Archive for September, 2006

Patient Data Theft & HIPAA Implications

Saturday, September 16th, 2006

Today Naples News in Florida reported:

"We often hear of Medicare fraud. We shake our head at the millions and even billions of dollars lost to bureaucratic ineptitude and theft. Then a case hits home.  A former employee of Cleveland Clinic Hospital in North Naples and a relative who worked for a Naples-based health-insurance claims company have been arrested and charged with stealing records of more than 1,100 patients.  The Cleveland Clinic receptionist had been on the job for over a year, and the theft took place in June, authorities say. Her suspicious activity was noticed by a co-worker, who alerted superiors. The arrests were made almost immediately.  Authorities so far decline to spell out exactly what the suspects and maybe others planned to do with the data, but suffice it to say that someone other than those who provided care were to get money.  The hopeful rays of light in this story are that the arrests were made so quickly and that a co-worker was empowered to come forward. A harsh light, though, is cast on the inability by law of victimized patients to sue for problems that could result from financial and other personal data falling into the wrong hands. Medical institutions can be entrusted with confidentiality, then be unaccountable for safe-keeping?  It is important for all the details on this case to come to light. The local health-care industry and its consumers stand to learn a great deal."

Some notes about the situation:

  • A coworker was alert and told management about the suspicious conduct.  Thank goodness!  This is something more companies need to encourage their personnel to do.  The amount of crime and fraud committed by trusted insiders is significant, and making all personnel aware of what to do if they see someone doing something that puts the business or health of others at risk is important to not only help catch bad things happening, but also to dissuade those considering crime from doing it if they know it is likely their coworkers will report them.
  • It seems criminal charges could and should be filed in accordance with HIPAA against the former employee and the accomplices.  Hopefully they will be.
  • I don’t agree with the statement that the victims cannot sue.  I’m not a lawyer, but it seems there are certainly many ways in which civil actions could be brought against the criminals by the victims.
  • It is likely they could also bring some kind of action against the hospital.  However, any convictions would seem unlikely given the reality of the insider threat to do bad things.  From the hospital’s point of view, it is important that they have a comprehensive information security and privacy program in place and are enforcing their policies.  If they have documentation to validate they did everything possible to safeguard information and a trusted employee with authorized access to PHI still committed the theft, then it would be very hard to find the hospital guilty of wrongdoing.  The insider threat is real, and the best way to protect against it in addition to a sound information security program is to raise the awareness of personnel so that you have many eyes and ears noticing and reporting if bad things are going on…not just the folks in the info sec area.

FTC Continues Course With More Compliance Activities and Fines: CAN-SPAM and the Adult Labeling Rule

Thursday, September 14th, 2006

Today the FTC announced, "FTC Puts a Permanent Halt to Illegal Spamming Operations" in a press release about some actions, fines and penalties they just made.

A high-level summary of the judgments:

  • Violations of the CAN-SPAM Act and the Adult Labeling Rule will cost Cleverlink Trading Limited $398,000 (the actual judgment was $2,635,000.00; the judgment was suspended except for (1) $303,000 to be paid to the FTC and (2) $95,000 to be deposited by Defendant Muir into an escrow account to facilitate tax payments, but the full amount could be reinstated if all conditions of the judgment are not met), plus a freeze on their corporate assets, plus implementing various types of compliance activities and documentation on an ongoing basis for the next 3 and 6 years to confirm their compliance.
  • Violations of CAN-SPAM will cost Zachary Kinion $151,001.64 ("suspended because of his inability to pay," but the full amount could be reinstated if all conditions of the judgment are not met), plus implementing various types of compliance activities and documentation on an ongoing basis for the next 3 and 6 years to confirm his compliance.
  • Violations of CAN-SPAM and the Adult Labeling Rule will cost William Dugger, Angelina Johnson, and John Vitale $8,000 (the defendants were liable for $597,166, but it was reduced to the amount in the defendants' bank accounts; the full amount could be reinstated if all conditions of the judgment are not met), plus implementing measures to obtain permissions.  They also had a freeze on their corporate assets, plus implementing various types of compliance activities and documentation on an ongoing basis for the next 5 and 8 years to confirm their compliance.
  • Violations of CAN-SPAM will cost BM Entertainment and B Pimp $24,193 ("suspended because of his inability to pay," but the full amount could be reinstated if all conditions of the judgment are not met). The owner of the organizations also pleaded guilty to criminal charges related to spam and unauthorized possession of access devices and is awaiting sentencing.  He must also implement various types of compliance activities and documentation on an ongoing basis for the next 3 and 6 years to confirm his compliance.

At first glance the suspensions of the fines are disappointing.  However, considering the asset freezes and also ongoing monitoring and reporting, with the possibility of having the original fines reinstated, this seems reasonable.

CAN-SPAM, along with the Adult Labeling Rule, has actually seen quite a bit of compliance activity since it was enacted.

FTC Hosting Fraud Prevention Forums: Identity Theft Demographics

Wednesday, September 13th, 2006

The FTC announced today:

"FTC, Partners Will Hold Hispanic Fraud Prevention Forum in New York City

Members of Hispanic Communities Invited to Discuss Consumer Fraud Issues

The Federal Trade Commission, United States Postal Inspection Service (USPIS), U.S. Attorney’s Office for the Southern District of New York, and Manhattan Hispanic Chamber of Commerce are hosting a day-long Hispanic Fraud Prevention Forum in New York City. The Forum, which will be held September 27, 2006, from 8:30 A.M. until 3:30 P.M. at the Alexander Hamilton U.S. Custom House at One Bowling Green, New York, NY 10004, is open to Hispanic community leaders, representatives from community organizations, and local, state, and federal law enforcement and consumer protection agencies that work with Hispanic consumers. The goals are to discuss consumer fraud in Hispanic communities in the New York area and develop law enforcement and consumer education strategies to address it."

Go to the link to find out more.

This struck me as quite interesting.  I wonder what studies or statistics they have about all the demographic groups?

Searching through their site I found a 283 page report, "Fraud and Identity Theft Complaints Received by the Federal Trade Commission from Consumers Age 50 and Over" from May 2005, but no other reports about a specific demographic.

Okay, the mathematician in me is now thirsty for some demographic identity theft information…

I found the Better Business Bureau (BBB) Online identity theft study from January 2006.  "One Surprising Finding: the Core Demographic – 25 to 34 – Has the Highest Rate of Identity Fraud Rather Than Seniors"  Interesting…

Javelin Strategy & Research did the BBB Online study.  They also did another one in August 2006 that costs $950 (nope!  I’m not shelling out that kind of dough just to pique my curiosity).  Their overview provided an interesting statement: "Misunderstanding data breaches and their effect on identity fraud may lead to incorrect guidance to consumers, mistakes regarding protective measures companies employ, and overly burdensome legislation. Armed with facts, industry leaders must ensure that the data breach “cure” is not worse than the affliction. This report is the first ever to show the actual impact that data breaches have on known-cause cases of identity fraud."

First ever to show how data breaches impact identity fraud???

Hmm…definitely good bait to get some sales…I take these types of statements with several grains of salt without knowing what kind of meat they have to support their gravy statements… 

It all comes down to implementing the correct controls and safeguards around personally identifiable information (PII) to reduce risks to a reasonable and acceptable level to help prevent the compromise of PII to begin with. 

It would be very interesting to see the mistakes they found companies make; there are so many to choose from!  And yes, of course some legislation can be overly burdensome, and I agree that many laws should have been written better.  But, without legislation I wonder how many companies would decide that, since they aren’t legally required to protect PII, they won’t cut into their revenues by implementing controls at all…or will just implement the minimum they think they can get away with?  Data protection laws and information security initiatives are both double-edged swords that often clink in battle within many organizations.

Employee Privacy and Common Sense

Tuesday, September 12th, 2006

Time magazine ran an interesting story in their 9/11 issue, "Snooping Bosses" that discussed multiple privacy issues within the workplace.  They provided a sidebar that truly should be common sense to anyone working in this day and age.  I’ll go over it later…it’s not on their site…

The article started with a great story about a security guard who was fired for playing hooky…he called in sick, but his company-provided cell phone had a GPS system that showed him on the road to Reno…ultimately the unemployment ax fell.

Here are a few interesting excerpts with statistics you will find surprising…or perhaps not…

  • "Nine out of 10 employers observe your electronic behavior, according to the Center for Business Ethics at Bentley College."
  • "A study by the American Management Association and the ePolicy Institute found 76% of employers watch you surf the Web and 36% track content, keystrokes and time spent at the keyboard." & "38% hire staff to sift through your e-mail."
  • "A June survey by Forrester Research and Proofpoint found that 32% of employers fired workers over the previous 12 months for violating e-mail policies by sending content that posed legal, financial, regulatory or p.r. risks."

I would think the numbers in the first two bullets are actually higher.  With today’s regulatory requirements, need to demonstrate due diligence, and studies such as those referenced below, it just makes good business sense to monitor certain electronic communications…in reasonable ways.  If personnel violate published and communicated corporate policies they should face sanctions, and sometimes those will need to be dismissal.

  • "45% of us admit that surfing is our favorite time waster, according to a joint survey by Salary.com and AOL"

See…no wonder employers are monitoring!!  I’ve read other reports as well that indicate personnel spend anywhere from 8 – 20 hours per week surfing.  If you were paying someone to do work and they were sitting on the clock submitting bids on eBay or spending hours on Match.com, wouldn’t you be a little more than a bit ticked off?

  • "A Northeast technology company found that several employees who frequently complained of overwork actually spent all day on MySpace.com"

This is funny and sad simultaneously.  They probably did feel tired from all their MySpace.com chatting and viewing…poor carpal-tunnel fatigued folks.

  • "Slightly more than half of employers surveyed monitor how much time their employees spend on the phone, and even track calls–up from 9% in 2001."

Over 50% monitoring calls.  Not that surprising.  Quite interesting how much it has increased since 2001, though.

  • "Workers at Google, Delta Airlines and Microsoft have claimed their blogs got them fired."

Do you have policies regarding what your personnel cannot post to blogs with regard to your company?  Not only can information blogged about your company be embarrassing and cause PR problems, it is also very easy for confidential information to be inappropriately posted within blogs.

  • "In Thompson v. Johnson County Community College in Oklahoma, the court held that employees had no expectation of privacy in a locker room because the room had pipes that required occasional maintenance. (The need to service the pipes was enough for the court to let the employer use video surveillance.)"

ICK. Where were those CCTVs pointed?  Although there are safety and physical security reasons for CCTVs, putting them in locker rooms still seems at first blush (so to speak) a little too far.  Hopefully they communicated or had signs indicating the areas that were visible to the CCTVs.

  • "At Citywatcher, a Cincinnati, Ohio, company that provides video surveillance to police, some workers volunteered to have ID chips embedded in their forearms last June."

I’ve read other articles about this.  This really does take the 2-factor authentication concept of something you have and something you are to a whole new level.  What happens if the folks are fired?  Or, if they decide to quit and not come back to work?  There’s probably some way to disable them, but still…I’m not sure all the potential negative impacts of creating Johnny Mnemonic-like employees in our workplace have really been explored and addressed.

The sidebar lists "precautions" that should not only be common sense by now, but should also have been covered multiple times through a good information security and privacy training and awareness program.  At a high level these 9 precautions include:

  1. "Know your company’s policies"  DUH.  However, if the information security and privacy folks are NOT telling personnel what the policies are, then personnel will not know and will likely then do bad or dangerous things with your organization’s information assets.
  2. "Surf the web sparingly"  This is not only good for the company’s bottom line (hey, they are paying you to work, folks), but it is good for information security to help keep the electronic nasties from finding their way into your network.
  3. "Think twice before you hit "Send""  Most definitely.  I blogged about this recently.
  4. "Proofread profiles"  This warns personnel to make sure their own profile information on their blogs, in their emails, etc. will not result in their manager, or worse, the HR person, calling them in to have a serious discussion about their profession-limiting activities.
  5. "Snail-mail your resume"  This is so earlier edits do not hang around in the file, and also so your boss does not see you are sending your resumes to other organizations.
  6. "Hold your tongue"  This warns not to leave voice mails you will later regret.  This happens way too many times.  Voice mails have been used extensively as evidence in court.
  7. "Forward with care"  Another email oops that I have discussed.
  8. "Use passwords"  DUH.  Info sec and privacy folks, you should be telling your personnel about all issues related to all types of passwords.
  9. "No porn at work"  This is beyond, DUH…c’mon folks!  You’re getting paid to work, not testing to see if you need the little blue pill.

Privacy Decisions Involve More Than Consideration of Personally Identifiable Information

Monday, September 11th, 2006

There was a nice article in the 9/11 issue of Newsweek that points out that, even if no items considered personally identifiable information (PII) are being collected, publicly disseminated or posted on websites, the collection and interpretation of non-PII could actually reveal the persons involved, thus revealing their private activities, "aspirations and dreams."

However, Google, Yahoo and others who aggregate similar data indicate that

"the information extracted from studying the way individuals search has been crucial in raising the quality of search to its present level. "Our searches have improved dramatically because we have that data," says Alan Eustace, Google’s senior vice president of engineering and research. Furthermore, they contend that without the information, they would be severely hobbled in further improving their products. "If you don’t have such data, there would be significant compromise of the user experience in the future," says Prabhakar Raghavan, Yahoo’s head of research." 

And, as the article points out, the government is also interested in the data…likely because it could point to specific individuals and groups as potential criminals and terrorists.

Does your company collect, aggregate, data mine and/or publicly post similar types of de-identified information to primarily improve your products or services?  Or, to enhance your marketing efforts?  If a secondary impact is that certain individuals’ activities, likes and dislikes, and thoughts are revealed, would you be concerned?  Would your business leaders be concerned?  What if, as a result, their own aspirations and dreams were revealed…or those of their living or deceased loved ones?

Before you decide that, just because there is no specific law against doing so, that you are going to aggregate the electronic traces and movements of your customers, employees or consumers in order to improve your products or services, take a good hard look at what the ultimate consequences could be; both to the individuals and to your company if the public decides that you stepped over the line and took it upon yourself to eavesdrop into their lives just for the greater good of your bottom line revenues.

Business Leaders Take Note: $1 Million Civil Penalty Against Xanga.com Is Largest Ever for a COPPA Violation

Saturday, September 9th, 2006

The FTC is much more aggressive in charging fines and penalties for noncompliance with regulations than most of the other oversight agencies.  Their dedication to upholding the FTC Act, the Children’s Online Privacy Protection Act (COPPA) and others should grab the attention of business leaders who think they can ignore data protection laws and not worry about any penalties.

This also demonstrates that as time goes on the penalties and fines for noncompliance and violations can increase dramatically.  Consider the history of COPPA penalties and violations; just a few of them over a timeline shows that the FTC is clearly becoming more serious about making an impact with their penalties:

  • $10,000:  American Popcorn Company, 2002
  • $30,000:  GirlsLife.com, 2003
  • $35,000:  Looksmart, 2003
  • $35,000:  BigMailbox.com, 2003
  • $85,000:  Hershey Foods, Corp., 2003
  • $100,000: Mrs. Fields Cookies, 2003
  • $75,000:  Bonzi Software, 2004
  • $400,000:  UMG Recordings, 2004
  • $1,000,000: Xanga.com, August 2006

Xanga.com Inc becomes infamous for receiving the largest penalty to date, $1,000,000.

What will the next COPPA violator get?  Potentially more, and perhaps additional requirements of the kind the FTC has ordered for non-compliance with the FTC Act, such as implementation of a comprehensive information security program and bi-annual independent audits of that program for the next 20 years?  It’s all possible.

When other oversight agencies start enforcing their regulations in ways that impact businesses more, all business leaders will have to take notice and respond with compliance efforts, or they will end up finding the government’s hands in their business pockets taking significant $$ out of them as a result.

For those of you leery of visiting government web sites (yes, some of you have told me you are!), at the bottom of this posting is the FTC press release regarding the Xanga.com penalty.  Notice that the company appeared to have followed a few of the COPPA requirements, but then did not build the controls into the website application to ensure all the compliance requirements were in place, and also did not create the required procedures for parental permissions.  Another example of the importance of building information security and privacy into the applications and systems development lifecycle, from project birth to burial.
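As an added example (not Xanga’s code and not part of the FTC order), here is the kind of registration-time control the paragraph above says was missing: an age gate that computes the visitor’s age from the submitted birth date and withholds an under-13 account until a verified parental consent record exists. The account store, the consent ids and the form fields are assumptions made for the illustration.

```python
"""Added example: an age gate on an account registration form.

Assumptions (constructed for illustration, not taken from the FTC order):
- the form submits the birth date as an ISO string 'YYYY-MM-DD';
- an under-13 account is not created until a parent's consent has been
  verified by a separate workflow that records a consent id.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date

COPPA_AGE = 13  # COPPA applies to children under 13


def as_date(value: date | str) -> date:
    """Accept either a date or an ISO-format string; raises ValueError on junk."""
    return value if isinstance(value, date) else date.fromisoformat(value)


def age_on(birth: date | str, today: date | str) -> int:
    """Whole years from birth to today.  A Feb 29 birthday counts on Mar 1
    in non-leap years, and a birth date in the future gives a negative age."""
    b, t = as_date(birth), as_date(today)
    years = t.year - b.year
    if (t.month, t.day) < (b.month, b.day):  # birthday not reached yet this year
        years -= 1
    return years


@dataclass
class Account:
    username: str
    birth_date: date
    parental_consent: str | None = None  # id of the verified consent record


@dataclass
class Registry:
    """In-memory stand-in for the site's account store (constructed)."""
    accounts: dict[str, Account] = field(default_factory=dict)
    pending_consent: dict[str, Account] = field(default_factory=dict)
    consents: set[str] = field(default_factory=set)  # verified consent ids


def register_unchecked(reg: Registry, username: str, birth: str) -> str:
    """The failure mode the complaint describes: the birth date is collected
    but never acted on, so an under-13 visitor still gets a live account."""
    reg.accounts[username] = Account(username, as_date(birth))
    return "created"


def register_gated(reg: Registry, username: str, birth: str,
                   today: date | str, consent_id: str | None = None) -> str:
    """Hardened form: create the account only if the visitor is 13 or older,
    or if a verified parental consent record covers this registration."""
    try:
        birth_date = as_date(birth)
    except ValueError:
        return "rejected: invalid birth date"
    age = age_on(birth_date, today)
    if age < 0 or age > 150:
        return "rejected: implausible birth date"
    if age >= COPPA_AGE:
        reg.accounts[username] = Account(username, birth_date)
        return "created"
    # Under 13: consent must be verified before the profile goes live.
    if consent_id is not None and consent_id in reg.consents:
        reg.accounts[username] = Account(username, birth_date, consent_id)
        return "created with parental consent"
    # Hold the request; no public profile exists until a parent consents.
    reg.pending_consent[username] = Account(username, birth_date)
    return "pending parental consent"


def verify_consent(reg: Registry, consent_id: str) -> None:
    """Record that a parent's consent was verified (the verification method
    itself belongs to the site's COPPA plan and is out of scope here)."""
    reg.consents.add(consent_id)
```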

What is not in the press release, but contained within the consent decree and order, is that Xanga.com must also:

  • Post the following notice conspicuously on their website:  "NOTICE: Visit www.ftc.gov/privacy for information from the Federal Trade Commission about protecting children’s privacy online."
  • Must conspicuously post the following on websites with blogs:  "Visit www.OnGuardOnline.gov for social networking safety tips for parents and youth [“parents” must contain a hyperlink to < www.onguardonline.gov/socialnetworking.html > and “youth” must contain a hyperlink to < www.onguardonline.gov/socialnetworking_youth.html >]"
  • Must delete the personal information they have collected about children that was in violation of COPPA (basically all the children’s PII)
  • Immediately implement awareness and training to all their personnel and managers about the requirements of COPPA and submit the names of all to the FTC, and continue to do this for at least the next 5 years.
  • Submit to the FTC their detailed plans for complying with COPPA, including copies of the messages that will be sent to parents, methods of obtaining approval, etc.
  • Maintain copies of all parental approvals for specified periods of time

So this will result in significant additional costs for ongoing years on top of the $1M penalty.  Of course, they should have been doing the requirements for notice, retention and training and awareness to begin with.

Okay…on to the FTC press release:

"Xanga.com to Pay $1 Million for Violating Children’s Online Privacy Protection Rule

Civil Penalty Against Social Networking Site Is Largest Ever for a COPPA Violation

Social networking Web site operators Xanga.com, Inc. and its principals, Marc Ginsburg and John Hiler, will pay a $1 million civil penalty for allegedly violating the Children’s Online Privacy Protection Act (COPPA) and its implementing Rule, under the terms of a settlement with the Federal Trade Commission announced today.

According to the FTC, Xanga.com collected, used, and disclosed personal information from children under the age of 13 without first notifying parents and obtaining their consent. The penalty is the largest ever assessed by the FTC for a COPPA violation, and is more than twice the next largest penalty.

The complaint charges that the defendants had actual knowledge they were collecting and disclosing personal information from children. The Xanga site stated that children under 13 could not join, but then allowed visitors to create Xanga accounts even if they provided a birth date indicating they were under 13. Further, they failed to notify the children’s parents of their information practices or provide the parents with access to and control over their children’s information. The defendants created 1.7 million Xanga accounts over the past five years for users who submitted age information indicating they were under 13.

“Protecting kids’ privacy online is a top priority for America’s parents, and for the FTC,” said FTC Chairman Deborah Platt Majoras. “COPPA requires all commercial Web sites, including operators of social networking sites like Xanga, to give parents notice and obtain their consent before collecting personal information from kids they know are under 13. A million-dollar penalty should make that obligation crystal clear.”

Xanga.com – Xanga.com is one of the most popular social networking sites on the Internet. After setting up a personal profile, users can post information about themselves for other users to read and respond to. On Xanga.com, users can create their own pages or Web logs (blogs) that contain profile information, online journals, text, hypertext images, as well as links to audio, video, and other files or sites. Information on the Xanga site is available to the general public through the use of global search engines such as Google and Yahoo.

Incorporated in 1999 and based in New York City, privately held Xanga.com, Inc. was founded by Ginsburg and Hiler. In 2005, Xanga had about 25 million registered accounts.

The Commission’s Complaint – According to the Commission’s complaint, the defendants violated COPPA, the COPPA Rule, and the FTC Act by collecting personal information from children with actual knowledge that they were under the age of 13, failing to post on their site sufficient notice of their information practices regarding children, failing to notify parents directly about their information practices regarding children, and failing to obtain verifiable parental consent before collecting, using, or disclosing children’s personal information. The complaint also alleges the defendants failed to provide parents with reasonable access to and control over their children’s information on the Xanga.com site.

The Consent Order- The consent order is designed to prohibit Xanga, Ginsburg, and Hiler from violating COPPA and the COPPA Rule in the future. Accordingly, it contains strong conduct provisions that will be monitored by the FTC. The order specifically prohibits the defendants from violating any provision of the Rule and requires them to delete all personal information collected and maintained by the site in violation of the Rule. The defendants further must distribute the order and the FTC’s How to Comply with the Children’s Online Privacy Protection Rule to certain company personnel. The order also contains standard compliance, reporting, and record keeping provisions to help ensure the defendants abide by its terms.

To provide resources to parents and their children about the risks associated with social networking sites, the order additionally requires the defendants to provide links on certain of their sites to FTC consumer education materials for the next five years. First, the defendants must include a link to the Children’s Privacy section of the Commission’s ftc.gov site on any site they operate that is subject to COPPA. Second, the defendants must include links to the Commission’s recently published safety tips for social networking on any of their social networking sites.

The order requires the defendants to pay a civil penalty of $1 million for violating the COPPA Rule, as detailed above.

The Commission vote approving the complaint and consent decree and order was 5-0. They were filed by the Department of Justice on the FTC’s behalf on September 7, 2006, in the U.S. District Court for the Southern District of New York.

NOTE: Stipulated final judgments are for settlement purposes only and do not necessarily constitute an admission by the defendants of a law violation. Stipulated judgments have the force of law when signed by the judge.

Copies of the complaint and consent decree and order are available from the FTC’s Web site at http://www.ftc.gov and also from the FTC’s Consumer Response Center, Room 130, 600 Pennsylvania Avenue, N.W., Washington, D.C. 20580. The FTC works for the consumer to prevent fraudulent, deceptive, and unfair business practices in the marketplace and to provide information to help consumers spot, stop, and avoid them. To file a complaint in English or Spanish (bilingual counselors are available to take complaints), or to get free information on any of 150 consumer topics, call toll-free, 1-877-FTC-HELP (1-877-382-4357), or use the complaint form at http://www.ftc.gov/ftc/complaint.htm. The FTC enters Internet, telemarketing, identity theft, and other fraud-related complaints into Consumer Sentinel, a secure, online database available to hundreds of civil and criminal law enforcement agencies in the U.S. and abroad."

Don’t Underestimate Motivation for Hacking or Cybercrime

Thursday, September 7th, 2006

Today Information Week reported that a man hacked into the University of Southern California computers in 2005 and stole personal information on up to 270,000 individuals, apparently because he was rejected for admission. He was just sentenced to 6 months of home detention and must pay $37,000 in restitution for this crime.

So many times I read about and I hear business leaders say that they are not that concerned with the potential of a hacker or cybercrime because they do not have a business that would be a target of an attack, or they are not in an industry that would be targeted for an attack.  "Why, we only make O-rings for engine pistons…no one would be interested in attacking our systems!" 

It would be nice to think that you’re safe just because you aren’t a financial or healthcare company, but that is completely unrealistic.  Any company system that is attached to the Internet, or to another organization’s system that is attached to the Internet, or has personnel using the Internet, is subject to some kind of malicious code or hacker attack.

Motivation for cyber crime is a very interesting topic.  The rejected USC student perhaps also wanted to show that he would have been a very good computer student.  Or, he also may have just wanted to get even with an organization that he felt had done him wrong or was unfair.  Or, perhaps he wanted to sell the personal information he stole to be able to afford a more expensive university.  There are unlimited possibilities.   

It is important to educate business leaders not only about the regulatory requirements for information security and privacy, and the many domains of information security that affect the business, but also about the motivators for cybercrime, so that they can reduce the presence of those motivators within the business environment as much as possible, or at least put security safeguards in place to keep motivated individuals from doing harm.

Donn Parker has done a lot of research and related work with cyber crime motivation.  Some of the motivators he lists in his book "Fighting Computer Crime" can be used to help business leaders understand these very real human threats.  At a high level the motivators he lists include:

  • The Robin Hood Syndrome:  Stealing from the rich companies because, in the criminal’s mind, they can afford the loss.
  • The Differential Association Syndrome:  The criminal wants to deviate from accepted practice among his/her peers or associates in only small ways, such as stealing computer services by using them for personal purposes.  Such small, successful crimes lead to larger, more significant crimes as confidence builds from not getting caught.
  • Fear of Getting Caught:  Because criminals are afraid of getting caught doing "normal" crimes, the complexity and seeming anonymity of computers and networks may lure them to cybercrime.  It is interesting to note, however, that complexity is also a deterrent to them since, according to Parker, they may end up avoiding the complexities inherent in using computers unless there are no other options.
  • The Personification of Computers:  Criminals do not have to physically confront their computer victims, or witness the anguish resulting from computer crimes, so it is easier for them to commit crimes against computers.
  • The Higher Ethic Motive:  The cyber criminal often justifies his or her actions by rationalizing that they need to do the crime for a greater good, such as stealing personal data and selling it to make money for a family member’s operation.

Understanding that various human motivators can make your business a target just as much as the type of industry your business is in will help business leaders understand that ALL organizations need to implement a strong and effective information security and privacy program.


Effectively Partnering Information Security and Privacy For Business Success

Wednesday, September 6th, 2006

The number of information security and privacy incidents is not on the decline; quite the contrary.  As the amount of data and information continues to grow exponentially, as new flavors of information technology continue to be cooked up and quickly ladled into the business environment, as computers and data become more mobile, and as the ethereal world gets more intimate as systems continue to become interconnected, more incidents will occur, more data protection laws will emerge, and more ways to compromise data and systems will continue to appear. 

Establishing effective privacy and information security strategies has moved to the top of the list for companies maintaining customer and employee information. However, there are often gaps in communication and coordination between privacy and information security activities, creating risks for incidents, duplication of effort, contradictory privacy and security initiatives, along with contractual and regulatory noncompliance.

Successful efforts require privacy and information security strategies to be complementary and integrated throughout all of the enterprise, within every business process stage and at every level within the organization.  There must be documented processes for addressing information security and privacy throughout the entire applications and systems development lifecycle.  There must be coordinated and mutually supportive information security and privacy awareness and training efforts.  Corporate policies, and website policies, must establish clear requirements for personnel to follow to safeguard information, in addition to complying with applicable laws and regulations.  There must be processes to ensure the security of information entrusted to third parties.  A corporate information security and privacy framework must be built, using the concepts from such already established and globally supported frameworks as COBIT, ITIL, ISO27001 (BS7799), and the OECD privacy principles, to address these, and other, major information security and privacy issues that will turn out to be your company’s security and privacy Achilles’ heel if you don’t.

I had the opportunity to work with Christopher Grillo to create a workshop, "Effectively Partnering InfoSec and Privacy For Business Success", that provides insight into privacy and information security practitioners' roles and responsibilities within the organization and offers not only guidance and discussion on how to work together effectively; we have also spent literally hundreds of hours creating tools to support information security and privacy, which we provide to workshop attendees.  Businesses are now successfully using these tools to make their information security and privacy efforts more efficient and effective. 

Within our workshop, through presentation, discussion, and case-studies, attendees will obtain a better understanding of the challenges faced by both information security and privacy, and be able to create a workable framework for integrating efforts. Participants take away tools for building an effective Privacy and Information Security framework, a roadmap for creating synergy between the groups, and many tools and methodologies to start using right away to result in positive business impact. 

If you take our workshop along with the CSI conference in November, you will save $200 on the regular workshop cost.  I was happy to recently learn that CSI is allowing us to give a discount code for our workshop through my blog; if you only want to attend our workshop, then you can save $100 by using the code PR133 when you register. 

If you already have an integrated, highly successful information security and privacy program in place, that is great!!  I know it takes a lot of effort to have a successful program.  You likely have spent a great amount of figurative blood, sweat and tears in making your program effective and successful. 

I also know there are so many new and evolving challenges that even the most dedicated and hard-working information security and privacy professionals can benefit from new ideas, interactions with others, and effective tools and resources.  If you want to improve your information security and privacy programs, or need help establishing them, I hope you're able to join us.  After all the hard work we put into creating this workshop, I am happy to know that the people who have attended have told Christopher and me that they found it very valuable, and that they were very pleasantly surprised by the large amount of tools and reference material we provided to the workshop attendees.

Good Privacy Move by the U.S. Treasury Department

Tuesday, September 5th, 2006

My business credit card has a great benefit; it gives U.S. Savings Bonds for reaching certain, comparatively low, accumulated charge amounts.  Over the past 7 years I’ve obtained dozens of Bonds that I plan to use for my sons’ college.  Unfortunately the credit card company is discontinuing this at the end of October…guess I’ll have to shop for another card that provides the same type of benefit!

I have always looked forward to getting the Bonds, directly from the U.S. Treasury Department.  The last set of Bonds I received were different, though.  All the previous Bonds had my social security number printed on the bond.  The most recent ones now, instead, have asterisks for the first 5 digits of my SSN, and just show my last 4 digits.  What a nice surprise!  I love to see when government agencies make changes to improve the privacy of our personally identifiable information (PII).  Too many of the agencies are still much too careless with their practices of making PII too easily available, electronically and in printed hard copy documents, for way too many people to see.

Curious to see whether they had made any additional privacy enhancements to their practices, I visited their site.  I found posted their privacy impact assessment (PIA) from last year, which is required annually of all U.S. government agencies.

The table they used on pages 3 – 7 within their PIA is a nice summary format that organizations should consider using as a way to document each type of PII collected.

I would have liked to have seen more analysis of the security practices for the physical copies of PII and also PII that may be located outside their network (perhaps they don’t allow this?); the PIA seemed to focus primarily upon the network computer systems.  I saw nothing about the security of PII on the printed documents, such as Savings Bonds, themselves.

Well, although the change does not appear to be a result of their PIA, it is GOOD to see that the SSN is no longer printed in full on the Bond itself. They did provide a webpage discussing the change to SSNs on the Bonds:

"7/28/2006

Treasury Protects Investor Privacy
To help protect savings bond owners’ privacy and guard against identity theft, the first five digits of the Taxpayer Identification Number (TIN)-the Social Security Number (SSN) or Employer Identification Number (EIN)-will be masked on all paper Treasury savings bonds issued or replaced, starting August 1, 2006. Asterisks will replace the masked digits. For example, an SSN previously shown as 123 45 6789 will be inscribed as *** ** 6789, and an EIN previously shown as 12 3456789 will be inscribed as ** ***6789.

Treasury is taking this action to eliminate the possibility, however remote, that the TIN could be seen by an unauthorized individual and used for identity theft.

This change applies to purchases of Series EE and I paper savings bonds. It also applies to Series E, EE, H, HH and I savings bonds issued in other authorized transactions, such as those involving reissues and replacements for paper bonds not received.

Customers must provide the full TIN with all purchase applications and transactions. Taxpayer Identification Numbers will continue to be used as identifiers in Treasury’s record-keeping system. Bond owners must provide their full TIN when redeeming savings bonds.

Customers receiving paper savings bonds from the Federal Reserve Bank will receive an explanation of this change with their printed bonds."

Limiting where SSNs, and other PII, are printed on government documents is a good step toward better privacy practices.
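The masking rule Treasury describes, applied in code as an added example (this is not code from the Treasury page or from this blog): a Python routine that masks the first five digits of a nine-digit TIN while keeping the original separators, and a scanner that applies it to every SSN- or EIN-shaped number in a block of text. The regular expression, the function names and the sample text are constructed for this example; a real document pipeline would need surrounding context to avoid masking other nine-digit numbers that merely look like TINs.

```python
import re

TIN_DIGITS = 9      # both SSNs and EINs are nine digits long
VISIBLE_TAIL = 4    # Treasury leaves only the last four digits readable


def mask_tin(tin: str) -> str:
    """Mask all but the last four digits of a nine-digit TIN.

    Separators (spaces or hyphens) are preserved so the printed layout is
    unchanged: "123 45 6789" -> "*** ** 6789", "12 3456789" -> "** ***6789".
    Anything other than digits, spaces and hyphens, or a digit count other
    than nine, is rejected rather than silently half-masked.
    """
    digit_count = sum(c.isdigit() for c in tin)
    if digit_count != TIN_DIGITS:
        raise ValueError(f"expected {TIN_DIGITS} digits, got {digit_count}")

    masked = []
    seen = 0
    for ch in tin:
        if ch.isdigit():
            seen += 1
            masked.append("*" if seen <= TIN_DIGITS - VISIBLE_TAIL else ch)
        elif ch in " -":
            masked.append(ch)
        else:
            raise ValueError(f"unexpected character {ch!r} in TIN")
    return "".join(masked)


# Constructed pattern: SSN layout (3-2-4) or EIN layout (2-7), with optional
# space or hyphen separators. Nine bare digits match the first alternative,
# which masks the same positions either way.
TIN_PATTERN = re.compile(r"\b\d{3}[ -]?\d{2}[ -]?\d{4}\b|\b\d{2}[ -]?\d{7}\b")


def mask_tins_in_text(text: str) -> str:
    """Replace every TIN-shaped number in text with its masked form.

    Already-masked values contain asterisks and therefore never match,
    so running this twice over the same document is harmless.
    """
    return TIN_PATTERN.sub(lambda m: mask_tin(m.group(0)), text)


if __name__ == "__main__":
    # Constructed sample of a bond-style record, not a real document.
    sample = "Owner TIN 123 45 6789; issuer EIN 12 3456789; ref 555 123 4567"
    print(mask_tins_in_text(sample))
```

The scanner is deliberately conservative about what it accepts as a TIN (exactly nine digits in one of the two layouts), and the masking function refuses malformed input instead of guessing, which is the behaviour you want in a print pipeline: a record that cannot be masked correctly should fail loudly rather than ship with a partially exposed number.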
