Tuesday, December 29, 2009

2009 Privacy Putz of Year Award

In the tradition of the year-end custom of giving something or someone a “Best of” award for outstanding achievement in a particular category, I have decided to do the same in the area of privacy – with a bit of a twist. We constantly hear about our loss of privacy as one of the chief byproducts of our interconnected, always-on world, and how we are barely clinging to what’s left of the shredded veil of secrecy behind which we were so used to hiding. I thought it would be more interesting to award the one person who has done the most to willingly obliterate his or her own right to privacy.



So, welcome to the 1st annual ‘Privacy Putz of the Year’ award. Unlike the complexity of trying to choose who has done the most to advance the interests of privacy and security in our culture and day-to-day lives, it was comparatively simple this year to highlight the individuals who have done the complete opposite of what makes sense when it comes to trying to maintain one’s anonymity and low profile in this quasi-Orwellian world of me, me, me on the Web and TV.


For this year’s inaugural award, I decided to forgo the obvious, the deluded attention-seekers who were purposely willing to give their privacy away for a small taste of the nectar of fame. It would have been too easy, for example, to choose one of the three highest-profile candidates. First, Nadya Suleman, the so-called “Octo-mom”. This is the lady who recently produced a set of octuplets and then signed on to her own reality show so we could all voyeuristically enjoy another person taking care of their kids, only in this case it was 14 of them at the same time. What was more interesting about Suleman, however, was that the world soon found out that this 33-year-old single mother already had six children who were born, just like the octuplets, through in vitro fertilization. (Six isn’t enough?!)


The second candidates I quickly discounted were the White House party crashers, Tareq and Michaele Salahi, whom I wrote about in my last post and who must have been shocked, shocked I say! that their personal lives would be so scrutinized after this little misdeed of theirs. However, to their credit, the Salahis did organize their Facebook page very nicely, fully detailing every person and dignitary they met that night, with glossy color photos in case the Secret Service didn’t know where to look for evidence of the security breach.


Finally, the last obvious candidates, too easy a choice to bother with, were the pair of Kate and Jon Gosselin. These two have been so overexposed in the media and their story has been so hashed and rehashed that it warrants no further comment from me. They have sown the wind; so let them now reap the whirlwind.


As for the viable candidates, first runner-up for the Privacy Putz award goes to one Craig Lynch, a 28-year-old prison escapee from Suffolk, England. He escaped from prison back in September, but rather than keeping the low profile of your average bloke who manages to make it over the prison wall, he has continued to update his Facebook status regularly, describing everything from what he had for dinner to who his next girlfriend in the New Year might be. This might be the digital version of the trail of popcorn…


But the real winner of the Privacy Putz Award for 2009 goes to the one individual who in my opinion did the most harm to her own privacy and the most to undermine her overall well-being and anonymity, and that person is one Natalie Blanchard, an IBM employee from Quebec. Ms. Blanchard had been out of work on long-term disability for depression for 18 months when her insurance company, Manulife, abruptly terminated her monthly payments. How was it that the company came to such a definitive diagnosis of Ms. Blanchard’s ostensibly legitimate condition? A psychological examination? A thorough medical evaluation? Rock, paper, scissors? Nope. Ms. Blanchard herself, it turns out, was only too eager to assist the company in its conclusive diagnosis of her remarkable recovery from major depression.

Blanchard undermined her own case by posting certain pictures and status updates of herself on her Facebook page. What’s wrong with that, you ask? Well, during the 18 months in which she was “recovering,” a series of pictures she posted on her Facebook page show her taking the time-tested remedy for depression: attending a Chippendales male strip show while on vacation. Other pictures showed Blanchard at bars, at beaches, and on three other four-day holiday trips, which were recommended by her psychologist, all the while collecting the benefits from her job at IBM. A Facebook status message said that she had recently climbed a mountain, as well. You go, girl.

It appears that her privacy settings, or lack thereof, on her Facebook page allowed either someone from her company or someone from the insurance company to view her tell-tale postings, because when she eventually called the insurance company to inquire why her payments had abruptly ceased, the reason given was that, according to the photos and postings on her Facebook page, Blanchard was apparently no longer depressed! Wow! Manulife was able to diagnose Ms. Blanchard essentially through hearsay, assumption and innuendo, all from the comfort of the office PC. One small step for psychology; one giant leap for Manulife. Case closed. It’s a Holiday miracle.

Congratulations to Natalie Blanchard for the 2009 Privacy Putz of the Year award. Well deserved.

As I attempt to emphasize in every blog post here, we now live in a post-privacy world, devoid of the traditional trappings of common sense, guilt, shame and discretion. Using tools like Facebook, MySpace, Twitter, and even blogs like this one puts your life, opinions, ideology and in some cases private life right out on the web for all to see, and to see forever.

Just think, the world used to be your oyster; now it is your fishbowl.

Happy New Year.

Tuesday, December 1, 2009

The Paradox of Privacy - Part III, The Exciting Conclusion

I hadn't intended this piece to run beyond one part, let alone two, but there are just too many interesting things to discuss about who the biggest threat to your privacy is…


I want to discuss the recent event of the two publicity seekers who crashed the White House state dinner last month. Their obvious desperate need for attention and B-list fame reflects what Andy Warhol said about everyone: we all want 15 minutes in the spotlight. Some get it. But at what cost? What the party-crashing couple is now finding out is the dark side of fame (even fleeting, undeserved fame like theirs): its first casualty is always privacy.

Because these two miscreants put themselves in the spotlight willingly, it is obvious that the last thing they wanted from the experience was anonymity. What they are now experiencing, and will experience a hundredfold more, is the lengths to which the blogosphere will go to turn over every stone and look for every skeleton in every closet in an attempt to (rightfully) embarrass these two. What they will find is that they have awakened a sleeping giant of spite and vindictiveness that will rain down all hell upon them. You can see it already occurring in the revelations that the couple is involved in a plethora of lawsuits, bankruptcies and intra-family fighting.

Why? I believe primarily that Americans are an easy lot to entertain and amuse - American Idol, People Magazine and NASCAR don't require much brain matter to process - but the one thing we demand is that our 'celebrities' bring something to the table. Michael Jackson, Tiger Woods and Oprah are famous for a reason - talent. Talent is their currency and we exchange it for fame and adoration. We realize at some level that we cannot easily be like them because they are 'better' than us in some unique way. The couple that crashed the White House is not better than us in any way; we resent their pretentiousness and base arrogance, which is offset with nothing in return - it is a classic bait and switch. That they could crash the White House party - okay, good trick - but what do we get in return? A vacuum. Luciano Pavarotti could be arrogant; Bill Gates can be arrogant; Dr. J can be arrogant, he was after all one of the greatest basketball players that ever lived. These two, however, deserve what they get.

Most of us only give up our privacy piecemeal – a bit here for some small convenience, a bit there for a 25% off coupon, etc. This couple relinquished their personal privacy wholesale with this selfish and thoughtless antic. Who will they have to blame for the sudden and very public loss of privacy? Who else? Themselves. I hope it was worth it.

Sunday, November 15, 2009

The Paradox of Privacy - Part II

I want to continue my discussion from last month about one of the biggest threats to your right to privacy - you.

If you have a Facebook account you probably get 10-15 requests a week from your Friends to answer quizzes or play games or contests that require some personal information to be entered or revealed. The most famous and pervasive application was "25 Things You Don't Know About Me," which took the Facebook community by storm over the spring and summer.

Notwithstanding the fact that you get to know random, irrelevant and mostly inane 'facts' about your friends and friends of friends, what is more insidious is what you reveal to them and to the world at large. Since most cases of identity theft are committed by people the victim knows well or has some relationship with, it is not improbable that you have 'friended' that person on Facebook as well. Now that they know what your first dog's name was, or your favorite grade school teacher, or that you eat peas with a fork, that insight allows them to glean little bits of information about you that help build a case of identity theft. Think about all of the websites that ask for either passwords or security questions as credentials. You supply very similar information as the answers, and on many sites you also provide your own questions - some of which mirror the ones asked by that Facebook application itself. Perfect fodder for ID thieves, and most valuable because it comes right from the source.


So think before you surrender little pieces of your personal life for what you may think to be only harmless and transitory amusement (and for free!). It may have some very long-lasting and unwanted repercussions.

Saturday, October 10, 2009

An effective incident response process

Thanks to the great people at SC Magazine for publishing this piece of mine.

Security and privacy incidents pose real risks to companies of any size and complexity.

These types of unwelcome events do not discriminate. The steps your company takes to deal with the response and remediation, however, will allow you to differentiate yourself from other companies who suffer the same fate.

An excellent first step in the incident response process is to simply define and understand what the terms violation, incident or breach mean in the context of your industry's lexicon. The terms may already be defined by regulations or laws that govern your industry or company. If so, you should align your understanding with these already-defined measures since you will probably be legally held to them in the case of an incident. It also will be beneficial to try and articulate the possible scenarios that are likely to occur in your line of work. While you cannot possibly define every likely incident, you should be able to imagine a short list of the ones within the realm of possibility.

Second, define, document and publish the procedures that are to be followed in the event of an incident. At a minimum, the procedures should include the steps to take in reaction to the incident, defining who does what and when. The procedures don't necessarily need to be overly detailed or verbose, but they should avoid being subjective or too generic, so as not to invite indecision or confusion during a time when you least want it. Having a single procedural guide on which to rely during incidents fosters accountability and follow-through.

Third, appoint a central point of contact for incidents. Once that person is in place, a response team can be created. Depending on your company, this may be an army of one or a group of 25. If you don't have the luxury of dedicated resources, then a virtual team can be named that comes together in a time of crisis and then just as quickly dissolves once the storm has passed. This approach allows a company to harness the particular expertise of its employees while still allowing them to do their day jobs.

In this age of free-flowing information, your customers and clients do not realistically expect you never to have a security or privacy breach. No rational person expects all of their data, in all its iterations, in all locations, to remain safe and secure forever. What those customers and clients do expect of you is to have a process in place to reasonably prevent the incident from happening and, when it does happen, a plan in place to deal with the consequences. Part of dealing with those consequences involves notice to clients and customers of what happened, details of how you will rectify the current situation and, finally, plans to ensure that the same event does not happen in the future.



From the October 2009 issue of SC Magazine (http://www.scmagazineus.com/An-effective-incident-response-process/article/151825/)

Thursday, October 1, 2009

The Privacy Paradox Part I

"You have zero privacy anyway. Get over it." - Former Sun Microsystems CEO, Scott McNealy.



With the increasing evidence of the lack of personal privacy that average Americans are experiencing daily, it might be interesting to try and uncover possible culprits and root causes. Technology? The Government? Global warming? Nope. Here's the answer: You. Read on.

Forget about the lack of privacy for a second. Instead, think about all you do to try and stay secure, and low-profile enough so as not to make yourself a target for identity theft: you shred all of your sensitive documents, you only do business online with SSL-enabled websites, you check your credit score annually, you read your credit card statements carefully. And yet, ironically, many of your daily habits work to undermine the anonymity and low visibility you seek to maintain. How? Simple. Throughout the week, in the online and offline world, start counting up all of the places you leave an electronic fingerprint or footprint big enough that Hansel and Gretel would have no problem following it home, let alone someone more nefarious trying to track you.


Let’s start in the morning. You head to Starbucks for coffee and breakfast. You pay with your Starbucks card and a little crumb is left that you were there. (Literally and figuratively.)


As you head over the bridge, you maneuver towards the E-ZPass lane to expedite your crossing, while the reader scans your E-ZPass tag and debits your account for the $4 toll. At the same time, it records that you were crossing the bridge, again, that morning, at around the same time every weekday.


Once you’re at work, all day you’ll be logging into websites that you typically frequent, which will greet you with the “Welcome Back!” message since you checked the “Remember Me” box on the sites and a ‘cookie’ was placed on your computer. Ostensibly created to enrich the surfing experience and save users from logging in every time, the cookies tell the websites not only when you went to the site but what kind of things you like to do when you are there. You may even have given them a credit card to hold for you as a matter of convenience! (Yours or theirs?)


You head to the gym at lunch and swipe your bar-coded gym card to let L.A. Fitness know you exercise at least 3 days a week. After the gym, you stop at Chick-fil-A for a grilled chicken sandwich, which you pay for by credit card. MasterCard now knows you like waffle fries.


You stop on the way home from work at ShopRite for flowers for the wife, and before you pay, you swipe your ShopRite Plus card at the register to save $1.50 on the bouquet and, unknowingly, to let ShopRite know not only to order another batch of orchids for its inventory, but what your shopping preferences are as well. Finally, you call home to let them know you’re running late. But the GPS tracking in your iPhone already knows this.

And this is all in just one day… the pattern amplifies once you begin to travel further away from home and to other countries. Everything collected about you so far was possible because you felt it a worthwhile voluntary trade-off of a bit of your privacy for the sake of convenience and efficiency; none of it was required or mandated by anyone.


Here’s the kicker. Think of the proverbial frog in the pot: turn up the heat all at once and he jumps out. If you slowly turn up the heat incrementally, he boils to death without realizing it. So you think you are losing your privacy little by little every day? Guess what? You are. And it’s not because the government or advancements in technology are necessarily taking it away; it is because you are giving it away. Little by little. And you may not realize it. Just like the little oblivious frog.

Monday, September 14, 2009

Data Breach: Overview of Trends in Litigation and an Approach to Practical Prevention

I just published a White Paper with an associate, Todd Ruback, entitled "Data Breach: Overview of Trends in Litigation and an Approach to Practical Prevention".


The purpose of the paper is to review the topic of data breach from two perspectives: first, an overview of the trends in data breach litigation, and second, a more granular perspective on practical data protection processes that may serve as a guidepost to help reduce the likelihood of a data breach. Taken together, the reader will understand why a measured approach to data protection can reduce the risk of financial liability from a data breach lawsuit.

Here is the link to the paper. Please let me know your comments or feedback.

http://tinyurl.com/n9d9lc

Al

Sunday, June 28, 2009

Airport Security Part II

As I have recently been in airports in India, Malaysia, and the Philippines, I am continuing my discussion from last month on the absurd, contrived and even artificial displays of security in airports around the world. Though I don’t want to minimize the real and effective security measures that some of the airports I was in had in place (especially Kuala Lumpur), there still seemed to be a number of procedures and processes in place that were either ill-conceived or, worse, arbitrary.

The best example of this I can give you is the practice at some airports of requiring you to have your luggage screened for dangerous items right after you enter the airport. The curious thing about this procedure is that the luggage screening machine sits right in the middle of the airport floor, and in most cases you are given your luggage back to take to the ticketing counters and check it yourself. In India and Manila, for example, airport security staff (manually) put a very thin plastic security band around the middle of your checked luggage which states that this piece of luggage has now been ‘security screened.’ For the life of me, I cannot imagine why the authorities who concocted this process would not think that someone could easily put an explosive or some other device in their luggage after it went through the scanner and was given back to them?!? Granted, there might be a secondary screening after the bag is checked at the ticket counter (which I doubt), but why make it so easy to bypass this first layer of security?

In the world of privacy and security, the most effective defenses are a series of layered security hurdles, be they electronic, physical or a mix of both. The point is to set up a series of inline hurdles that a bad guy needs to clear before being able to cause damage to your organization. And those hurdles should be progressively more difficult: the more determined the bad guy is, the more work he should have to do to get to the prize. The initial barriers of defense are fine for the lazy, stupid or inadvertent criminal, but the last barriers should be very difficult to overcome (e.g. biometrics).

All this has a price. Contrived security measures make a mockery of the whole notion of having security in place at all. At best, they cause inconvenience and extra costs for both travelers and the airport system in general. At worst, they give bad guys easy insights into exploiting the systems and also give travelers a false sense of safety. And that is the most expensive price of all to pay.

Sunday, May 31, 2009

Airport Security: Security through Absurdity?

IN A PERFECT WORLD security and screening procedures at all airports around the world would be the same, and uniformly applied to all travelers. Airport security agencies could always apply stricter measures of interrogation or screening as appropriate, based on a tangible or reasonable suspicion of travelers who may pose a risk to the safety of the other fliers.


IN THE REAL WORLD of course, this does not always happen, if at all. I am a frequent and diverse traveler, having visited at least 28 countries so far. I think that I speak for many travelers when I say that the most frustrating aspect of the security screening process is not the ridiculously invasive and inane measure of having us remove most of our clothes. Nor is it the ‘random’ screening of grandmothers and 5-year-old kids that makes people inwardly think that Osama Bin Laden would laugh himself silly over these ‘protective’ measures if he could witness what he hath wrought. No, I think what infuriates the traveler most, at least the seasoned ones who have some point of reference, is the real weakness of the procedures that are in place: inconsistency.

Now, I grudgingly concede that screening should be done in this day and age. I would even finally quietly submit to the partial disrobing that occurs in the most public of places, if only it were the same routine each and every time. For example, sometimes I have to take my little bag of 3-ounce toiletries (the ‘humiliation baggie’ as I call it) out of my suitcase, and sometimes I forget and it goes through the scanner with no comment whatsoever. Sometimes I have to take my stainless steel watch off; sometimes I don’t. Sometimes I have to remove my belt; sometimes I don’t. Does the watch or belt represent a risk or not? Just tell us to do it every time or let us board a plane with at least an ounce of dignity remaining. You used to be able to put your shoes and coat in the same bin at screening; now I notice they are making you put your shoes right on the belt as it goes through the scanner. (Are terrorists still trying to get on planes with explosives in their shoes?!? Hasn’t that ship left the dock? God forbid some dumbass terrorist tries to smuggle explosives onto the plane in his underwear… ponderous what that might mean at screening…)

In every U.S. airport I have to remove my laptop from my bag before it goes through the scanner; in most foreign airports, I don’t. In the U.S., you have to have a picture ID that matches the name on the boarding pass; in India, for instance, they don’t even ask you for I.D. when flying within the country.

So why the inconsistencies? I can’t imagine the TSA in its infinite wisdom has created the process by design to foil or catch bad guys. If anything, the haphazard application of the rules will only catch the stupidest of terrorists. I realize that the poor TSA employees in the airport are only following orders from above and have to deal with the wrath of the beleaguered travelers. Again, the concern of most travelers is that the procedures are knee-jerk reactions to recent past threats and not proactive, risk-based measures. The TSA should take note of the screening measures in Israeli airports. The Israelis do not try to mete out politically correct measures to everyone (grandmothers and 5-year-olds) like we do here; instead they focus their efforts on the most likely suspects and concentrate their energies on the people most likely to try to do them harm – generally Arab males between the ages of 18 and 35. In other words, they are consistent. Does it work? The Israelis have not had any airline terrorist incidents since 1973. What do you think?

Thursday, May 21, 2009

Lost my data? Oh, thanks for telling me!

IN A PERFECT WORLD if a company suffered a data or security breach or compromise, the company would have to notify only the customers it had in the state where the company was incorporated or headquartered. Or, slightly more onerous, the company would notify all of its customers, but only according to the notification and disclosure law(s) (if any were in effect) within the state where the company was headquartered. The company would always disclose these infractions, as doing so would be in the best interest of both the company, by building goodwill with its customers, and the customers, by making them aware of an untoward event that may make their financial life a bit less agreeable.


IN THE REAL WORLD of course this does not always happen, if at all. In fact, as recently as 2003, before California SB 1386 (the California Security Breach Information Act – the first of its kind), the de facto procedures that companies followed if and when a breach occurred were generally left to the discretion of company management. And do you remember ever receiving back then the kind of notification letters that you probably now receive a few times a year when a company loses a laptop, backup tape, server, box of files, etc.?

As of this writing, there are 45 unique state breach notification laws that companies doing business in more than one state must contend with. As my business associate Todd Ruback, a privacy/data breach and Internet attorney and CIPP at DiFrancesco, Bateman, Coley, Yospin, Kunzman, Davis & Lehrer, likes to remind me, there are still companies – and not just small ones – that mistakenly believe that you only have to comply with the breach laws of your own state, regardless of where your customer base resides. Not true!

If it weren’t for these laws, most breaches, compromises, or data losses by companies would go unreported. Companies were always frightened that disclosing this information would cause customers to lose faith and confidence in the company’s ability to protect the sensitive information with which it was entrusted. And they had good reason to be afraid. Historically, consumers would abandon any company that showed a blatant disregard for the protection of its customers’ data. Today, probably due to the overall plunge in customer service quality and the public’s general acceptance of this dismal state of affairs, breach notices received in the mail are treated with a lot less interest than the new Victoria’s Secret catalog. And that is a shame, because as much as you would like it to, a sexy new swimsuit won’t change your life for the better. However, one of these notices telling you that your personal and sensitive information has been lost and is now in the ether somewhere may just change your life for the worse.

Thursday, April 16, 2009

Privacy & Security as a competitive advantage

Thanks to the great people at SC Magazine for publishing this piece of mine.
(http://www.scmagazineus.com/The-privacy-security-advantage/article/130470/)

Here is the longer, unabridged version:

Using privacy & security as a competitive advantage

There is an old axiom in marketing circles that it costs significantly more money to acquire new customers than to retain and service your old ones. Since the business environment has slowed for now, showing additional ‘value added’ services rather than simply a lower price, for example, is critical for many companies higher up the value chain that provide a service. Clients should particularly value a competent privacy and security program implemented at their service providers, since it will not ‘cost’ them any more than they already pay for the expectation that their data is safe and secure.

Any company that is accountable to customers in these days of dire financial straits should look good and hard at what additional value it can bring to those customers, beyond the primary product or service it already provides. In addition to being a great marketing and selling opportunity, this introspective look for security and privacy ‘value’ can give companies a chance to leverage what they uncover as a differentiating factor – a competitive advantage.

A company with a solid, mature security and privacy program would be well advised to make this fact known to both its marketing and sales teams and its customers. Privacy and security competence matters more than ever in this precarious financial environment. Without the ‘distraction’ of making money hand over fist, the focus for many companies is now on keeping existing customers satisfied rather than only worrying about adding new ones to the fold.

How can an organization best position its privacy and security programs and oversight to be used as a competitive advantage? First, of course, you need to ensure that your privacy and security program is robust, well-tested, formally documented and meets or exceeds whatever legislation your company is subject to or regulated against (Gramm-Leach-Bliley, HIPAA, etc.). Aligning your programs with a standard like NIST or ISO 27001 is an excellent way to ensure that your programs at a minimum meet a design framework that is accepted and understood by your market or vertical.

It is critical to give your customers a point of reference about the validity of your programs so they can easily translate the value into a currency they recognize. If your clients are banking institutions, for instance, it makes a lot of sense to develop your privacy and security programs around the Federal Financial Institutions Examination Council (FFIEC) standards, since most banks, thrifts, savings & loan institutions and credit unions are regulated by the entities that make up the FFIEC (OCC, OTS, FRB, FDIC, & NCUA). Doing this will make it easier for your banking clients to get their auditors or regulating agencies comfortable with using your firm as a service provider. Helping them successfully navigate audits makes you a valuable partner. Your customers will really begin to derive value from well-designed and real-world-tested programs when they realize that they can lessen their due diligence and oversight of your firm because of the extensive testing and thoroughness of your own internal activities.


Companies doing business in the US, especially in the financial and health care sectors, are already exposed to a litany of legislation, mandates and guidance that they are regulated and tested against quarter after quarter, year after year. Companies can realistically expect such federal and state legislation to only get stricter, more onerous and more invasive. Most companies already either perform, or have a third party perform, some kind of internal and/or external assessment. These activities could be anything from simple perimeter vulnerability scans to intrusive penetration tests of web-facing applications. If you are having these done, you should leverage the results (properly scrubbed of any confidential or proprietary information like IP addresses, of course) and provide your clients with executive-summary versions of the reports to show that not only are you constantly evaluating the viability of your network, but you are having an independent third party do it for you. You should also take advantage of any other internal and external audits, assessments and oversight that you can reasonably share with external parties by crafting these documents, or summaries of them, as a consumable for external parties. It has been my experience that clients, especially their security teams, really appreciate this effort.

Any attestation, especially an independent one, that your controls are in place and functioning properly gives clients a sense of comfort. It may even relieve them of significantly overseeing you as a service provider – saving them time and money – or may at least minimize the intrusions of each and every client and their auditors tramping through your shop.

Another innovative way to deliver a competitive advantage today is in the realm of vendor management. This discipline is quickly becoming an increasingly high profile topic of discussion and interest between clients, customers and their service providers. The onus is on you to demonstrate oversight of your 3rd party service provider(s); you need to show especially robust oversight controls if the 3rd parties are perceived to be of higher risk, such as an overseas provider. If you are outsourcing some of the work your clients have turned over to you, those clients may ask “Why am I outsourcing to you if you in turn outsource?” Here is where you point out your management and oversight of the vendors and how you assume full accountability for the controls in place, as well as the robustness of those controls. This is also where you have the “value add” conversation and demonstrate why your clients placed their trust in you in the first place; it is a key selling point for your company to use to distinguish itself from competitors. This will resonate especially soundly with any clients that give you access to or control over their sensitive customer data, proprietary information or intellectual property.

Lastly, an easy way to show privacy and security competence over competitors is in the area of oversight of employees and their access controls. This long-neglected, decidedly un-sexy discipline is now, like vendor management, starting to get the attention it deserves. Most studies of risk show that internal employees who already have access to the company network pose the biggest threat – the malicious insider. One of the best ways to show oversight and mitigation of this risk is with regular entitlement reviews. Nothing may prevent a trusted employee from one day going ‘rogue’, of course, but habitual review of appropriate access will minimize damage from people who no longer have a ‘need to know’ for the critical and sensitive applications and data that may represent the lifeblood of your company.
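What an entitlement review actually does, as an added example (not code from this post): compare a snapshot of current application access against the HR roster and a role-to-application matrix, and flag every grant that no longer has a justification. All names, roles, applications and grants below are constructed sample data.

```python
# Added example for the entitlement-review point above; all data is constructed.
from dataclasses import dataclass

# Which applications each job role legitimately needs ("need to know").
ROLE_ENTITLEMENTS = {
    "loan_officer": {"loan_origination", "credit_bureau"},
    "underwriter": {"loan_origination", "credit_bureau", "doc_vault"},
    "helpdesk": {"ticketing"},
}

# Constructed HR roster: user -> (role, status). Terminated staff linger in
# HR data for a while, which is exactly what the review must catch.
HR_ROSTER = {
    "alice": ("underwriter", "active"),
    "bob": ("loan_officer", "active"),
    "carol": ("helpdesk", "active"),      # transferred out of underwriting
    "dave": ("loan_officer", "terminated"),
}

# Constructed snapshot of current grants pulled from the applications.
CURRENT_GRANTS = [
    ("alice", "loan_origination"), ("alice", "doc_vault"),
    ("bob", "loan_origination"), ("bob", "credit_bureau"),
    ("carol", "ticketing"), ("carol", "doc_vault"),   # left over from old role
    ("dave", "loan_origination"),                     # terminated, never revoked
    ("eve", "credit_bureau"),                         # no HR record at all
]

@dataclass(frozen=True)
class Finding:
    user: str
    app: str
    reason: str

def review_entitlements(grants, roster, role_matrix):
    """Return the grants that lack a current justification, with the reason."""
    findings = []
    for user, app in grants:
        record = roster.get(user)
        if record is None:
            findings.append(Finding(user, app, "no HR record (orphaned account)"))
            continue
        role, status = record
        if status != "active":
            findings.append(Finding(user, app, f"user status is {status}"))
        elif app not in role_matrix.get(role, set()):
            findings.append(Finding(user, app, f"not entitled for role {role}"))
    return findings
```

Each Finding is a revocation candidate for the application owner to confirm; on this sample data the review surfaces the stale transfer, the terminated user and the orphaned account.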

Still need justification for your programs? The benefits of a competent privacy and security program are myriad and are more visible and tangible than ever. Don’t just analyze what it costs to administer your programs (FTEs, software, etc.) or even what the ROI may be (if you can even calculate it). The hard and soft costs associated with damage to a brand or reputation due to a breach or compromise may be incalculable, and may make it very difficult or impossible to woo back former clients who left due to the breach, or worse, to woo new clients into the fold. How’s that for justification?

Wednesday, March 4, 2009

Identity Theft Tops FTC Complaint List.... Again

IN A PERFECT WORLD when someone attempted to use data that is not theirs, the hurdles and roadblocks to successful authentication would prevent the illegal use of that data. It would be like finding a key, but not having the matching lock to use it with - what good would having the key do you then?

The FTC recently noted that identity theft was the biggest consumer complaint again for data collected in 2007...no surprise there. What was interesting in the data was that although credit card fraud was top of the list in terms of percentages (23%) - as well as the usual suspects (loan fraud) - the surprising info for me was the significance of other fraud: phone or utilities fraud (18%), employment fraud (14%) and government documents / benefits fraud (11%).


IN THE REAL WORLD this data tells me that fraudsters are either setting themselves up for more sophisticated identity theft schemes by further compromising a stolen person's identity, or that ordinary people who lack some basic resources and coverage are misrepresenting their identity to get a job, a health claim paid, or cable or phone service. Some of it is due to outright fraud, obviously, but I suspect a lot of it is due to the fact that some people either have no credit or lousy credit, cannot get some service or job on the merit of their own credit history, and have taken the low road of using someone else's good credit history. Either way, it is still a warning signal to us that our personal data remains subject to compromise and misuse in so many ways that may not be as evident as receiving your monthly Visa card bill showing a new flat panel TV just purchased from Best Buy (that you didn't buy).

Studies of identity theft show that the perpetrators of this crime are typically people who are known to the victim (friend, family, tenant), or people who have physical access to the data. Rare is the clichéd situation where the hacker, wearing a ski mask and 5-day stubble, intercepts your data via an online transaction. As security guru Bruce Schneier has said, making the data hard to get is not as practical an approach as making stolen data hard to use.

What do you think?

Monday, February 23, 2009

How safe is your financial data? Do you ask?

IN A PERFECT WORLD when you hand over your sensitive data to a company or person with whom you are conducting a financial transaction, you almost unconsciously believe that the information will be secured in every way. How often do you question the recipient of your data on how it will be protected?! We are getting more privacy savvy as consumers, but when someone at a doctor's office or big box store asks for our social security number to complete a transaction, people generally hand over the number. When and if the company that has your data either moves locations or, worse, goes out of business, you never think about what they are doing with your data. You just assume it is securely destroyed and that's the end of it.

IN THE REAL WORLD what usually happens is that your financial information, when received, is simply put in a computer or a hardcopy file. Sometimes it is secured, most times it is not - especially if the company is a small one. The article from the New York Times below got me thinking about some war stories I have heard from being in the mortgage industry. I remember someone recently told me that a small mortgage broker in their town suddenly went out of business one day, and all they did with their piles of mortgage applications was put them in boxes and then out on the curb to be picked up by the trash men that week. It was a particularly blustery week in that town, and 1003 mortgage applications (the crown jewels of your financial life) were blowing all down the street for anyone to see or pick up. Manna from heaven for identity thieves or ne'er-do-wells...

Next time you are asked to hand over data you consider personal or sensitive, ask the recipient "Before I give you this info, how do you protect and secure it?" If they look at you like you're speaking Ukrainian (and you are not in Kiev), you should consider taking your business elsewhere. There have to be consequences for such negligence.

How Safe is Your Financial Data?
http://www.nytimes.com/2009/02/15/realestate/15mort.html?_r=1&scp=1&sq=how%20safe%20is%20your%20financial%20data?&st=cse