Archive for February, 2006

Enron, ethics and opportunists…quick follow-up

Monday, February 6th, 2006

Upon second look I see the vendor actually has posted "more than 500,000 Enron emails," not the much lower 85,000 I indicated yesterday…

Geesh..


Do You Wipe Your Retired Computers?

Monday, February 6th, 2006

Today I read a report about an incident of a kind that has occurred many times lately, and throughout the years. The Calgary, Canada Privacy Commissioner started an investigation into a complaint that a Staples Business Depot store in Calgary sold a computer that contained a previous customer’s personal information. This would be a violation of Canada’s Personal Information Protection Act (PIPA) if the store really did leave the information on the computer without the customer’s knowledge and consent. If this is true, selling a computer containing personal information is certainly not the way you want to demonstrate that your company properly safeguards personal information. See http://www.gov.ab.ca/acn/200601/19333026FCE40-E94C-2475-198185B9A5012E05.html for more information on this particular incident.

I do not think this is an isolated event. In fact, it would be interesting to do a study of the used computers sold by companies in stores and through websites (yes, such as the Morgan Stanley Blackberry sold on eBay that I also wrote about on this blog), and see how many of them still contain information. I would anticipate the numbers would be high. According to Gartner, U.S. homes and businesses combined discard 133,000 PCs EACH DAY (see http://msnbc.msn.com/id/10312478/site/newsweek/ for one story on this). Additionally, the U.S. Environmental Protection Agency reports U.S. residents throw away 2 million tons of tech trash each year (see http://www.tdn.com/articles/2006/01/23/area_news/news07.txt for one story on this). That’s a whole lot of computers!! How many of these devices still have sensitive information stored upon them when they are discarded, which includes being donated to other organizations, or sold to computer stores or through auction sites? Does your organization completely remove sensitive information from retired computing devices? Do you have procedures in place to accomplish this? Identity theft and careless disposal of confidential information are posing increasing problems for individuals and businesses. Growing numbers of laws and regulations require businesses to take due care actions to prevent such incidents.

Loss of Blackberry = More Secure Info????

Monday, February 6th, 2006

Blackberry lovers (known widely as "crackberries"…yeah, it’s kinda clever) are in a tizzy since the U.S. Supreme Court refused to review a major patent infringement ruling against Research In Motion Ltd. (RIM), which manufactures the device. A federal judge could now issue an injunction to block RIM’s U.S. business. Many pundits have stated they believe that RIM may develop an alternative technology or may pay millions to a billion dollars to settle with NTP Inc., which holds the patent. See http://today.reuters.com/news/newsArticle.aspx?type=topNews&storyID=2006-01-24T224759Z for just one of the stories on this. All I know is that the crackberries I know were fretting over the possibility of having to pay hundreds to possibly over a thousand dollars to keep their electronic link to the world if RIM settles, or that they will lose it altogether.

Yes…LOSE the Blackberry…meaning the technology as it exists today is no longer available to use. The other kind of loss, which probably jumped into your mind when the heading caught your eye, is what truly scares me when I see how people use them. One famous poster child of the risks involved with using Blackberries for work purposes is the story of the Blackberry purchased on eBay that contained massive amounts of Morgan Stanley information, some of it confidential. If you haven’t seen this story yet, check it out at http://www.wired.com/news/business/0,1367,60052,00.html.

Folks, these tiny amazing gadgets CAN do many wonderful things and allow for virtually non-stop connection with our business (ewww…is this what we really need, a 7x24x7 business in our pocket?). However, a Blackberry can seem like electronic heaven on Earth for those gadget-loving workaholics.

Ok, enough with the glowing benefits of the Blackberry…their size and propensity to be lost or stolen is a huge risk to any information stored upon them. I have performed many business partner security reviews to find that the business partner is storing their client’s data in clear text on these devices, but they see absolutely no risk in doing so…“oh, we are careful with them!” And, sadly enough, when pressed to encrypt the information stored upon the mobile devices, most of the business partners steadfastly refuse to do so because of the inconvenience and little bit of extra cost it would be to THEM! (Heck, it’s not their data…so why would they be so worried?) If you outsource your data to any business partner who uses Blackberries, or any other mobile devices including laptops/notebooks, seriously consider having them contractually agree to never store any of your company data on these wonderful traveling liabilities. Don’t just specify “confidential” information cannot be stored upon them; this is a subjective term, and your business partner’s definition of confidential may not be the same as your organization’s. Besides, many types of information not considered confidential are still potentially embarrassing or capable of wreaking a public relations nightmare if discovered by the public. This restriction may seem a little rigid, but I have worked with organizations and people long enough to know that if you place complete control of security in the end-users’ hands, such as asking each person to please remember to delete information from their blackberries, it often does not get done, or it gets done sporadically at best. It is the easiest and most effective security to contractually require them not to store any of your company information on them at all.
True, this won’t prevent them from breaking your contract and storing data on the mobile devices anyway, but at least it gives you much more solid legal grounds to take action if they do.

Oh, and I haven’t even gotten to addressing how companies control the use of mobile devices by their own employees…that is a good discussion for another day.

So…maybe if they don’t make Blackberries any more…if the owners lose them in this way…perhaps our data will be more secure…at least in some aspects…