Archive for the ‘Uncategorized’ Category

Email retention…is it easier to delete important information and pay fines than it is to figure out how to control the content people put within email messages?

Tuesday, February 14th, 2006

There continues to be more news made about businesses and their email retention practices.  Today it was reported that Morgan Stanley proposed paying a $15 million fine as a result of the firm not appropriately or adequately retaining emails.  Other fines have been in the news as well.  Considering the hugely expanding amount of email messages being sent and used each day for business…do we all really need a darned Blackberry with us 24/7?…companies really do need to re-examine their policies regarding the use of email for business.  If it is not properly addressed, it could result in huge fines or even jail time, depending upon the information personnel put within the messages.

The Impact of Security Incidents on Business

Monday, February 13th, 2006

I have been interested for several years in the impact of security incidents and privacy breaches on business.  The Ponemon Institute has done quite a bit of research on privacy, and last year did one study specific to business impact.  Over the years I’ve created my own business impact tool based upon my research and work with several different companies who have experienced breaches; it contains even more types of costs that the companies experienced than the Ponemon research identified.  It would be interesting for the insurance companies that businesses use for their own liability and E&O insurance to keep track of these numbers.  Such information would not only provide a good basis for keeping track of incidents more accurately than the current hit-or-miss subjective surveys and guessing, but it could also form the basis for some nice actuarial tables to apply within cybersecurity insurance.

What Happens When Trusted Insiders Turn Against You…

Wednesday, February 8th, 2006

I’ve been hearing a lot over the past year about trusted insiders…or formerly trusted insiders…doing bad things to their employers, ex-employers, the customers, and so on.  The latest I’ve heard about is the Honeywell ex-employee who the company says posted sensitive information about 19,000 of the company’s U.S. employees.  When I read about these types of incidents, I wonder, why did one person have access to all the information on all these people?  If the person truly needed it, why weren’t there compensating controls to monitor what a person with such trust and access did with this data?  The story reported, "In the court filings, Honeywell claimed that Nugent ‘intentionally exceeded authorized access to a Honeywell computer,’ but the integrity of Honeywell’s computer systems was not compromised, Ferris said."  So, was this employee a systems administrator?

Companies must realize, after hundreds of frauds and incidents over the years, that information is most vulnerable to those in trust.  Just look at the yearly CERT/Secret Service Study.  Why does it always seem that most companies do not want to appropriately or adequately safeguard information until something bad happens?  Why are business leaders so willing to gamble that something bad will not happen within their organization?  Surely they do not take the same gambles with the other parts of their business…or do they?

PII Paper

Monday, February 6th, 2006

Today it was widely reported that the Boston Globe and Worcester Telegram & Gazette inadvertently distributed credit and bank card numbers of as many as 240,000 subscribers with bundles of T&G newspapers on Sunday.  (See http://www.boston.com/business/articles/2006/02/01/subscriber_credit_data_distributed_by_mistake/ for one story on this).

I don’t know much about the mechanics of a newspaper printing press, but when I went on a tour of one (admittedly more years ago than I’m going to admit) the way the paper was printed was completely separate from the computer systems and customer databases.  Yes, I’m probably living in the dark ages, and probably modern news publication advancements now allow for direct printing of the paper with just a press of a computer keyboard button, but I’m still trying to figure out how what sounds like a subscriber database listing got printed with the Sunday funnies!  Is it as simple as a lack of access controls?  Lack of separation of duties?

It reinforces in my mind the need to encrypt personally identifiable information (PII) in storage.  If the database *HAD* been encrypted, would just some hieroglyphic-looking pages have been bundled with the Sunday news?

Enron, ethics and opportunists…quick follow-up

Monday, February 6th, 2006

Upon second look I see the vendor actually has posted "more than 500,000 Enron emails," not the much lower 85,000 I indicated yesterday…

Geesh..

Do You Wipe Your Retired Computers?

Monday, February 6th, 2006

Today I read a report about an incident for which many other similar incidents have occurred lately, and throughout the years.  The Calgary, Canada Privacy Commissioner started an investigation into a complaint that a Staples Business Depot store in Calgary sold a computer that contained a previous customer’s personal information. This would be a violation of Canada’s Personal Information Protection Act (PIPA) if the store really did leave the information on the computer without the customer’s knowledge and consent, and certainly if this is true, selling a computer containing personal information is not the way you want to demonstrate your company properly safeguards personal information.   See http://www.gov.ab.ca/acn/200601/19333026FCE40-E94C-2475-198185B9A5012E05.html for more information on this particular incident.

I do not think this is an isolated event.  In fact, it would be interesting to do a study of the used computers sold by companies in stores and through websites (yes, such as the Morgan Stanley Blackberry sold on eBay I also wrote about on this blog), and see how many of them still contain information.  I would anticipate the numbers would be high.  According to Gartner, U.S. homes and businesses combined discard 133,000 PCs EACH DAY (see http://msnbc.msn.com/id/10312478/site/newsweek/ for one story on this).  Additionally, the U.S. Environmental Protection Agency reports U.S. residents throw away 2 million tons of tech trash each year (see http://www.tdn.com/articles/2006/01/23/area_news/news07.txt for one story on this).  That’s a whole lot of computers!!  How many of these devices still have sensitive information stored upon them when they are discarded, which includes being donated to other organizations, or sold to computer stores or through auction sites?  Does your organization completely remove sensitive information from retired computing devices?  Do you have procedures in place to accomplish this?  Identity theft and careless disposal of confidential information are posing increasing problems for individuals and businesses.  A growing number of laws and regulations require businesses to take due care actions to prevent such incidents.

Loss of Blackberry = More Secure Info????

Monday, February 6th, 2006

Blackberry lovers (known widely as "crackberries"…yeah, it’s kinda clever) are in a tizzy since the U.S. Supreme Court refused to review a major patent infringement ruling against maker Research In Motion Ltd. (RIM), which manufactures the device.  A federal judge could now issue an injunction to block RIM’s U.S. business.  Many pundits have stated they believe that RIM may develop an alternative technology or may pay millions to a billion dollars to settle with NTP Inc., which holds the patent.  See http://today.reuters.com/news/newsArticle.aspx?type=topNews&storyID=2006-01-24T224759Z for just one of the stories on this.  All I know is that the crackberries I know were fretting over the possibility of having to pay hundreds to possibly over a thousand dollars to keep their electronic link to the world if RIM settles, or that they will lose it altogether.

Yes…LOSE the Blackberry…meaning the technology as it exists today is no longer available to use.  The other kind of loss, which probably jumped into your mind when the heading caught your eye, is what truly scares me when I see how people use them.  One famous poster child of the risks involved with using Blackberries for work purposes is the story of the Blackberry purchased on eBay that contained massive amounts of Morgan Stanley information; some of it confidential information.  If you haven’t seen this story yet, check it out at http://www.wired.com/news/business/0,1367,60052,00.html.

Folks, these tiny amazing gadgets CAN do many wonderful things and allow for virtually non-stop connection with our business (ewww…is this what we really need, a 7x24x7 business in our pocket?).  However, a Blackberry can seem like electronic heaven on Earth for those gadget-loving workaholics.

Ok, enough with the glowing benefits of the Blackberry…their size and propensity to be lost or stolen is a huge risk to any information stored upon them.  I have performed many business partner security reviews to find that the business partner is storing their client’s data in clear text on these devices, but they see absolutely no risk in doing so…“oh, we are careful with them!”  And, sadly enough, when pressed to encrypt the information stored upon the mobile devices, most of the business partners steadfastly refuse to do so because of the inconvenience and little bit of extra cost it would be to THEM!  (Heck, it’s not their data…so why would they be so worried?)  If you outsource your data to any business partner who uses Blackberries, or any other mobile devices including laptops/notebooks, seriously consider having them contractually agree to never store any of your company data on these wonderful traveling liabilities.  Don’t just specify that “confidential” information cannot be stored upon them; this is a subjective term, and your business partner’s definition of confidential may not be the same as your organization’s.  Besides, many types of information not considered confidential are still potentially embarrassing or capable of wreaking a public relations nightmare if discovered by the public.  This restriction may seem a little rigid, but I have worked with organizations and people long enough to know that if you place complete control of security in the end-users’ hands, such as asking each person to please remember to delete information from their Blackberries, it often does not get done, or it gets done sporadically at best.   It is the easiest and most effective security to contractually require them not to store any of your company information on them at all.  True, this won’t prevent them from breaking your contract and storing data on the mobile devices anyway, but at least it gives you much more solid legal grounds to take action if they do.

Oh, and I haven’t even gotten to addressing how companies control the use of mobile devices by their own employees…that is a good discussion for another day.

So…maybe if they don’t make Blackberries any more…if the owners lose them in this way…perhaps our data will be more secure…at least in some aspects…

Enron, ethics and opportunists

Monday, January 30th, 2006

A week or two ago I got an unsolicited package in the mail from a software vendor.  I opened it up, and there was a copy of Enron’s 2000 "Code of Ethics" booklet, which also contained the corporation’s information security policies.  This surprised me.  Hmm…what was this all about…

Reading the letter I found that this vendor was promoting their product by encouraging potential customers to view a site they set up with a copy of all the Enron email messages, "over 85,000 records" that were on the system at the time of the Enron collapse.  They justified this by indicating that since the information "is already posted on the web by the Federal Energy Regulatory Commission" that the vendor "believes that it is not harming anyone."  However, right before this the vendor indicates that it, "believes that most Enron employees are (and were) hard working, honest people who are (and were) trying to do a good job. We respect them and apologize for any embarrassment that this content may cause them."  Obviously they realize that they are probably harming someone.

They then go on to offer *THREE* contests, each with a prize of iPod shuffles, to the people who, after searching through the emails, would find the best emails that 1) would be grounds for firing, 2) contained the funniest jokes, and 3) were the most embarrassing to the sender.

They indicate they have scrubbed the emails of "really personal information"…but not of the people’s names…first and last names.  Gee, that’s kinda personal, don’t you think?

Does this feel right or ethical?  It is one thing for the government to post evidence under the FOIA, but it is quite another thing for a vendor to actually make a copy of the information and post it, obviously indicating that they realize this will cause embarrassment to the people named within the company, people who have lost their jobs and life savings, solely for the purpose of promoting their product.  And then they go on to have *THREE* contests for people visiting their site to continue to embarrass them!

There were around 28,000 Enron employees who lost their jobs, in addition to another 85,000 Arthur Andersen employees who also subsequently lost their jobs.  And now this vendor is taking opportunistic advantage of the situation, and of government regulations regarding evidence, to blatantly promote their product and even go a step further and explicitly embarrass anyone named in the now "public" documents in the name of their marketing gimmick…just because they can.

It’s almost like this vendor was setting up a circus around a train wreck and creating carnival side shows around the scattered victims.

Does this seem right to you?  Does this seem ethical?  If this vendor has CISSP, CISM, CISA or other certified professionals in their staff who went along with this, are they in violation of their ethics promises?

Today the Enron trial started.  I’m sure the Google searches on information related to it are high.  I’m sure this vendor had a very high hit rate on their site today.

No, I did not search the email database at their site…their justification for doing these macabre marketing stunts was enough to make me disgusted.  The longer I think about this the more my gut, heart and head tell me this is wrong.

So, am I over-reacting? 

Cars Are Great for Securely Storing Computers and Sensitive Data…NOT!

Friday, January 27th, 2006

Ever since computers went mobile, it seems people have been determined to use their cars as computer lockers, despite the fact that cars are a prime target for theft.  Computerworld reported (http://www.computerworld.com/securitytopics/security/privacy/story/0,10801,108101,00.html?source=NLT_BNA&nid=108101) today that on December 31, 2005 an employee of the Providence Health Systems reported computer backup tapes and disks containing information on 365,000 patients were stolen from his car at his home.  The data was not encrypted.  And, here’s the kicker, "The tapes and disks were taken home by the employee as part of a backup protocol that sent them off-site to protect them against loss from fires or other disasters."   Um…yeah…  Well, the spokesman for the healthcare system indicated that practice has now been stopped.

NOTE:  Cars are not secure storage locations for computers or storage media with sensitive data; not even if they are locked.

It seems it always takes an incident to convince some people that bad things can, and have, and probably will eventually, happen when you do high risk activities.

I believe the number of times computers and storage media get stolen from cars, within stolen cars, or from on top of cars (around 10 years ago the CEO of a large multinational company left his laptop on top of his car in the parking lot while he went back in the building to get something…surprise!  It was gone when he returned) is much larger than what is reported.  I know many risk managers have told me that when such incidents happen they write off the computer hardware/software loss with their corporate insurance coverage program, or sometimes tell the employee to file a claim with their home property insurance.  Most employees don’t do this because they do not want their insurance coverage to be impacted, and they also do not want to file a police report that most insurance companies require.

On May 23, 2005 it was reported (http://www.infoworld.com/article/05/05/23/HNmcidatastolen_1.html?DESKTOP%20SECURITY) that a laptop containing information about 16,500 current and former employees was stolen in April, 2005 from a car parked in the home garage of an MCI financial analyst.

NOTE:  Cars are not secure storage locations for computers or storage media with sensitive data; not even if they are locked.

Ameriprise Financial reported yesterday (http://www.twincities.com/mld/twincities/business/13712493.htm) that a company laptop containing clear text information, including names and Social Security numbers, for 225,000 clients was stolen from an employee’s car at an "undisclosed" location out of state.  What is even more disturbing about this is that the Ameriprise spokesperson, Andy Macmillan stated "We view this is a low-risk situation."

NOTE:  Cars are not secure storage locations for computers or storage media with sensitive data; not even if they are locked.
