Tuesday, March 31, 2009

Privacy & the Octomom

According to the LA Times, a bunch of folks just got canned by Kaiser Permanente for accessing the medical file of "Octomom" Nadya Suleman at the company's Bellflower Hospital. In total, 15 folks got the axe and another 8 were disciplined for inappropriate use of their access privileges to view information in Suleman's records.

It's a good start, and I applaud KP for taking a stand on this issue. Meaningful accountability is too often absent when data security is at stake, and looking at the broader picture, the Ponemon Institute has identified a lack of accountability as a big problem in addressing data security at the corporate level.

According to the 2006 study, National Survey on Managing Insider Threats, 31 percent of companies responding to the study reported no single source of accountability for maintaining data security. The result? When a breach happens, fingers get pointed (usually down the chain to the poor souls in IT security), but no one suffers any meaningful consequences.

Unless and until folks in the big offices, whose titles are preceded by the letter "C," put their own skin in the game, there won't be much progress in addressing this problem.

Friday, March 27, 2009

Good Question

Twenty folks showed up for my presentation at yesterday's SecureWorld Boston expo. I was among those in the 2:30 slot -- last one of the show -- which meant many folks had bolted once the expo floor closed (at 2:30), so I was happy to see that many people stick around to hear me.

The talk lasted about 40 minutes and the post-presentation Q&A took another 15 or so. One question (roughly paraphrased) stands out in my memory.

"If the problem of insider data loss is so prevalent and so well known, why aren't more companies doing something about it?"

Good question. Wish I knew the answer.

I've got a few ideas, most of which are related to a sense that companies are hoping that "it can't happen here," but I also think it's more complicated than that. I'll explore some other possibilities in future posts.

Feel free to share your own ideas here via comments.

Mike

Wednesday, March 25, 2009

Spinney is at SecureWorld Boston

A little late in pulling the lever on the Mike Spinney Self-Promotion Machine (known in the trades as the SSP-3000), but figured another reminder might be in order.

I'll be giving a presentation tomorrow at SecureWorld Boston at the Hynes Convention Center on identifying and addressing an organization's overlooked privacy and compliance risks. I'll be representing the Ponemon Institute and using some interesting findings from a number of our recent studies to highlight some things that (according to our data) don't seem to be getting enough attention.

If you want to know what these pitfalls might be, you'll have to be in the audience.

My session begins at 2:30 and runs until 3:15. If you are at the show, swing by and say hello.

This will be my last speaking engagement for a while. Not that I've been burning up the asphalt, but three sessions in a 45-day jaunt is enough (IAPP KnowledgeNet in Boston, INTERPHEX 2009 in NYC, and SecureWorld Boston).

Besides, the ponds around here are nearly ice-free and in a few weeks I'll want to spend my spare time terrorizing the bass and panfish with a fly rod.

Tuesday, March 24, 2009

Privacy v. Security

One thing was clear during last week's RFID Security Alliance INTERPHEX panel discussion: there are still many for whom privacy and security are interchangeable terms.

Granted, there is an area of critical overlap, but security and privacy are not the same things.

Others have explored this topic in detail, so I won't rehash the issue much, but in the context of our topic, protecting an individual's privacy -- controlling access to and the use/misuse of their personal health information -- isn't the same as preventing someone from detecting whether they might be carrying a product that is tagged with an RFID chip.

It's a highly nuanced topic and sometimes the best approach is to leave the nuance out of it and simply answer the question. I think we did that pretty well.

If you want to read more about Privacy v. Security, check out these folks:

Julian Sanchez
Bruce Schneier
Jennifer Granick

Drop me a line if there are other worthwhile explorations of this rich topic you think I should include.

Wednesday, March 11, 2009

Privacy, RFID, and Pharma

Looking ahead to next week, as I and the other RFID Security Alliance panelists prepare for our discussion at INTERPHEX 2009 on the implementation of RFID in the pharmaceutical supply chain, one of the questions that we hope to address pertains to fear.

There seems to be a lingering unease with RFID within the pharmaceuticals industry, largely due to RFID's bad press, and centering on the question of whether investing in RFID adds a data security risk and a patient privacy risk while attempting to tackle other issues (logistical cost reduction, counterfeit prevention, drug safety, etc.).

Are these fears legitimate? Are there other factors at issue with RFID?

Drop me a line and let me know what your concerns are and we'll try to address them on March 17 during our discussion.

Tuesday, March 10, 2009

Fighting Fire with Fire

You are a powerful federal agency with a longstanding beef against a company that has thumbed its nose at you (and, it can be argued, continues to do so). What do you do? You fight fire with fire and mock them by producing an advertisement that spoofs that company's own marketing vehicle.

The Federal Trade Commission released a send-up of the (annoying) series of advertisements promoting a supposedly free service for obtaining a copy of your consumer credit report.

Here's a copy of the FTC's advert (which it says is a public service announcement).

The notorious credit monitoring company issued a statement in response shortly after the FTC's release. Here's a line from the release: "[company] provides paying members with continuous access to their credit report and credit score with a paid membership."

Yes, I am intentionally avoiding any mention of the company's name (no SEO props here), which is also its Web address, but the fact that the company -- the very name of which claims to be free -- says it provides its "paying members" with certain services is at the heart of the FTC's longstanding feud. If you've ever dealt with that company, you'd have a sense of why I'm rooting for the FTC on this one.

Sunday, March 08, 2009

Facebook's Privacy Conundrum

As a Facebook subscriber, I try to be aware of the fact that everything I do on that popular social networking platform is subject to broad public exposure. For a while now I've been amused at the way FB users seem hyper-sensitive about Facebook's privacy policy, yet blissfully unaware of their own willing forfeiture of the very privacy about which they purport to be so concerned.

An article ran this weekend in the New York Times that addresses this conundrum somewhat, though I think the article treats the phenomenon superficially in favor of a discussion of Facebook's demographics -- including the tendency for younger users to treat their privacy cavalierly (the Ponemon Institute has identified this "privacy age gap" in a number of studies over the years).

The author opens the essay by predicting that the position of Chief Privacy Officer will no longer exist at Facebook in ten years. To the contrary, I think Chris Kelly may have one of the most interesting CPO jobs in the world, operating in a privacy laboratory unlike any other, constantly working to find the balance in creating a social networking utility that is so trustworthy and respectful of subscriber privacy that those subscribers feel secure enough to share the details of their lives within its pages.

Friday, March 06, 2009

Add Another Event to Your Calendar

I'll be speaking later this month at Secure World Expo in Boston on March 26. The topic of my discussion will be "Data and Compliance at Risk: Assess and Address Your Organization’s Data Security Needs."

It's a 45 minute session (2:30pm - 3:15pm), so not a lot of time to go into the details of this rich topic, but plenty of time to give an overview that should serve as a roadmap for helping attendees get a clearer picture of what they need to do in order to understand their data security and privacy needs.

If you are going to be in the Boston area, or are already planning on attending Secure World Expo, swing by the session and say hello.

Monday, March 02, 2009

P2P Breach is just the Tip of the Iceberg

When news broke last week that sensitive data related to the president's Marine One helicopter had fallen into Iranian hands, I was interested. When I heard that the breach was related to peer-to-peer networking, my first thought was Tiversa. When I heard they were the ones who had uncovered the breach, I was not surprised.

I had the privilege of working with Tiversa last year through a Ponemon Institute study on the risks of P2P to data security and, while I can't disclose the specifics of our conversations, it's safe to say that this breach is just the tip of the iceberg. Folks just aren't aware of the security implications involved with opening up direct access to files on a computer operating P2P technology. Clearly, this level of ignorance is present at startlingly high levels of government and industry.

Apparently compromising national security is worth it for access to free music.