Wednesday, June 28, 2006

Reasons, not Excuses

Yes, yes... I know it's been 20 days since I posted anything of note here.

Once again, please accept my apologies.

The reasons for my delinquency are manifold, but the two primary reasons are:

1. I've been creating content for www.spot-on.com, where I will be among the regular stable of contributors beginning in July, and

2. I've been asked to join the Ponemon Institute to work with that firm on their communications needs.

Both opportunities have me excited. Spot-on because I'll be part of a fast-growing, Internet-based opinion mill with some influence. Chris Nolan is to be commended for what she's created, and I'm humbled to have been asked to be a part of it.

And, of course, getting together with Larry Ponemon, for whom I have the utmost respect, is a dynamite stroke of luck for me. Larry's groundbreaking research on issues of privacy and trust has been influential in the development of my personal philosophy and approach to communications.

Those are the reasons, but they aren't excuses, so I'll get back to regular postings this week.

Tuesday, June 20, 2006

Apologies

It's been a busy week. A lot has happened, and I'll inform of some developments in the next few days. I'll also get around to (finally) finishing my critique of the VA's Q&A, as promised.

Thanks for your patience.

Thursday, June 08, 2006

VA Notification Letter Critique

The letter I received from the VA notifying me that my personally identifiable information may be at risk following the May 3 theft of an employee’s laptop computer is a mixed bag. I’ll outline the letter for you here:

For starters, the letter is short. Six paragraphs in length, fitting nicely on one side of a sheet of standard 8.5” x 11” bond paper, it’s not the sort of lengthy missive that is more likely to get wadded than read, so that’s a plus.

Paragraph One gives a brief description of what happened, tells me that my PII was “potentially exposed to others,” and points out that no health or financial information was included in the breach. Paragraph Two continues the tale, informing me that the FBI and the VA inspector general are on the job investigating. Without getting into a dissertation about the veracity of the letter’s account, I think it’s an opening that gives the letter proper context without raising unnecessary fear or shrugging off responsibility.

Paragraph Three points to resources made available for veterans who may be concerned about the safety of their PII, or who believe someone is using their information for nefarious reasons. A web site and a phone number with hours of operation are noted.

Paragraph Four cautions the recipient about possible schemes fraudsters may use to obtain more information by calling or emailing under the guise of a federal agency. This is an especially important point, since many of the 26.5 million vets may be inclined to fall for such social engineering techniques, believing they are helping a government agency protect their financial safety.

Paragraph Five is a mea culpa, and Paragraph Six closes with an explanation as to why the IRS was the mailing agency along with assurance that the IRS shared no address or financial information with the VA.

Overall, I like the letter. There’s no unnecessary detail, no fear-mongering, and no finger pointing. What’s missing from the letter, however, is the availability of credit monitoring and other protective/precautionary services. I realize this is because the VA has not yet ponied up to absorb the cost of such services for all the affected vets, but I believe that service should be standard practice in such cases.

Also, in Paragraph Five, the VA states “we want to reassure you we have no evidence that your protected data has been misused.” First, I’d hardly call the data “protected” since the lack of protection is why I’m getting this letter in the first place. Second, it’s unlikely that the compromised data would, just over a month after the theft, already be seeing fraudulent use.

More on that when I look at the Q&A…tomorrow.

Room for improvement, certainly, but a good effort - especially considering we're talking about a federal agency and 26.5 million points of contact. I'll give it a B+.

Privacy, European Style

Here's a quick reminder to anyone working in or with companies within the EU:

Privacy Laws and Business, the premier European privacy organization, is holding their annual (19th annual!) privacy conference from July 3-5 at St. John's College in Cambridge, UK.

For more information, click here:

Privacy Laws & Business 19th Annual International Conference

This is one of the best privacy conferences in the world, particularly if you deal with the intricacies of moving sensitive data across international borders.

Wednesday, June 07, 2006

Quick VA Breach Update

I thought I'd let you all know I got a letter in the mail from the VA today letting me know about the breach. I took a quick look through, but will examine the letter more closely tomorrow. The notification includes a one-page letter and a two-page Q&A.

I've already spotted some things I don't like, and I'll share specifics with you after a thorough analysis. Communication with customers/constituents is a critical part of the process of building trust, and especially of bridging the trust gap.

Private Communications Interviewed for Podcast

While I'm at the point where I feel like commenting on the spate of breaches involving mobile data is getting redundant, I was asked to comment on the incidents for a podcast at TechTarget's SearchSecurity.com, so I thought I'd provide the link to you all.

Breach Podcast

SearchSecurity editor Bill Brenner, who picked up on my angst following disclosure of the VA breach, invited me to participate in this week's podcast, which I was more than happy to do.