Archive for the ‘Privacy and Compliance’ Category

Michigan AG Files Criminal and Civil Cases Against Corporate Spammers E-Mailing Children: States Are Getting More Active With Data Protection Laws

Monday, August 14th, 2006

On August 10 the Michigan Attorney General, Mike Cox, issued a press release about charges against Florida and California companies:

"Attorney General Mike Cox announced today that he is filing criminal and civil charges against senders of unsolicited e-mail messages ("spam") that seek to lure children to gamble and buy alcoholic beverages.  The messages were sent to children’s e-mail addresses registered with the State of Michigan under Michigan’s Child Protection Registry Act.  The act requires senders to check the registry to remove children’s e-mail addresses before sending messages advertising goods or services that children cannot legally buy.  Today’s criminal charges against RR Media, Inc. of Cathedral City, CA, and Data Stream Group, Inc. of Bonita Springs, FL, are the first of their kind in the country and may subject the spammers to a fine of up to $10,000 and other penalties.

"The Internet – especially email and instant messaging – is a favorite vehicle for spammers and sexual predators to solicit children to buy harmful products, view pornographic images, and, worst of all, become targets of predatory activity," Cox said.  "I will continue to utilize all the tools available under the law to protect Michigan children from these menaces."

The "Protect MI Child Registry" allows parents and others to submit e-mail addresses, instant message addresses, and other electronic contact points to which children in Michigan have access to the Michigan Public Service Commission, which administers the registry. The law prohibits sending e-mail to a registered address with content in the e-mail that advertises anything a minor is prohibited from doing, viewing, or using.  Examples include alcohol, tobacco, gambling, and pornography.  The law requires senders of this type of e-mail to electronically scrub their mailing lists against the registry, eliminating the registered e-mail addresses from mailing lists. Michigan and Utah are the only states that have adopted a registry law.

"Spamming is a huge problem with no easy solution.  The registry law is an attempt by our State to find an effective way to protect children from the most offensive variety of spam.  I hope our criminal and civil actions send a message to spammers peddling harmful products – stay away from our kids," Cox said.

The cases follow an investigation by the Attorney General’s Office, which received complaints of inappropriate e-mail solicitations for gambling and alcohol purchases being sent to e-mail addresses registered as children’s contact points.  The Attorney General’s cyber-investigation led to the defendants, RR Media, Inc. and Data Stream Group, Inc.  Each corporation stands charged with one count of violating the Registry Act.  Criminal complaints were signed on August 10, 2006, in the 36th and 52-2nd District Courts in Detroit and Clarkston, respectively.  The next court date has not yet been set.

In addition to the criminal cases, Cox has filed civil actions against RR Media, Inc. and Data Stream Group, Inc. in Ingham County Circuit Court.  These companion cases to the criminal actions seek injunctions against further violations and other statutory penalties.

Parents and guardians of minor children can visit the State of Michigan’s "Protect MI Child" website, operated by the Michigan Public Service Commission, at: https://www.protectmichild.com.  At this site, parents can:

  • register their children’s contact points (including e-mail addresses, instant message addresses, and fax numbers);
  • file complaints concerning violations of the Michigan Child Protection Registry Act;
  • obtain additional information.

Consumer alerts on e-mail scams, identity theft, and a wide range of other topics of interest to parents and consumers can be viewed or downloaded at the Attorney General’s Web site, www.michigan.gov/ag (click on "Consumer Alerts").  An online complaint form is also available.

Mail or telephone inquiries and complaints may be directed to the Attorney General’s Consumer Protection Division at:

Consumer Protection Division
P.O. Box 30213
Lansing, MI 48909

Phone: 517-373-1140

Toll-free within Michigan: 1-877-765-8388
Fax: 517-241-3771

www.michigan.gov/ag (click on "File A Complaint")"

This continues with the more aggressive actions I’ve seen states taking with regard to compliance, particularly those laws addressing children’s safety and rights, using the Internet, and protecting individuals from identity theft and other privacy intrusions.

Just a few examples:

  • On July 10, 2006 Rhode Island Governor Donald L. Carcieri signed into law bill H. 7674 that prohibits the use of the Internet or e-mail to obtain personal information, such as Social Security numbers or financial account information, from individuals under the pretense of being a legitimate online business. The new law, which took effect immediately upon being signed, makes it a criminal offense to "solicit, request or take any action to induce another person to provide identifying information by representing that the person, either directly or by implication, is an online business without the express authority or approval of the online business purported to be represented by the person" through a Web page, e-mail, or any other type of Internet service.
  • On July 13, 2006 the California Supreme Court ruled that a California statute under which *all* parties must consent to the recording of their telephone conversation precludes Salomon Smith Barney Inc.’s Atlanta branch office from recording its telephone conversations with California clients without their knowledge and consent.  Multiple lawyers reported they believe the Supreme Court’s decision may have broad implications for businesses nationwide, not just those which are in California or that conduct telephone calls with individuals in the state. There are 11 other states in addition to California that have laws on the books that require all parties to a telephone call to consent to the taping of the call.
  • A law, S.B. 601, signed June 29, 2006 by Pennsylvania Governor Edward G. Rendell bars businesses and government agencies from publicly posting a Social Security number or printing it on any card required for access to a company’s products or services.
  • On June 30, 2006 Delaware Governor Ruth Ann Minner signed two bills that add a new privacy safeguard for Delaware residents (H.B. 392) and help reduce the damage identity theft can cause its victims (H.B. 334).  H.B. 392 makes it a criminal violation to install an electronic or mechanical location tracking device in or on a motor vehicle without the consent of the person who owns or leases the vehicle. The prohibition does not apply to use of a tracking device by a law enforcement officer or by a parent or legal guardian who installs the device to track his or her minor child. H.B. 334 authorizes the Delaware Attorney General’s Office to issue an "identity theft passport" to any person who files a police report alleging identity theft, as long as there is reasonable assurance that the claim is valid.  The "passport" will be a card or certificate that the identity theft victim can present to a law enforcement agency to help prevent his or her arrest for a crime committed by someone else using the victim’s stolen identity.

And so many more…it is hard to keep up with all the new laws!

I find Delaware law H.B. 334 particularly intriguing…issuing an identity theft passport to show to law enforcement.  What if the person is in a different state?  Will law enforcement there know about this passport?

The legal and regulatory data protection environment just gets more interesting all the time…


BookSurge Incident: An Example of a Very Poor Way to Notify of a Privacy Breach

Sunday, August 13th, 2006

A friend and colleague of mine told me today that he had received an email notice from a company for which he is a customer, BookSurge, which was recently acquired by Amazon.

I had not noticed any news reports about it before I heard from my friend, but upon hearing this and doing some searching I found one lonely little article about it in the Charleston Post & Courier from August 10:

"North Charleston-based publisher BookSurge LLC said Wednesday that a hacker possibly infiltrated its computer system and gained account information on tens of thousands of its customers.  As of Wednesday, none of the 42,000 customers who could be affected had reported any problems with their personal accounts, said BookSurge spokeswoman Mary Meagher.  "We have no reason to believe that any customer data was compromised, but we have notified the affected individuals out of an abundance of caution," she said.  BookSurge has been owned since last year by Internet heavyweight Amazon.com.

Meagher declined to say what percentage of the company’s customer base the affected accounts represent. She also would not comment on how the security breach came about and how it was discovered.  BookSurge learned late last week that an "unauthorized individual" might have gained access to files on a computer server that contained credit card and other account information for some customers and authors, according to an e-mail message it sent out. It went on to say it had "no indication that your credit card or other account information" was compromised.

Meagher said the company has taken its servers offline and has started an investigation. "We’ve been in touch with the appropriate authorities," she said.

Typically, potential computer crimes are investigated by the Secret Service, which is a branch of the U.S. Treasury.  On Wednesday afternoon, BookSurge’s Web site was not functioning. Meagher said the company is working to get the system up and running again as soon as possible.  "We take the protection of customer data very seriously and are committed to providing a safe and secure online environment for our customers and authors," Meagher said. "We are taking additional security measures to help prevent such an incident from happening again."

For security reasons she declined to say what those measures are.  BookSurge developed an "on-demand" software system that can quickly print and bind as many or as few copies as a buyer wants. It can ship orders in two days, saving publishing houses and authors the cost of printing and storing thousands of copies at a time.  The company operates next to a bingo hall in a Dorchester Road shopping center. The company was purchased in April 2005 by online retail pioneer Amazon.com, reportedly for $10 million.  While the BookSurge computer system is down, customers still can place book orders via Amazon.com, said Patty Smith, spokeswoman for the Seattle-based company.  "The servers are completely separate," Smith said."

The BookSurge site was working today.

According to my friend, the only notification he received was a brief (six-sentence), vaguely worded email on August 8.  The extent of the information provided was just:  "I am writing to let you know that we have learned that an unauthorized individual may have gained access to files on a BookSurge server which contained credit card and other account information from some BookSurge customers."

The email did not provide a phone number that the impacted individuals could call, and it gave no dates indicating when the breach occurred (although the news report said BookSurge "learned late last week" about the breach).

They said they had no indication that credit card or other account information was compromised, but without knowing any details about the event, how does this make 42,000 people feel better?  They will likely be the ones to find out if their personal information has been compromised.

Not only was the email notification vague; breach notification via email, especially *only* via email, is a very bad business decision.

Breach notification via email should only be done:

  1. if the customers have agreed to accept such types of notifications in advance by email, and
  2. as a supplement to a USPS mailed letter, and/or personal phone call. 

Numerous state-level breach notification laws indicate that email-only notification should not be done; email should be used only as a secondary form of notification.

Email-only notification is a bad idea for many reasons.

  1. It is highly likely in today’s spam-heavy environment that many, if not most, recipients will view such email notifications as spam and never read them, or their spam filters will delete them before they ever get to the inbox.
  2. It is highly likely in today’s phish-abundant electronic waters that many, if not most, recipients will view such email notifications as phishing attempts without even reading them and delete them.
  3. It is highly likely that a large percentage of customers, particularly within a group of 42,000, will either no longer use the email address the company has on file for them, or they may not check that email regularly, if at all, any more.
  4. Email is not a reliable form of communication.  Just because you send an email, even to a valid email address, does not guarantee it will ever reach its recipient; businesses should not make such faulty assumptions that just because you send an email it will be delivered.
  5. If the email is sent to a "family" or shared type of email address it is very possible the person who would recognize the importance of the information may never get the message before it is deleted by someone else who may have seen it first.
  6. Only sending an email…and a horribly vague and weakly worded one at that…shows disregard for the customer and appears to just be a token action being done in a sorry attempt to appease regulators.
  7. And several more reasons I decided to edit out of my typing… 🙂

There was no mention of the need for the customers to check credit reports, let alone any suggestion that the company might step up to its blunder and provide credit monitoring for the affected customers.

The email also indicated they were "taking additional security measures to help prevent such an incident from happening again."  Why weren’t these measures already in place?  If the information had been encrypted would the incident even have occurred?  What other measures should they have already had in place?

Their website has absolutely no information about this breach…another bad thing.

The Amazon site has nothing about this incident in their press releases, either.  I wonder whether Amazon did any type of review of the BookSurge security program when they acquired them.


More Personal Information Thefts; One With Patient Data, But Likely Not Leading to HIPAA Penalties

Saturday, August 12th, 2006

More computer thefts were reported this past week…one I’ve already blogged about and numerous others.  Just a few of them…

  • A briefcase containing U.S. Bank customer information was stolen from the car of one of the bank’s employees. "Bank spokesman Steve Dale said the names, phone numbers and Social Security numbers of a "very small" number of customers were in the briefcase that was stolen in Covington from the employee’s car."  This points out the reality that information security incidents and privacy breaches often occur through means other than electronic.  People have been stealing paper documents and committing fraudulent acts with them for basically as long as people have figured out how to commit frauds.  The bank actually is responding to the incident well compared to other organizations that have experienced incidents.  They even called all the people involved instead of just sending a form letter, as most companies have done.
  • Theft of laptops, Blackberries, iPods and cellphones is not a U.S. only phenomenon.  A story published in Australia today discusses the alarming jump in the number of thefts of these electronics from parked cars.  The report indicates over 250 such thefts have occurred since June 1 of this year.
  • "…burglars broke into a regional office and stole 10 computers containing names and Social Security numbers for thousands of patients treated" at HCA hospitals in Nashville.  "The computers contain 15,000 to 18,000 files with information on Medicare and Medicaid patients who have uncollected co-pays and deductibles."  Although the data was NOT encrypted, the computers were password-protected, and were stolen from a locked facility, so it is unlikely, based upon past Department of Health and Human Services (HHS) activities, that any HIPAA noncompliance actions will be pursued.  It appears from the report, though, that Internet transmissions may have been made in clear text, so this could lead to a HIPAA infraction if HHS chooses to pursue it.


The Business Leader Data Retention and E-Discovery Primer

Thursday, August 10th, 2006

Many organizations are using a wider range of communication systems and technologies than ever before. For example, just to name a few:

  • Voice over IP (VoIP) is used not only for voice communications but also often integrated with the corporate email system.
  • Instant messaging (IM) is commonly used to allow real-time interactive business communications.
  • Blackberry messaging devices are used by a large number of business personnel to send and receive email no matter where they are, at any time of the day.

Many companies have been burned in many ways (revenue loss, stock value drops, reputation damage, etc.) as a result of a lack of planning for retaining specific types of data, of retaining data inappropriately, and of destroying data that was court-ordered to be retained; recall the July 21, 2004, judgment against Philip Morris USA, Inc. to pay $2.75 million for destroying emails related to litigation.  There are probably thousands, if not tens of thousands, of lawsuits going on against organizations on any given day.  In many, if not most, of these cases there are data discovery issues that require organizations to be retaining specific types of data.  Because of the highly distributed locations where data is now stored, it is likely many of the storage locations are unknown, or are under the control of end-users who may be doing things with the data that can have huge impact in court and on the organization.

The evolving systems and technologies are certainly timesaving and efficient business tools. However, business leaders need to consider the archiving, retention, and discovery requirements that are involved with these technologies to ensure they are not unknowingly putting the business at information security, privacy, and/or legal risk with the ways in which the technologies are implemented. 

This week I posted a paper, "The Business Leader Data Retention and E-Discovery Primer" within which I discuss some of the important data retention and electronic discovery issues that organizations must consider and plan for.  These issues can cost organizations much time, resources and money if not addressed properly.


Another VA Computer Missing Containing Personal Data on 38,000 Vets…Are We Surprised?

Tuesday, August 8th, 2006

It was disappointing, but not really surprising, to read in Computerworld today that another VA computer was missing.  What is a bit unusual is that it was a desktop computer, as opposed to the typical missing/lost laptop, notebook, or handheld computer.  This time it was a Unisys contractor who was using the computer.

"VA officials are also working with Unisys regarding an offer of credit monitoring and individual notifications to those who may be affected."

Gee…this is kinda "deja vu all over again," isn’t it?  The veterans were initially offered credit monitoring with their last incident, but then the government cancelled that offer when the computer and disk were found months later.  IF a credit monitoring offer is made, do you think they will retract the offer…again…as soon as, and if, the computer is found…even though someone intentionally stole the computers?

"The loss of this computer comes just two days after Montgomery County Police in Maryland announced the arrests of two men accused of stealing a VA laptop and hard drive that contained identifying information on 26.5 million of veterans and active-duty military personnel in May. That laptop was recovered in June and the VA does not believe that any of the personal information contained on it was compromised."

Yah…right…there is no way that you can tell for certain that data has or has not been copied.  If these two men stole the computer and hard drive they very well could have made a copy, or several copies, of the data to use for years into the future.  Sensitive data on 26.5 million people is a pretty good retirement plan.

"'[The] VA is making progress in efforts to reform its information technology and cyber security procedures, but this report of a missing computer at a subcontractor’s secure building underscores the complexity of the work ahead as we establish VA as a leader in data and information security,' said Nicholson in the statement."

Organizations of every size need to be diligent about information security practices. Small and medium sized businesses often do not have dedicated information security personnel on staff to comprehensively address security issues.  Some organizations are such behemoths that a centralized information security office with too few employees cannot effectively address security throughout the entire organization.  Veterans Affairs is such a behemoth, with 235,974 employees…not to mention thousands of contractors…at the beginning of the year, and around 500 information security officers.  So, significantly less than 1% of the staff…around 0.2%…are responsible for securing a vast amount of sensitive data on "approximately 70 million people" that is scattered among potentially thousands of locations.

I believe many more organizations lose laptops, notebooks, handhelds, storage media and so on than are ever reported…even with today’s breach notification laws.  I know in speaking with several organizations that many of these losses and thefts are reported to physical security and the insurance claimed on the hardware value, and the information security department often does not find out until days, weeks, or even months later, if ever at all, and then there is often no idea of the types of data that were on the devices.

This situation points out some important lessons for organizations.

  • You need to have enough people responsible for information security to have effective information security.
  • You need to have policies and procedures in place to ensure the security of laptops, storage devices, and end-user computers, and enforce them consistently.
  • You need to have a comprehensive inventory of data and computing devices so you don’t misplace important information.
  • You need to perform consistent and effective security program reviews of the organizations to whom you entrust your information and processing of sensitive information so that their sloppy and/or insecure practices do not end up putting your organization at risk, or result in significant negative impact to your organization.
  • The more distributed data is, and the more mobile data is, the more at risk data is. 
  • The more you depend upon end-users for securing information, the more information security and privacy education, training and awareness, must be provided on an ongoing basis.


Tip To Prevent an Email Oops

Thursday, August 3rd, 2006

Today I almost had an email oops.  Well…perhaps not "almost" because of a habit I got into years ago.  This habit has saved me many times from sending out a message prematurely before I’ve had a chance to review.  I’ve incorporated this tip into several organizations’ awareness messages and training content and have heard back that it has prevented some email incidents.

While composing an email to a client today, someone came into my office and asked me a question, and while turning to respond, my thumb bumped my overly sensitive mouse pad (yes, I know the sensitivity is adjustable…but overall I like it at the current level) after my cursor had moved over the <send> button.  A sudden chill went over me…I wasn’t ready to send that message!  It wasn’t complete and I didn’t want to send all the raw (don’t worry, it was non-PII) data I had included as I was drafting it.  Then I looked at the TO:, CC: and BCC: lines…WHEW!  I did not have any addresses there yet…in following my email habit of the last decade+.

Many email incidents have occurred by mistakenly sending emails either with unintended information, or with incorrect or unwanted email addresses in the TO: line, etc.  I just talked about many email incidents on August 1.

A good way to avert many email incidents from accidentally happening is to compose the body of the email message BEFORE filling in the TO:, CC: and BCC: lines.  If these lines are blank, then the email composer cannot accidentally send the message before it has been finished and carefully proofread.  It is very simple, but also very effective, as are most security habits.  Effective training and awareness communications help to drill such habits into the minds and typing fingers of personnel.

My habit over the years that I’ve passed on to my co-workers and clients, and have put into communications, is simply:

  1. When writing an email, leave all the address lines blank.
  2. Write the message.
  3. Proofread the message…ALL the message!  Including attachments and being sure to scroll down to see if you have left any extraneous information that you may have copied into the message while composing.
  4. Be especially diligent about reviewing an email message you are forwarding.  Make sure all the information in the forwarded email is something you CAN be forwarding without violating the original sender’s intentions for the email, and to ensure you are not divulging information inappropriately. 
    • You will often need to remove the email address, and perhaps even name, of the email originator to protect their identity/privacy. 
    • You will likely not need to forward the entire email message.  Delete everything from the forwarded email that is not relevant to the reasons why you need to forward it to someone else.
  5. When you know the message is exactly as you want it to be, fill in the address lines with the addresses of the people you want to receive your message.
  6. DON’T HIT SEND YET!  Carefully read through the addresses.  Make sure you didn’t accidentally include an email address that was next to one of your intended recipients in your address book.
  7. Now hit send without worrying about suddenly feeling your heart miss a beat and going "DOH!" because you sent it to the wrong people, or sent inappropriate information.

"But!"  you may say, "This does not work when replying to an email!"

Ahhhh…yes…well…here is another habit I’ve gotten into that has worked well for me.  However, I realize this one requires more tenacity for end-users to follow consistently, but it can save A LOT of embarrassment and potential incident impact.  If you have end-users who send a lot of email to customers, business partners, and particularly others outside your organization, it is worth suggesting to them.  One of my clients from a few years ago sent me a message telling me he was happy he had told his folks about this tip, because one of his marketers would have done a very big OOPS without following it.

The habit for replying to email messages is simply:

  1. After hitting <reply>, copy, then delete, all the addresses from the TO: line of your message and paste into the first line of your reply message body.
  2. Repeat #1 for the CC: line as necessary.
  3. Create your message on the lines after the lines of addresses in the body.
  4. After finishing and proofreading well, do a copy, delete and paste of the addresses from the first line of your message into the TO: line, ensuring that it/they are the recipients you really want for your message.
  5. If appropriate, do a copy, delete and paste of the remaining addresses into the CC: or BCC: lines.
  6. Determine if you need to put any addresses in the BCC: line.
  7. Proofread everything, deleting the parts of the original message not necessary, then <send>.

Yes, this is somewhat clunky, but it can avert some significant security and privacy incidents. 

Once people get into the habit, it truly does become second-nature…like today when I briefly panicked when I heard the <send> button click, then realized that my email habit had saved me from a bit of embarrassment from an unfinished email message.


Email Security Incidents: Stories for Your Awareness and Training Files

Tuesday, August 1st, 2006

I’m creating some information security training content, and today I spent some time researching for some actual stories of email incidents to add to my already bulging email incident file.  So many of the reported incidents in the news over the past couple of years involve emails: mistakenly sent to too many people; putting IDs into TO: lines instead of BCC: lines where they should have been; not encrypting data that is subsequently accessed by those who shouldn’t be seeing it; and so many other incidents resulting from end-user errors, lack of knowledge, and incorrect assumptions.

Email decisions are ultimately made by the people sending them.  It is important they know and understand the impacts their email boo-boos can have…not only upon themselves, but also for their companies. 

I found some great stories, some recent and some older ones that I have just stumbled upon but that are still relevant today, that would be great for any organization’s awareness and training incident story arsenal.  Here are a few of them, with a few of my thoughts interspersed…

  • A story from last week from Riverside, California reports "an information technology worker inadvertently sent a routine e-mail intended for the payroll department to every inbox on the city’s system. The e-mail had an attachment with the names, addresses, Social Security numbers and 401(k) account numbers of 1,974 city employees."

Of course accidents will happen.  Even with awareness and training.  Be sure you have an incident response plan in place when such accidents do occur.

  • At the end of June Mich Kabay wrote an entertaining and good example about how the use, or non-use, of BCC: could create an e-mail incident.  "The problems caused by CC are worse when the recipients do not know each other. I have often received messages from technically unsophisticated correspondents who put dozens of e-mail addresses in the CC field even though many of the recipients are total strangers to each other. Such exposure of e-mail addresses always makes me nervous; who knows whether everyone on the list is trustworthy?"

Email addresses are considered personally identifiable information (PII) by many laws.  Putting them visibly in the CC: or TO: lines can lead to major impact to your company.  The FTC certainly does not look kindly upon revealing email addresses; remember the Eli Lilly incident from 2002?  It is the poster child story of this type of incident.  The impact of that incident will last 20 years and is costing the company millions of dollars.  A big price to pay for an "oops"!

  • There are many great examples of email incidents in a piece from PC World from 2002, "D’oh! The Most Disastrous E-Mail Mistakes."  This article provides many examples of email gone wrong…accidentally sending inappropriate email to a mail group…accidentally copying everyone on the email system on a personal email…inappropriate email messages being discovered through monitoring…accidentally sending PII to others…and so many others. 

I know many more email incidents occur than are reported; most companies keep these ethereal email woes to themselves if at all possible.  However, even the most innocent email incident can have profound long-lasting impact.



Insider Threat Example: Greek Ex-soldier Posts Military and Personal Data About Other Soldiers He Collected 3 years Ago

Sunday, July 30th, 2006

Many of the public statements from organizations that have had personally identifiable information (PII) stolen or lost say something similar, a scant two or three weeks (or even two or three months) later: "there is no evidence the data has been compromised."  Well, here’s a good example of how bad things can be done with that PII even years later.

A week ago it was reported that a Greek ex-soldier had obtained PII about other armed forces personnel while he was serving as an officer three years ago.  He, or someone else with access to his computer, just posted that PII and other sensitive information a week or so ago on the Internet.  The information was "concerning armed forces personnel, passwords used to access army bases and other details concerning military facilities."

This points to a long-standing concern: trusted insiders who are no longer with your company often still possess a great deal of PII and other sensitive information from your company if they worked outside the office or used mobile computing and/or storage devices.  Today that describes a significantly large percentage of the workforce.

How do you keep track of who has possession of the PII for which your company is responsible?  How do you know who has access to, or copies of, all your sensitive information?  How do you collect all that PII from personnel when they leave your company?  What kind of controls are in place to lessen the likelihood that personnel with access to PII and other sensitive information use it or post it in inappropriate ways?  What controls are in place to notify you when such incidents occur?

This is another good example of an insider threat incident to add to your awareness and training files.



“Lost” laptop with info on 540,000 New Yorkers Found

Friday, July 28th, 2006

MSNBC reported that the laptop I blogged about earlier this week that contained sensitive personally identifiable information (PII) on 540,000 New Yorkers was found by the FBI and CS Stars.

"The FBI and the private company that had been in possession of the state-owned personal computer would not say how or where it was found, only that it was in "a secure location.""

The computer had been missing since May 9.  The story did not say specifically when it was found, but implies it was found just this week.  So, it was missing for around 2 1/2 months.

"Mike Kachel, a spokesman for CS Stars’ New York City office, said the FBI located the computer, missing since May 9, and that it appeared no one had used any of the information it contained."

These statements are always interesting to me…I’m told by my digital forensic expert buddies that you cannot tell for certain if data has or has not been copied.

Since the FBI was part of the team that found the laptop it seems it was probably found outside of CS Stars’ facilities…but then again, that is supposition.

"The company had earlier offered the affected workers identity theft insurance, 12 months to get free credit reports and access to fraud resolution specialists. That offer still stands, Kachel said."

This is good.  When an organization, or the government, offers credit monitoring they should stand behind that offer, even when the computer is found.  Because there is no way to tell if the data has been copied, it is foolhardy to believe that just because the computer is found there are not copies of all the data floating around and perhaps being auctioned off to any fraudster who wants to pay for social security numbers, names and addresses.  This computer was "lost" for 2 1/2 months…it could have passed through many hands during that time.

"Identity theft is considered one of the country’s fastest growing white-collar crimes. One recent survey reported that there have been more than 28 million new identity theft victims since 2003, but experts say many incidents go undetected or unreported."

Indeed, instances of identity theft occur every day.  In fact, yesterday CNN reported that U.S. Senator Harry Reid was recently a victim of identity fraud:

"Senate Minority Leader Harry Reid discovered this week he was the victim of identity theft after someone used his MasterCard number to charge about $2,000 at a Wal-Mart and other stores in Monroe, North Carolina. The Nevada Democrat said he found out someone had obtained the number after opening his bill Tuesday night."

The report said he did not know how anyone else got his credit card number.  Gee, wonder if his credit card number was on one of the many laptops and hard drives that have been lost and stolen?  Perhaps even on one that was recovered and determined to have not been compromised?  We’ll likely never know for sure…hmm…



The Business Need for Information Security and Privacy Education

Thursday, July 27th, 2006

Your organization’s personnel hold the security and privacy of the organization’s information in their hands, both figuratively and literally. Businesses depend upon their personnel to handle their valuable data responsibly and securely. Without effective personnel education, businesses face significant negative business impact, and even possible business failure, from the consequences.

A majority of the incidents in the news have ultimately been due to personnel’s lack of awareness and knowledge of how to properly secure information in all its forms and in the many circumstances in which they handle it.  You cannot expect personnel to know how to effectively protect information if you do not communicate to them on an ongoing basis HOW to provide that protection while carrying out their day-to-day job responsibilities.

There are many compelling reasons for businesses to implement an effective information security and privacy education program, including addressing legal and regulatory requirements, raising awareness and understanding, and helping to reduce the insider threat of information misuse and fraud.  I just posted a paper, "The Business Need for Information Security and Privacy Education," that discusses the reasons why businesses must implement an effective privacy and information security education program.
