Friday, September 29, 2006

ID Theft Underground Exposed

The Washington Post's Brian Krebs has a very interesting post in his blog, Security Fix.

Check it out here.

Mike

Wednesday, September 27, 2006

A Taste of Things to Come

I’m writing a new article for the 1to1: Privacy newsletter that will open some eyes. The article will appear in the October issue.

I won’t go into a lot of detail since that would be unfair to my editor, but I want to give readers of this blog a little taste. You can subscribe (free) to the newsletter, by the way, so if you don’t already get it, browse on over and do so.

The inspiration behind this article is the cumulative effect of four recent Ponemon studies. The first three, on the subject of data protection, offered insight into the root causes of poor data protection and ways to successfully address this situation. The fourth study examined the attitudes of marketing executives when it comes to privacy functions and initiatives.

Taking the full measure of these studies, there are some interesting conclusions that can be drawn, and I discuss these theories with Larry Ponemon, architect of the surveys, as well as Nick Copping, co-CEO of ZOOM Marketing, and noted privacy consultant Alan Chapell of Chapell & Associates.

Whether you are a privacy pro struggling to work with a seemingly stubborn marketing department, or if you are a marketer wondering how to balance the requirements of privacy policy with the expectations of a successful marketing campaign, I hope this article sparks the sort of conversation that serves as your first step toward reconciliation of your individual goals.

If I or any of my associates can be of any help in this effort, don't hesitate to get in touch.

Mike

Wednesday, September 20, 2006

Sweet Confirmation

Earlier this week the CMO Council announced the results of a new study, entitled Secure the Trust of Your Brand: How Security and IT Integrity Influence Corporate Brands. The study investigates precisely what the name implies: the impact of security on brand influence.

Many of the findings in Secure the Trust, which was sponsored by Symantec and Factiva, were in keeping with similar studies, offering support for a number of points we know to be true either from the research of other groups, or anecdotally. For example, we know that poor security, evinced by news of a breach, can erode brand confidence and that multiple breaches are likely to prompt significant customer defections. We also know that poor security can negatively affect stock performance.

Some of the findings, however, were new and interesting. In addition to the CMO Council’s analysis of media coverage of breaches (which, as a comms analyst, I found compelling), there was one point that stood out, which was summarized in the press release announcing the study:

“While both corporate marketers and business executives indicate emphatically that security concerns are rising for their companies and their customers, just 29 percent of marketers say that their company has a crisis containment plan in case of a security breach. Furthermore, although 60 percent of marketers believe that security and IT integrity provide an opportunity for brand differentiation, 60 percent also say that security has not become a more significant theme in their company’s messaging and marketing communications.”

That first sentence jumped out at me. Only 29 percent have a crisis containment plan.

That’s a startling figure, but I was glad to read it. Glad because, as a consultant who follows this game, I have seen in the public response to breaches that many companies react in a way that strongly suggests unpreparedness. I would not have guessed that the number was that low, however, so I was also glad to have quantifiable evidence to back up my own beliefs.

If you are among the 71 percent of companies operating without a crisis containment plan, you need to get in touch with me…

Friday, September 15, 2006

Twice Bitten

Got a letter last week that I received with mixed emotions. It was a breach notice letter from the Carlson Companies, an organization I do business with regularly.

I say "mixed emotions" because, while such letters are never good news, the arrival of one is not shocking. I'll even go so far as to say that receipt of a breach notice letter should be an expected event for most people.

I debated writing about this particular letter because of my ongoing business relationship with the company, but eventually decided to go ahead. Two reasons made my decision. The first is that I don't think it's right for me to blog about one breach that affects me, but not discuss another. If I'm going to be fair, I need to discuss any and all breaches in which I have a stake.

The other reason is that, after a detailed reading, I think Carlson's response to their data loss incident is excellent, and can serve as a model for other organizations facing similar circumstances.

There's an ironic twist to this particular letter. My association with Carlson is through their Peppers & Rogers marketing division which, in partnership with the International Association of Privacy Professionals, publishes the 1to1: Privacy newsletter. I am a regular contributor to that newsletter.

In brief, the letter informs me that "an employee on a field assignment had a laptop stolen from a locked rental car." A common occurrence. I'll reference an August 15 Vontu-sponsored study by the Ponemon Institute (with whom I work) in which it was found that 81 percent of companies have experienced the loss of a laptop computer in the last twelve months. My personal information, including name and Social Security number, was on that laptop.

I'll summarize what I like about the way Carlson handled this incident:

The letter is brief. All the information I need to know is presented on one page.
The letter is to the point. There's no unnecessary talking around issues.
The letter doesn't induce panic. The letter deals with facts, not fear, and presents the situation in such a way that I have a realistic understanding of my situation.
The letter takes responsibility. Carlson doesn't attempt to dodge here, and they provide me with information to take advantage of a 12-month credit monitoring service, at their expense, that includes daily monitoring and alerts, $25,000 ID theft insurance, and more.
The letter arms me with useful information. Carlson offers advice and points me to resources that I should be aware of knowing that my PII has been put at risk.

Finally, when I read the Carlson notice letter, I'm not overwhelmed with a style of writing that tells me it was written by a team of lawyers. The letter is written in a professional and easy-to-understand voice.

I'm sure Carlson would have rather not found themselves in a situation requiring that they send such a letter, but unlike other notices I've seen and received, their reaction stands out.

Monday, September 11, 2006

Summer's Over

Astronomically speaking we still have nearly two weeks of summer left, as the autumnal equinox doesn't occur until September 23. Meteorologically we may have a month or more of summer weather remaining, though it will come in increasingly short spurts (recall that I am writing this from my home in Central Massachusetts). But for practical purposes, my daughter returned to school today, so summer is over.

I half joked to a friend yesterday that I shaved, got a hair cut, and sent those clothes that needed it to the cleaners in preparation for a return to business as usual.

I apologize (again) for my less-than-faithful attention to this blog. I had enough going on that made an unannounced hiatus from blogging a convenient thing to do.

In the meantime, I've posted plenty over at Spot-On and had a byline appear in Inc. Magazine. That, plus my work with the great folks at the Ponemon Institute and my appointment as co-chair for the Boston Chapter of the International Association of Privacy Professionals KnowledgeNet. So, you see, I haven't been lazing around the last 90 days or so.

Lucky for me summer was a quiet one for privacy. Hardly a blip to comment on, unless you count minor events like AOL's search term fiasco, HP's emerging pretexting scandal, Sovereign Bank's laptop theft, AT&T's hack, the Department of Education's technical glitch, Chevron's laptop loss...

Oh, and I have personally been affected by my second exposure this year. Having already been put at risk by the Department of Veterans Affairs, I got a letter in the mail last week telling me of another breach that could have exposed my PII to unsavory elements. More on that in my next post.