world graduation present: Their Social Security numbers were exposed on the Web.  The mother of a graduate found the numbers along with test scores of 619 students on a school Web site this week. She found the page while looking on Google for information about a beauty pageant contestant.  Catawba County Schools officials said the page was password protected and they had no idea how Google got access. Google was working to remove the page Friday night.
  6. Identity data stolen along with laptop (Roanoke) – A laptop containing the personal information of more than 200 people was stolen from a Roanoke-based staff attorney for the federal Social Security Administration.  The computer contained the names, Social Security numbers and, in some cases, medical information of the 228 people whose records may have been compromised, said Mark Lassiter, a spokesman for the Social Security Administration.
  7. Thief steals Bank of the Orient ID data (Pacific Business News) – An estimated 28,000 consumers of Bank of the Orient are potentially at risk for identity theft after a robbery at a branch in Los Angeles, the company said Friday. The San Francisco-based bank, which has two branches in Honolulu, said magnetic tapes containing customers’ names and Social Security numbers were stolen during the heist.
  8. STOLEN LAPTOP CONTAINED STUDENTS’ PERSONAL INFORMATION (Bay City Newswire) – A laptop stolen from a San Francisco State University faculty member’s car on June 1 contained identity information of 3,035 business students, SFSU spokeswoman Ellen Griffin said today (June 23, 2006). The university was notified of the incident on June 6 and alerted students on June 13. About 95 percent of the names on the stolen computer were alumni, but some were current students.  There is no indication that information on the laptop has been used illegally, but because it contained 2,816 social security numbers and other personal data, university officials sent a warning letter to affected students.

Irony: Two FTC Laptops Stolen From Car…An Unfair and Deceptive Business Practice?

June 23rd, 2006

Earlier this month the AICPA, proponent of good privacy programs and creator of a privacy management methodology (actually apparently built around OECD privacy principles) reported that it did not remove personally identifiable information (PII) from a hard drive they sent to an outside repair shop, and the drive was subsequently stolen.  Irony.  Someone within their organization was not following their own advice (yep, human nature…and possibly lack of awareness and training…at work).

Today it was reported that two laptops containing PII about 110 individuals were stolen from the car of an FTC employee.   More irony.

"The information includes individuals’ names, addresses, Social Security numbers, birth dates, and "in some cases, financial account numbers," the regulatory agency said this week."

"The analyst had violated a department security policy by taking home the sensitive data. The incident prompted calls for all government agencies to adhere more closely to the Federal Information Security Management Act."

It makes you wonder, will a regulatory oversight agency such as the FTC fine itself?  It appears they need to beef up their information security program.  Should they require themselves to have independent, 3rd party audits for the next 20 years?  Should they require an extensive list of information security and privacy actions to be implemented?  Well, okay…I’m being facetious…but this really is ironic…the agency that is constantly scolding businesses for lax security…WHICH IS A GOOD THING; WE NEED AGENCIES THAT UPHOLD THE LAWS AND BUSINESS PROMISES…now experiences an incident.  This is the type of situation all CISOs and CPOs have nightmares about…trying as hard as they can to have a good program, and then having a hugely publicized incident occur as a result of one person’s lack of knowledge about security, or carelessness, or whatever other excuse can be attributed.

The FTC actually did provide information about this event on their website:

"Commission Notifies Individuals of Theft

The Commission today announced it is notifying approximately 110 individuals that two FTC laptop computers, one of which contained some of their personally identifiable information, were stolen from a locked vehicle. The FTC has no reason to believe the information on the laptops, as opposed to the laptops themselves, was the target of the theft. In addition, the stolen laptops were password protected and the personal information was a very small part of several thousand files contained in one of the laptops. The personal information was gathered in law enforcement investigations and included, variously, names, addresses, Social Security numbers, dates of birth, and in some instances, financial account numbers. The letters being sent to the individuals, some of whom are defendants in current and past FTC cases, explain the type of information about that individual that may have been on the laptop, and the steps the individuals should consider taking to limit their risk of identity theft. The FTC will offer these individuals one year of free credit monitoring.

The FTC’s Inspector General has been notified and is investigating the theft. The local police department, as well as appropriate federal law enforcement agencies, including the Department of Homeland Security and the Federal Bureau of Investigation, also have been notified."

Well, the information within their message certainly is lacking…they are using statements similar to the ones for which they have scolded other organizations…such as, "In addition, the stolen laptops were password protected and the personal information was a very small part of several thousand files contained in one of the laptops."  Come on, now…it would have been much more effective to just say, look, we made a mistake.  We should have ensured all the PII on our mobile computing devices was encrypted.  We were silly not to.

The fact there were "several thousand files" on the laptops is pretty much irrelevant; using the native OS search utilities, it takes just a few seconds to a few minutes to find specific data within hundreds of thousands of files.
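To show how little the file count matters, here is an added example (not from the original post or the FTC) that plants one constructed file holding SSN-like values among a few thousand bland files and scans the whole tree with nothing but the standard library; the validity filter it applies is an assumption based on the public SSA numbering structure and is not an exhaustive validator. The same scan, run before a device leaves the building, is the cheap check; encryption is the control.

```python
"""PII discovery scan: file volume is no protection for unencrypted data.

Added example, not from the original post. Plants one constructed file of
SSN-like values among thousands of innocuous notes, then scans the tree.
"""
import os
import re
import tempfile
import time

# Formatted (nnn-nn-nnnn) or bare nine-digit candidates, not inside a longer run.
SSN_RE = re.compile(r"(?<!\d)(\d{3})-?(\d{2})-?(\d{4})(?!\d)")


def looks_like_ssn(area: str, group: str, serial: str) -> bool:
    """Reject values the SSA never issues, to cut false positives.

    Assumed structure rules: area 000, 666 and 900-999 are never assigned;
    group 00 and serial 0000 are invalid. Not an exhaustive validator.
    """
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    if int(group) == 0 or int(serial) == 0:
        return False
    return True


def count_ssns(text: str) -> int:
    """Number of plausible SSNs in a blob of text."""
    return sum(1 for m in SSN_RE.finditer(text) if looks_like_ssn(*m.groups()))


def scan_tree(root: str) -> dict:
    """Walk root; return {path: ssn_count} for files holding plausible SSNs.

    Undecodable bytes are ignored so binary files neither abort the scan
    nor hide formatted SSNs embedded in them.
    """
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                    n = count_ssns(fh.read())
            except OSError:
                continue  # unreadable file: skip it, keep scanning
            if n:
                hits[path] = n
    return hits


def build_sample_tree(root: str, n_files: int = 3000) -> str:
    """Constructed fixture: n_files bland notes plus one case file with SSNs.

    The case file also carries decoys (area 000, area 9xx, group 00) that
    match the regex but fail the structure filter.
    """
    for i in range(n_files):
        sub = os.path.join(root, f"dir{i % 25}")
        os.makedirs(sub, exist_ok=True)
        with open(os.path.join(sub, f"note{i}.txt"), "w") as fh:
            fh.write(f"meeting notes {i}: phone 555-0100, case ref 2006-{i}\n")
    case_file = os.path.join(root, "dir7", "respondents.csv")
    with open(case_file, "w") as fh:
        fh.write("name,ssn,dob\n")
        fh.write("A. Example,123-45-6789,1970-01-01\n")  # constructed, valid form
        fh.write("B. Example,219876543,1965-06-15\n")    # bare nine digits
        fh.write("decoy,000-12-3456,\n")                 # area 000: invalid
        fh.write("decoy,987-65-4321,\n")                 # area 9xx: invalid
        fh.write("decoy,123-00-4321,\n")                 # group 00: invalid
    return case_file


def demo() -> tuple:
    """Build the fixture, time the scan, return ({relative_path: count}, seconds)."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        start = time.perf_counter()
        hits = scan_tree(root)
        elapsed = time.perf_counter() - start
        rel = {os.path.relpath(p, root).replace(os.sep, "/"): n
               for p, n in hits.items()}
        return rel, elapsed


if __name__ == "__main__":
    found, secs = demo()
    print(f"scanned in {secs:.2f}s; files with plausible SSNs: {found}")
```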

Most of the individuals whose PII were compromised were defendants in current cases.  What would REALLY be ironic is if they were defendants in laptop theft cases!  🙂

Virginia Law Gives All Higher Education Student Names, Birthdates and SSNs to State Police

June 22nd, 2006

A friend of mine (thanks Barry!) pointed out an interesting article from a couple of days ago that reported a new Virginia law will go into effect July 1 requiring all public and private colleges and universities to submit student names, birthdates and social security numbers (SSNs) to state police to cross-check against sex offender registries.

Hmm…interesting and disconcerting article…let’s see more about the law…

Appears the law, known as HB 984, Sex Offender and Crimes Against Minors Registry, was actually signed by Governor Kaine on April 24 and covers a very wide range of actions to identify and catch sexual predators in an effort to keep children safe, and I applaud such efforts when they are well considered and thoughtfully framed. 

However, it appears in the quest to catch all these disgusting monsters, the zealousness of the law writers went beyond just accumulating known offenders, and even likely offenders, and cast a net lumping a large group of individuals who have absolutely no characteristics of being sexual predators, but are merely a targeted stratum of the population…those attending institutions of higher education.  Within all the text outlining the characteristics and requirements for known sexual criminals, the following text is curiously dropped:

"§ 23-2.2:1.  Reporting of student information to Sex Offender and Crimes Against Minor Registry.

Each public and private two- and four-year institution of higher education physically located in the Commonwealth shall electronically transmit data including (i) complete name, (ii) social security number or other identifying number, (iii) date of birth, and (iv) gender to the Department of State Police, in a format approved by the State Police, for comparison with information contained in the Virginia Criminal Information Network and National Crime Information Center Convicted Sexual Offender Registry File, for all applicants that are offered acceptance to attend the institution. This data shall be transmitted before such time that an applicant becomes a "student in attendance" pursuant to 20 U.S.C. 1232g(a)(6) at that institution. However, institutions with a rolling or instantaneous admissions policy shall report enrollment in accordance with guidelines developed by the Department of State Police in consultation with the State Council of Higher Education and the Virginia Community College System. Such guidelines shall be developed no later than January 1, 2007.

Whenever it appears from the records of the State Police that a person has failed to comply with the duty to register or reregister pursuant to Chapter 9 (§9.1-900 et seq.) of Title 9.1, the State Police shall promptly investigate and, if there is probable cause to believe a violation has occurred, obtain a warrant or assist in obtaining an indictment charging a violation of § 18.2-472.1 in the jurisdiction in which the person was enrolled with the educational institution."

So individuals who are pursuing a college education in Virginia now by default have all their personal information combined with that of all the known sex offenders and criminals? The intent is certainly noble, but what kind of precedent does this set for collecting the personal information of individuals from basically any other population stratum?  And where will this information about all the students be stored?  How will access to it be protected?  How long will it be retained?  Will it be combined within the databases of known sexual predators?  And what will prevent this personal data from being used for other purposes?

I am all for catching criminals and the horrible monsters who shatter childhoods.  No one wants to see these disgusting poor substitutes for human beings locked away with the key thrown away more than I.  However, incorporating the personal information of innocent individuals who happen to be pursuing higher education into a database with these animals is not the right thing to do.

Noble intentions are good.  However, lawmakers really need to consider the negative impacts their good and noble intentions, and poorly written laws, have upon innocent people.

Lessons Learned: Don’t Blindly Trust Your Business Partners; the FTC Still Holds You Accountable

June 21st, 2006

Today the FTC released news that Executive Financial Home Loan Corp. was given a $1.1 million fine, reduced to $50,000 because of "inability to pay", for using the Do-Not-Call list to call "tens of thousands of consumers who are on the National Do Not Call (DNC) Registry for telemarketers and for failing to pay the annual fee required to access the DNC Registry. In addition, the company and its officers are permanently barred from violating the DNC provisions of the Telemarketing Sales Rule (TSR) and from making illegal telemarketing calls in the future." 

Executive Financial Home Loan Corp. claimed they purchased lead lists that they had been assured contained no numbers on the DNC Registry.  However, the FTC indicated that even when an organization purchases such lists, “The bottom line is that telemarketers are responsible for complying with the Do Not Call provisions of the Telemarketing Sales Rule, and cannot hide behind the claims of their service providers."

I have spoken with many organizations, and most depend upon the claims of their business partners in such situations, and do not go the step further to ensure the lists purchased truly do consist of consumers who have given their permission to use their personal information for marketing.

This is a good example, and lesson, of the need for organizations to perform due diligence to validate that the customer lists they are purchasing actually do consist of valid, legal information.  If they don’t, not only could they face a fine and accompanying consent orders, but they may face even more damaging negative publicity…and significant lost customers and revenue…as a result.  Never underestimate the impact of bad PR.  Go the step further and validate the legality of any customer/marketing lists you purchase.

The FTC also indicated that the Executive Financial Home Loan Corp. did not "pay the required fees to gain access to the phone numbers in the Registry itself."  I wrote about another situation where the FTC took action against a telemarketer that was inappropriately using the Do-Not-Call list for marketing and did not pay the required fees to get access to the Registry.  How do these organizations get access to the Registry without paying the fee?  Hmm…another topic to explore…

Learn from these experiences of others.

It is good to see the FTC is taking action to enforce the laws it is responsible for overseeing; it is the only way in which the laws will be effective.  The Department of Health and Human Services should take note and consider being more proactive with the HIPAA rules, which are so limp and ineffective without active enforcement.

Privacy Gurus and Tech Giants Speak to Congress on 6/20 About the Need for a Unified Data Protection Law

June 20th, 2006

There was an interesting short piece published on CNET News today, "Tech titans lobby for national consumer privacy laws."  Basically the tech giants are pushing for a single unified privacy law to apply to all businesses.  Gee, makes sense, doesn’t it?  Too bad Congress has been creating hodge-podge data protection (privacy) legislation for the past couple of decades.  Well, it’s better than not having anything.

The meeting took place today with a group from the U.S. House of Representatives, the Subcommittee on Consumer Protection.

Well…the news item whetted my curiosity whistle…but I like to go to the source for the full details.  The meeting is currently available via a webcast but (RATS!) not yet the full transcript.  Arrggghhh…it is too late in the evening for me to listen to all of this…something to add to my to-do list for tomorrow.

The Witness List & Prepared Testimony came from Meg Whitman, President and CEO, eBay Inc.; Dr. Thomas M. Lenard, Ph.D., Senior Vice President for Research, The Progress & Freedom Foundation; Peter Swire, C. William O’Neill Professor of Law, Moritz College of Law, The Ohio State University; Scott Taylor, Chief Privacy Officer, Hewlett-Packard Company; and Evan Hendricks, Editor/Publisher, Privacy Times.

Their prepared statement, quite short, is also endorsed by Google, Microsoft and several other tech leaders, and pushes for a:

"comprehensive harmonized federal privacy legislation to create a simplified, uniform but flexible legal framework. The legislation should provide protection for consumers from inappropriate collection and misuse of their personal information and also enable legitimate businesses to use information to promote economic and social value. In principle, such legislation would address businesses collecting personal information from consumers in a transparent manner with appropriate notice; providing consumers with meaningful choice regarding the use and disclosure of that information; allowing consumers reasonable access to personal information they have provided; and protecting such information from misuse or unauthorized access. Because a national standard would preempt state laws, a robust framework is warranted."

Such a law truly would start to coincide with all the non-U.S. data protection laws currently in effect.  Harmonization is a great idea, and I urge companies to use that concept with their compliance efforts.  There are many commonalities and overlaps among existing laws, both U.S. and non-U.S.  It would be interesting to see how such a comprehensive law would impact the existing U.S. laws…or vice versa.

One of the subcommittee members, Cliff Stearns (or Joe Barton; it’s hard to tell the way the document is labelled) appears to support such legislation.

This will be something to keep an eye on…hopefully this is not just activity timed to placate the public’s concerns with the glut of privacy/security incidents occurring in the past couple of years.  Both businesses and the public need a strong data protection law to help provide security and privacy, as well as a legal framework around which organizations can build strong privacy/security programs.  Will Congress be brave enough to pass such a strong law with teeth and no loopholes?  Time will tell.  At least I will keep one eye on this issue…

Semantic web and privacy

June 19th, 2006

Over the past few weeks I have been intrigued with semantic web and the impact of it upon privacy and security.  I was at CSI’s NetSec in Scottsdale, AZ last week (followed by a wonderful first visit to the Grand Canyon…and then some hardware problems…AARRRRGGGGHHHHH!!!!!…thus my lack of blog postings), and I was surprised that no one I spoke with (admittedly a small fraction of the total number of attendees) had heard of semantic web.

Semantic web has actually been in the news lately.  For example,

  • NSA Looking At Social-Networking Spaces: "Bajarin also mentioned that the NSA searches are also tying into a time when the Internet is evolving towards what’s known as the "semantic Web." With simple code revisions to major Web sites, the Internet’s content becomes far easier to search through and index, larger systems and search engines seeing the structure of the Internet in a more logical, easily searchable way. "While it (the "semantic Web") might help surveillance, it helps make searches more accurate," Bajarin said. "It would have to help data mining and surveillance efforts to some degree. If you want serious data mining done for lower-level access, you’d need legal access to the back end."  Others have wondered about the NSA’s logic in tracking terrorist connections through social-networking sites such as MySpace.com and Facebook.com."
  • Pentagon datamines social networks: "New Scientist reports that the Pentagon is datamining social networks.  This is to allow the US government to draw up detailed personal profiles of individuals, according to what they post to the internet.  It is also intended to work out which individuals are connected to blacklisted organisations, either directly, or through people they interact with online.  Ironically, attempts by the W3C to make the web more interaccessible via different data formats – the so-called semantic web, using the Resource Description Framework (RDF) – will expedite this process. "
  • Inventor of ‘Semantic Web’ hired as RPI professor: "He is recognized as one of the inventors of the "Semantic Web," which is the development of a language for the Internet that can be understood by computers. Such a system can allow far fuller use of the Web, Hendler said. "As a simple example, imagine being able to search the Web for ‘the scene where the guy throws his hat at a statue and its head falls off’ and finding the right clip from the movie Goldfinger to download to your hand-held video device," Hendler said in a statement released by Rensselaer."

Several web sites are devoted to semantic web, such as W3C and the Semantic Web Community portal.

Much has been written about semantic web in various universities.  For example, just a few include:

It certainly has great potential…imagine the computing power! 

However, when delving into the possibilities, there are certainly significant privacy issues to consider in the way it is used, and the impact of incorrect labelings and codings. 

Consider a 1000 piece jigsaw puzzle of a blue lake and blue sky…looking at just one piece at a time would not tell someone what the completed puzzle would look like.  Even looking at a few connected pieces would not tell much more of significance.  However, by putting together significant portions of the puzzle, eventually leading to puzzle completion, everything about the picture becomes clearly obvious.  The semantic web holds that same potential for piecing together the private lives of people; taking a piece from here and a piece from there to form the complete picture about an individual.  A huge risk is when the semantic web does not interpret the pieces correctly, makes vastly inaccurate conclusions, and subsequent mistakes are made that negatively impact lives.  This is similar to the profiling programs used by the TSA, which have misinterpreted a few travellers and significantly disrupted their otherwise comparatively normal lives, only on a potentially larger scale.
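The jigsaw argument, both the assembly of a picture and the mistaken interpretation, as an added example that is not part of the original post: constructed RDF-style triples from four fictitious sites (siteA through siteD, all made up) are linked two ways. Linking on foaf:mbox_sha1sum, which the FOAF vocabulary treats as identifying one person, assembles a profile from scattered pieces; linking on foaf:name, which identifies no one, quietly merges two different people and attaches a conviction to the wrong one.

```python
"""Linkage demo: how scattered triples become a profile, and how a bad
linking key produces a false conclusion. Added example; data is constructed.
"""
from collections import defaultdict
import hashlib

FOAF = "foaf:"  # compact prefix for readability


def mbox_sha1(mailto: str) -> str:
    """FOAF publishes the sha1 of a 'mailto:' URI rather than the address."""
    return hashlib.sha1(mailto.encode()).hexdigest()


# Each site mints its own local subject IDs; nothing but shared property
# values ties them together. All names, sites and addresses are fictitious.
TRIPLES = [
    # site A: a staff directory
    ("siteA:emp42", FOAF + "name", "Pat Example"),
    ("siteA:emp42", FOAF + "mbox_sha1sum", mbox_sha1("mailto:pat@example.org")),
    ("siteA:emp42", "ex:employer", "Example Hospital"),
    # site B: a social profile
    ("siteB:u917", FOAF + "name", "Pat Example"),
    ("siteB:u917", FOAF + "mbox_sha1sum", mbox_sha1("mailto:pat@example.org")),
    ("siteB:u917", "ex:hometown", "Springfield"),
    # site C: a support forum post; only the email hash links it to the rest
    ("siteC:post88", FOAF + "mbox_sha1sum", mbox_sha1("mailto:pat@example.org")),
    ("siteC:post88", "ex:topic", "chronic illness support"),
    # site D: a different person who happens to share the name
    ("siteD:m5", FOAF + "name", "Pat Example"),
    ("siteD:m5", FOAF + "mbox_sha1sum", mbox_sha1("mailto:pat.e@example.net")),
    ("siteD:m5", "ex:convicted_of", "fraud"),
]


def link_identities(triples, key_predicate):
    """Group subjects that share a value of key_predicate.

    Returns {subject: canonical_subject}. Sound only when key_predicate is
    inverse-functional (one value implies one entity), as FOAF defines
    mbox_sha1sum to be; foaf:name carries no such guarantee.
    """
    by_value = defaultdict(list)
    for s, p, o in triples:
        if p == key_predicate:
            by_value[o].append(s)
    canonical = {}
    for subjects in by_value.values():
        root = min(subjects)  # any deterministic representative will do
        for s in subjects:
            canonical[s] = root
    return canonical


def profile(triples, canonical, subject):
    """Every (predicate, object) the merged graph asserts about subject's identity."""
    root = canonical.get(subject, subject)
    facts = set()
    for s, p, o in triples:
        if canonical.get(s, s) == root and p != FOAF + "mbox_sha1sum":
            facts.add((p, o))
    return facts


def sound_profile(subject="siteA:emp42"):
    """Profile assembled by linking on the identifying property."""
    return profile(TRIPLES, link_identities(TRIPLES, FOAF + "mbox_sha1sum"), subject)


def careless_profile(subject="siteA:emp42"):
    """Profile assembled by linking on a name: the mistaken-interpretation case."""
    return profile(TRIPLES, link_identities(TRIPLES, FOAF + "name"), subject)


if __name__ == "__main__":
    for label, facts in (("sound", sound_profile()), ("careless", careless_profile())):
        print(label, sorted(facts))
```

The sound merge pulls the health-forum post into the hospital employee's profile (the privacy exposure); the careless merge instead pins siteD's fraud conviction on them (the inaccurate-conclusion risk), while missing the forum post entirely.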

There is much more to say about this…more research first, however…

State-Level Breach Notice Laws as of June 7, 2006

June 13th, 2006

There are many resources throughout various locations on the Internet that have listings of state level breach notice laws.  Unfortunately most are not up-to-date, and often they are not presented in a format that can serve as a quick reference.  I have found it most helpful to have a basic listing of all the state breach notice laws, along with the effective date for each.  As of June 7, 2006, I have found 32 state-level breach notice bills that have been signed into law, with the exception of the bill in Hawaii, which has been enrolled to the governor. I have created a table to serve as a handy reference to these laws and their corresponding effective dates.  My goal is to keep this up-to-date and repost whenever new laws are signed.

What IT Needs to Know About Compliance

June 8th, 2006

Businesses must always be vigilant about data security and privacy, particularly in the global information-based economy.  The need for security and privacy has never before been more apparent, with a new incident occurring practically every day. Businesses are dependent upon information technology (IT), not only to be successful in business, but also to be successful in protecting and controlling electronic data.

The risks that are an inherent part of IT make it necessary for IT leaders and IT personnel to know the data protection laws and regulations more than ever before. It is with this knowledge that they can incorporate information security and privacy within all the IT processes, throughout the entire systems development life cycle (SDLC). 

There are many commonalities between the regulatory, contractual and policy requirements for protecting data.  By realizing these commonalities IT can more successfully address compliance in a unified manner throughout the enterprise, and not try to address compliance issues in a piecemeal manner (which is typical but leads to significant compliance gaps). 

I discuss these issues, the IT issues within a wide range of U.S. and international laws and regulations, and clearly list the IT requirements to demonstrate the commonalities, in a new article I posted on my site, "What IT Needs to Know About Compliance."

Information Security and Privacy Professionals MUST Work Together to be Successful

June 6th, 2006

A few weeks ago I discussed the need for Information Security and Privacy professionals to work together to be successful.  Yesterday I posted a new podcast that expands upon this topic, and I also describe 14 business trends that information security and privacy professionals must collaborate with each other to address. If you get a chance to listen, please let me know what you think!

MP3: Rebecca Herold – Information Security and Privacy Professionals MUST Work Together to be Successful