Archive for January, 2006

Enron, ethics and opportunists

Monday, January 30th, 2006

A week or two ago I got an unsolicited package in the mail from a software vendor.  I opened it up, and there was a copy of Enron’s 2000 "Code of Ethics" booklet, which also contained the corporation’s information security policies.  This surprised me.  Hmm…what was this all about…

Reading the letter I found that this vendor was promoting their product by encouraging potential customers to view a site they set up with a copy of all the Enron email messages, "over 85,000 records" that were on the system at the time of the Enron collapse.  They justified this by indicating that since the information "is already posted on the web by the Federal Energy Regulatory Commission" that the vendor "believes that it is not harming anyone."  However, right before this the vendor indicates that it, "believes that most Enron employees are (and were) hard working, honest people who are (and were) trying to do a good job. We respect them and apologize for any embarrassment that this content may cause them."  Obviously they realize that they are probably harming someone.

They then go on to offer *THREE* contests, each with a prize of iPod shuffles, to the people who, after searching through the emails, would find the best emails that 1) would be grounds for firing, 2) contained the funniest jokes, and 3) were the most embarassing to the sender.

They indicate they have scrubbed the emails of "really personal information"…but not of the people’s names…first and last names.  Gee, that’s kinda personal, don’t you think?

Does this feel right or ethical?  It is one thing for the government to post evidence under the FOIA, but it quite another thing for a vendor to actually make a copy of the information and post it, obviously indicating that they realize this will cause embarassment to the people named within the company, people who have lost their jobs and life savings, solely for the purpose of promoting their product.  And then they go on to have *THREE* contests for people visiting their site to continue to embarass them!

There were around 28,000 Enron employees who lost their jobs, in addition to another 85,000 Arthur Andersen employees who also subsequently lost their jobs.  And now this vendor is taking an opportunist advantage of the situation, and government regulations regarding evidence, to blatently promote their product and even go a step further and explicitly embarass anyone named in the now "public" documents in the name of their marketing gimmick…just because they can.

It’s almost like this vendor was setting up a circus around a train wreck and creating carnival side shows around the scattered victims.

Does this seem right to you?  Does this seem ethical?  If this vendor has CISSP, CISM, CISA or other certified professionals in their staff who went along with this, are they in violation of their ethics promises?

Today the Enron trial started.  I’m sure the Google searches on information related to it are high.  I’m sure this vendor had a very high hit rate on their site today.

No, I did not search the email database at their site…their justification for doing these macabre marketing stunts were enough to make me disgusted.  The longer I think about this the more my gut, heart and head tells me this is wrong.

So, am I over-reacting? 

Technorati Tags


Cars Are Great for Securely Storing Computers and Sensitive Data…NOT!

Friday, January 27th, 2006

Ever since computers went mobile, it seems people have been determined to use their cars as computer lockers, despite the fact that cars are a prime target for theft.  Computerworld reported (http://www.computerworld.com/securitytopics/security/privacy/story/0,10801,108101,00.html?source=NLT_BNA&nid=108101) today that on December 31, 2005 an employee of the Providence Health Systems reported computer backup tapes and disks containing information on 365,000 patients were stolen from his car at his home.  The data was not encrypted.  And, here’s the kicker, "The tapes and disks were taken home by the employee as part of a backup protocol that sent them off-site to protect them against loss from fires or other disasters."   Um…yeah…  Well, the spokeman for the healthcare system indicated that practice has now been stopped.

NOTE:  Cars are not secure storage locations for computers or storage media with sensitive data; not even if they are locked.

It seems it always takes an incident to convince some people that bad things can, and have, and probably will eventually, happen when you do high risk activities.

I believe the number of times computers and storage media get stolen from cars, within stolen cars, or from on top of cars (around 10 years ago the CEO of a large multinational company left his laptop on top of his car in the parking lot while he went back in the building to get something…surprise!  It was gone when he returned) is much larger than what is reported.  I know many risk managers have told me that when such incidents happen they write off the computer hardware/software loss with their corporate insurance coverage program, or sometimes tell the employee to file a claim with their home property insurance.  Most employees don’t do this because they do not want their insurance coverage to be impacted, and they also do not want to file a police report that most insurance companies require.

On May 23, 2005 it was reported (http://www.infoworld.com/article/05/05/23/HNmcidatastolen_1.html?DESKTOP%20SECURITY) that a laptop containing information about 16,500 current and former employees was stolen in April, 2005 from a car parked in the home garage of an MCI financial analyst.

NOTE:  Cars are not secure storage locations for computers or storage media with sensitive data; not even if they are locked.

Ameriprise Financial reported yesterday (http://www.twincities.com/mld/twincities/business/13712493.htm) that a company laptop containing clear text information, including names and Social Security numbers, for 225,000 clients was stolen from an employee’s car at an "undisclosed" location out of state.  What is even more disturbing about this is that the Ameriprise spokesperson, Andy Macmillan stated "We view this is a low-risk situation."

NOTE:  Cars are not secure storage locations for computers or storage media with sensitive data; not even if they are locked.

Technorati Tags