<?xml version='1.0' encoding='UTF-8'?><?xml-stylesheet href="http://www.blogger.com/styles/atom.css" type="text/css"?><feed xmlns='http://www.w3.org/2005/Atom' xmlns:openSearch='http://a9.com/-/spec/opensearchrss/1.0/' xmlns:georss='http://www.georss.org/georss' xmlns:gd='http://schemas.google.com/g/2005' xmlns:thr='http://purl.org/syndication/thread/1.0'><id>tag:blogger.com,1999:blog-21812035</id><updated>2012-01-24T12:32:05.153-08:00</updated><category term='information security'/><category term='http://www.blogger.com/img/blank.gif'/><category term='trust'/><category term='data breach'/><category term='infosec'/><category term='security'/><category term='healthcare'/><category term='innovation'/><category term='compliance'/><category term='marketing'/><category term='change'/><category term='privacy'/><category term='risk'/><category term='data analytics'/><category term='big data'/><category term='privacy protection'/><title type='text'>Private Communications</title><subtitle type='html'></subtitle><link rel='http://schemas.google.com/g/2005#feed' type='application/atom+xml' href='http://privatecomms.blogspot.com/feeds/posts/default'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/21812035/posts/default?max-results=100'/><link rel='alternate' type='text/html' href='http://privatecomms.blogspot.com/'/><link rel='hub' href='http://pubsubhubbub.appspot.com/'/><author><name>Mike Spinney</name><uri>http://www.blogger.com/profile/01938466909342152711</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://tinypic.com/i3tk01.jpg'/></author><generator version='7.00' 
uri='http://www.blogger.com'>Blogger</generator><openSearch:totalResults>81</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>100</openSearch:itemsPerPage><entry><id>tag:blogger.com,1999:blog-21812035.post-4046212845744083100</id><published>2012-01-24T10:58:00.000-08:00</published><updated>2012-01-24T11:12:13.787-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='privacy protection'/><category scheme='http://www.blogger.com/atom/ns#' term='data analytics'/><category scheme='http://www.blogger.com/atom/ns#' term='marketing'/><category scheme='http://www.blogger.com/atom/ns#' term='big data'/><category scheme='http://www.blogger.com/atom/ns#' term='privacy'/><title type='text'>No More Hide in Plain Sight</title><content type='html'>A  video recently posted to the Atlantic’s web site caught my attention.&lt;br /&gt;&lt;br /&gt;Entitled, “&lt;a href="http://www.theatlantic.com/technology/archive/2012/01/visualizing-your-personal-data-online/251703/"&gt;Visualizing your Personal Data Online&lt;/a&gt;,” I posted the video to a couple of my social media channels along with a comment about the implied privacy implications. Shortly thereafter a follower commented that the narrator made no mention of any privacy implications in the video.&lt;br /&gt;&lt;br /&gt;That got me thinking… although there was no specific reference, the implications were abundantly clear to me.&lt;br /&gt;&lt;br /&gt;First, if you haven’t seen it, the video is a 3 minute visual rendering of a host of connections that can be made about you and me as we move along in the digital world. 
Shapes and images morph in and out of frame as the narrative flows.&lt;br /&gt;&lt;br /&gt;I don’t know what the maker’s inspiration was, but the message I took away after watching was that the abundance of data we generate represents a constant torrent of puzzle pieces that can be collected and assembled into an ultra-high definition picture of who we are as citizen consumers. We have control over some of those pieces, but much of it is the result of doing things we take for granted: cell phone calls, email correspondence, television watching, web browsing, credit/debit card transactions, and all modes of modern travel.&lt;br /&gt;&lt;br /&gt;Industry and consumer watchdogs have been warning of the dangers of this volume of digital detritus for years, but it wasn’t that long ago that some could credibly counter that there was simply too much information for anyone to make sense of it all. In effect, we could hide in plain sight as our personal digital deluges were creating a digital fog that was all but impenetrable.&lt;br /&gt;&lt;br /&gt;Today, however, with the growing capabilities of Big Data analytics, that argument is obsolete. 
Instead of obfuscation, these puzzle pieces are coming into sharper and sharper focus, offering public and private entities remarkable (and remarkably troubling) ways to understand our behavior and profile individuals with pinpoint precision.&lt;br /&gt;&lt;br /&gt;Law enforcement agencies are already &lt;a href="http://www.cato-at-liberty.org/the-second-day-story-on-u-s-v-jones/"&gt;testing the limits&lt;/a&gt; of these new capabilities, and &lt;a href="http://www.ft.com/intl/cms/s/0/18ae8e6a-41c6-11e1-a586-00144feab49a.html#axzz1kP75TcuS"&gt;marketers are fairly crowing&lt;/a&gt; about how much more effective they can be on behalf of their clients with access to this data.&lt;br /&gt;&lt;br /&gt;And so I’ll say it again: Check out the video -- and its abundant privacy implications.</content><link rel='replies' type='application/atom+xml' href='http://privatecomms.blogspot.com/feeds/4046212845744083100/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=21812035&amp;postID=4046212845744083100' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/21812035/posts/default/4046212845744083100'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/21812035/posts/default/4046212845744083100'/><link rel='alternate' type='text/html' href='http://privatecomms.blogspot.com/2012/01/no-more-hide-in-plain-sight.html' title='No More Hide in Plain Sight'/><author><name>Mike Spinney</name><uri>http://www.blogger.com/profile/01938466909342152711</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' 
src='http://tinypic.com/i3tk01.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-21812035.post-4595137640566538943</id><published>2011-12-19T13:01:00.000-08:00</published><updated>2011-12-19T13:11:42.142-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='infosec'/><category scheme='http://www.blogger.com/atom/ns#' term='innovation'/><category scheme='http://www.blogger.com/atom/ns#' term='security'/><category scheme='http://www.blogger.com/atom/ns#' term='privacy'/><category scheme='http://www.blogger.com/atom/ns#' term='information security'/><title type='text'>Privacy and those Darned Whippersnappers</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/-WWdBmTNiRUk/Tu-oQMQw6vI/AAAAAAAAABE/PCvLyBEGzGw/s1600/AGBell.jpeg"&gt;&lt;img style="float:left; margin:0 10px 10px 0;cursor:pointer; cursor:hand;width: 193px; height: 261px;" src="http://2.bp.blogspot.com/-WWdBmTNiRUk/Tu-oQMQw6vI/AAAAAAAAABE/PCvLyBEGzGw/s320/AGBell.jpeg" alt="" id="BLOGGER_PHOTO_ID_5687949850515139314" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;Just finished flipping through Forbes “&lt;a href="http://www.forbes.com/sites/jeffbercovici/2011/12/19/30-under-30-in-media/"&gt;30-Under-30&lt;/a&gt;” feature ranking the top young media influencers and up-and-comers. As you might guess, the list was full of individuals who have achieved impossible success at such a tender age.  Oh to be twenty-something again, and full of promise, energy, and optimism. After all, how could so many accomplish so much in so short a time? 
Surely these kids haven’t experienced enough of life and gained sufficient knowledge in three decades to contribute much of any value, let alone earn the recognition of a publication like Forbes.&lt;br /&gt;&lt;br /&gt;Yet, while such thoughts may assuage the fragile ego of a curmudgeon who has likely already passed the halfway mark on his chronological journey, history suggests that these thirty feted individuals are in the prime of their creative lives.  Among history’s greatest inventors and innovators, most were hitting their stride by the time they were in their twenties – even if popular legend would have us believe otherwise.&lt;br /&gt;&lt;br /&gt;We envision Alexander Graham Bell as a grandfatherly old man in a white beard clutching his new invention while calling for the assistance of Dr. Watson, but Mr. Bell was only 29 when he filed his patent for the telephone. Likewise Thomas Edison is recalled as an old crank – the Wizard of Menlo Park – riding herd over a lab full of assistants, but he was 22 when he filed for his first patent.&lt;br /&gt;&lt;br /&gt;Why, then, do we ignore history and marginalize the contributions that can be made by young people in this age when digital literacy is so integral to functioning in modern society? Instead of embracing the valuable input young people can offer we devalue their experience and insight.&lt;br /&gt;&lt;br /&gt;As Peter Hinssen so clearly shows us in his book, &lt;a href="http://www.peterhinssen.com/books/the-new-normal"&gt;&lt;span style="font-style: italic;"&gt;The New Normal&lt;/span&gt;&lt;/a&gt;, the digital world that today looks so different than the analog world I and my generation grew up in is second nature to those in their twenties and younger. It’s all they’ve known, and they don’t think twice about how they interact with technology.  Adopting and adapting to a networked world in flux is the way it is, and they think differently about their relationship with technology.  
Given that, why should we expect that an approach to defining and existing in the digital realm should come from those whose outlook has mostly been influenced in another time?&lt;br /&gt;&lt;br /&gt;When it comes to privacy and information security, I think we do ourselves and the public a disservice when we attempt to change behavior based on the way things used to be.  We should instead take our cues from those who are shaping the digital world.  Facebook is a great case in point: created by college students, it was likewise embraced at first by college students (initially by design, but again once the platform was opened up to the public). The malleable nature of Facebook’s use and collection of profile information was largely reflective of the comfort level that generation has with digital sharing. But once old codgers like me got on board, we decided things had to change, and use of information had to reflect the way we wanted it.&lt;br /&gt;&lt;br /&gt;Never mind that social networking on Facebook is strictly voluntary, and putting aside that Facebook has proven to be fairly quick to respond to user complaints, digital do-gooders decided that they should be the ones who dictate how the company should operate.&lt;br /&gt;&lt;br /&gt;The digital age is one where ideas and innovation move faster than ever before.  As history has shown, those who are exerting the most influence on the shape and direction of that age are also trying to find the courage to ask their crush to the senior prom. Rather than treat them with disdain, we should ask them what they think.  
And we should have the good sense and humility to accept that we may be able to learn a thing or two from their experience.&lt;br /&gt;&lt;br /&gt;Even if they are a bunch of whippersnappers.</content><link rel='replies' type='application/atom+xml' href='http://privatecomms.blogspot.com/feeds/4595137640566538943/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=21812035&amp;postID=4595137640566538943' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/21812035/posts/default/4595137640566538943'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/21812035/posts/default/4595137640566538943'/><link rel='alternate' type='text/html' href='http://privatecomms.blogspot.com/2011/12/privacy-and-those-darned.html' title='Privacy and those Darned Whippersnappers'/><author><name>Mike Spinney</name><uri>http://www.blogger.com/profile/01938466909342152711</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://tinypic.com/i3tk01.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://2.bp.blogspot.com/-WWdBmTNiRUk/Tu-oQMQw6vI/AAAAAAAAABE/PCvLyBEGzGw/s72-c/AGBell.jpeg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-21812035.post-124005073667279597</id><published>2011-12-08T11:37:00.000-08:00</published><updated>2011-12-08T11:44:06.351-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='privacy protection'/><category scheme='http://www.blogger.com/atom/ns#' term='compliance'/><category scheme='http://www.blogger.com/atom/ns#' term='infosec'/><category 
scheme='http://www.blogger.com/atom/ns#' term='privacy'/><category scheme='http://www.blogger.com/atom/ns#' term='information security'/><title type='text'>Privacy Needs an Iron Eyes Cody</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/-FBpmg0fXGhA/TuES_3j5JYI/AAAAAAAAAAs/YwD44s3Sl4E/s1600/ironeyes.jpeg"&gt;&lt;img style="float:left; margin:0 10px 10px 0;cursor:pointer; cursor:hand;width: 202px; height: 250px;" src="http://4.bp.blogspot.com/-FBpmg0fXGhA/TuES_3j5JYI/AAAAAAAAAAs/YwD44s3Sl4E/s320/ironeyes.jpeg" alt="" id="BLOGGER_PHOTO_ID_5683845093173831042" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;p class="MsoNormal"&gt;Yes, I play in the privacy sandbox less since moving over to cloud-focused EMC, but I still have regular conversations and keep track of the major issues.&lt;br /&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;In one such recent conversation I felt compelled to preface the discussion with a disclaimer: “I am not a technologist, and I am not a lawyer, but I also don’t believe that privacy issues can be solved with technology or regulations.” A bit smug, perhaps, 
but it’s the truth. The major privacy issues facing businesses today have very little to do with too much or too little technology, too many or too few laws. The issues are rooted in human behavior – employees who have habits that are not privacy or security friendly, individuals who are not privacy-aware, and miscreants who don’t give a fig about your privacy or mine.&lt;br /&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;When you begin with that premise, I don’t think you have much choice but to view technology and law as tools that are part of a bigger solution to the problem rather than the pillar upon which the solution must be perched. You also have to take a long view toward arriving at anything resembling a solution.&lt;br /&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;Changing human behavior across an entire culture takes time – usually a lot of time – but with persistence, patience, and the right strategy it can be done. I think of our national attitude toward pollution as an example of a successful shift in human behavior. As a kid growing up in the late ’60s and early ’70s, I saw the American landscape at a time when it was shockingly dirty. Trash, pollution, and urban blight were everywhere. The medians on every highway in the land were garbage dumps; our rivers were open cesspools; and the sky was dark with industrial exhaust.&lt;br /&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;It didn’t happen overnight, but when we decided to do something about it, things started to change. 
After years of work to raise awareness of the problem, the advent of the 1970s brought about things like Earth Day, the Environmental Protection Agency and &lt;a href="http://www.youtube.com/watch?v=j7OHG7tHrNM"&gt;Iron Eyes Cody’s famous tear&lt;/a&gt;. As the Keep America Beautiful campaign said, “People start pollution. People can stop pollution.” Were laws passed? Of course, but laws didn’t clean up the environment and pick up the trash, nor did the millions of new trash receptacles fill themselves. People’s attitudes and habits had to change, and, with our collective eyes opened and consciences shocked, we did.&lt;/p&gt;&lt;p class="MsoNormal"&gt;I believe the same approach can work with privacy. Help consumers understand that they can and should expect more from their digital experience. Make them aware of their situation and their risk; educate them and equip them with the information they need to respond to organizations; give them a voice and a way to amplify it and things will change. 
Consumers will also take this newfound attitude and information into the workplace where their awareness will translate into greater responsibility with the sensitive information entrusted to them, helping to curb the instances of human error leading to the compromise of personally identifiable information and other valuable data.&lt;br /&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;It won’t happen overnight, but it can happen.&lt;/p&gt;</content><link rel='replies' type='application/atom+xml' href='http://privatecomms.blogspot.com/feeds/124005073667279597/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=21812035&amp;postID=124005073667279597' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/21812035/posts/default/124005073667279597'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/21812035/posts/default/124005073667279597'/><link rel='alternate' type='text/html' href='http://privatecomms.blogspot.com/2011/12/privacy-needs-iron-eyes-cody.html' title='Privacy Needs an Iron Eyes Cody'/><author><name>Mike Spinney</name><uri>http://www.blogger.com/profile/01938466909342152711</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://tinypic.com/i3tk01.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://4.bp.blogspot.com/-FBpmg0fXGhA/TuES_3j5JYI/AAAAAAAAAAs/YwD44s3Sl4E/s72-c/ironeyes.jpeg' height='72' 
width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-21812035.post-8543750791020169418</id><published>2011-12-01T07:18:00.000-08:00</published><updated>2011-12-01T07:25:22.723-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='trust'/><category scheme='http://www.blogger.com/atom/ns#' term='compliance'/><category scheme='http://www.blogger.com/atom/ns#' term='risk'/><category scheme='http://www.blogger.com/atom/ns#' term='healthcare'/><category scheme='http://www.blogger.com/atom/ns#' term='data breach'/><category scheme='http://www.blogger.com/atom/ns#' term='privacy'/><category scheme='http://www.blogger.com/atom/ns#' term='information security'/><title type='text'>Healthcare Industry Takes $6.5B Hit Over Poor Information Security</title><content type='html'>&lt;p class="MsoNormal"&gt;Technology’s supposed to make us more efficient; more productivity for each hour we invest in a project. 
It also means less cost associated with the effort. Without the cost benefit, after all, why bother with efficiency?&lt;br /&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;During the last year or so we’ve seen the evidence of this productivity increase with each new round of earnings reports. This has been a fantastic year for corporate profits, even as the grass roots economy remains in the toilet. While unemployment remains stubbornly above 9 percent nationally, and with even more people out of work but off the books, companies are making record profits making and selling their products and services without adding payroll.&lt;br /&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;If you are among the un/under-employed, you might not think it’s a very fair shake, but we’ll leave that debate to the &lt;a href="http://occupywallst.org/about/"&gt;Occupy &lt;/a&gt;protesters and their foes in D.C. and on Wall Street. For business managers, however, it’s a pretty good deal – invest in new technology and see profits rise.&lt;br /&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;Yet a &lt;a href="http://www.ponemon.org/blog/post/second-annual-patient-privacy-study-released"&gt;study released today&lt;/a&gt; by my friends at the &lt;a href="http://www.ponemon.org"&gt;Ponemon Institute&lt;/a&gt;, sponsored by &lt;a href="http://www2.idexpertscorp.com/"&gt;ID Experts&lt;/a&gt;, shows that not every industry seems to understand that cost savings aren’t just about reducing workforce; they’re about investing in the right resources. Yes, I’m looking at you, healthcare.&lt;br /&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;For industries and organizations that deal with large volumes of sensitive information, information security is not optional, yet it seems many healthcare and related companies 
are trying to cut costs by ignoring their obligations to safeguard patient data and comply with regulations. They are operating in the digital age and a world of mobility and Big Data, but with antiquated policies created for a time when information moved largely on paper. According to Ponemon, poor information security and inadequate data management cost the healthcare industry $6.5 billion last year.&lt;br /&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;As the &lt;a href="http://www.marketwatch.com/story/new-ponemon-institute-study-shows-majority-of-next-generation-firewall-deployments-supplement-existing-security-solutions-2011-11-14"&gt;press release&lt;/a&gt; announcing the study points out, that $6.5 billion would have been enough to employ more than 81,000 nurses – or to equip the overworked medical administrative staffers with the right tools and training to do their jobs in a manner befitting the trust their patients put in them each day – trust, by the way, that is rapidly eroding. Hey, if you are going to spend that $6.5 billion anyway, why not invest it in the tools to protect information, preserve trust, and provide operational efficiency rather than pay fines, legal fees, and audit costs?&lt;br /&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;Do it right and the costs might actually decline next year. But I won’t be holding my breath; if I pass out, I might end up in the hospital, and &lt;a href="http://www.eweek.com/c/a/Health-Care-IT/Patients-Sue-Sutter-Health-Over-Data-Breach-Involving-424-Million-People-413481/"&gt;I don’t trust them to keep my information safe&lt;/a&gt;.&lt;/p&gt;</content><link rel='replies' type='application/atom+xml' href='http://privatecomms.blogspot.com/feeds/8543750791020169418/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=21812035&amp;postID=8543750791020169418' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/21812035/posts/default/8543750791020169418'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/21812035/posts/default/8543750791020169418'/><link rel='alternate' type='text/html' href='http://privatecomms.blogspot.com/2011/12/healthcare-industry-takes-65b-hit-over.html' title='Healthcare Industry Takes $6.5B Hit Over Poor Information Security'/><author><name>Mike Spinney</name><uri>http://www.blogger.com/profile/01938466909342152711</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://tinypic.com/i3tk01.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-21812035.post-5456832187970843106</id><published>2011-08-19T04:21:00.001-07:00</published><updated>2011-08-19T04:49:12.194-07:00</updated><title type='text'>Comfort</title><content type='html'>Ever notice how comfortable you are in a trusting relationship?&lt;br /&gt;&lt;br /&gt;Whether business or personal, when you trust your partner, you don't spend a lot of time worrying about what's happening when you aren't there to participate or observe.  There's a confidence that allows you to focus on doing things you need to do on your own instead of spending time fretting over what you can't control.&lt;br /&gt;&lt;br /&gt;That level of comfort doesn't happen at the outset of the relationship; it builds over time. 
It is the result of repeated, faithful execution of responsibility.  A few components of building that kind of trust include meeting (and exceeding) expectations; keeping up respective ends of a bargain; and constant and open communication.&lt;br /&gt;&lt;br /&gt;A major breach of trust can set back a relationship and potentially even put a relationship in jeopardy.  Multiple smaller breaches of trust can have the same effect.&lt;br /&gt;&lt;br /&gt;What constitutes a breach of trust? There are obvious things, but each relationship is different, and the key to knowing (as well as avoiding and enduring those events) is communication.  &lt;br /&gt;</content><link rel='replies' type='application/atom+xml' href='http://privatecomms.blogspot.com/feeds/5456832187970843106/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=21812035&amp;postID=5456832187970843106' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/21812035/posts/default/5456832187970843106'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/21812035/posts/default/5456832187970843106'/><link rel='alternate' type='text/html' href='http://privatecomms.blogspot.com/2011/08/comfort.html' title='Comfort'/><author><name>Mike Spinney</name><uri>http://www.blogger.com/profile/01938466909342152711</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' 
src='http://tinypic.com/i3tk01.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-21812035.post-1388682919151946914</id><published>2011-08-12T04:47:00.000-07:00</published><updated>2011-08-12T04:57:28.736-07:00</updated><title type='text'>Social Media Marketing (but no trust?)</title><content type='html'>Flipped through a presentation from HubSpot, &lt;a href="http://www.hubspot.com/charts"&gt;100 Awesome Marketing Charts&lt;/a&gt; (&lt;span style="font-style: italic;"&gt;registration required&lt;/span&gt;), which I found interesting, but one thing was missing: trust. No mention of trust which, in my experience, is often the critical ingredient to making a decision online.&lt;br /&gt;&lt;br /&gt;However rigidly or loosely an individual determines trust, with all else being equal, the more trusted element - be it a search result, a targeted advertisement, a social media invite, a hot link, etc. - is the one that is most likely to be chosen.&lt;br /&gt;&lt;br /&gt;If you are investing aggressively in an online, social, or behavioral marketing campaign, paying attention to the trust factor must be a consideration.&lt;br /&gt;&lt;br /&gt;What do you think?
&lt;br /&gt;</content><link rel='replies' type='application/atom+xml' href='http://privatecomms.blogspot.com/feeds/1388682919151946914/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=21812035&amp;postID=1388682919151946914' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/21812035/posts/default/1388682919151946914'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/21812035/posts/default/1388682919151946914'/><link rel='alternate' type='text/html' href='http://privatecomms.blogspot.com/2011/08/social-media-marketing-but-no-trust.html' title='Social Media Marketing (but no trust?)'/><author><name>Mike Spinney</name><uri>http://www.blogger.com/profile/01938466909342152711</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://tinypic.com/i3tk01.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-21812035.post-6177591964078580759</id><published>2011-07-19T06:22:00.000-07:00</published><updated>2011-07-19T06:42:30.112-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='trust'/><category scheme='http://www.blogger.com/atom/ns#' term='risk'/><category scheme='http://www.blogger.com/atom/ns#' term='change'/><title type='text'>Harvard Business Review on Communicating Change</title><content type='html'>Last week I wrote about &lt;a href="http://privatecomms.blogspot.com/2011/07/trust-and-3pt-model.html"&gt;Trust and the 3PT Model&lt;/a&gt;, and how it is essential to communicate IT-driven change down the chain of command in order to get rank-and-file buy-in on major new initiatives -- or risk 
employee revolt and potential project failure.&lt;br /&gt;&lt;br /&gt;Today a colleague forwarded a blog post from Chris Musselwhite and Tammie Plouffe, writing for the &lt;span style="font-style: italic;"&gt;Harvard Business Review,&lt;/span&gt; entitled &lt;a href="http://blogs.hbr.org/cs/2011/07/communicating_change_as_busine.html"&gt;Communicating Change as Business as Usual&lt;/a&gt;, that makes much the same case, though with broader application (and the credibility of the Harvard brand).&lt;br /&gt;&lt;br /&gt;The penultimate paragraph is worth repeating here:&lt;br /&gt;&lt;br /&gt;"Changing the way you communicate and position change has the potential  to transform the way change is perceived and embraced across your  organization. Why fight the uphill battle of trying to communicate,  develop and inspire your people toward making a change, when you can  communicate, develop and inspire people toward making the organization —  and themselves — the best in the business?"&lt;br /&gt;&lt;br /&gt;It's worth repeating that your ability to get people to recognize change as an opportunity, rather than a threat, may be the most important thing you can do in managing a project. 
The unknown can be a frightening thing, but I believe optimism is contagious and that people are inclined to be inspired by a leader who conveys positive confidence.&lt;br /&gt;&lt;br /&gt;Spreading the contagion of optimism, however, requires effective communication.</content><link rel='replies' type='application/atom+xml' href='http://privatecomms.blogspot.com/feeds/6177591964078580759/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=21812035&amp;postID=6177591964078580759' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/21812035/posts/default/6177591964078580759'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/21812035/posts/default/6177591964078580759'/><link rel='alternate' type='text/html' href='http://privatecomms.blogspot.com/2011/07/harvard-business-review-on.html' title='Harvard Business Review on Communicating Change'/><author><name>Mike Spinney</name><uri>http://www.blogger.com/profile/01938466909342152711</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://tinypic.com/i3tk01.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-21812035.post-7725998752103927634</id><published>2011-07-15T10:39:00.001-07:00</published><updated>2011-07-15T10:51:28.965-07:00</updated><title type='text'>Trust and the 3PT Model</title><content type='html'>I read a lot about the &lt;a href="http://corporateprivacygroup.com/3pt-act"&gt;3PT&lt;/a&gt; (people, process, policy, technology) model for establishing trust in a computing environment, and I hear that model touted as the key to establishing trust in cloud 
computing especially.  And for the record, I agree with the 3PT approach.&lt;br /&gt;&lt;br /&gt;But an element of 3PT that is often overlooked, as it applies to the people, goes well beyond training and awareness of good, safe computing practice: it lies in helping them to see the ongoing changes in the environment that provides them with their personal security -- their income and occupation -- as an opportunity for themselves, and not just for the company they work for.&lt;br /&gt;&lt;br /&gt;If cloud computing, or any significant change in the workplace for that matter, is seen as a threat to job security, the people will become barriers to success, rather than facilitators of success.  And when people mentally check out of their job, the element of risk and the opportunity for compromise skyrocket.&lt;br /&gt;&lt;br /&gt;For an important illustration of how big a risk one checked-out individual can be to information security, look no further than &lt;a href="http://www.theatlantic.com/technology/archive/2011/07/bradley-manning-the-person-the-making-of-the-worlds-most-notorious-leaker/241920/"&gt;Bradley Manning&lt;/a&gt;.</content><link rel='replies' type='application/atom+xml' href='http://privatecomms.blogspot.com/feeds/7725998752103927634/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=21812035&amp;postID=7725998752103927634' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/21812035/posts/default/7725998752103927634'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/21812035/posts/default/7725998752103927634'/><link rel='alternate' type='text/html' 
href='http://privatecomms.blogspot.com/2011/07/trust-and-3pt-model.html' title='Trust and the 3PT Model'/><author><name>Mike Spinney</name><uri>http://www.blogger.com/profile/01938466909342152711</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://tinypic.com/i3tk01.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-21812035.post-4382562027547453042</id><published>2011-06-22T10:11:00.004-07:00</published><updated>2011-06-22T10:16:44.220-07:00</updated><title type='text'>Hollis Examines Trust in the Cloud</title><content type='html'>&lt;h3 style="margin:0in;margin-bottom:.0001pt"&gt;&lt;span style="font-size:11.0pt; font-family:&amp;quot;Calibri&amp;quot;,&amp;quot;sans-serif&amp;quot;;mso-ascii-theme-font:minor-latin;mso-hansi-theme-font: minor-latin;font-weight:normal;mso-bidi-font-weight:bold"&gt;Chuck Hollis’ blog post, &lt;a href="http://chucksblog.emc.com/chucks_blog/2011/06/harris-what-it-takes-to-build-a-trusted-cloud.html"&gt;Harris: What It Takes To Build A Trusted Cloud&lt;/a&gt;, includes a line that I think is important and worth repeating: “[C]loud has the foundation to be &lt;em&gt;&lt;span 
style="font-family:&amp;quot;Calibri&amp;quot;,&amp;quot;sans-serif&amp;quot;;mso-ascii-theme-font:minor-latin; mso-hansi-theme-font:minor-latin"&gt;more secure and more trusted than anything most enterprise IT organizations could do themselves.”&lt;/span&gt;&lt;/em&gt;&lt;em&gt;&lt;span style="font-family:&amp;quot;Calibri&amp;quot;,&amp;quot;sans-serif&amp;quot;;mso-ascii-theme-font:minor-latin; mso-hansi-theme-font:minor-latin;font-style:normal;mso-bidi-font-style:italic"&gt;&lt;/span&gt;&lt;/em&gt;&lt;/span&gt;&lt;/h3&gt;   &lt;h3 style="margin:0in;margin-bottom:.0001pt"&gt;&lt;em&gt;&lt;span style="font-size:11.0pt; font-family:&amp;quot;Calibri&amp;quot;,&amp;quot;sans-serif&amp;quot;;mso-ascii-theme-font:minor-latin;mso-hansi-theme-font: minor-latin;font-weight:normal;mso-bidi-font-weight:bold;font-style:normal; mso-bidi-font-style:italic"&gt; &lt;/span&gt;&lt;/em&gt;&lt;/h3&gt;   &lt;h3 style="margin:0in;margin-bottom:.0001pt"&gt;&lt;em&gt;&lt;span style="font-size:11.0pt; font-family:&amp;quot;Calibri&amp;quot;,&amp;quot;sans-serif&amp;quot;;mso-ascii-theme-font:minor-latin;mso-hansi-theme-font: minor-latin;font-weight:normal;mso-bidi-font-weight:bold;font-style:normal; mso-bidi-font-style:italic"&gt;That’s a controversial statement in the face of the prevailing opinion that cloud computing is too inherently insecure to trust.&lt;/span&gt;&lt;/em&gt;&lt;/h3&gt;   &lt;h3 style="margin:0in;margin-bottom:.0001pt"&gt;&lt;em&gt;&lt;span style="font-size:11.0pt; font-family:&amp;quot;Calibri&amp;quot;,&amp;quot;sans-serif&amp;quot;;mso-ascii-theme-font:minor-latin;mso-hansi-theme-font: minor-latin;font-weight:normal;mso-bidi-font-weight:bold;font-style:normal; mso-bidi-font-style:italic"&gt; &lt;/span&gt;&lt;/em&gt;&lt;/h3&gt;   &lt;h3 style="margin:0in;margin-bottom:.0001pt"&gt;&lt;em&gt;&lt;span style="font-size:11.0pt; font-family:&amp;quot;Calibri&amp;quot;,&amp;quot;sans-serif&amp;quot;;mso-ascii-theme-font:minor-latin;mso-hansi-theme-font: 
minor-latin;font-weight:normal;mso-bidi-font-weight:bold;font-style:normal; mso-bidi-font-style:italic"&gt;Let’s call BS on the fear mongers who echo that sentiment. &lt;span style="mso-spacerun:yes"&gt; &lt;/span&gt;First, cloud adoption trends show that clearer heads are prevailing. Last year &lt;a href="http://www.gartner.com/technology/home.jsp"&gt;Gartner&lt;/a&gt; said that 35% of companies had already adopted cloud in some form, and another 30% planned on doing so this year.&lt;span style="mso-spacerun:yes"&gt;  &lt;/span&gt;That means that by the end of this year, assuming Gartner’s projections hold true, nearly half (35% + 30% of the remaining 65% = 48%) of companies will have moved some portion of their operations to the cloud.&lt;/span&gt;&lt;/em&gt;&lt;/h3&gt;   &lt;h3 style="margin:0in;margin-bottom:.0001pt"&gt;&lt;em&gt;&lt;span style="font-size:11.0pt; font-family:&amp;quot;Calibri&amp;quot;,&amp;quot;sans-serif&amp;quot;;mso-ascii-theme-font:minor-latin;mso-hansi-theme-font: minor-latin;font-weight:normal;mso-bidi-font-weight:bold;font-style:normal; mso-bidi-font-style:italic"&gt; &lt;/span&gt;&lt;/em&gt;&lt;/h3&gt;   &lt;h3 style="margin:0in;margin-bottom:.0001pt"&gt;&lt;em&gt;&lt;span style="font-size:11.0pt; font-family:&amp;quot;Calibri&amp;quot;,&amp;quot;sans-serif&amp;quot;;mso-ascii-theme-font:minor-latin;mso-hansi-theme-font: minor-latin;font-weight:normal;mso-bidi-font-weight:bold;font-style:normal; mso-bidi-font-style:italic"&gt;Why would they do that if the cloud is such a risky place to be?&lt;span style="mso-spacerun:yes"&gt;  &lt;/span&gt;Chuck’s blog examines that question in sufficient detail, but in simpler terms, cloud naysayers rely on faulty logic when uttering their lamentations.&lt;span style="mso-spacerun:yes"&gt;  &lt;/span&gt;Their argument assumes that enterprises are secure environments, when the evidence clearly shows otherwise. 
Astute CIOs recognize that cloud adoption allows them to simplify their own IT.&lt;span style="mso-spacerun:yes"&gt;  &lt;/span&gt;As my motto, &lt;span style="font-style: italic;"&gt;O Sancta Simplicitas&lt;/span&gt;! suggests, I’m a big fan of simplicity. Simpler means fewer moving parts and fewer opportunities for a breakdown in security.&lt;/span&gt;&lt;/em&gt;&lt;/h3&gt;   &lt;h3 style="margin:0in;margin-bottom:.0001pt"&gt;&lt;em&gt;&lt;span style="font-size:11.0pt; font-family:&amp;quot;Calibri&amp;quot;,&amp;quot;sans-serif&amp;quot;;mso-ascii-theme-font:minor-latin;mso-hansi-theme-font: minor-latin;font-weight:normal;mso-bidi-font-weight:bold;font-style:normal; mso-bidi-font-style:italic"&gt; &lt;/span&gt;&lt;/em&gt;&lt;/h3&gt;   &lt;h3 style="margin:0in;margin-bottom:.0001pt"&gt;&lt;em&gt;&lt;span style="font-size:11.0pt; font-family:&amp;quot;Calibri&amp;quot;,&amp;quot;sans-serif&amp;quot;;mso-ascii-theme-font:minor-latin;mso-hansi-theme-font: minor-latin;font-weight:normal;mso-bidi-font-weight:bold;font-style:normal; mso-bidi-font-style:italic"&gt;It also means you should choose your partners with care since you can outsource operations, but you can’t outsource liability.&lt;/span&gt;&lt;/em&gt;&lt;/h3&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/21812035-4382562027547453042?l=privatecomms.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://privatecomms.blogspot.com/feeds/4382562027547453042/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=21812035&amp;postID=4382562027547453042' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/21812035/posts/default/4382562027547453042'/><link rel='self' type='application/atom+xml' 
href='http://www.blogger.com/feeds/21812035/posts/default/4382562027547453042'/><link rel='alternate' type='text/html' href='http://privatecomms.blogspot.com/2011/06/hollis-examines-trust-in-cloud.html' title='Hollis Examines Trust in the Cloud'/><author><name>Mike Spinney</name><uri>http://www.blogger.com/profile/01938466909342152711</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://tinypic.com/i3tk01.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-21812035.post-4980046640263120865</id><published>2011-06-20T07:32:00.001-07:00</published><updated>2011-06-20T07:38:29.933-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='http://www.blogger.com/img/blank.gif'/><title type='text'>Trust and Lord Stanley's Cup</title><content type='html'>&lt;p class="MsoNormal" style="margin-bottom: 0.0001pt; line-height: normal;"&gt;We’ve been a little distracted in the New England region lately thanks to the success of the &lt;a href="http://bruins.nhl.com/"&gt;Boston Bruins&lt;/a&gt;.&lt;span style="mso-spacerun:yes"&gt;  &lt;/span&gt;Now that I’ve resumed activity on this blog I’ve been wracking my brain trying to make a connection between the team winning the &lt;a 
href="http://sports.nationalpost.com/2011/06/15/bruins-top-canucks-to-win-stanley-cup/"&gt;Stanley Cup&lt;/a&gt; and the issue of trust, but the connection wasn’t nearly as difficult as I was making it seem.&lt;/p&gt;&lt;p class="MsoNormal" style="margin-bottom: 0.0001pt; line-height: normal;"&gt;Consider the statement made by hockey great &lt;a href="http://www.gretzky.com/hockey/bio.php"&gt;Wayne Gretzky&lt;/a&gt; who once explained his prolific success as a goal scorer by saying, “I skate to where the puck is going to be.”&lt;/p&gt;&lt;p class="MsoNormal" style="margin-bottom: 0.0001pt; line-height: normal;"&gt;The Great One’s advice is logical, but how do you know where the puck is going to be?&lt;/p&gt;&lt;p class="MsoNormal" style="margin-bottom: 0.0001pt; line-height: normal;"&gt;At times it may be a simple matter of calculating speed and trajectory, but most of the time the skater must have trust in a teammate to execute on a set play in such a way that the skater knows where the puck will be delivered in advance of a pass being made.&lt;span style="mso-spacerun:yes"&gt;  &lt;/span&gt;Likewise, the passer needs to trust that the skater will be at the right place at the right time, giving him confidence that the pass will be completed.&lt;/p&gt;&lt;p class="MsoNormal" style="margin-bottom: 0.0001pt; line-height: normal;"&gt;Trust, after all, is a transactional relationship.&lt;span style="mso-spacerun:yes"&gt;  &lt;/span&gt;Without trust it becomes difficult to invest in another party or object to achieve a desired goal.&lt;span style="mso-spacerun:yes"&gt;  &lt;/span&gt;If I trust the ladder, I’ll climb the rungs in order to reach the desired height.&lt;span style="mso-spacerun:yes"&gt;  &lt;/span&gt;If I trust the aircraft and its pilot, I’ll climb on board to reach the desired destination.&lt;span style="mso-spacerun:yes"&gt;  &lt;/span&gt;If I lack trust in either, I won’t get very far.&lt;/p&gt;&lt;p class="MsoNormal" style="margin-bottom: 0.0001pt; 
line-height: normal;"&gt;The Bruins trusted in each other to be where they needed to be when they needed to be there, whether that meant skating to the appointed position, standing up for one another when play got chippy, or simply keeping a cool head when emotions threatened to take over.&lt;span style="mso-spacerun:yes"&gt;  &lt;/span&gt;It took seven games, but for a team that was, by all objective accounts, over-matched in terms of pure hockey skill, that trust was rewarded with a championship trophy.&lt;/p&gt;&lt;p class="MsoNormal" style="margin-bottom: 0.0001pt; line-height: normal;"&gt;Today, with so much attention being paid to data security, information privacy, and operational integrity, trust has become a major transactional gate.&lt;span style="mso-spacerun:yes"&gt;  &lt;/span&gt;It is difficult, if not impossible, to accurately measure trust, and recent events conspire to cause more companies and individuals to give some thought to whether they do or do not trust the parties with which they are considering doing business.&lt;span style="mso-spacerun:yes"&gt;  &lt;/span&gt;Ignoring the critical trust component may well result in an embarrassing security event, the result of which will be a loss of trust, loss of customers, and loss of business opportunity.&lt;/p&gt;&lt;p class="MsoNormal" style="margin-bottom:0in;margin-bottom:.0001pt;line-height: normal"&gt;We’ll explore the issue of trust in future editions of this blog.&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/21812035-4980046640263120865?l=privatecomms.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://privatecomms.blogspot.com/feeds/4980046640263120865/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=21812035&amp;postID=4980046640263120865' title='0 Comments'/><link rel='edit' 
type='application/atom+xml' href='http://www.blogger.com/feeds/21812035/posts/default/4980046640263120865'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/21812035/posts/default/4980046640263120865'/><link rel='alternate' type='text/html' href='http://privatecomms.blogspot.com/2011/06/trust-and-lord-stanleys-cup.html' title='Trust and Lord Stanley&apos;s Cup'/><author><name>Mike Spinney</name><uri>http://www.blogger.com/profile/01938466909342152711</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://tinypic.com/i3tk01.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-21812035.post-598910576909150748</id><published>2011-06-14T14:26:00.000-07:00</published><updated>2011-06-14T14:29:34.714-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='trust'/><category scheme='http://www.blogger.com/atom/ns#' term='compliance'/><category scheme='http://www.blogger.com/atom/ns#' term='privacy'/><title type='text'>I'm Baa-aack!</title><content type='html'>After a couple years of focusing my blogging efforts on providing content for the &lt;a href="http://www.ponemon.org"&gt;Ponemon Institute&lt;/a&gt;, I’ve decided to revive Private Communications.&lt;br /&gt;&lt;br /&gt;For five years I worked as an independent contractor/consultant in the area of privacy and communications.  And while I gave up the glamorous life of self employment this past March in order to take up a new (and decidedly less public) challenge at &lt;a href="http://www.emc.com"&gt;EMC&lt;/a&gt;, it doesn’t mean that I’m out of the privacy game.  To the contrary, EMC’s focus on cloud computing and big data means there will be plenty of opportunities to put my wealth of knowledge and experience to use.  
Issues like trust and &lt;a href="http://www.emc.com/collateral/about/news/ponemon-report-egrc.pdf"&gt;governance, risk and compliance (GRC)&lt;/a&gt; all intersect with where EMC is and where it is headed.&lt;br /&gt;&lt;br /&gt;I will speak for myself in this forum and not for my employer.  I have no role in policy here, nor do I have any authority to make statements on behalf of EMC.  I may be inspired by some of the things we’re doing, but don’t flatter me by thinking I have any special insight specific to EMC.  I don’t.&lt;br /&gt;&lt;br /&gt;If you decide to make any investment decisions based on anything I write here, you are a fool.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/21812035-598910576909150748?l=privatecomms.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://privatecomms.blogspot.com/feeds/598910576909150748/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=21812035&amp;postID=598910576909150748' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/21812035/posts/default/598910576909150748'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/21812035/posts/default/598910576909150748'/><link rel='alternate' type='text/html' href='http://privatecomms.blogspot.com/2011/06/im-baa-aack.html' title='I&apos;m Baa-aack!'/><author><name>Mike Spinney</name><uri>http://www.blogger.com/profile/01938466909342152711</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' 
src='http://tinypic.com/i3tk01.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-21812035.post-1905762684006728282</id><published>2009-08-13T18:05:00.000-07:00</published><updated>2009-08-13T18:10:15.045-07:00</updated><title type='text'>An Unscientific Poll on Social Nets and Information Security</title><content type='html'>This morning I, along with identity theft expert &lt;a href="http://www.thinklikeaspy.com/"&gt;John Sileo&lt;/a&gt;, delivered a webinar on the security and privacy impact of social networking. A timely topic and, judging by the number of people attending (102 on the live broadcast), of interest to a lot of folks.&lt;br /&gt;&lt;br /&gt;Given the length of time (45 minutes) we really had to treat this in a broad manner, aiming to raise awareness more than provide any detailed description of how various utilities may have specific impacts on information security.&lt;br /&gt; &lt;br /&gt;(You can view the recorded presentation &lt;a href="http://www.brighttalk.com/webcasts/4971/play%20"&gt;here&lt;/a&gt;, if you are interested.)&lt;br /&gt;&lt;br /&gt;Rather than rehash the issues discussed during the webinar, I thought it might be worthwhile sharing the results of the polling we did during the presentation. 
The methodology was unscientific, but the results were interesting just the same.&lt;br /&gt;&lt;br /&gt;Attendee use of the “Big Four” social networking sites (Facebook, MySpace, LinkedIn, Twitter):&lt;br /&gt;10% not users&lt;br /&gt;33% used one&lt;br /&gt;33% used two&lt;br /&gt;18% used three&lt;br /&gt;5% used four&lt;br /&gt;(Due to format constraints we didn’t ask which specific utilities were the ones being used.)&lt;br /&gt;&lt;br /&gt;What percentage of employees are estimated to be users of online social networks?&lt;br /&gt;40% said 75% or more&lt;br /&gt;27% said 50-75%&lt;br /&gt;30% said 25-50%&lt;br /&gt;3% said under 25%&lt;br /&gt;0% said zero&lt;br /&gt;&lt;br /&gt;What is the primary use of social networks within the attendees’ company?&lt;br /&gt;4% said sales tool&lt;br /&gt;46% said PR/brand awareness&lt;br /&gt;0% said customer service monitoring/engagement&lt;br /&gt;19% said internal communications/team building&lt;br /&gt;31% “Hello?  Is this thing on?”&lt;br /&gt;&lt;br /&gt;Attendees’ view of their organization’s awareness of the infosec/privacy risks associated with social networking:&lt;br /&gt;24% said policy &amp;amp; training are fully developed&lt;br /&gt;28% said there’s a plan in place, but it is insufficient&lt;br /&gt;2% said they are in the planning stages&lt;br /&gt;16% said they need to get moving&lt;br /&gt;&lt;br /&gt;All of these results were interesting to me. I was surprised that only 23% (aggregate) of attendees said they used three or more of the Big Four, but perhaps I’m just exposing my personal bias given my use of Facebook, Twitter, and LinkedIn. But the poll result that I found most fascinating was the last one.&lt;br /&gt;&lt;br /&gt;Although the poll is far from reliable, I was surprised that only 24% of those responding to it believed their organization had a fully developed plan in place to address the risks associated with social networking. 
Nearly half of the organizations (48% aggregate) don’t have a plan in place, and 28% have a plan, but one that is insufficient to meet the risks we discussed.&lt;br /&gt;&lt;br /&gt;At the end we outlined the steps toward implementation of a working security strategy:&lt;br /&gt;•       Acknowledge&lt;br /&gt;•       Understand&lt;br /&gt;•       Decide&lt;br /&gt;•       Develop&lt;br /&gt;•       Educate&lt;br /&gt;•       Reinforce&lt;br /&gt;&lt;br /&gt;If these figures, along with an abundance of anecdotal evidence, mean anything, it is that we have a long way to go before most companies can move beyond step two and start making informed decisions about data privacy and security in the age of online social networks.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/21812035-1905762684006728282?l=privatecomms.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://privatecomms.blogspot.com/feeds/1905762684006728282/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=21812035&amp;postID=1905762684006728282' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/21812035/posts/default/1905762684006728282'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/21812035/posts/default/1905762684006728282'/><link rel='alternate' type='text/html' href='http://privatecomms.blogspot.com/2009/08/unscientific-poll-on-social-nets-and.html' title='An Unscientific Poll on Social Nets and Information Security'/><author><name>Mike Spinney</name><uri>http://www.blogger.com/profile/01938466909342152711</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' 
src='http://tinypic.com/i3tk01.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-21812035.post-2143238581012989385</id><published>2009-05-12T13:18:00.001-07:00</published><updated>2009-05-12T13:28:52.945-07:00</updated><title type='text'>Did I Just Use the term "Big Brother?"</title><content type='html'>Yes, I know it's well beyond cliche at this point, but I've put the term "Big Brother" into circulation in my latest piece at Spot-On: &lt;a href="http://www.spot-on.com/archives/spinney/2009/05/big_brothers_riding_shotgun.html"&gt;Big Brother's Riding Shotgun&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;I hope the piece is thought provoking.  I'm more than a little disturbed at how quickly state and federal agencies seem to have embraced GPS tracking technology, and how little protection you and I seem to have.&lt;br /&gt;&lt;br /&gt;To be clear, I don't have a problem with convicted criminals being fitted with GPS anklets as a condition for parole or other release programs, but warrantless use of GPS to track suspects?  Mandatory use of GPS to assess road taxes?&lt;br /&gt;&lt;br /&gt;What's also disturbing is how public agencies seem more than aware of the chilling implications for privacy and liberty (they acknowledge the issue in every circumstance), but how little they worry about the effects of adopting tracking technology for their ends.  If it means a new way of collecting tax revenue, their logic seems to go, sign us up... consequences be damned.&lt;br /&gt;&lt;br /&gt;I just don't like the direction this trend is headed.  I'm also more than a little concerned at the lack of public outcry.  
To steal my own closing statement, have the Sons of Liberty lost their voice?&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/21812035-2143238581012989385?l=privatecomms.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://privatecomms.blogspot.com/feeds/2143238581012989385/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=21812035&amp;postID=2143238581012989385' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/21812035/posts/default/2143238581012989385'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/21812035/posts/default/2143238581012989385'/><link rel='alternate' type='text/html' href='http://privatecomms.blogspot.com/2009/05/did-i-just-use-term-big-brother.html' title='Did I Just Use the term &quot;Big Brother?&quot;'/><author><name>Mike Spinney</name><uri>http://www.blogger.com/profile/01938466909342152711</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://tinypic.com/i3tk01.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-21812035.post-425315996948673407</id><published>2009-04-27T07:03:00.000-07:00</published><updated>2009-04-27T07:13:54.386-07:00</updated><title type='text'>Gambling with Laptop Security</title><content type='html'>I'm now blogging at Ponemon.org in my capacity there as senior privacy analyst.  
My observations on two recent studies related to laptop computer security are the focus of my &lt;a href="http://www.ponemon.org/blog/post/gambling-with-laptop-security"&gt;first post&lt;/a&gt; there.&lt;br /&gt;&lt;br /&gt;Rather than simply cut-and-paste the entire post, here's the highlight:&lt;br /&gt;&lt;br /&gt;In the first study we found that 49% of those surveyed believed the cost of the laptop computer itself was of equal or greater value than the information held by the laptop computer.&lt;br /&gt;&lt;br /&gt;According to our second study, the average replacement cost of a lost laptop computer was $1,500.  The average total cost as a result of the loss of a laptop computer was just under $50,000.&lt;br /&gt;&lt;br /&gt;How many &lt;a href="http://www.internetnews.com/security/article.php/3817256/Laptop+Theft+Loses+1M+Social+Security+Numbers.htm"&gt;breaches&lt;/a&gt; must occur due to the loss of a laptop computer before this simple message gets through to the business community?&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/21812035-425315996948673407?l=privatecomms.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://privatecomms.blogspot.com/feeds/425315996948673407/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=21812035&amp;postID=425315996948673407' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/21812035/posts/default/425315996948673407'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/21812035/posts/default/425315996948673407'/><link rel='alternate' type='text/html' href='http://privatecomms.blogspot.com/2009/04/gambling-with-laptop-security.html' title='Gambling with Laptop Security'/><author><name>Mike 
Spinney</name><uri>http://www.blogger.com/profile/01938466909342152711</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://tinypic.com/i3tk01.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-21812035.post-5483445424242006062</id><published>2009-04-23T09:31:00.000-07:00</published><updated>2009-04-23T09:34:04.689-07:00</updated><title type='text'>You Have Zero Privacy -- Enjoy It!</title><content type='html'>Maybe this is cheating, but since my most recent column at &lt;a href="http://www.spot-on.com/"&gt;Spot-on.com &lt;/a&gt;is privacy related, I figured I might as well post a link to it here.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.spot-on.com/archives/spinney/2009/04/you_have_zero_privacy_enjoy_it.html"&gt;You Have Zero Privacy -- Enjoy It!&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/21812035-5483445424242006062?l=privatecomms.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://privatecomms.blogspot.com/feeds/5483445424242006062/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=21812035&amp;postID=5483445424242006062' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/21812035/posts/default/5483445424242006062'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/21812035/posts/default/5483445424242006062'/><link rel='alternate' type='text/html' href='http://privatecomms.blogspot.com/2009/04/you-have-zero-privacy-enjoy-it.html' title='You Have Zero Privacy -- Enjoy It!'/><author><name>Mike Spinney</name><uri>http://www.blogger.com/profile/01938466909342152711</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' 
width='24' height='32' src='http://tinypic.com/i3tk01.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-21812035.post-3484028761283632390</id><published>2009-04-14T17:26:00.000-07:00</published><updated>2009-04-14T17:28:53.714-07:00</updated><title type='text'>Tax Time</title><content type='html'>With all the attention being paid to scams and schemes based on tax refund hoaxes aimed at tricking folks into forfeiting their personal information, it strikes me that the biggest risk to taxpayers this time of year is the government itself.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/21812035-3484028761283632390?l=privatecomms.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://privatecomms.blogspot.com/feeds/3484028761283632390/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=21812035&amp;postID=3484028761283632390' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/21812035/posts/default/3484028761283632390'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/21812035/posts/default/3484028761283632390'/><link rel='alternate' type='text/html' href='http://privatecomms.blogspot.com/2009/04/tax-time.html' title='Tax Time'/><author><name>Mike Spinney</name><uri>http://www.blogger.com/profile/01938466909342152711</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://tinypic.com/i3tk01.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-21812035.post-644463665699508728</id><published>2009-03-31T08:45:00.000-07:00</published><updated>2009-03-31T08:59:16.436-07:00</updated><title type='text'>Privacy &amp; the Octomom</title><content type='html'>According 
to the &lt;a href="http://www.latimes.com/news/local/la-me-octomom31-2009mar31,0,6788120.story"&gt;&lt;em&gt;LA Times&lt;/em&gt;&lt;/a&gt;, a bunch of folks just got canned by Kaiser &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_0"&gt;Permanente&lt;/span&gt; for accessing the medical file of "&lt;span class="blsp-spelling-error" id="SPELLING_ERROR_1"&gt;Octomom&lt;/span&gt;" Nadya &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_2"&gt;Suleman&lt;/span&gt; at the company's &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_3"&gt;Bellflower&lt;/span&gt; Hospital.  In total, 15 folks got the axe and another 8 were disciplined for &lt;span class="blsp-spelling-corrected" id="SPELLING_ERROR_4"&gt;inappropriate&lt;/span&gt; use of privilege to view information in &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_5"&gt;Suleman's&lt;/span&gt; records.&lt;br /&gt;&lt;br /&gt;It's a good start, and I applaud KP for taking a stand on this issue.  Meaningful accountability is often absent when data security is at stake.  With a broader perspective, however, the &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_6"&gt;Ponemon&lt;/span&gt; Institute has identified a lack of accountability as a big problem in addressing data security at the corporate level.&lt;br /&gt;&lt;br /&gt;According to the 2006 study, National Survey on Managing Insider Threats, 31 percent of companies responding to the study reported no single source of accountability for maintaining data security.  The result?  
When a breach happens, fingers get pointed (usually down the chain to the poor souls in IT security), but no one suffers any meaningful consequences.&lt;br /&gt;&lt;br /&gt;Unless and until folks in the big offices, whose titles are preceded by the letter "C," put their own skin in the game, there won't be much progress in addressing this problem.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/21812035-644463665699508728?l=privatecomms.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://privatecomms.blogspot.com/feeds/644463665699508728/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=21812035&amp;postID=644463665699508728' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/21812035/posts/default/644463665699508728'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/21812035/posts/default/644463665699508728'/><link rel='alternate' type='text/html' href='http://privatecomms.blogspot.com/2009/03/privacy-octomom.html' title='Privacy &amp; the Octomom'/><author><name>Mike Spinney</name><uri>http://www.blogger.com/profile/01938466909342152711</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://tinypic.com/i3tk01.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-21812035.post-168523765440825238</id><published>2009-03-27T08:09:00.000-07:00</published><updated>2009-03-27T08:40:02.294-07:00</updated><title type='text'>Good Question</title><content type='html'>Twenty folks showed up for my presentation at yesterday's SecureWorld Boston expo.  
I was among those in the 2:30 slot -- last one of the show -- which meant many folks had bolted once the expo floor closed (at 2:30), so I was happy to see that many people stick around to hear me.&lt;br /&gt;&lt;br /&gt;The talk lasted about 40 minutes and the post-presentation Q&amp;amp;A took another 15 or so.  One question (roughly paraphrased) stands out in my memory.&lt;br /&gt;&lt;br /&gt;"If the problem of insider data loss is so prevalent and so well known, why aren't more companies doing something about it?"&lt;br /&gt;&lt;br /&gt;Good question.  Wish I knew the answer.&lt;br /&gt;&lt;br /&gt;I've got a few ideas, most of which are related to a sense that companies are hoping that "it can't happen here," but I also think it's more complicated than that.  I'll explore some other possibilities in future posts.&lt;br /&gt;&lt;br /&gt;Feel free to share your own ideas here via comments.&lt;br /&gt;&lt;br /&gt;Mike&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/21812035-168523765440825238?l=privatecomms.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://privatecomms.blogspot.com/feeds/168523765440825238/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=21812035&amp;postID=168523765440825238' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/21812035/posts/default/168523765440825238'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/21812035/posts/default/168523765440825238'/><link rel='alternate' type='text/html' href='http://privatecomms.blogspot.com/2009/03/good-question.html' title='Good Question'/><author><name>Mike Spinney</name><uri>http://www.blogger.com/profile/01938466909342152711</uri><email>noreply@blogger.com</email><gd:image 
rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://tinypic.com/i3tk01.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-21812035.post-5401346175246378020</id><published>2009-03-25T13:37:00.000-07:00</published><updated>2009-03-25T13:51:27.146-07:00</updated><title type='text'>Spinney is at SecureWorld Boston</title><content type='html'>A little late in pulling the lever on the Mike Spinney Self-Promotion Machine (known in the trades as the SSP-3000), but figured another reminder might be in order.&lt;br /&gt;&lt;br /&gt;I'll be giving a presentation tomorrow on identifying and addressing an organization's overlooked privacy and compliance risks at &lt;a href="http://secureworldexpo.com/events/conference-details.php?cid"&gt;SecureWorld Boston&lt;/a&gt; at the Hynes Convention Center tomorrow. I'll be representing the Ponemon Institute and using some interesting findings from a number of our recent studies to highlight some things that (according to our data) don't seem to be getting enough attention.&lt;br /&gt;&lt;br /&gt;If you want to know what these pitfalls might be, you'll have to be in the audience.&lt;br /&gt;&lt;br /&gt;My session begins at 2:30 and runs until 3:15. If you are at the show, swing by and say hello.&lt;br /&gt;&lt;br /&gt;This will be my last speaking engagement for a while. 
Not that I've been burning up the asphalt, but three sessions in a 45-day jaunt is enough (IAPP KnowledgeNet in Boston, INTERPHEX 2009 in NYC, and SecureWorld Boston).&lt;br /&gt;&lt;br /&gt;Besides, the ponds around here are nearly ice-free and in a few weeks I'll want to spend my spare time terrorizing the bass and panfish with a fly rod.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/21812035-5401346175246378020?l=privatecomms.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://privatecomms.blogspot.com/feeds/5401346175246378020/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=21812035&amp;postID=5401346175246378020' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/21812035/posts/default/5401346175246378020'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/21812035/posts/default/5401346175246378020'/><link rel='alternate' type='text/html' href='http://privatecomms.blogspot.com/2009/03/spinney-is-at-secureworld-boston.html' title='Spinney is at SecureWorld Boston'/><author><name>Mike Spinney</name><uri>http://www.blogger.com/profile/01938466909342152711</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://tinypic.com/i3tk01.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-21812035.post-4183149728931114239</id><published>2009-03-24T17:10:00.000-07:00</published><updated>2009-03-24T17:27:39.274-07:00</updated><title type='text'>Privacy v. 
Security</title><content type='html'>One thing was clear during last week's RFID Security Alliance INTERPHEX panel discussion: there are still many for whom &lt;em&gt;privacy&lt;/em&gt; and &lt;em&gt;security&lt;/em&gt; are interchangeable terms.&lt;br /&gt;&lt;br /&gt;Granted, there is an area of critical overlap, but security and privacy are not the same things.&lt;br /&gt;&lt;br /&gt;Others have explored this topic in detail, so I won't rehash the issue much, but in the context of our topic, protecting an individual's privacy -- access to and use/mis-use of their personal health information -- isn't the same as preventing someone from detecting whether they might have a product that is tagged with an RFID chip.&lt;br /&gt;&lt;br /&gt;It's a highly nuanced topic and sometimes the best approach is to leave the nuance out of it and simply answer the question.  I think we did that pretty well.&lt;br /&gt;&lt;br /&gt;If you want to read more about Privacy v. Security, check out these folks:&lt;br /&gt;&lt;br /&gt;&lt;a href="http://arstechnica.com/tech-policy/news/2009/03/from-the-academy-the-end-of-privacy.ars"&gt;Julian Sanchez&lt;/a&gt;&lt;br /&gt;&lt;a href="http://www.schneier.com/blog/archives/2008/01/security_vs_pri.html"&gt;Bruce Schneier&lt;/a&gt;&lt;br /&gt;&lt;a href="http://www.wired.com/politics/law/commentary/circuitcourt/2006/05/70971"&gt;Jennifer Granick&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Drop me a line if there are other worthwhile explorations of this rich topic you think I should include.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/21812035-4183149728931114239?l=privatecomms.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://privatecomms.blogspot.com/feeds/4183149728931114239/comments/default' title='Post Comments'/><link rel='replies' type='text/html' 
href='http://www.blogger.com/comment.g?blogID=21812035&amp;postID=4183149728931114239' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/21812035/posts/default/4183149728931114239'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/21812035/posts/default/4183149728931114239'/><link rel='alternate' type='text/html' href='http://privatecomms.blogspot.com/2009/03/privacy-v-security.html' title='Privacy v. Security'/><author><name>Mike Spinney</name><uri>http://www.blogger.com/profile/01938466909342152711</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://tinypic.com/i3tk01.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-21812035.post-5728240903967287309</id><published>2009-03-11T06:52:00.000-07:00</published><updated>2009-03-11T07:04:39.737-07:00</updated><title type='text'>Privacy, RFID, and Pharma</title><content type='html'>Looking ahead to next week, as I and the other &lt;a href="http://www.rfidsa.com/index.htm"&gt;&lt;span class="blsp-spelling-error" id="SPELLING_ERROR_0"&gt;RFID&lt;/span&gt; Security Alliance &lt;/a&gt;panelists prepare for our discussion at &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_1"&gt;INTERPHEX&lt;/span&gt; 2009 on the implementation of &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_2"&gt;RFID&lt;/span&gt; in the pharmaceutical supply chain, one of the questions that we hope to address pertains to fear.&lt;br /&gt;&lt;br /&gt;There seems to be a lingering unease with &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_3"&gt;RFID&lt;/span&gt; within the pharmaceuticals industry, largely due to &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_4"&gt;RFID's&lt;/span&gt; bad press, and centering on the question, does investing in &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_5"&gt;RFID&lt;/span&gt; add a 
data security risk and patient privacy risk while attempting to tackle other issues (logistical cost reduction, counterfeit prevention, addressing drug safety issues, etc.).&lt;br /&gt;&lt;br /&gt;Are these fears legitimate?  Are there other factors at issue with &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_6"&gt;RFID&lt;/span&gt;?&lt;br /&gt;&lt;br /&gt;Drop me a line and let me know what your concerns are and we'll try to address them on March 17 during our discussion.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/21812035-5728240903967287309?l=privatecomms.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://privatecomms.blogspot.com/feeds/5728240903967287309/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=21812035&amp;postID=5728240903967287309' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/21812035/posts/default/5728240903967287309'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/21812035/posts/default/5728240903967287309'/><link rel='alternate' type='text/html' href='http://privatecomms.blogspot.com/2009/03/privacy-rfid-and-pharma.html' title='Privacy, RFID, and Pharma'/><author><name>Mike Spinney</name><uri>http://www.blogger.com/profile/01938466909342152711</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://tinypic.com/i3tk01.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-21812035.post-5724972264368204818</id><published>2009-03-10T18:21:00.001-07:00</published><updated>2009-03-10T18:37:09.472-07:00</updated><title type='text'>Fighting Fire with Fire</title><content type='html'>You are a powerful federal agency with a longstanding beef against a 
company that has thumbed its nose at you (and, it can be argued, continues to do so). What do you do? You fight fire with fire and mock them by producing an advertisement that spoofs that company's own marketing vehicle.&lt;br /&gt;&lt;br /&gt;The Federal Trade Commission released a send-up of the (annoying) series of advertisements promoting a supposedly free service for obtaining a copy of your consumer credit report.&lt;br /&gt;&lt;br /&gt;Here's a copy of the FTC's &lt;a href="http://www.youtube.com/FTCVideos"&gt;advert &lt;/a&gt;(which it says is a public service announcement).&lt;br /&gt;&lt;br /&gt;The notorious credit monitoring company issued a statement in response shortly after the FTC's release. Here's a line from the release: "[company] provides paying members with continuous access to their credit report and credit score with a paid membership."&lt;br /&gt;&lt;br /&gt;Yes, I am intentionally avoiding any mention of the company's name (no SEO props here), which is also its Web address, but the fact that the company -- the very name of which claims to be free -- says it provides its "paying members" with certain services is at the heart of the FTC's longstanding feud. 
If you've ever dealt with that company, you'd have a sense of why I'm rooting for the FTC on this one.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/21812035-5724972264368204818?l=privatecomms.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://privatecomms.blogspot.com/feeds/5724972264368204818/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=21812035&amp;postID=5724972264368204818' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/21812035/posts/default/5724972264368204818'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/21812035/posts/default/5724972264368204818'/><link rel='alternate' type='text/html' href='http://privatecomms.blogspot.com/2009/03/fighting-fire-with-fire.html' title='Fighting Fire with Fire'/><author><name>Mike Spinney</name><uri>http://www.blogger.com/profile/01938466909342152711</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://tinypic.com/i3tk01.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-21812035.post-6124585132070232778</id><published>2009-03-08T14:33:00.000-07:00</published><updated>2009-03-08T17:35:06.920-07:00</updated><title type='text'>Facebook's Privacy Conundrum</title><content type='html'>As a Facebook subscriber, I try to be aware of the fact that everything I do on that popular social networking platform is subject to broad public exposure.  
For a while now I've been amused at the way FB users seem hyper-sensitive about Facebook's privacy policy, yet blissfully unaware of their own willing forfeiture of the very privacy about which they purport to be so concerned.&lt;br /&gt;&lt;br /&gt;An article ran this weekend in the &lt;a href="http://www.nytimes.com/2009/03/08/business/08digi.html?_r=2"&gt;&lt;em&gt;New York Times&lt;/em&gt; &lt;/a&gt;that addresses this conundrum somewhat, though I think the treatment of this phenomenon in the article is more superficial in preference to its discussion of Facebook's demographics -- including the tendency for younger users to treat their privacy cavalierly (the Ponemon Institute has identified this "privacy age gap" in a number of studies over the years).&lt;br /&gt;&lt;br /&gt;The author opens the essay by predicting that the position of Chief Privacy Officer will no longer exist at Facebook in ten years.  To the contrary, I think Chris Kelly may have one of the most interesting CPO jobs in the world, operating in a privacy laboratory unlike any other, constantly working to find the balance in creating a social networking utility that is so trustworthy and respectful of subscriber privacy that those subscribers feel secure enough to share the details of their lives within its pages.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/21812035-6124585132070232778?l=privatecomms.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://privatecomms.blogspot.com/feeds/6124585132070232778/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=21812035&amp;postID=6124585132070232778' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/21812035/posts/default/6124585132070232778'/><link rel='self' type='application/atom+xml' 
href='http://www.blogger.com/feeds/21812035/posts/default/6124585132070232778'/><link rel='alternate' type='text/html' href='http://privatecomms.blogspot.com/2009/03/facebooks-privacy-conundrum.html' title='Facebook&apos;s Privacy Conundrum'/><author><name>Mike Spinney</name><uri>http://www.blogger.com/profile/01938466909342152711</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://tinypic.com/i3tk01.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-21812035.post-5324079992207383759</id><published>2009-03-06T06:04:00.000-08:00</published><updated>2009-03-06T06:10:53.615-08:00</updated><title type='text'>Add Another Event to Your Calendar</title><content type='html'>I'll be speaking later this month at Secure World Expo in Boston on March 26.  The topic of my discussion will be "&lt;a href="http://secureworldexpo.com/events/conference-details.php?cid=2979"&gt;Data and Compliance at Risk: Assess and Address Your Organization’s Data Security Needs&lt;/a&gt;."&lt;br /&gt;&lt;br /&gt;It's a 45 minute session (2:30pm - 3:15pm), so not a lot of time to go into the details of this rich topic, but plenty of time to give an overview that should serve as a roadmap for helping attendees get a clearer picture of what they need to do in order to understand their data security and privacy needs.&lt;br /&gt;&lt;br /&gt;If you are going to be in the Boston area, or are already planning on attending Secure World Expo, swing by the session and say hello.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/21812035-5324079992207383759?l=privatecomms.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://privatecomms.blogspot.com/feeds/5324079992207383759/comments/default' title='Post Comments'/><link rel='replies' type='text/html' 
href='http://www.blogger.com/comment.g?blogID=21812035&amp;postID=5324079992207383759' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/21812035/posts/default/5324079992207383759'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/21812035/posts/default/5324079992207383759'/><link rel='alternate' type='text/html' href='http://privatecomms.blogspot.com/2009/03/add-another-event-to-your-calendar.html' title='Add Another Event to Your Calendar'/><author><name>Mike Spinney</name><uri>http://www.blogger.com/profile/01938466909342152711</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://tinypic.com/i3tk01.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-21812035.post-7110491401899668105</id><published>2009-03-02T09:58:00.000-08:00</published><updated>2009-03-02T10:11:00.771-08:00</updated><title type='text'>P2P Breach is just the Tip of the Iceberg</title><content type='html'>When &lt;a href="http://news.cnet.com/8301-1009_3-10184558-83.html"&gt;news broke &lt;/a&gt;last week that sensitive data related to the president's Marine One helicopter had fallen into Iranian hands, I was interested.  When I heard that the breach was related to peer-to-peer networking, my first thought was &lt;a href="http://www.tiversa.com/"&gt;&lt;span class="blsp-spelling-error" id="SPELLING_ERROR_0"&gt;Tiversa&lt;/span&gt;&lt;/a&gt;.  
When I heard they were the ones who had uncovered the breach, I was not surprised.&lt;br /&gt;&lt;br /&gt;I had the privilege of working with &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_1"&gt;Tiversa&lt;/span&gt; last year through a &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_2"&gt;Ponemon&lt;/span&gt; Institute study on the risks of P2P to data security and, while I can't disclose the specifics of our conversations, it's safe to say that this breach is just the tip of the iceberg.  Folks just aren't aware of the security implications involved with opening up direct access to files on a computer operating P2P technology.  Clearly, this level of ignorance is present at startlingly high levels of government and industry.&lt;br /&gt;&lt;br /&gt;Apparently compromising national security is worth it for access to free music.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/21812035-7110491401899668105?l=privatecomms.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://privatecomms.blogspot.com/feeds/7110491401899668105/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=21812035&amp;postID=7110491401899668105' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/21812035/posts/default/7110491401899668105'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/21812035/posts/default/7110491401899668105'/><link rel='alternate' type='text/html' href='http://privatecomms.blogspot.com/2009/03/p2p-breach-is-just-tip-of-iceberg.html' title='P2P Breach is just the Tip of the Iceberg'/><author><name>Mike Spinney</name><uri>http://www.blogger.com/profile/01938466909342152711</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' 
height='32' src='http://tinypic.com/i3tk01.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-21812035.post-3609670934475895348</id><published>2009-02-24T10:44:00.000-08:00</published><updated>2009-02-24T10:59:41.540-08:00</updated><title type='text'>Catch Me Next Month</title><content type='html'>Catch me next month in New York at the Javits at the pharmatech trade event, &lt;a href="http://www.interphex.com/"&gt;Interphex&lt;/a&gt;.  I'll be part of a panel discussing the use of RFID in the pharmaceuticals industry, offering some insight on the privacy implications of that technology.  The panel includes:&lt;br /&gt;&lt;br /&gt;·          Louis Parks, President and CEO, &lt;a href="http://www.securerf.com/"&gt;SecureRF Corp&lt;/a&gt;.&lt;br /&gt;·          Andrew Strauch, Vice President, Product Marketing and Management, &lt;a href="http://www.mikoh.com/"&gt;MIKOH Corp&lt;/a&gt;.&lt;br /&gt;·          Bikash Chatterjee, President and CTO, &lt;a href="http://www.pharmatechassociates.com/"&gt;Pharmatech Associates Inc&lt;/a&gt;.&lt;br /&gt;·          Michael McCartney, Founder and Principal, &lt;a href="http://www.qlmconsulting.com/"&gt;QLM Consulting&lt;/a&gt;&lt;br /&gt;·          Mike Spinney, Principal, &lt;a href="http://www.sixweight.com/"&gt;SixWeight&lt;/a&gt; (that's me!)&lt;br /&gt;&lt;br /&gt;Our session takes place on Tuesday, March 17 from 3:00pm - 4:00pm, and is sponsored by &lt;a href="http://www.dominoamjet.com/us/"&gt;Domino Amjet&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;If you are thinking about attending Interphex and want to drop in for the discussion, let me know.  
Following this &lt;a href="http://www.interphex.com/speakerdiscount"&gt;LINK &lt;/a&gt;will take you to a conference registration page that gives you a 15% discount.&lt;br /&gt;&lt;br /&gt;Hope to see you there.&lt;br /&gt;&lt;br /&gt;Mike&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/21812035-3609670934475895348?l=privatecomms.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://privatecomms.blogspot.com/feeds/3609670934475895348/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=21812035&amp;postID=3609670934475895348' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/21812035/posts/default/3609670934475895348'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/21812035/posts/default/3609670934475895348'/><link rel='alternate' type='text/html' href='http://privatecomms.blogspot.com/2009/02/catch-me-next-month.html' title='Catch Me Next Month'/><author><name>Mike Spinney</name><uri>http://www.blogger.com/profile/01938466909342152711</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://tinypic.com/i3tk01.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-21812035.post-2911690934266434527</id><published>2009-02-23T04:56:00.000-08:00</published><updated>2009-02-23T06:43:32.257-08:00</updated><title type='text'>Data at Higher Risk During Down Economy?</title><content type='html'>Data loss due to the actions of insiders is a well-known problem. Every company has employees, and employees – being human – are prone to make mistakes. 
They email information to unauthorized recipients, they leave laptop computers in airports, they drop their PDFs in taxis, they take information home to get some work done over the weekend and they connect to non-secure networks or open their computer to the Pandora’s Box of peer-to-peer networks…&lt;br /&gt;&lt;br /&gt;Consistently, research by the Ponemon Institute and other groups has confirmed this to be true. Insiders are responsible for the vast majority of all data breaches. The Ponemon Institute’s &lt;a href="http://www.darkreading.com/security/attacks/showArticle.jhtml?articleID=213000466&amp;amp;cid=RSSfeed"&gt;most recent Annual Cost of a Data Breach Study &lt;/a&gt;puts this figure at 88 percent.&lt;br /&gt;&lt;br /&gt;My gut tells me that a foundering economy would exacerbate this situation, but my gut (and the collective gut of everyone who has thought about this situation) isn’t considered credible evidence by anyone making decisions in the corner office. That’s why the Institute has released a &lt;a href="http://news.bbc.co.uk/1/hi/technology/7902989.stm"&gt;new study that examines this situation &lt;/a&gt;– and the results are pretty interesting.&lt;br /&gt;&lt;br /&gt;Jobs at Risk = Data at Risk (sponsored by the good folks at &lt;a href="http://www.symantec.com/"&gt;Symantec&lt;/a&gt;) has a number of interesting findings. In short, 59 percent of employees who lost or changed jobs over the last year reported taking sensitive information with them when they left – 79 percent of whom knew they were doing so against company policy. In cases where the employee had a negative view of their former employer, the likelihood of data theft was 61 percent, but for those with a positive view the rate of theft was only 26 percent.&lt;br /&gt;&lt;br /&gt;One critical takeaway from this study has to be that this is a preventable problem. 
There’s a sentiment within the data security community that data loss at the hands of insiders is merely a cost of doing business. As they do with paperclips and ballpoint pens, employees are going to access and swipe information and there’s not much that can be done about it. That’s a defeatist conclusion that is simply not supported by these findings.&lt;br /&gt;&lt;br /&gt;Most of the individuals stealing information are non-IT staff who lack the technical sophistication to effect clever schemes to defeat IT security protections. They are, by and large, administrative (16%), sales (30%), and contract employees (13%) who are motivated by financial pressure and job-loss anxiety.&lt;br /&gt;&lt;br /&gt;Given the markedly lower rate of theft among employees who had positive feelings for their former employer, simply doing a better job building positive employee relationships would go a long way toward dissuading folks from making bad exit decisions. Such a program should include the development and communication of clear and enforceable policies related to data handling – including consequences for data theft.&lt;br /&gt;&lt;br /&gt;Employees are stealing information because they recognize data has immense value in today’s economy. They regard this information as their “parting gifts,” but if they know that stealing information might put their severance package at risk, they’ll think twice.&lt;br /&gt;&lt;br /&gt;Of course, a thorough data loss prevention program must include an investment in the appropriate technology tools. 
DLP technology, properly deployed, can prevent the vast majority of accidental and intentional data theft events.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/21812035-2911690934266434527?l=privatecomms.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://privatecomms.blogspot.com/feeds/2911690934266434527/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=21812035&amp;postID=2911690934266434527' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/21812035/posts/default/2911690934266434527'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/21812035/posts/default/2911690934266434527'/><link rel='alternate' type='text/html' href='http://privatecomms.blogspot.com/2009/02/data-at-higher-risk-during-down-economy.html' title='Data at Higher Risk During Down Economy?'/><author><name>Mike Spinney</name><uri>http://www.blogger.com/profile/01938466909342152711</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://tinypic.com/i3tk01.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-21812035.post-1282290308321729688</id><published>2009-02-22T14:54:00.000-08:00</published><updated>2009-02-22T14:56:03.686-08:00</updated><title type='text'>I'm Back...</title><content type='html'>Sorry for neglecting this blog for so long.  I've got plenty to say but have been saying it in other, usually less public, forums.  
I've got a lot of work to do to bring folks back into the fold but I hope to be able to do so over time.&lt;br /&gt;&lt;br /&gt;Mike&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/21812035-1282290308321729688?l=privatecomms.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://privatecomms.blogspot.com/feeds/1282290308321729688/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=21812035&amp;postID=1282290308321729688' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/21812035/posts/default/1282290308321729688'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/21812035/posts/default/1282290308321729688'/><link rel='alternate' type='text/html' href='http://privatecomms.blogspot.com/2009/02/im-back.html' title='I&apos;m Back...'/><author><name>Mike Spinney</name><uri>http://www.blogger.com/profile/01938466909342152711</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://tinypic.com/i3tk01.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-21812035.post-3991161189970209314</id><published>2007-07-06T12:10:00.001-07:00</published><updated>2007-07-06T12:49:42.719-07:00</updated><title type='text'>Call me Nostradamus</title><content type='html'>Just caught this story from &lt;a href="http://thehill.com/leading-the-news/lieberman-calls-for-wider-use-of-surveillance-cameras-2007-07-01.html"&gt;The Hill &lt;/a&gt;in which Sen. 
Joseph Lieberman calls for more surveillance cameras.&lt;br /&gt;&lt;br /&gt;Yeah, the dateline is July 1, my post on this topic was July 1, and today is July 6, but I hadn't seen the article or heard his comments prior to making this observation (which I actually made publicly on June 30 during the RIM Renaissance conference). Besides, it didn't take Nostradamus or much imagination to make such a prediction.&lt;br /&gt;&lt;br /&gt;I will point you to this quote from Mr. Lieberman, though:&lt;br /&gt;&lt;br /&gt;&lt;em&gt;“I think it’s just common sense to do that here much more widely. And of course, we can do it without compromising anybody’s real privacy.”&lt;/em&gt;&lt;br /&gt;&lt;br /&gt;What exactly does "real privacy" mean? What does Lieberman think it means, and is that the same as what you or I think it means? And, ominously, do we want Congress to determine what it means under conditions of high anxiety over a possible terror threat? Debate still rages over the long-term implications of the Patriot Act. 
Let's not feel pressured to jump to a decision on surveillance and DNA only to suffer under the same burden of regret.&lt;br /&gt;&lt;br /&gt;Mike&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/21812035-3991161189970209314?l=privatecomms.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://privatecomms.blogspot.com/feeds/3991161189970209314/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=21812035&amp;postID=3991161189970209314' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/21812035/posts/default/3991161189970209314'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/21812035/posts/default/3991161189970209314'/><link rel='alternate' type='text/html' href='http://privatecomms.blogspot.com/2007/07/call-me-nostradamus.html' title='Call me Nostradamus'/><author><name>Mike Spinney</name><uri>http://www.blogger.com/profile/01938466909342152711</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://tinypic.com/i3tk01.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-21812035.post-3013755409136038831</id><published>2007-07-01T18:08:00.000-07:00</published><updated>2007-07-01T18:26:05.930-07:00</updated><title type='text'>Chilling Implications</title><content type='html'>I turned on the television Friday morning to news of the failed terror attack in the UK.  
While the &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_0"&gt;MSNBC&lt;/span&gt; report cycled through a video loop of images from the scene, and as Joe Scarborough and his team provided as much as was known at the time and the few updates that were available, one thing struck me.&lt;br /&gt;&lt;br /&gt;The news reports made much of the fact that London is, perhaps, the most CCTV/&lt;span class="blsp-spelling-corrected" id="SPELLING_ERROR_1"&gt;surveillance&lt;/span&gt; camera-saturated city in the world, and that the lack of an explosion meant there would be forensic evidence to be checked against Scotland Yard's extensive DNA library, and that both factors would likely contribute to quick arrests in the case.&lt;br /&gt;&lt;br /&gt;Good news for investigators in the United Kingdom, but chilling implications for those of us here in the United States.&lt;br /&gt;&lt;br /&gt;I know this event will influence the ongoing liberty/security debate here in America.  As a nation we're already paranoid about some future act of terror, and we're constantly being told that we need to fear this shadowy enemy called terrorism.  If the events of this past weekend result in a stronger push for and greater acceptance of remote security camera networks, and an undermining of opposition to extensive DNA cataloging, it will not be welcome news.&lt;br /&gt;&lt;br /&gt;Using fear as a means of achieving legislative change is poor public policy.  
Loss of liberty should never be tolerated by patriots.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/21812035-3013755409136038831?l=privatecomms.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://privatecomms.blogspot.com/feeds/3013755409136038831/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=21812035&amp;postID=3013755409136038831' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/21812035/posts/default/3013755409136038831'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/21812035/posts/default/3013755409136038831'/><link rel='alternate' type='text/html' href='http://privatecomms.blogspot.com/2007/07/chilling-implications.html' title='Chilling Implications'/><author><name>Mike Spinney</name><uri>http://www.blogger.com/profile/01938466909342152711</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://tinypic.com/i3tk01.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-21812035.post-2474080768333342637</id><published>2007-05-21T07:13:00.001-07:00</published><updated>2007-05-21T07:30:00.125-07:00</updated><title type='text'>Adding Audience</title><content type='html'>About a year ago I started writing for &lt;a href="http://www.spot-on.com"&gt;Spot-On.com&lt;/a&gt;, an eclectic opinion mill that has been steadily gaining audience and influence.  I started out with a tech-focus, but have since concentrated on political and social issues, reflective of my grumpy Libertarian perspective.  I enjoy the opportunity to stretch my legs and give voice to a point-of-view that is often ignored.  
Every once in a while I'll get a validation boost when an email comes my way, or when something I've written gets the attention of an outside authority, such as this editorial from &lt;a href="http://de.pennnet.com/display_article/292768/54/ARTCL/none/none/Death-from-a-toothache"&gt;&lt;em&gt;Dental Economics&lt;/em&gt; &lt;/a&gt;magazine.&lt;br /&gt;&lt;br /&gt;Well, &lt;a href="http://home.businesswire.com/portal/site/google/index.jsp?ndmViewId=news_view&amp;newsId=20070521005807&amp;amp;newsLang=en"&gt;news&lt;/a&gt; this morning of a syndication deal with &lt;a href="http://www.wpni.com/"&gt;WashingtonPost.Newsweek Interactive &lt;/a&gt;means that I and the rest of my Spot-On.com colleagues will add significantly to our audience.  Since I write about &lt;a href="http://www.spot-on.com/archives/spinney/2007/05/public_trust_and_privacy_at_ri.html"&gt;privacy issues &lt;/a&gt;occasionally, I hope to make the most of this fantastic opportunity to not only carp about what's bugging me politically, but also continue to raise awareness over important privacy issues.&lt;br /&gt;&lt;br /&gt;Mike&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/21812035-2474080768333342637?l=privatecomms.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://privatecomms.blogspot.com/feeds/2474080768333342637/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=21812035&amp;postID=2474080768333342637' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/21812035/posts/default/2474080768333342637'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/21812035/posts/default/2474080768333342637'/><link rel='alternate' type='text/html' href='http://privatecomms.blogspot.com/2007/05/adding-audience.html' title='Adding 
Audience'/><author><name>Mike Spinney</name><uri>http://www.blogger.com/profile/01938466909342152711</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://tinypic.com/i3tk01.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-21812035.post-3230674924810760719</id><published>2007-05-04T11:14:00.000-07:00</published><updated>2007-05-04T11:16:36.983-07:00</updated><title type='text'>Shameless Self Promotion</title><content type='html'>Before the weekend, thought I'd &lt;a href="http://www.spot-on.com/archives/spinney/2007/05/public_trust_and_privacy_at_ri.html"&gt;post a link &lt;/a&gt;to my latest at &lt;a href="http://www.spot-on.com"&gt;Spot-On&lt;/a&gt;, a piece dealing with how well government agencies are doing in keeping the public trust.  Or not.&lt;br /&gt;&lt;br /&gt;Mike&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/21812035-3230674924810760719?l=privatecomms.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://privatecomms.blogspot.com/feeds/3230674924810760719/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=21812035&amp;postID=3230674924810760719' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/21812035/posts/default/3230674924810760719'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/21812035/posts/default/3230674924810760719'/><link rel='alternate' type='text/html' href='http://privatecomms.blogspot.com/2007/05/shameless-self-promotion.html' title='Shameless Self Promotion'/><author><name>Mike Spinney</name><uri>http://www.blogger.com/profile/01938466909342152711</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' 
width='24' height='32' src='http://tinypic.com/i3tk01.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-21812035.post-8668190477976351690</id><published>2007-05-01T15:38:00.000-07:00</published><updated>2007-05-01T15:58:24.689-07:00</updated><title type='text'>Apples &amp; Oranges</title><content type='html'>While I haven't been blogging about the TJX breach, I have been tracking the incident and there's a curious element to the response that has not gotten much attention in the news.&lt;br /&gt;&lt;br /&gt;It's clear that TJX was caught off guard by the breach from a communications perspective -- their public comments have often been inaccurate, contradictory, and misleading (likely not intentional, just symptomatic of their lack of preparedness).  But one thing the discount retailer has done very well is amp up the marketing.&lt;br /&gt;&lt;br /&gt;This article in &lt;a href="http://www.banktechnews.com/article.html?id=20070425IK38V2GS"&gt;&lt;em&gt;Bank Technology News&lt;/em&gt; &lt;/a&gt;examines what may at first seem to be a contradictory response from consumers, but actually makes perfect sense.  I've heard a number of people question consumer response, wondering out loud why affected shoppers continue to spend money at TJX.  After all, hasn't research shown that consumers will bolt a vendor that doesn't respect privacy?&lt;br /&gt;&lt;br /&gt;It's an apples and oranges comparison, actually.  Consumers, above nearly all else, want convenience and a good deal.  As a discount retailer, TJX stores know all about cutting price, and when they found themselves in the spotlight, while their corporate spokespeople were stuttering their way through explanations and interviews, their marketers were buying air time and (I suspect, though I can't tell for sure since I don't shop there) lowering prices.  
Here in TJX's back yard, the television is busting with commercials for the various TJX stores.&lt;br /&gt;&lt;br /&gt;Ponemon Institute research showed the fallout for banks that fail to respect customer privacy, but banks are not able to manipulate costs the way a retailer can.  Retailers have more and different options.  Besides, a long-term relationship with a retailer is more of a series of short-term decisions.  Choosing to do business with a bank is a more serious commitment on the part of the consumer, and requires a completely different level of commitment on the part of the bank.&lt;br /&gt;&lt;br /&gt;In her article, Holly Sraeel understands and articulates the difference.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/21812035-8668190477976351690?l=privatecomms.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://privatecomms.blogspot.com/feeds/8668190477976351690/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=21812035&amp;postID=8668190477976351690' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/21812035/posts/default/8668190477976351690'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/21812035/posts/default/8668190477976351690'/><link rel='alternate' type='text/html' href='http://privatecomms.blogspot.com/2007/05/apples-oranges.html' title='Apples &amp; Oranges'/><author><name>Mike Spinney</name><uri>http://www.blogger.com/profile/01938466909342152711</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' 
src='http://tinypic.com/i3tk01.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-21812035.post-6513482011161258235</id><published>2007-04-19T12:09:00.000-07:00</published><updated>2007-04-19T12:26:57.093-07:00</updated><title type='text'>Prior Proper Planning...</title><content type='html'>You know the Seven &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_0"&gt;Ps&lt;/span&gt; of Preparation, don't you?  Prior proper planning prevents p*&lt;span class="blsp-spelling-error" id="SPELLING_ERROR_1"&gt;ss&lt;/span&gt; poor performance.  (Some would substitute the coarser word in that phrase with "pretty", but I'm an ex-Navy man and that's the way I learned it.)&lt;br /&gt;&lt;br /&gt;Getting back to the issue of preparation, I had the privilege of introducing Beth Givens of the &lt;a href="http://www.privacyrights.org/"&gt;Privacy Rights Clearinghouse &lt;/a&gt;to members of the &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_2"&gt;Ponemon&lt;/span&gt; &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_3"&gt;Institute's&lt;/span&gt; RIM Council today during the monthly RIM conference call.  Beth pointed us toward an excellent article from February's &lt;a href="http://www.law.com/"&gt;Law.com&lt;/a&gt;.   The article by &lt;a href="http://www.whitecase.com/"&gt;White &amp; Case &lt;/a&gt;&lt;span class="blsp-spelling-error" id="SPELLING_ERROR_4"&gt;lawyer&lt;/span&gt; David Bender, entitled "&lt;a href="http://www.law.com/jsp/PubArticle.jsp?id=1171447375578"&gt;Why You Must have a Security Breach Response Plan&lt;/a&gt;," serves as a great thumbnail for any organization that may be wondering what they need to do should they experience a breach.&lt;br /&gt;&lt;br /&gt;Of course, I'm pleased to see that David has included a couple bullets related to communications.  
The communications portion of David's checklist requires its own plan to make certain an organization is prepared to let the public and other audiences know what's going on and to do so in a manner that is consistent with the truth and in keeping with the law.  It is possible to say the wrong thing even if intentions are good, but with a plan in place in advance, the chance of such occasions is minimized.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/21812035-6513482011161258235?l=privatecomms.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://privatecomms.blogspot.com/feeds/6513482011161258235/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=21812035&amp;postID=6513482011161258235' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/21812035/posts/default/6513482011161258235'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/21812035/posts/default/6513482011161258235'/><link rel='alternate' type='text/html' href='http://privatecomms.blogspot.com/2007/04/prior-proper-planning.html' title='Prior Proper Planning...'/><author><name>Mike Spinney</name><uri>http://www.blogger.com/profile/01938466909342152711</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://tinypic.com/i3tk01.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-21812035.post-7859619551179553420</id><published>2007-04-15T16:36:00.000-07:00</published><updated>2007-04-16T04:20:12.853-07:00</updated><title type='text'>New Thinking</title><content type='html'>When I read blog entries such as this one at &lt;a href="http://government.zdnet.com/?p=3076"&gt;ZDNet&lt;/a&gt;, I get both amused and frustrated at the 
lack of critical thinking that drives opinion on these and other important issues. You'd think it's an either/or proposition, and that the only available options outside of inaction are both evil and unacceptable. Yet, while hand-wringing goes on over current practice and worst option alternatives, no one's talking about other available approaches to the vexing challenge of maintaining watch lists without violating privacy.&lt;br /&gt;&lt;br /&gt;IBM's &lt;a href="http://jeffjonas.typepad.com/"&gt;Jeff Jonas &lt;/a&gt;figured the solution out a while ago and writes about it often in his blog (which is worth reading for a host of reasons).  This &lt;a href="http://jeffjonas.typepad.com/jeff_jonas/2006/06/precision_in_ts.html"&gt;entry &lt;/a&gt;is worth reading for a safe, innovative take on the issue of managing watch lists effectively, and without the troublesome privacy issues that most folks are worried about.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/21812035-7859619551179553420?l=privatecomms.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://privatecomms.blogspot.com/feeds/7859619551179553420/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=21812035&amp;postID=7859619551179553420' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/21812035/posts/default/7859619551179553420'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/21812035/posts/default/7859619551179553420'/><link rel='alternate' type='text/html' href='http://privatecomms.blogspot.com/2007/04/new-thinking.html' title='New Thinking'/><author><name>Mike Spinney</name><uri>http://www.blogger.com/profile/01938466909342152711</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' 
width='24' height='32' src='http://tinypic.com/i3tk01.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-21812035.post-117123614199800816</id><published>2007-02-11T15:20:00.000-08:00</published><updated>2007-03-12T10:11:29.073-07:00</updated><title type='text'>Been There, Done That</title><content type='html'>I’m usually quicker on the uptake on issues like this, but I’ve been so busy with other aspects of my business that I’ve neglected my blogging.  So, for those of you still paying attention…&lt;br /&gt;&lt;br /&gt;A couple weeks ago, &lt;em&gt;Computerworld &lt;/em&gt;ran an article entitled &lt;a href="http://computerworld.com/action/article.do?command=viewArticleBasic&amp;taxonomyName=security&amp;articleId=9009239&amp;taxonomyId=17&amp;intsrc=kc_feat"&gt;Are Privacy Notices Worthless?&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Hmmm.  Where have I read that before?  Oh, yeah… back in August when I wrote &lt;a href="http://www.1to1media.com/View.aspx?DocID=29724 "&gt;Has Notice Failed?&lt;/a&gt; (registration required) for the &lt;em&gt;1to1: Privacy &lt;/em&gt;newsletter.  Sure, &lt;em&gt;Computerworld &lt;/em&gt;may have a bigger readership, but the fact that my Kilroy was there to greet Jay Cline and his readers when they arrived nearly six months later makes me feel better about the whole thing (and just a touch superior).&lt;br /&gt;&lt;br /&gt;I guess you could say I’m the Macomber Bombay of the privacy world.  Aren’t familiar with Macomber Bombay?  Good luck with a Google search, since the ancient archives of &lt;em&gt;MAD Magazine &lt;/em&gt;don’t seem to have made it online yet, but Bombay was the fictional, unknown photographer for &lt;em&gt;Life &lt;/em&gt;who was waiting at the summit of Mt. Everest to get the photo of Edmund Hillary’s historic ascent, among other first human achievements chronicled on film.&lt;br /&gt;&lt;br /&gt;To be clear, I’m not busting on Cline.  
The piece he wrote for &lt;em&gt;Computerworld &lt;/em&gt;was excellent.  I’m just contorting my humble frame to pat myself on the back.  I should be careful lest I strain a muscle.  After all, pride cometh before a fall.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/21812035-117123614199800816?l=privatecomms.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://privatecomms.blogspot.com/feeds/117123614199800816/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=21812035&amp;postID=117123614199800816' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/21812035/posts/default/117123614199800816'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/21812035/posts/default/117123614199800816'/><link rel='alternate' type='text/html' href='http://privatecomms.blogspot.com/2007/02/been-there-done-that.html' title='Been There, Done That'/><author><name>Mike Spinney</name><uri>http://www.blogger.com/profile/01938466909342152711</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://tinypic.com/i3tk01.jpg'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-21812035.post-116671290371845854</id><published>2006-12-21T06:52:00.000-08:00</published><updated>2007-02-11T09:42:49.966-08:00</updated><title type='text'>Simple Reminder</title><content type='html'>I just came across an &lt;a href="http://www.chicagotribune.com/news/nationworld/chi-0612210120dec21,1,2056825.story?coll=chi-newsnationworld-hed "&gt;interesting story &lt;/a&gt;from yesterday’s &lt;em&gt;Chicago Tribune&lt;/em&gt;.  
Seems a resident of Chicago’s West Side was able to pilfer some financial documents from a dumpster outside the offices of SFX Baseball.  The story made the news because SFX Baseball handles contract negotiations and other financial matters for professional baseball players, and the suspect in this case had accumulated PII on 91 major leaguers, including stars Jim Thome, Moises Alou, and Pedro Martinez.&lt;br /&gt;&lt;br /&gt;The story should serve as a reminder to everyone of the importance of shredding any and all documents that might provide ID thieves with a piece of your identity puzzle.&lt;br /&gt;&lt;br /&gt;You’ve got to wonder what the folks at SFX Baseball were thinking when they didn’t shred.  It’s one of the simplest ways to protect against data and identity theft.  Shredders are cheap, and there are even shredding services that will come to your office to ensure proper disposal of documents.&lt;br /&gt;&lt;br /&gt;Heck, in some places you can even find &lt;a href="http://www.realtimeshredding.com/"&gt;shredding kiosks &lt;/a&gt;where, for a little pocket change you can buy a few minutes of heavy-duty shredding.&lt;br /&gt;&lt;br /&gt;I’ve gotten fed up with tracking each new data breach story.  
There have been so many that I’d end up with a terminal case of carpal tunnel syndrome if I commented on each one, but this one caught my attention, and because the holidays are a time when people seem to be handling more financial documents than usual, it was a convenient excuse to provide a simple reminder to &lt;em&gt;shred&lt;/em&gt;.&lt;br /&gt;&lt;br /&gt;It’ll be interesting to see SFX Baseball’s reaction to this boneheaded blunder.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/21812035-116671290371845854?l=privatecomms.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://privatecomms.blogspot.com/feeds/116671290371845854/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=21812035&amp;postID=116671290371845854' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/21812035/posts/default/116671290371845854'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/21812035/posts/default/116671290371845854'/><link rel='alternate' type='text/html' href='http://privatecomms.blogspot.com/2006/12/simple-reminder.html' title='Simple Reminder'/><author><name>Mike Spinney</name><uri>http://www.blogger.com/profile/01938466909342152711</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://tinypic.com/i3tk01.jpg'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-21812035.post-116646782504014571</id><published>2006-12-18T10:48:00.000-08:00</published><updated>2006-12-20T02:50:26.046-08:00</updated><title type='text'>Speaking Their Language</title><content type='html'>Recently, during a conference call in which I and a number of privacy luminaries discussed the challenges of integrating 
privacy-related strategies within marketing campaigns, the conversation turned to language.&lt;br /&gt;&lt;br /&gt;I’ve discussed this &lt;a href="http://privatecomms.blogspot.com/2006/03/qa-with-schwab-cpo-janet-chapman.html"&gt;phenomenon &lt;/a&gt;a few times in the past, but in this instance it became clear that successfully communicating privacy’s value is about more than simply expressing facts and figures to colleagues, but about understanding and speaking in their language.&lt;br /&gt;&lt;br /&gt;What does that mean?  Marketers want to know that what you are selling as a privacy advocate means higher conversion rates for their efforts.  They aren’t as worried about compliance as you are because that’s a check box, not a strategic initiative.  They need a compelling argument to convince them that they can be more successful at what they do.  Making the case that following a few simple guidelines will establish a trust-based relationship, and that a trust-based relationship is a more profitable relationship is the key.  Give them the data, such as studies by &lt;a href="http://www.ponemon.org "&gt;Ponemon &lt;/a&gt;and &lt;a href="http://www.yankelovich.com/ "&gt;Yankelovich&lt;/a&gt;, then show how you will work with them to achieve desired results.&lt;br /&gt;&lt;br /&gt;This is a challenge that extends well beyond the bounds of the privacy community, mind you.  Seeing things from the other guy’s perspective, anticipating questions and taking the burden of proof upon yourself in order to establish the terms of debate is the way arguments are won.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Recommendation&lt;/strong&gt;:  Be sympathetic to the challenges your colleagues face and take the initiative to be a partner in solving problems.  Don’t assume that, because you understand the issue, your colleagues will, too.  
Make your case, commit to working with them on their terms, then follow through.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/21812035-116646782504014571?l=privatecomms.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://privatecomms.blogspot.com/feeds/116646782504014571/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=21812035&amp;postID=116646782504014571' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/21812035/posts/default/116646782504014571'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/21812035/posts/default/116646782504014571'/><link rel='alternate' type='text/html' href='http://privatecomms.blogspot.com/2006/12/speaking-their-language.html' title='Speaking &lt;em&gt;Their &lt;/em&gt;Language'/><author><name>Mike Spinney</name><uri>http://www.blogger.com/profile/01938466909342152711</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://tinypic.com/i3tk01.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-21812035.post-116501537395400972</id><published>2006-12-01T15:18:00.000-08:00</published><updated>2007-01-06T23:33:01.450-08:00</updated><title type='text'>The Quest for the Holy Grail</title><content type='html'>A recent article in &lt;em&gt;The NewStandard&lt;/em&gt;, which bills itself as an independent online newspaper untainted by the corrupting influence of corporate mammon, carried an article dated November 27 with a provocative headline:&lt;br /&gt;&lt;br /&gt;     &lt;a href="http://newstandardnews.net/content/index.cfm/items/3916"&gt;"Marketers Still Free to Stalk Consumers Online"&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Written by Megan Tady, the article 
describes the activities of Internet companies and online marketers as “predatory behavior,” and reports that the US Public Interest Research Group (US PIRG) and the Center for Digital Democracy (CDD) have filed a 50-page complaint with the FTC in an effort to enlist the aid of the feds to put a stop to their attempts to achieve one-to-one communications with consumers.&lt;br /&gt;&lt;br /&gt;What a bunch of nonsense.&lt;br /&gt;&lt;br /&gt;The complaint is based on the faulty premise that interactive marketing, by definition, requires that companies spy on consumers.   It's a ridiculous and dangerous assumption, and one that ignores the concept of customer choice.  It also removes a huge incentive for companies to place a premium on treating customer information with respect.&lt;br /&gt;&lt;br /&gt;I often shop for fly fishing gear at the online properties of &lt;a href="http://www.orvis.com/store/home_page.aspx?bhcp=1"&gt;Orvis&lt;/a&gt; and &lt;a href="http://www.llbean.com/"&gt;LL Bean&lt;/a&gt;.  I have done business with both stores for years, I trust both to respect my personal information, and when they communicate with me, I’d rather they stick to telling me about the stuff I’m most likely to buy.  And as long as that trust is not violated, I’ll continue to do business with both companies and to provide them with information about my preferences so they can better serve my needs.&lt;br /&gt;&lt;br /&gt;Orvis and LL Bean don’t need to “spy” on me because they’ve earned my trust.  
That trust translates to a competitive advantage.&lt;br /&gt;&lt;br /&gt;In effect the article attacks the holy grail of marketing by saying that companies, rather than target customers and potential customers with highly specific messaging, should instead go back to the mass mail model – send postcards to tens of thousands of "residents" in a particular zip code and hope for a strong enough return to make a profit off of the effort.&lt;br /&gt;&lt;br /&gt;In marketing they call it “spray and pray,” and it is far more maddening than behavioral targeting.  Regulating away a company’s ability to target based on behavior would be counterproductive; it would eliminate an important tool that responsible companies are already using to provide consumers with better service.&lt;br /&gt;&lt;br /&gt;Behavioral targeting isn’t about spying, it’s about two-way communication and it’s about achieving a positive one-on-one experience.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/21812035-116501537395400972?l=privatecomms.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://privatecomms.blogspot.com/feeds/116501537395400972/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=21812035&amp;postID=116501537395400972' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/21812035/posts/default/116501537395400972'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/21812035/posts/default/116501537395400972'/><link rel='alternate' type='text/html' href='http://privatecomms.blogspot.com/2006/12/quest-for-holy-grail.html' title='The Quest for the Holy Grail'/><author><name>Mike Spinney</name><uri>http://www.blogger.com/profile/01938466909342152711</uri><email>noreply@blogger.com</email><gd:image 
rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://tinypic.com/i3tk01.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-21812035.post-116343368472870234</id><published>2006-11-13T07:32:00.000-08:00</published><updated>2006-11-25T10:56:58.443-08:00</updated><title type='text'>Value of Privacy Savvy Gains More Ground</title><content type='html'>Word of privacy's value is getting around to an ever-widening circle.  I recently wrote in 1to1 Privacy of the eye-opening experience I had at a business breakfast when a personal security expert spoke of how easy it is to obtain personally identifiable information - the building blocks of a credit profile.&lt;br /&gt;&lt;br /&gt;To hear the gasps of those in attendance was a reminder that, while many of those with whom I interact daily are acutely aware of privacy issues, there remains a great deal of ignorance even within groups who should know better.&lt;br /&gt;&lt;br /&gt;Last month I spoke with Daryl Gayle of &lt;em&gt;&lt;a href="http://www.targetmarketingmag.com/index.bsp"&gt;Target Marketing &lt;/a&gt;&lt;/em&gt; magazine and had a chance to advocate for greater cooperation between marketers and privacy pros.  
The results of that discussion can be found &lt;a href="http://www.targetmarketingmag.com/story/story.bsp?sid=39132&amp;var=story"&gt;here&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;There's still plenty of work to be done, but as more and more eyes open to the importance of implementing strong privacy values throughout an organization, I believe that the strength of the pro-privacy argument will be self-evident and momentum will build on its own - because it's the right thing to do.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/21812035-116343368472870234?l=privatecomms.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://privatecomms.blogspot.com/feeds/116343368472870234/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=21812035&amp;postID=116343368472870234' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/21812035/posts/default/116343368472870234'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/21812035/posts/default/116343368472870234'/><link rel='alternate' type='text/html' href='http://privatecomms.blogspot.com/2006/11/value-of-privacy-savvy-gains-more.html' title='Value of Privacy Savvy Gains More Ground'/><author><name>Mike Spinney</name><uri>http://www.blogger.com/profile/01938466909342152711</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://tinypic.com/i3tk01.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-21812035.post-116294822283763539</id><published>2006-11-07T16:15:00.000-08:00</published><updated>2006-11-07T17:10:22.950-08:00</updated><title type='text'>You've Got To Define It Before You Can Fine It</title><content type='html'>Today, over at Revenews, Peter 
Figueredo posted a &lt;a href="http://www.revenews.com/peterfigueredo/archives/002442.html"&gt;brief comment &lt;/a&gt;on the Federal Trade Commission's recent $3 million settlement with adware company Zango.&lt;br /&gt;&lt;br /&gt;Albeit briefly, Peter points out the need for a clear definition of the term "spyware."  I agree - wholeheartedly.&lt;br /&gt;&lt;br /&gt;Depending on how you define it, spyware runs the gamut from innocuous to annoying to criminal.  As a word, it is highly evocative and can be used to stir fear and create bias among certain audiences.  As a communications consultant I appreciate the strategy behind using words to achieve certain objectives, but I also believe that -- in the long run -- truth is the most effective tool in a communicator's chest.  Exaggeration, obfuscation, and other means of distortion only serve to undermine the credibility of those who use them, no matter how noble the cause or intent.&lt;br /&gt;&lt;br /&gt;Spyware &lt;em&gt;is &lt;/em&gt;a serious problem.  Devious individuals with malicious intent have become highly skilled at exploiting security vulnerabilities, including human ignorance, to plant nasty code on computers.  When that code is designed to steal information such as passwords, account information, PII, and more, then use that information to steal money or commit fraud, that's serious business and represents an accurate depiction of what I believe spyware to be.&lt;br /&gt;&lt;br /&gt;Law enforcement authorities and regulators need the power to deter and prosecute bad actors, but without a clear definition, it will be difficult to go after purveyors of spyware.  Before you fine it, you've got to define it.&lt;br /&gt;&lt;br /&gt;In April of 2004 the FTC convened a workshop on spyware, one goal of which was to draft a standard definition for the term.  
According to the workshop's &lt;a href="http://www.ftc.gov/bcp/workshops/spyware/transcript.pdf"&gt;transcript&lt;/a&gt;, it was a lively discussion, but 30 months later we are still no closer to that goal.&lt;br /&gt;&lt;br /&gt;If the industry doesn't do it, and soon, the issue will be decided through the courts by the team with the most persuasive lawyers.  If that happens, no one will be happy.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/21812035-116294822283763539?l=privatecomms.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://privatecomms.blogspot.com/feeds/116294822283763539/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=21812035&amp;postID=116294822283763539' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/21812035/posts/default/116294822283763539'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/21812035/posts/default/116294822283763539'/><link rel='alternate' type='text/html' href='http://privatecomms.blogspot.com/2006/11/youve-got-to-define-it-before-you-can.html' title='You&apos;ve Got To Define It Before You Can Fine It'/><author><name>Mike Spinney</name><uri>http://www.blogger.com/profile/01938466909342152711</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://tinypic.com/i3tk01.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-21812035.post-116066455608451073</id><published>2006-10-12T07:33:00.000-07:00</published><updated>2006-10-12T07:49:16.120-07:00</updated><title type='text'>Monthly Privacy Updates</title><content type='html'>The American Bar Association has initiated a monthly privacy update that will cover significant developments in privacy 
law and legislative activities.  The first event will be Monday, October 16, from 1p - 2p ET.  Options for attending include on-site in Washington, DC, or via teleconference.&lt;br /&gt;&lt;br /&gt;For more information about participating in Monday's update, click &lt;a href="http://www.abanet.org/antitrust/at-bb/AT10166.pdf"&gt;here&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;The ABA's events calendar can be viewed &lt;a href="http://www.abanet.org/abanet/oc/home.html"&gt;here&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;Thanks to &lt;a href="http://www.abanet.org/abanet/oc/home.html"&gt;Reed Freeman's &lt;/a&gt;  &lt;em&gt; Privacy and Information Security News &lt;/em&gt;for this item.&lt;br /&gt;&lt;br /&gt;Mike&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/21812035-116066455608451073?l=privatecomms.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://privatecomms.blogspot.com/feeds/116066455608451073/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=21812035&amp;postID=116066455608451073' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/21812035/posts/default/116066455608451073'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/21812035/posts/default/116066455608451073'/><link rel='alternate' type='text/html' href='http://privatecomms.blogspot.com/2006/10/monthly-privacy-updates.html' title='Monthly Privacy Updates'/><author><name>Mike Spinney</name><uri>http://www.blogger.com/profile/01938466909342152711</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' 
src='http://tinypic.com/i3tk01.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-21812035.post-116000972203629144</id><published>2006-10-04T17:51:00.000-07:00</published><updated>2007-02-11T08:04:16.376-08:00</updated><title type='text'>Personal Privacy Evangelist</title><content type='html'>I attended breakfast with members of the Wachusett Chamber of Commerce down the road in Sterling, Mass. this morning.  I noted a day earlier that &lt;a href="http://www.realtysecurity.com/"&gt;Robert Siciliano &lt;/a&gt;was to speak at the event, and I wanted to see the man’s presentation.&lt;br /&gt;&lt;br /&gt;If you haven’t heard of Siciliano yet, you will soon (besides within this blog post).  Siciliano is a personal security consultant who has taken up a vigorous crusade of educating regular folks about identity theft and securing PII.  Earlier this year I had occasion to trade emails with Siciliano as a source for a story I wrote on whether or not credit monitoring services were of any real value as an ID theft prevention tool.&lt;br /&gt;&lt;br /&gt;Siciliano is an evangelist.  Much of his presentation consisted of headlines, facts, and figures that I’ve been familiar with for a long while, and although he covered no new ground for me, I was fascinated by his talk for two reasons.&lt;br /&gt;&lt;br /&gt;The first was the passion he brought to the subject.  Clearly, this guy has immersed himself in the issue, and he was able to make his point without much hyperbole, but merely relying on the facts to tell their own story.&lt;br /&gt;&lt;br /&gt;The second was the reaction from other attendees.  My eyes were opened to just how little people understand the issue of personal information security.  
As Siciliano illustrated how easy it is for criminals to assemble pieces of an individual’s identification and create an alias for themselves with that information, I watched as others around the room literally gasped and sat with eyes wide open, mouths agape.&lt;br /&gt;&lt;br /&gt;More shockingly, there were representatives from a number of financial services organizations who were among the most affected by Siciliano’s revelations.&lt;br /&gt;&lt;br /&gt;As privacy professionals, one of our biggest challenges is in education.  Unless and until greater awareness, based on fact and reason, is generated about the issue of identity fraud and personal information security, we will continue to see more people victimized.  The problem is that, while the chances are they will suffer because of their own ignorance, those of us who serve them will pay the price through the erosion of trust.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/21812035-116000972203629144?l=privatecomms.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://privatecomms.blogspot.com/feeds/116000972203629144/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=21812035&amp;postID=116000972203629144' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/21812035/posts/default/116000972203629144'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/21812035/posts/default/116000972203629144'/><link rel='alternate' type='text/html' href='http://privatecomms.blogspot.com/2006/10/personal-privacy-evangelist.html' title='Personal Privacy Evangelist'/><author><name>Mike Spinney</name><uri>http://www.blogger.com/profile/01938466909342152711</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' 
width='24' height='32' src='http://tinypic.com/i3tk01.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-21812035.post-115954187447949777</id><published>2006-09-29T07:54:00.000-07:00</published><updated>2006-09-29T07:57:54.496-07:00</updated><title type='text'>ID Theft Underground Exposed</title><content type='html'>The Washington Post's Brian Krebs has a very interesting post in his blog, &lt;em&gt;Security Fix&lt;/em&gt;.&lt;br /&gt;&lt;br /&gt;Check it out &lt;a href="http://blog.washingtonpost.com/securityfix/2006/09/shopadmins_and_the_id_theft_cy.html#more"&gt;here&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;Mike&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/21812035-115954187447949777?l=privatecomms.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://privatecomms.blogspot.com/feeds/115954187447949777/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=21812035&amp;postID=115954187447949777' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/21812035/posts/default/115954187447949777'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/21812035/posts/default/115954187447949777'/><link rel='alternate' type='text/html' href='http://privatecomms.blogspot.com/2006/09/id-theft-underground-exposed.html' title='ID Theft Underground Exposed'/><author><name>Mike Spinney</name><uri>http://www.blogger.com/profile/01938466909342152711</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' 
src='http://tinypic.com/i3tk01.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-21812035.post-115936517157923128</id><published>2006-09-27T06:45:00.000-07:00</published><updated>2006-09-27T07:03:05.166-07:00</updated><title type='text'>A Taste of Things to Come</title><content type='html'>I’m writing a new article for the &lt;em&gt;&lt;a href="https://www.privacyassociation.org/index.php?option=com_content&amp;task=view&amp;id=839&amp;Itemid=73"&gt;1to1: Privacy &lt;/a&gt;&lt;/em&gt;newsletter that will open some eyes.  The article will appear in the October issue.&lt;br /&gt;&lt;br /&gt;I won’t go into a lot of detail since that would be unfair to my editor, but I want to give readers of this blog a little taste.  You can &lt;a href="https://www.privacyassociation.org/index.php?option=com_content&amp;task=view&amp;id=13&amp;Itemid=73"&gt;subscribe &lt;/a&gt;(free) to the newsletter, by the way, so if you don’t already get it, browse on over and do so.&lt;br /&gt;&lt;br /&gt;The inspiration behind this article is the cumulative effect of four recent &lt;a href="http://www.ponemon.org"&gt;Ponemon &lt;/a&gt;studies.  The first three, on the subject of data protection, offered insight into the root causes of poor data protection and ways to successfully address this situation.  
The fourth study examined the attitudes of marketing executives when it comes to privacy functions and initiatives.&lt;br /&gt;&lt;br /&gt;Taking the full measure of these studies, there are some interesting conclusions that can be drawn, and I discuss these theories with Larry Ponemon, architect of the surveys, as well as Nick Copping, co-CEO of &lt;a href="http://www.zoommarketing.com/"&gt;ZOOM Marketing&lt;/a&gt;, and noted privacy consultant Alan Chapell of &lt;a href="http://www.chapellassociates.com/"&gt;Chapell &amp; Associates&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;Whether you are a privacy pro struggling to work with a seemingly stubborn marketing department, or if you are a marketer wondering how to balance the requirements of privacy policy with the expectations of a successful marketing campaign, I hope this article sparks the sort of conversation that serves as your first step toward reconciliation of your individual goals.&lt;br /&gt;&lt;br /&gt;If I or any of my associates can be of any help in this effort, don't hesitate to get in touch.&lt;br /&gt;&lt;br /&gt;Mike&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/21812035-115936517157923128?l=privatecomms.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://privatecomms.blogspot.com/feeds/115936517157923128/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=21812035&amp;postID=115936517157923128' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/21812035/posts/default/115936517157923128'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/21812035/posts/default/115936517157923128'/><link rel='alternate' type='text/html' href='http://privatecomms.blogspot.com/2006/09/taste-of-things-to-come.html' title='A Taste of Things to 
Come'/><author><name>Mike Spinney</name><uri>http://www.blogger.com/profile/01938466909342152711</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://tinypic.com/i3tk01.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-21812035.post-115876454039380796</id><published>2006-09-20T08:00:00.000-07:00</published><updated>2006-09-20T14:29:21.056-07:00</updated><title type='text'>Sweet Confirmation</title><content type='html'>Earlier this week the &lt;a href="http://www.cmocouncil.org"&gt;CMO Council &lt;/a&gt; announced the results of a new study, entitled &lt;em&gt;Secure the Trust of Your Brand: How Security and IT Integrity Influence Corporate Brands&lt;/em&gt;.  The study investigates precisely what the name implies: the impact of security on brand influence.&lt;br /&gt;&lt;br /&gt;Many of the findings in &lt;em&gt;Secure the Trust&lt;/em&gt;, which was sponsored by Symantec and Factiva, were in keeping with similar studies, offering support for a number of points we know to be true either from the research of other groups, or anecdotally.  For example, we know that poor security, evinced by news of a breach, can erode brand confidence and that multiple breaches are likely to prompt significant customer defections.  We also know that poor security can negatively affect stock performance.&lt;br /&gt;&lt;br /&gt;Some of the findings, however, were new and interesting.  
In addition to the CMO Council’s analysis of media coverage of breaches (which, as a comms analyst, I found compelling), there was one point that stood out, which was summarized in the press release announcing the study:&lt;br /&gt;&lt;br /&gt;“While both corporate marketers and business executives indicate emphatically that security concerns are rising for their companies and their customers, just 29 percent of marketers say that their company has a crisis containment plan in case of a security breach. Furthermore, although 60 percent of marketers believe that security and IT integrity provide an opportunity for brand differentiation, 60 percent also say that security has not become a more significant theme in their company’s messaging and marketing communications.”&lt;br /&gt;&lt;br /&gt;That first sentence jumped out at me.  Only &lt;strong&gt;&lt;em&gt;29 percent &lt;/em&gt;&lt;/strong&gt;have a crisis containment plan.&lt;br /&gt;&lt;br /&gt;That’s a startling figure, but I was glad to read it.  Glad because, as a consultant who follows this game, I have seen in the public response to breaches that many companies react in a way that strongly suggests unpreparedness.  
I would not have guessed that number was that low, however, so I was also glad to have quantifiable evidence to back up my own beliefs.&lt;br /&gt;&lt;br /&gt;If you are among the 71 percent of companies operating without a crisis containment plan, you need to get in touch with me…&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/21812035-115876454039380796?l=privatecomms.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://privatecomms.blogspot.com/feeds/115876454039380796/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=21812035&amp;postID=115876454039380796' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/21812035/posts/default/115876454039380796'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/21812035/posts/default/115876454039380796'/><link rel='alternate' type='text/html' href='http://privatecomms.blogspot.com/2006/09/sweet-confirmation.html' title='Sweet Confirmation'/><author><name>Mike Spinney</name><uri>http://www.blogger.com/profile/01938466909342152711</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://tinypic.com/i3tk01.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-21812035.post-115832655145248345</id><published>2006-09-15T06:22:00.000-07:00</published><updated>2006-09-15T06:22:31.470-07:00</updated><title type='text'>Twice Bitten</title><content type='html'>Got a letter last week that I received with mixed emotions.  
It was a breach notice letter from the &lt;a href="http://www.carlson.com/"&gt;Carlson Companies&lt;/a&gt;, an organization I do business with regularly.&lt;br /&gt;&lt;br /&gt;I say "mixed emotions" because, while such letters are never good news, the arrival of one is not shocking.  I'll even go so far as to say that receipt of a breach notice letter should be an expected event for most people.&lt;br /&gt;&lt;br /&gt;I debated writing about this particular letter because of my ongoing business relationship with the company, but eventually decided to go ahead.  Two reasons drove my decision.  The first is that I don't think it's right for me to blog about one breach that affects me, but not discuss another.  If I'm going to be fair, I need to discuss any and all breaches in which I have a stake.&lt;br /&gt;&lt;br /&gt;The other reason is that, after a detailed reading, I think Carlson's response to their data loss incident is excellent, and can serve as a model for other organizations facing similar circumstances.&lt;br /&gt;&lt;br /&gt;There's an ironic twist to this particular letter.  My association with Carlson is through their &lt;a href="http://www.peppersandrogers.com"&gt;Peppers &amp; Rogers &lt;/a&gt;marketing division which, in partnership with the International &lt;a href="https://www.privacyassociation.org"&gt;Association of Privacy Professionals&lt;/a&gt;, publishes the &lt;em&gt;&lt;a href="http://www.1to1media.com/issues.aspx?publication=20741"&gt;1to1: Privacy&lt;/a&gt;&lt;/em&gt; newsletter.  I am a regular contributor to that newsletter.&lt;br /&gt;&lt;br /&gt;In brief, the letter informs me that "an employee on a field assignment had a laptop stolen from a locked rental car."  A common occurrence.  
I'll reference an August 15 &lt;a href="http://www.vontu.com/news/release_detail.asp?id=532"&gt;Vontu-sponsored study &lt;/a&gt;by the &lt;a href="http://www.ponemon.org"&gt;Ponemon Institute &lt;/a&gt;(with whom I work) in which it was found that 81 percent of companies have experienced the loss of a laptop computer in the last twelve months.  My personal information, including name and Social Security number, was on that laptop.&lt;br /&gt;&lt;br /&gt;I'll summarize what I like about the way Carlson handled this incident:&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;The letter is brief.&lt;/strong&gt;  All the information I need to know is presented on one page.&lt;br /&gt;&lt;strong&gt;The letter is to the point. &lt;/strong&gt; There's no unnecessary talking around issues.&lt;br /&gt;&lt;strong&gt;The letter doesn't induce panic.&lt;/strong&gt;  The letter deals with facts, not fear, and presents the situation in such a way that I have a realistic understanding of my situation.&lt;br /&gt;&lt;strong&gt;The letter takes responsibility. &lt;/strong&gt; Carlson doesn't attempt to dodge here, and they provide me with information to take advantage of a 12 month credit monitoring service, at their expense, that includes daily monitoring and alerts, $25,000 ID Theft insurance, and more.&lt;br /&gt;&lt;strong&gt;The letter arms me with useful information.&lt;/strong&gt;  Carlson offers advice and points me to resources that I should be aware of knowing that my PII has been put at risk.&lt;br /&gt;&lt;br /&gt;Finally, when I read the Carlson notice letter, I'm not overwhelmed with a style of writing that tells me it was written by a team of lawyers.  
The letter is written in a professional and easy-to-understand voice.&lt;br /&gt;&lt;br /&gt;I'm sure Carlson would have rather not found themselves in a situation requiring that they send such a letter, but unlike other notices I've seen and received, their reaction stands out.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/21812035-115832655145248345?l=privatecomms.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://privatecomms.blogspot.com/feeds/115832655145248345/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=21812035&amp;postID=115832655145248345' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/21812035/posts/default/115832655145248345'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/21812035/posts/default/115832655145248345'/><link rel='alternate' type='text/html' href='http://privatecomms.blogspot.com/2006/09/twice-bitten.html' title='Twice Bitten'/><author><name>Mike Spinney</name><uri>http://www.blogger.com/profile/01938466909342152711</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://tinypic.com/i3tk01.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-21812035.post-115798722186943631</id><published>2006-09-11T07:44:00.000-07:00</published><updated>2006-09-11T08:07:01.886-07:00</updated><title type='text'>Summer's Over</title><content type='html'>Astronomically speaking we still have ten days of summer left, as the autumnal equinox doesn't occur until September 21.  
Meteorologically we may have a month or more of summer weather remaining, though it will come in increasingly shorter spurts (recall that I am writing this from my home in Central Massachusetts).  But for practical purposes, my daughter returned to school today, so summer is over.&lt;br /&gt;&lt;br /&gt;I half joked to a friend yesterday that I shaved, got a haircut, and sent those clothes that needed it to the cleaners in preparation for a return to business as usual.&lt;br /&gt;&lt;br /&gt;I apologize (again) for my less-than-faithful attention to this blog.  I had enough going on that made an unannounced hiatus from blogging a convenient thing to do.&lt;br /&gt;&lt;br /&gt;In the meantime, I've posted plenty over at &lt;a href="http://www.spot-on.com/"&gt;Spot-On &lt;/a&gt;and had a byline appear in &lt;a href="http://www.inc.com/magazine/20060801/handson-sales.html"&gt;Inc. Magazine&lt;/a&gt;.  That, plus my work with the great folks at the &lt;a href="http://www.ponemon.org"&gt;Ponemon Institute &lt;/a&gt;and my appointment as co-chair for the Boston Chapter of the International Association of Privacy Professionals &lt;a href="https://www.privacyassociation.org/index.php?option=com_content&amp;task=view&amp;id=330&amp;Itemid=77"&gt;KnowledgeNet&lt;/a&gt;.  So, you see, I haven't been lazing around the last 90 days or so.&lt;br /&gt;&lt;br /&gt;Lucky for me summer was a quiet one for privacy.  Hardly a blip to comment on, unless you count minor events like AOL's search term fiasco, HP's emerging pretexting scandal, Sovereign Bank's laptop theft, AT&amp;T's hack, the Department of Education's technical glitch, Chevron's laptop loss...&lt;br /&gt;&lt;br /&gt;Oh, and I have personally been affected by my second exposure this year.  Having already been put at risk by the Department of Veterans Affairs, I got a letter in the mail last week telling me of another breach that could have exposed my PII to unsavory elements.  
More on that in my next post.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/21812035-115798722186943631?l=privatecomms.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://privatecomms.blogspot.com/feeds/115798722186943631/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=21812035&amp;postID=115798722186943631' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/21812035/posts/default/115798722186943631'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/21812035/posts/default/115798722186943631'/><link rel='alternate' type='text/html' href='http://privatecomms.blogspot.com/2006/09/summers-over.html' title='Summer&apos;s Over'/><author><name>Mike Spinney</name><uri>http://www.blogger.com/profile/01938466909342152711</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://tinypic.com/i3tk01.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-21812035.post-115152731054945389</id><published>2006-06-28T13:25:00.000-07:00</published><updated>2006-06-29T05:59:15.006-07:00</updated><title type='text'>Reasons, not Excuses</title><content type='html'>Yes, yes... I know it's been 20 days since I posted anything of note here.&lt;br /&gt;&lt;br /&gt;Once again, please accept my apologies.&lt;br /&gt;&lt;br /&gt;The reasons for my delinquency are manifold, but the two primary reasons are:&lt;br /&gt;&lt;br /&gt;1.  I've been creating content for &lt;a href="http://www.spot-on.com"&gt;www.spot-on.com&lt;/a&gt;, where I will be among the regular stable of contributors beginning in July, and&lt;br /&gt;&lt;br /&gt;2.  
I've been asked to join the &lt;a href="http://www.ponemon.org"&gt;Ponemon Institute &lt;/a&gt;to work with that firm on their communications needs&lt;br /&gt;&lt;br /&gt;Both opportunities have me excited.  Spot-on because I'll be part of a fast-growing, Internet-based opinion mill with some influence.  Chris Nolan is to be commended for what she's created, and I'm humbled to have been asked to be a part of it.&lt;br /&gt;&lt;br /&gt;And, of course, getting together with Larry Ponemon, for whom I have the utmost respect, is a dynamite stroke of luck for me.  Larry's groundbreaking research on issues of privacy and trust has been influential in the development of my personal philosophy and approach to communications.&lt;br /&gt;&lt;br /&gt;Those are the reasons, but they aren't excuses, so I'll get back to regular postings this week.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/21812035-115152731054945389?l=privatecomms.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://privatecomms.blogspot.com/feeds/115152731054945389/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=21812035&amp;postID=115152731054945389' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/21812035/posts/default/115152731054945389'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/21812035/posts/default/115152731054945389'/><link rel='alternate' type='text/html' href='http://privatecomms.blogspot.com/2006/06/reasons-not-excuses.html' title='Reasons, not Excuses'/><author><name>Mike Spinney</name><uri>http://www.blogger.com/profile/01938466909342152711</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' 
src='http://tinypic.com/i3tk01.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-21812035.post-115083515755482151</id><published>2006-06-20T13:13:00.000-07:00</published><updated>2006-06-20T13:25:57.576-07:00</updated><title type='text'>Apologies</title><content type='html'>It's been a busy week.  A lot has happened, and I'll inform you of some developments in the next few days.  I'll also get around to (finally) finishing my critique of the VA's Q&amp;A, as promised.&lt;br /&gt;&lt;br /&gt;Thanks for your patience.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/21812035-115083515755482151?l=privatecomms.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://privatecomms.blogspot.com/feeds/115083515755482151/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=21812035&amp;postID=115083515755482151' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/21812035/posts/default/115083515755482151'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/21812035/posts/default/115083515755482151'/><link rel='alternate' type='text/html' href='http://privatecomms.blogspot.com/2006/06/apologies.html' title='Apologies'/><author><name>Mike Spinney</name><uri>http://www.blogger.com/profile/01938466909342152711</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://tinypic.com/i3tk01.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-21812035.post-114981966592165265</id><published>2006-06-08T19:16:00.000-07:00</published><updated>2006-12-19T03:26:46.506-08:00</updated><title type='text'>VA Notification Letter Critique</title><content type='html'>The letter I received from the 
VA notifying me that my personally identifiable information may be at risk following the May 3 theft of an employee’s laptop computer is a mixed bag.  I’ll outline the letter for you here:&lt;br /&gt;&lt;br /&gt;For starters, the letter is short.  Six paragraphs in length, fitting nicely on one side of a sheet of standard 8.5” x 11” bond paper, it’s not the sort of lengthy missive that is more likely to get wadded than read, so that’s a plus.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Paragraph One &lt;/strong&gt;gives a brief description of what happened, tells me that my PII was “potentially exposed to others,” and points out that no health or financial information was included in the breach.  &lt;strong&gt;Paragraph Two &lt;/strong&gt;continues the tale, informing me that the FBI and VA inspector general are on the job investigating.  Without getting into a dissertation about the veracity of the letter’s account, I think it’s an opening that gives the letter proper context without raising unnecessary fear or shrugging off responsibility.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Paragraph Three &lt;/strong&gt;points to resources made available for veterans who may be concerned about the safety of their PII, or who believe someone is using their information for nefarious reasons.  A web site and a phone number with hours of operation are noted.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Paragraph Four &lt;/strong&gt;cautions the recipient about possible schemes fraudsters may use to obtain more information by calling or emailing under the guise of a federal agency.  
This is an especially important point since many of the 26.5 million vets may be inclined to fall for such social engineering techniques believing they are helping a government agency protect their financial safety.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Paragraph Five &lt;/strong&gt;is a mea culpa, and &lt;strong&gt;Paragraph Six &lt;/strong&gt;closes with an explanation as to why the IRS was the mailing agency along with assurance that the IRS shared no address or financial information with the VA.&lt;br /&gt;&lt;br /&gt;Overall, I like the letter.  There’s no unnecessary detail, no fear-mongering, and no finger pointing.  What’s &lt;em&gt;missing &lt;/em&gt;from the letter, however, is the availability of credit monitoring and other protective/precautionary services.  I realize this is because the VA has not yet ponied up to absorb the cost of such services for all the affected vets, but I believe that service should be standard practice in such cases.&lt;br /&gt;&lt;br /&gt;Also, in &lt;strong&gt;Paragraph Five&lt;/strong&gt;, the VA states “we want to reassure you we have no evidence that your protected data has been misused.”  First, I’d hardly call the data “protected” since the lack of protection is why I’m getting this letter in the first place.  Second, it’s unlikely that the compromised data would, just over a month after the theft, already be seeing fraudulent use.&lt;br /&gt;&lt;br /&gt;More on that when I look at the Q&amp;A…tomorrow.&lt;br /&gt;&lt;br /&gt;Room for improvement, certainly, but a good effort - especially considering we're talking about a federal agency and 26.5 million points of contact.  
I'll give it a B+.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/21812035-114981966592165265?l=privatecomms.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://privatecomms.blogspot.com/feeds/114981966592165265/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=21812035&amp;postID=114981966592165265' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/21812035/posts/default/114981966592165265'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/21812035/posts/default/114981966592165265'/><link rel='alternate' type='text/html' href='http://privatecomms.blogspot.com/2006/06/va-notification-letter-critique.html' title='VA Notification Letter Critique'/><author><name>Mike Spinney</name><uri>http://www.blogger.com/profile/01938466909342152711</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://tinypic.com/i3tk01.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-21812035.post-114977110046038668</id><published>2006-06-08T05:43:00.000-07:00</published><updated>2006-06-08T05:51:40.473-07:00</updated><title type='text'>Privacy, European Style</title><content type='html'>Here's a quick reminder to anyone working in or with companies within the EU:&lt;br /&gt;&lt;br /&gt;Privacy Laws and Business, the premier European privacy organization, is holding their annual (19th annual!) privacy conference from July 3-5 at St. 
John's College in Cambridge, UK.&lt;br /&gt;&lt;br /&gt;For more information, click here:&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.privacylaws.com/pdfs/annualconference/ac19programme.pdf"&gt;Privacy Laws &amp; Business 19th Annual International Conference&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;This is one of the best privacy conferences in the world, particularly if you deal with the intricacies of moving sensitive data across international borders.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/21812035-114977110046038668?l=privatecomms.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://privatecomms.blogspot.com/feeds/114977110046038668/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=21812035&amp;postID=114977110046038668' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/21812035/posts/default/114977110046038668'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/21812035/posts/default/114977110046038668'/><link rel='alternate' type='text/html' href='http://privatecomms.blogspot.com/2006/06/privacy-european-style.html' title='Privacy, European Style'/><author><name>Mike Spinney</name><uri>http://www.blogger.com/profile/01938466909342152711</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://tinypic.com/i3tk01.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-21812035.post-114973280461679145</id><published>2006-06-07T18:54:00.000-07:00</published><updated>2006-06-07T19:13:24.626-07:00</updated><title type='text'>Quick VA Breach Update</title><content type='html'>I thought I'd let you all know I got a letter in the mail from the VA today letting me know about the breach.  
I took a quick look through, but will examine the letter more closely tomorrow.  The notification includes a one-page letter and a two-page Q&amp;A.&lt;br /&gt;&lt;br /&gt;I've already spotted some things I don't like, and I'll share specifics with you after a thorough analysis.  Communications with customers/constituents is a critical part of the process of building trust and especially with bridging the trust gap.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/21812035-114973280461679145?l=privatecomms.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://privatecomms.blogspot.com/feeds/114973280461679145/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=21812035&amp;postID=114973280461679145' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/21812035/posts/default/114973280461679145'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/21812035/posts/default/114973280461679145'/><link rel='alternate' type='text/html' href='http://privatecomms.blogspot.com/2006/06/quick-va-breach-update.html' title='Quick VA Breach Update'/><author><name>Mike Spinney</name><uri>http://www.blogger.com/profile/01938466909342152711</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://tinypic.com/i3tk01.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-21812035.post-114971718577323990</id><published>2006-06-07T14:44:00.000-07:00</published><updated>2006-06-07T14:53:05.783-07:00</updated><title type='text'>Private Communications Interviewed for Podcast</title><content type='html'>While I'm at the point where I feel like commenting on the spate of breaches involving mobile data is getting redundant, I 
was asked to comment on the incidents for a podcast at TechTarget's SearchSecurity.com, so I thought I'd provide the link to you all.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://media.techtarget.com/audioCast/SECURITY/SecurityWireWeekly_mp3_6-6-06.mp3"&gt;Breach Podcast&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;a href="http://searchsecurity.techtarget.com"&gt;SearchSecurity&lt;/a&gt; editor Bill Brenner, who picked up on my &lt;a href="http://searchsecurity.techtarget.com/columnItem/0,294698,sid14_gci1190758,00.html"&gt;angst &lt;/a&gt;following disclosure of the VA breach, invited me to participate in this week's podcast, which I was more than happy to do.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/21812035-114971718577323990?l=privatecomms.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://privatecomms.blogspot.com/feeds/114971718577323990/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=21812035&amp;postID=114971718577323990' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/21812035/posts/default/114971718577323990'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/21812035/posts/default/114971718577323990'/><link rel='alternate' type='text/html' href='http://privatecomms.blogspot.com/2006/06/private-communications-interviewed-for.html' title='Private Communications Interviewed for Podcast'/><author><name>Mike Spinney</name><uri>http://www.blogger.com/profile/01938466909342152711</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' 
src='http://tinypic.com/i3tk01.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-21812035.post-114912467258275745</id><published>2006-05-31T17:56:00.000-07:00</published><updated>2006-05-31T18:17:52.593-07:00</updated><title type='text'>Sacrificial Lambs?</title><content type='html'>According to reports in the &lt;a href="http://www.washingtonpost.com/wp-dyn/content/article/2006/05/30/AR2006053001204.html"&gt;Washington Post&lt;/a&gt;, among other news organizations, Michael H. McLendon, deputy assistant secretary for policy with Veterans Affairs, "resigned" as a result of the May 3 data breach announced May 22, just prior to Memorial Day.  Veterans officials have also notified the civil servant from whose home the data was stolen that he will be terminated as a result of the breach.&lt;br /&gt;&lt;br /&gt;Swift action, but is it merely window dressing for a practice that, according to this story in &lt;a href="http://www.informationweek.com/security/showArticle.jhtml?articleID=188500733&amp;subSection=Privacy"&gt;Information Week&lt;/a&gt;, has been going on for years?  If this individual was known to have been transporting sensitive data since 2003, how many others have been doing the same thing?&lt;br /&gt;&lt;br /&gt;McLendon and the unnamed VA employee have lost their jobs, but did the axe fall high enough and often enough to send the message that the VA is serious about revising its data security policy?  I can only hope that is the case and that Veterans isn't just scapegoating these two individuals for the sake of saving face, while others equally culpable remain entrenched at the public trough.  
&lt;br /&gt;&lt;br /&gt;Only time will tell if the VA and other federal (and state) agencies finally get it, or if sloppy data security will remain de facto policy.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/21812035-114912467258275745?l=privatecomms.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://privatecomms.blogspot.com/feeds/114912467258275745/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=21812035&amp;postID=114912467258275745' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/21812035/posts/default/114912467258275745'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/21812035/posts/default/114912467258275745'/><link rel='alternate' type='text/html' href='http://privatecomms.blogspot.com/2006/05/sacrificial-lambs.html' title='Sacrificial Lambs?'/><author><name>Mike Spinney</name><uri>http://www.blogger.com/profile/01938466909342152711</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://tinypic.com/i3tk01.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-21812035.post-114839047417544479</id><published>2006-05-23T05:39:00.000-07:00</published><updated>2006-06-07T17:41:33.680-07:00</updated><title type='text'>In God We Trust, but the Government's Blowing It</title><content type='html'>Bob Sullivan's excellent work via his Red Tape Chronicles blog continues with this &lt;a href="http://redtape.msnbc.com/2006/05/vets_deserve_be.html"&gt;report&lt;/a&gt; on the theft of the PII of nearly 27 million U.S. 
military veterans discharged since 1975.&lt;br /&gt;&lt;br /&gt;There are plenty of reports available on the story, so I won't go into the details beyond the basic: a Veterans Affairs employee downloaded the files to a laptop in order to do some work at home.  The employee's home was burglarized and some stuff stolen, including the laptop and disks containing the veterans' information.&lt;br /&gt;&lt;br /&gt;As a veteran, discharged from the U.S. Navy in 1987, this one hits home.  There's a very good chance my information is on the stolen disk.  But I'm not here to gripe about the fact that I now have to pay closer attention to my credit records.&lt;br /&gt;&lt;br /&gt;Government institutions have a lousy record when it comes to protecting data.  Taking state government out of the equation (including state colleges and universities), federal agencies had lost the records of more than 668,000 individuals since the &lt;a href="http://www.privacyrights.org/ar/ChronDataBreaches.htm#CP"&gt;Privacy Rights Clearinghouse &lt;/a&gt;started keeping track back in February of 2005.  The list of federal breaches includes the Department of Justice (80k), U.S. Air Force (33k), U.S. Marine Corps (207k), Department of Agriculture (350k), and the Federal Deposit Insurance Corporation (6k).  
It doesn't include an April 28, 2006 breach at the Department of Defense in which an unknown number of personal records was compromised.&lt;br /&gt;&lt;br /&gt;Add this week's 26.5 million veterans and the federal government accounts for at least &lt;strong&gt;one third &lt;/strong&gt;of the 81+ million data records the PRC says have been compromised since ChoicePoint.&lt;br /&gt;&lt;br /&gt;This doesn't mean that Congress has lost its moral authority to draft and enact federal data protection and notification law, but it does mean that the federal government needs to quickly and forcefully address its own shortcomings with regard to data protection.&lt;br /&gt;&lt;br /&gt;As we know, consumers prefer to do business with companies they trust.  Larry Ponemon's research has consistently confirmed that fact.  Citizens should also be able to trust the governmental institutions that they must do business with each day.  Furthermore, government has a responsibility to be accountable to the People and to work each day to earn and build that trusting relationship.  
In addition to the major issues of the day, it is "little" things like this news that erode confidence in government, and that's a dangerous proposition.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;(As an aside, it's just a hunch, but it would not shock me at all to learn at some point down the road that this was a case of insider data theft made to look like a burglary.)&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/21812035-114839047417544479?l=privatecomms.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://privatecomms.blogspot.com/feeds/114839047417544479/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=21812035&amp;postID=114839047417544479' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/21812035/posts/default/114839047417544479'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/21812035/posts/default/114839047417544479'/><link rel='alternate' type='text/html' href='http://privatecomms.blogspot.com/2006/05/in-god-we-trust-but-governments.html' title='In God We Trust, but the Government&apos;s Blowing It'/><author><name>Mike Spinney</name><uri>http://www.blogger.com/profile/01938466909342152711</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://tinypic.com/i3tk01.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-21812035.post-114808790492688274</id><published>2006-05-19T17:24:00.000-07:00</published><updated>2006-05-19T18:18:24.940-07:00</updated><title type='text'>Somebody Stop This Guy</title><content type='html'>Don't mean to harp on the RFID issue, especially as it relates to the ongoing conflict between &lt;a href="http://www.spychips.com"&gt;CASPIAN &lt;/a&gt;and 
anyone developing or using the technology, but this latest development offers a great illustration of what I mean when I say the industry needs to be more aggressive -- and smarter -- about the way it communicates.&lt;br /&gt;&lt;br /&gt;RFID is a technology.  It is neither good nor evil, but the latter characteristic has been applied to RFID by CASPIAN, and they are relentless in their efforts to demonize RFID, capitalizing on the natural inclination of people to fear or mistrust things they don't understand.&lt;br /&gt;&lt;br /&gt;I'll grant you that some uses of RFID do evoke the dreaded "creepy factor," and CASPIAN exploits this dynamic very well.&lt;br /&gt;&lt;br /&gt;And it's easy to do when someone like Scott Silverman is on the loose.&lt;br /&gt;&lt;br /&gt;Silverman is chairman and CEO of &lt;a href="http://www.adsx.com/index.html"&gt;Applied Digital&lt;/a&gt;, parent company of &lt;a href="http://www.verichipcorp.com/"&gt;VeriChip Corporation&lt;/a&gt;, makers of the infamous &lt;a href="http://www.verichipcorp.com/content/company/our_technology"&gt;VeriChip &lt;/a&gt;implantable RFID capsule.&lt;br /&gt;&lt;br /&gt;Recently, Silverman was interviewed on FOX News discussing VeriChip's potential use in the fight against illegal immigration.&lt;br /&gt;&lt;br /&gt;CASPIAN gleefully makes a transcript of that &lt;a href="http://www.spychips.com/press-releases/silverman-foxnews.html"&gt;interview &lt;/a&gt;available for you to read.&lt;br /&gt;&lt;br /&gt;I have to believe that Mr. Silverman is acutely aware of the controversy that surrounds his company's product; I have to believe that Mr. Silverman is acutely aware of the volatile combination of implantable RFID and the government; I have to believe that Mr. 
Silverman is acutely aware that there is no shortage of people who utterly &lt;em&gt;fear&lt;/em&gt; the potential for abuse of his company's product.&lt;br /&gt;&lt;br /&gt;Why, then, does he go on national television and make statements like:&lt;br /&gt;&lt;br /&gt;&lt;em&gt;"...obviously, [VeriChip] can be applicable for the immigration issues we face today as well."&lt;/em&gt;&lt;br /&gt;&lt;br /&gt;A clear reference to use of an RFID chip to track people.&lt;br /&gt;&lt;br /&gt;&lt;em&gt;"[Implantation is] an election on the part of the immigrant or an election on the part of the government."&lt;/em&gt;&lt;br /&gt;&lt;br /&gt;Perhaps a misstatement, but implying that either an individual &lt;em&gt;or &lt;/em&gt;the government can decide who to implant and track.&lt;br /&gt;&lt;br /&gt;Making matters worse, Silverman absolutely bungles his description of how VeriChip works by speaking technoese.  The words and phrases he uses (application, serial port, scanner/proprietary scanner, database, passive device) do nothing to placate a paranoid public and demonstrate any real value behind the technology.  Silverman is talking with, among others on the show, New York Giant running back Tiki Barber and potentially millions of average Americans; he's not addressing a conference of the IEEE.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Observation&lt;/strong&gt;:  Silverman appears to have a poor grasp of how to effectively use communications to build trust and confidence in a situation that clearly calls for such an approach.  That, or his apparent indifference is an indication of institutional arrogance.  
Either way, you can almost hear the collective cringe of the RFID industry upon the realization that, with every such interview, the challenge of overcoming RFID's negative perceptions grows more difficult.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/21812035-114808790492688274?l=privatecomms.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://privatecomms.blogspot.com/feeds/114808790492688274/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=21812035&amp;postID=114808790492688274' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/21812035/posts/default/114808790492688274'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/21812035/posts/default/114808790492688274'/><link rel='alternate' type='text/html' href='http://privatecomms.blogspot.com/2006/05/somebody-stop-this-guy.html' title='Somebody Stop This Guy'/><author><name>Mike Spinney</name><uri>http://www.blogger.com/profile/01938466909342152711</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://tinypic.com/i3tk01.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-21812035.post-114795868707819929</id><published>2006-05-18T06:00:00.000-07:00</published><updated>2006-05-18T06:31:48.256-07:00</updated><title type='text'>RFID Panel Post-Mortem</title><content type='html'>Last night's RFID panel discussion went very well.  
Tony Imbriaco of &lt;a href="http://www.ianywhere.com"&gt;iAnywhere Solutions&lt;/a&gt; opened with an excellent overview on the technology that included a wealth of real-world examples of how RFID is providing real value to business.&lt;br /&gt;&lt;br /&gt;The panel I moderated took that discussion closer to ground level, with each of the panelists offering greater detail on various elements of RFID deployment, including network level infrastructure, readers and edge devices, necessary intelligence, and integration into end-user environments.&lt;br /&gt;&lt;br /&gt;Of course the privacy issue was on the minds of the audience, who wanted to know what was being done to protect patient privacy in healthcare and consumer privacy in retail settings.  Similar inquiries came in related to Viisage's combination of RFID and biometrics in their border security products.&lt;br /&gt;&lt;br /&gt;It all underscored what I've known for a long time: not enough is being done to educate the public on the critical issues related to RFID (and biometrics and other technologies).&lt;br /&gt;&lt;br /&gt;There was a healthy audience, especially in consideration of the rains and flooding that have affected the Merrimack Valley and a great deal of coastal New England this week.  Kudos to the organizers for putting on an illuminating event.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Observation:&lt;/strong&gt; I still believe strongly that the greater good available through RFID is being obscured by the protests of a vocal minority, but I also believe that companies involved in the development and marketing of RFID need to change their approach to discussing the subject.&lt;br /&gt;&lt;br /&gt;Too often, technology companies seem incapable or unwilling to convey concepts in non-technical terms.  Industry lexicon, jargon, acronyms, and cliche are the order of the day.  
It doesn't have to be that way.&lt;br /&gt;&lt;br /&gt;Translation of complex technological concepts into Plain English is not difficult.  Illustrating ideas with analogies taken from everyday examples is a must.  Even if the communication is intended for an industry audience, this approach will help establish clear communication as a habit.&lt;br /&gt;&lt;br /&gt;I think the panel took a step in that direction last night, but as an industry there is a long way to go.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/21812035-114795868707819929?l=privatecomms.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://privatecomms.blogspot.com/feeds/114795868707819929/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=21812035&amp;postID=114795868707819929' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/21812035/posts/default/114795868707819929'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/21812035/posts/default/114795868707819929'/><link rel='alternate' type='text/html' href='http://privatecomms.blogspot.com/2006/05/rfid-panel-post-mortem.html' title='RFID Panel Post-Mortem'/><author><name>Mike Spinney</name><uri>http://www.blogger.com/profile/01938466909342152711</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://tinypic.com/i3tk01.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-21812035.post-114739788692966716</id><published>2006-05-11T18:15:00.000-07:00</published><updated>2006-05-11T18:38:06.966-07:00</updated><title type='text'>Panel Discussion on RFID</title><content type='html'>I've been asked to serve as moderator for a panel discussion on RFID next week, Wednesday, 
May 17 at 5pm at the &lt;a href="http://www.mvvf.org"&gt;Merrimack Valley Venture Forum&lt;/a&gt; at UMass Lowell.&lt;br /&gt;&lt;br /&gt;For more information on the event, or to register if you are in the area and want to attend, click &lt;a href="http://shop.mvvf.org/displayProductDocument.hg?productId=1&amp;categoryId=4"&gt;here&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;Representatives from &lt;a href="http://www.viisage.com"&gt;Viisage&lt;/a&gt;, &lt;a href="http://www.radianse,com"&gt;Radianse&lt;/a&gt;, &lt;a href="http://www.revasystems.com/html/home.html"&gt;Reva Systems&lt;/a&gt;, and &lt;a href="http://www.thingmagic.com/html/index.htm"&gt;ThingMagic &lt;/a&gt; make up the panel of experts.&lt;br /&gt;&lt;br /&gt;Should be an excellent event.  A lot is happening in RFID these days, including some developments at IBM related to &lt;a href="http://www.networkworld.com/news/2006/051106-rfid-clipped-tag.html"&gt;simple privacy protection&lt;/a&gt;, and RFID &lt;a href="http://www.informationweek.com/industries/showArticle.jhtml?articleID=187200733&amp;articleID=187200733&amp;sa_type=&amp;section=industries&amp;subSection=News+By+Vertical+Industry"&gt;usage standards &lt;/a&gt;established by a consortium of companies that includes Procter &amp; Gamble, Eli Lilly.&lt;br /&gt;&lt;br /&gt;I'll return to that topic in the near future.  For now, the focus is shameless self-promotion.&lt;br /&gt;&lt;br /&gt;I've been a member of the MVVF for a short while and have found these monthly topical panel discussions to be interesting, informative, and timely.  This one should be no different.  
Hope to see you there.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/21812035-114739788692966716?l=privatecomms.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://privatecomms.blogspot.com/feeds/114739788692966716/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=21812035&amp;postID=114739788692966716' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/21812035/posts/default/114739788692966716'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/21812035/posts/default/114739788692966716'/><link rel='alternate' type='text/html' href='http://privatecomms.blogspot.com/2006/05/panel-discussion-on-rfid.html' title='Panel Discussion on RFID'/><author><name>Mike Spinney</name><uri>http://www.blogger.com/profile/01938466909342152711</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://tinypic.com/i3tk01.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-21812035.post-114674004153363258</id><published>2006-05-04T03:32:00.000-07:00</published><updated>2006-05-04T06:29:56.510-07:00</updated><title type='text'>Brain vs. Brawn</title><content type='html'>According to an Associated Press &lt;a href="http://www.msnbc.msn.com/id/12618136/"&gt;report &lt;/a&gt;, spammers have figured out a way to identify email addresses registered to anti-spam service &lt;a href="http://www.bluesecurity.com"&gt;Blue Security’s&lt;/a&gt; “do-not-spam” list.  Individuals owning those addresses have been getting spammed more heavily as a result.  
Blue Security offers this service to consumers, and non-complying spammers may be subject to a bombardment of replies to the spammer's host, potentially resulting in a shut-down.  Think of it as a reverse denial of service attack.  As you might imagine, Blue Security has been the target of denial of service attacks from those who don't like what they are doing.&lt;br /&gt;&lt;br /&gt;The approach taken by the spammers to defeat Blue Security's plan is simple: run addresses through Blue Security’s encrypted checklist and then correlate the matches against the spammer's original list.  Technically, Blue Security’s list has not been hacked, but over time, spammers have been able to compile a fairly extensive list.  It's a logical and simple work-around.  Spammers are at work trying to punish those with email addresses registered through Blue Security with aggressive and frequent emails threatening even more spam.&lt;br /&gt;&lt;br /&gt;This incident demonstrates the difficulties involved in controlling, policing, and otherwise regulating the online world.&lt;br /&gt;&lt;br /&gt;In 2003, the US Congress passed legislation creating the &lt;a href="http://www.ftc.gov/bcp/conline/pubs/alerts/dncbizalrt.htm"&gt;Do Not Call Registry&lt;/a&gt;.  Do Not Call would prove to be hugely successful and wildly popular with the general public.  Some lawmakers, ignorant of the fundamental differences between telephone service and email as a means of communication, decided that they might win public approval if they authored similar legislation aimed at stopping spam.  A "Do Not Spam" registry was floated, but ultimately wiser minds prevailed.  The FTC and other federal authorities have taken to prosecuting US-based spammers through existing law, such as those designed to prevent fraud and deceptive business practices. 
&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Observations&lt;/strong&gt;:  I don’t have specific communications recommendations for this piece of news apart from pointing out the challenges of dealing with spam and making bold, absolute claims if you are in the business of stopping spam.  I’ll point out, however, that for all of Blue Security’s technical acumen, the spammers’ work-around here is decidedly low tech.  That’s typical, and we’ve seen time and again how digital miscreants will use cunning techniques such as social engineering to defeat even the most sophisticated security systems.  People are often the weakest link in the security chain – especially if they are ignored when implementing programs.  Proper training and awareness programs can fix this problem.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/21812035-114674004153363258?l=privatecomms.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://privatecomms.blogspot.com/feeds/114674004153363258/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=21812035&amp;postID=114674004153363258' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/21812035/posts/default/114674004153363258'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/21812035/posts/default/114674004153363258'/><link rel='alternate' type='text/html' href='http://privatecomms.blogspot.com/2006/05/brain-vs-brawn.html' title='Brain vs. 
Brawn'/><author><name>Mike Spinney</name><uri>http://www.blogger.com/profile/01938466909342152711</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://tinypic.com/i3tk01.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-21812035.post-114588739894851151</id><published>2006-04-24T06:19:00.000-07:00</published><updated>2006-07-26T16:21:53.766-07:00</updated><title type='text'>There Ought to be a Law...</title><content type='html'>Put the emphasis on the "a" in that title.   &lt;em&gt;A&lt;/em&gt; law, not 50 different laws.&lt;br /&gt;&lt;br /&gt;I'm talking about federal privacy breach legislation.  California's SB 1386 broke important new ground when it went into effect, and as we've already discussed here, that landmark law has had national impact over the last 14+ months.  However, where SB 1386 rolled back the curtain on information security, exposing a serious and very real problem with the stewardship of private data, the 22 (at last count) states that have followed suit have done little more than complicate the situation.  As organizations work to determine how to comply with the various aspects of each state's nuanced take on breach notice, and with the likelihood that loopholes will be exploited to prevent costly and, these organizations will argue, unnecessary notification, each new state law will be counterproductive in the aggregate.&lt;br /&gt;&lt;br /&gt;It's clear to me that an overarching federal law is necessary to clear up the confusion, establish a single national standard, and simplify the process for everyone - businesses and consumers alike.&lt;br /&gt;&lt;br /&gt;From a communications perspective, I'm surprised to see how few companies have stepped out with an opinion on this issue.  Consumer-facing organizations with a stake in this issue seem reluctant to speak out for fear of sounding anti-consumer.  
Software vendors and consultancies with a compliance play have been largely silent on this issue as well, perhaps not wanting to seem mercenary in their objectives.&lt;br /&gt;&lt;br /&gt;But it doesn't have to be that way.&lt;br /&gt;&lt;br /&gt;Joseph Ansanelli, CEO of data protection player &lt;a href="http://www.vontu.com/"&gt;Vontu&lt;/a&gt;, has been active on this issue for a number of years, testifying before Congress and offering a thoughtful perspective that can be seen in this &lt;a href="https://www.csialliance.org/news/newsletters/apr2006/apr_memberspot.html#memberarticle"&gt;opinion piece &lt;/a&gt;recently published in the &lt;a href="https://www.csialliance.org/home"&gt;Cyber Security Industry Alliance&lt;/a&gt; newsletter.&lt;br /&gt;&lt;br /&gt;Ansanelli gets bonus points for the fact that he's not a Johnny-come-lately to this issue, which isn't often the case with cause-of-the-day communications, the public relations equivalent to ambulance chasing.  I've followed Vontu for a number of years, going back to my earliest work with the IAPP, and have had the privilege of working with them on a few projects recently, so I guess I'm a little biased, but as a comms consultant and also a privacy geek, I've seen the rush to adopt the latest buzzwords and a lot of companies' ham-fisted approach to this "strategy" can have the opposite effect, undermining credibility.&lt;br /&gt;&lt;br /&gt;Vontu's credibility comes from their consistent and clear long-term commitment to the issue of data protection.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Recommendation:&lt;/strong&gt;  More organizations, especially startups, can learn from this approach.  Most of the companies I've worked with over the years have been possessed of a clear passion for solving problems, but lack the patience that is necessary to wait for their evangelical efforts to pay off.  
Whether the pressure to build a high media profile comes from investors or from a "grass is always greener" mentality, results not realized in six (or fewer!) months are considered as evidence of failure and the search is on for a new cause &lt;em&gt;du jour&lt;/em&gt;.  That can be a mistake, especially in cases where the original passion of a founder may simply be early in the development phase.  Trusting in instinct may involve a serious test of patience, but commitment to the truth is a long-term strategy.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/21812035-114588739894851151?l=privatecomms.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://privatecomms.blogspot.com/feeds/114588739894851151/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=21812035&amp;postID=114588739894851151' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/21812035/posts/default/114588739894851151'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/21812035/posts/default/114588739894851151'/><link rel='alternate' type='text/html' href='http://privatecomms.blogspot.com/2006/04/there-ought-to-be-law.html' title='There Ought to be a Law...'/><author><name>Mike Spinney</name><uri>http://www.blogger.com/profile/01938466909342152711</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://tinypic.com/i3tk01.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-21812035.post-114469814363633511</id><published>2006-04-10T12:38:00.000-07:00</published><updated>2006-07-07T11:06:47.566-07:00</updated><title type='text'>Trend Setting Me</title><content type='html'>Is it mere coincidence that, within a few short days 
of discussing RFID and privacy in this very forum, MIT has launched a &lt;a href="http://rfidprivacy.mit.edu/access/index.html"&gt;website &lt;/a&gt;where those very issues will also be examined?&lt;br /&gt;&lt;br /&gt;Probably, but give an easily bruised ego a break, will ya?&lt;br /&gt;&lt;br /&gt;The site is a joint venture between the august tech school and access control vendor/developer HID Global.&lt;br /&gt;&lt;br /&gt;As of this moment the site is populated mostly with base-line information on RFID, with no active dialog underway.  I expect that will change in the near future.&lt;br /&gt;&lt;br /&gt;Keep your eyes peeled.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/21812035-114469814363633511?l=privatecomms.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://privatecomms.blogspot.com/feeds/114469814363633511/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=21812035&amp;postID=114469814363633511' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/21812035/posts/default/114469814363633511'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/21812035/posts/default/114469814363633511'/><link rel='alternate' type='text/html' href='http://privatecomms.blogspot.com/2006/04/trend-setting-me.html' title='Trend Setting Me'/><author><name>Mike Spinney</name><uri>http://www.blogger.com/profile/01938466909342152711</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://tinypic.com/i3tk01.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-21812035.post-114432396027851461</id><published>2006-04-06T04:44:00.000-07:00</published><updated>2006-04-06T04:48:23.783-07:00</updated><title 
type='text'>Tabs and Tags</title><content type='html'>Getting back to the issue of RFID, I attended the IAPP’s Boston &lt;a href="https://www.privacyassociation.org/index.php?option=com_content&amp;task=view&amp;id=10&amp;Itemid=77"&gt;KnowledgeNet &lt;/a&gt;meeting yesterday afternoon, on the subject of “The Language of Privacy.”&lt;br /&gt;&lt;br /&gt;Jean-Paul Hepp, &lt;a href="http://www.pfizer.com/pfizer/privacy/mn_privacy_truste.jsp "&gt;CPO &lt;/a&gt; with pharmaceutical giant &lt;a href="http://www.pfizer.com/pfizer/main.jsp"&gt;Pfizer&lt;/a&gt;, was one of the speakers.  Mr. Hepp discussed a number of the privacy issues he faces every day, including the sensitivities of marketing medicines to those who might benefit from their use.  Perception, as you might imagine, is a huge issue, and pharma companies must take extra care to ensure patient privacy is protected.&lt;br /&gt;&lt;br /&gt;The ways in which this is accomplished is a discussion for another post.  Suffice to say it is a complex and fascinating process.&lt;br /&gt;&lt;br /&gt;I asked Mr. Hepp about the challenges Pfizer faces relative to the use of tagging medicines.  His answer, in which he gave a brief history of the genesis of Pfizer’s use of RFID, was illuminating.&lt;br /&gt;&lt;br /&gt;The popularity of Viagra, and the flood of counterfeit products, prompted Pfizer to adopt RFID as a means of implementing quality control as well as to identify fake pills from the real thing.&lt;br /&gt;&lt;br /&gt;Of course, the tandem of a sensitive medical issue – erectile dysfunction – and the issue of a technology that can reportedly be used to spy on people results in a volatile combination, and Hepp told of the frustration in dealing with the so-called advocates who used Pfizer’s RFID program as the fulcrum in an &lt;a href="http://www.networkworld.com/news/2005/101405-rfid-privacy.html"&gt;anti-RFID campaign&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;Guess who the most vocal advocate was?  
If you said CASPIAN, congratulations: you’ve obviously been paying attention.&lt;br /&gt;&lt;br /&gt;Cost and practicality dictate that tagged medicine not go beyond the pharmacy shelf.  When medicines are sold to individuals, pills are transferred to amber pill bottles.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Observation&lt;/strong&gt;:  There is a compelling case here for Pfizer to take their message to the public and explain the benefits of their anti-counterfeiting program to the public.  A quick and unscientific search for information on this issue reveals an abundance of coverage, but the overwhelming majority of publicity is found in technology trade publications, pharmaceutical industry publications, and other non-consumer outlets.  Reaching out to a broader consumer audience is important here in order for Pfizer to establish rapport with potential customers and to build trust with that important audience.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/21812035-114432396027851461?l=privatecomms.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://privatecomms.blogspot.com/feeds/114432396027851461/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=21812035&amp;postID=114432396027851461' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/21812035/posts/default/114432396027851461'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/21812035/posts/default/114432396027851461'/><link rel='alternate' type='text/html' href='http://privatecomms.blogspot.com/2006/04/tabs-and-tags.html' title='Tabs and Tags'/><author><name>Mike Spinney</name><uri>http://www.blogger.com/profile/01938466909342152711</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' 
width='24' height='32' src='http://tinypic.com/i3tk01.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-21812035.post-114416430694457437</id><published>2006-04-04T08:16:00.000-07:00</published><updated>2006-08-07T04:18:36.953-07:00</updated><title type='text'>Spy(ware) vs. Spy(ware)</title><content type='html'>Isaac Scarborough, of &lt;a href="http://www.chapellassociates.com"&gt;Chapell &amp; Associates&lt;/a&gt;, wrote about the &lt;a href="http://www.imediaconnection.com/content/8890.asp  "&gt;Workshop on Spyware &lt;/a&gt;that convened recently at the Information Law Institute at New York University.&lt;br /&gt;&lt;br /&gt;I wasn’t able to attend the workshop, but I have a strong interest in the subject: one of my clients is beleaguered adware vendor Direct Revenue.&lt;br /&gt;&lt;br /&gt;Scarborough chronicles one of the workshop’s panel discussions on what to do about spyware and commented that the discussion wasn’t as much about what spyware is as it was about how to stop it.&lt;br /&gt;&lt;br /&gt;The obvious problem with this approach, however, is found in the lack of a broadly accepted definition of spyware.  Scarborough mentions that panel moderator, NYU Law professor Harry First, joked about the "malleability" of the language used to describe spyware.&lt;br /&gt;&lt;br /&gt;But that malleability is precisely what is at the heart of the adware/spyware debate.&lt;br /&gt;&lt;br /&gt;The American Heritage Dictionary defines spy thusly:&lt;br /&gt;&lt;br /&gt;Noun:  (spī) Inflected forms: pl. spies (spīz)&lt;br /&gt;&lt;strong&gt;1.&lt;/strong&gt; An agent employed by a state to obtain secret information, especially of a military nature, concerning its potential or actual enemies. &lt;strong&gt;2.&lt;/strong&gt; One employed by a company to obtain confidential information about its competitors. &lt;strong&gt;3.&lt;/strong&gt; One who secretly keeps watch on another or others. 
&lt;strong&gt;4.&lt;/strong&gt; An act of spying.&lt;br /&gt;&lt;br /&gt;It would follow, logically then, that spyware would be defined as some type of software or device that obtains secret information.  Keyloggers, Trojan horses, dialers and other means of collecting an individual’s personal information clearly fall within that definition.  Adware, however, is where the lines get blurry.&lt;br /&gt;&lt;br /&gt;Ad serving applications that merely show a few pop-ups per day, usually in exchange for the privilege of using some free software product, typically don’t fall under this category.  Rogue distributors of adware may well exploit browser security vulnerabilities to illegally upload bundles of adware in order to engage in click fraud – often resulting in serious performance degradation and a debilitating deluge of pops – but the problem has nothing to do with spying.&lt;br /&gt;&lt;br /&gt;Some “advocates” take advantage of the lack of a clear definition of the term spyware to whip up fear and foment negative emotion.  Meanwhile, organizations intent on tapping into the lucrative online marketing industry through the use of behavioral marketing and ad serving technology are hampered by the stigma associated with their craft.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Observation:&lt;/strong&gt;  To be clear, unauthorized/non-consensual downloads cannot be allowed to happen without some form of retribution, and illegal activity must be punished appropriately, but until the industry adopts and supports clear definitions for spyware and adware, no one (but the lawyers and fear-mongers) will win.  
Defining the issue in clear terms, and aggressively defending those terms by calling out misrepresentation of the problem to suit the needs of any particular entity, is the first step in confronting the illegality and dangers of spyware.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/21812035-114416430694457437?l=privatecomms.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://privatecomms.blogspot.com/feeds/114416430694457437/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=21812035&amp;postID=114416430694457437' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/21812035/posts/default/114416430694457437'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/21812035/posts/default/114416430694457437'/><link rel='alternate' type='text/html' href='http://privatecomms.blogspot.com/2006/04/spyware-vs-spyware.html' title='Spy(ware) vs. Spy(ware)'/><author><name>Mike Spinney</name><uri>http://www.blogger.com/profile/01938466909342152711</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://tinypic.com/i3tk01.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-21812035.post-114356388502407020</id><published>2006-03-28T08:26:00.000-08:00</published><updated>2007-01-18T20:19:22.090-08:00</updated><title type='text'>CASPIAN's Disproportionate Influence</title><content type='html'>Two of the most active organizations in RFID are Wal-Mart and CASPIAN.&lt;br /&gt;&lt;br /&gt;Wal-Mart, the world’s largest retailer, is a major force behind the early success and adoption in RFID.  
The company’s &lt;a href="http://www.line56.com/articles/default.asp?articleID=4710&amp;TopicID=2"&gt;mandate &lt;/a&gt;that suppliers adopt RFID tagging to help drive cost out of the supply chain has been well-chronicled.  If you are a developer of RFID or related technologies, you probably started high-fiving colleagues and hugging complete strangers when Wal-Mart used its bully pulpit to give RFID a real shot in the arm (no pun intended.  Okay, pun a little bit intended).&lt;br /&gt;&lt;br /&gt;Then there’s &lt;a href="http://www.nocards.org/"&gt;CASPIAN&lt;/a&gt;.  That acronym stands for Consumers Against Supermarket Privacy Invasion and Numbering.  CASPIAN hates the idea of item-level tagging, and they make no secret of that fact.  Whenever there’s an RFID initiative, you can be certain that CASPIAN will be there to give its side of the story, warning of spying and Big Brother and describing end-times scenarios.&lt;br /&gt;&lt;br /&gt;When VeriChip’s implantable medical RFID chip won &lt;a href="http://www.washingtonpost.com/wp-dyn/articles/A29954-2004Oct13.html "&gt;FDA approval &lt;/a&gt;you didn’t have to be named Nostradamus to see a &lt;a href="http://www.spychips.com/devices/verichip-fda-report.html"&gt;response &lt;/a&gt;from CASPIAN in the future.&lt;br /&gt; &lt;br /&gt;When nightclubs in Europe started programs extending &lt;a href="http://observer.guardian.co.uk/uk_news/story/0,6903,1391545,00.html "&gt;VIP treatment &lt;/a&gt;to patrons who agreed to be tagged with ID/debit chips powered by RFID, the technology’s detractors were quick to point out that their worst-case scenario was coming to pass.&lt;br /&gt;&lt;br /&gt;The problem is, organizations like Wal-Mart have been relatively silent in response to CASPIAN's aggressive campaign against RFID.  Wal-Mart and other pro-RFID organizations have invested heavily in the technology and in RFID-enabled programs, but have not spent much to promote their investments.  
Instead, the industry and its proponents seem resigned to allowing RFID to be buffeted by the detractors in the belief that, eventually, RFID will simply become an unstoppable juggernaut.&lt;br /&gt;&lt;br /&gt;That scenario will likely play out over the next few years.  Meantime, there are a lot of smaller organizations without the means to be patient who could benefit from a healthy nudge along and the support of a coordinated campaign to boost RFID's image.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Observation: &lt;/strong&gt;  CASPIAN is a headache to the RFID industry, but the industry has no one to blame but itself.  CASPIAN has set the terms of debate and has succeeded in painting RFID with a broad and sinister brush.  Rather than engage CASPIAN in the open, establish standard terminology for the industry, and aggressively counter CASPIAN’s efforts, the RFID industry as a whole has instead turned introspective, seemingly afraid to meet the challenge.&lt;br /&gt;&lt;br /&gt;Organizations that have staked their success on RFID need to communicate the value that technology brings to their products in clear and real terms.  Sci-fi visions of device-to-device communications are not what this discussion is about.  Instead, the dialog needs to confront misinformation, allay fears, and describe how RFID is improving product and performance &lt;em&gt;today&lt;/em&gt;.  RFID and its purveyors need to earn the trust of the public, and trust is earned through open, honest communication.&lt;br /&gt;&lt;br /&gt;By the way, CASPIAN may be right to raise many of the issues they do, and CASPIAN’s voice is an important one in this debate.  
But it should not be the dominant voice, nor should the RFID industry allow CASPIAN to go unchecked.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/21812035-114356388502407020?l=privatecomms.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://privatecomms.blogspot.com/feeds/114356388502407020/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=21812035&amp;postID=114356388502407020' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/21812035/posts/default/114356388502407020'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/21812035/posts/default/114356388502407020'/><link rel='alternate' type='text/html' href='http://privatecomms.blogspot.com/2006/03/caspians-disproportionate-influence.html' title='CASPIAN&apos;s Disproportionate Influence'/><author><name>Mike Spinney</name><uri>http://www.blogger.com/profile/01938466909342152711</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://tinypic.com/i3tk01.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-21812035.post-114316601198126360</id><published>2006-03-23T18:00:00.000-08:00</published><updated>2006-04-23T07:27:49.503-07:00</updated><title type='text'>Of Privacy, PII, and Bicycles</title><content type='html'>As often happens, when news breaks of a significant privacy breach, I find myself discussing the issue with one of my privacy pals.&lt;br /&gt;&lt;br /&gt;I think I’m a pretty smart guy, and well-informed on privacy issues, but I always feel a little bit smarter upon the conclusion of a conversation with one of these guys.&lt;br /&gt;&lt;br /&gt;I like to think I’ve provided the same benefit to my friends, but I know I’ve 
gotten the better of the deal.  (By the way, does it make me a privacy geek to admit that I enjoy talking about the latest breach?)&lt;br /&gt;&lt;br /&gt;This morning, when news broke about &lt;a href="http://www.computerworld.com/securitytopics/security/story/0,10801,109816,00.html"&gt;Fidelity’s breach &lt;/a&gt;of privacy following the theft of a laptop computer containing retirement information and PII for nearly 200,000 HP employees, I turned to Richard Purcell of the &lt;a href="http://www.corporateprivacygroup.com"&gt;Corporate Privacy Group&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;Immediately we discussed the issue of policy and awareness.  I wanted to know his view on whether corporate data protection policy (and awareness) was keeping pace with the realities of an increasingly mobile workforce.  That was all Richard needed to hear.&lt;br /&gt;&lt;br /&gt;“Wells Fargo, SAIC, Ford Motor Co, Boeing, UC Berkeley, Metro State Denver, Bank of Rhode Island, Brazos Higher Ed, UW Medical Center, UCLA, MCI, Medco Health, Ameriprise... the list goes on and on.”&lt;br /&gt;&lt;br /&gt;In moments he rattled off a list of organizations that have recently reported the theft of laptop computers containing unencrypted PII.&lt;br /&gt;&lt;br /&gt;The problem is that knowledge workers are encouraged (perhaps even expected – or pressured) to take their work with them in order to be more productive, but little thought has gone into the ramifications of data on the hoof.  Transfer sensitive customer files onto a laptop and you’ve just increased your risk factor exponentially.&lt;br /&gt;&lt;br /&gt;Richard compares the situation to bicycle theft.&lt;br /&gt;&lt;br /&gt;“Laptop thefts have occurred over many, many years.  They are obvious targets due to their high perceived value and mobility.  They are stolen not because of the data they contain, but for their intrinsic resale value.  That's obvious.  Bicycles are in the same category.  
Leave your bike unlocked somewhere, and someone is going to steal it.  No-brainer.&lt;br /&gt;&lt;br /&gt;“Is there a lesson here?  Duh.  Lock it!  Lock down the laptop whenever unattended and encrypt the data.  Better, don't put such data on laptops - use the machines to link over secure transmissions to servers where the stored data is securely accessible.  If you absolutely must put PII onto a laptop system, and can't encrypt it, then de-identify it – make sure the data does not point specifically to a known person.&lt;br /&gt;&lt;br /&gt;And finally, like the bike analogy, don't expose yourself to double jeopardy by placing valuable stuff in easily stolen containers.  I would never put my wallet in a pouch on my unlocked bicycle.  Yet, we continually hear about just that kind of stupid (yes, it is nothing short of stupid) behavior in these stolen laptop stories.”&lt;br /&gt;&lt;br /&gt;See what I mean?  I’m feeling smarter already.&lt;br /&gt;&lt;br /&gt;Richard’s point is that many organizations make the issue more complex than it needs to be.  Writing policies related to mobile data may seem to be a daunting task, but it should take no more than the application of a little common sense.&lt;br /&gt;&lt;br /&gt;That said, policy and training are among Corporate Privacy Group’s specialties, and I wanted to hear more.&lt;br /&gt;&lt;br /&gt;“Most policies are just now coming up to date with the fact that devices are ‘in the wild,’ including not just laptops, but phones, media devices, and PDAs that have between 1GB and 40GB of memory.  I have a simple 6GB device that can act as an external drive.  No problem fitting a file with 200k+ personal records on that little puppy. &lt;br /&gt;&lt;br /&gt;“So there's a mix of policies; the important thing is that practices are just not keeping pace.  
It is hypocritical for companies to, on the one hand, require data to be locked down, and, on the other hand, set difficult deadlines that force employees to indulge in risky behavior (like putting large files on their laptops to take home and work on over the weekend).  &lt;br /&gt;&lt;br /&gt;“Companies have to accept that putting 200k+ records on a laptop is like putting trade secrets on that same laptop.  Management would never tolerate having their pre-audit financials wandering around on unprotected devices.  For the same reason, they have to treat PII as a valuable asset that is always protected, even if that causes a bit of difficulty in accessing the data.  So be it - cost of doing business.”&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Recommendation:&lt;/strong&gt;  From my perspective, crisis communications starts with crisis prevention.  Understanding risk and addressing risk factors with smart policy and thorough practice – including top-to-bottom training and awareness – is the first step.  It’s a lot more pleasant preventing a data breach than it is explaining to your customers, partners, lawyers, and regulators how such a thing could have happened and what you are going to do to keep it from happening again.&lt;br /&gt;&lt;br /&gt;Finally, it’s time this discussion moved front and center.  Mobile data is data at risk.  
In Richard’s words, “it's a big deal to start banging the gong on mobile PII - anytime any asset goes mobile, additional safeguards are needed - it's elementary.”&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/21812035-114316601198126360?l=privatecomms.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://privatecomms.blogspot.com/feeds/114316601198126360/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=21812035&amp;postID=114316601198126360' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/21812035/posts/default/114316601198126360'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/21812035/posts/default/114316601198126360'/><link rel='alternate' type='text/html' href='http://privatecomms.blogspot.com/2006/03/of-privacy-pii-and-bicycles.html' title='Of Privacy, PII, and Bicycles'/><author><name>Mike Spinney</name><uri>http://www.blogger.com/profile/01938466909342152711</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://tinypic.com/i3tk01.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-21812035.post-114288667883280010</id><published>2006-03-20T12:21:00.000-08:00</published><updated>2006-03-20T12:36:25.576-08:00</updated><title type='text'>RFID Viruses?  More Hype than Horror</title><content type='html'>In a world where technology remains arcane to most, some would have us believe a boogieman lurks behind every microchip, that a looming techno-enabled disaster is one keystroke away, and every innovation carries with it the potential to usher in the End of the World as We Know It.  
Enough real threats do exist in the form of viruses, worms, Trojans, spyware, and other malware that such claims are given credence in the eyes of the uninformed, and it becomes easy to get caught up in the hysteria when new reports of cyber-terrorism arise.&lt;br /&gt;&lt;br /&gt;We saw this phenomenon recently when the &lt;a href="http://www.informationweek.com/news/showArticle.jhtml?articleID=178601794"&gt;Kama Sutra &lt;/a&gt;worm spread around the globe.  Many claimed that piece of malware would be the equivalent of the Black Plague for the world’s computers, but that worm’s dreaded deadline came and went without the expected dire results.&lt;br /&gt;&lt;br /&gt;Radio frequency identification (RFID) technology has been the target of doom prophets almost from the moment it arrived on the scene.  Conspiracy theorists have used RFID to foment talk of secret military programs established to implant tracking chips in innocent civilians, or devious marketeers riding shotgun in black helicopters alongside their evil government counterparts, tracking shoppers all the way home courtesy Big Brother’s latest and greatest scheme.&lt;br /&gt;&lt;br /&gt;The most recent example of such overwrought fear-mongering comes in the guise of a paper, written by a &lt;a href="http://www.rfidvirus.org. 
"&gt;group &lt;/a&gt;from the University of Amsterdam entitled "Is Your Cat Infected with a Computer Virus?"&lt;br /&gt;&lt;br /&gt;This paper theorizes that it is possible for an RFID tag to carry a virus and, in exceptional circumstances, to spread that virus via vulnerable RFID readers and middleware.&lt;br /&gt;&lt;br /&gt;The problem with this paper, written in academic style to create a sense of credibility, is that it is full of assumptions and based on highly specific conditions that must be met in order for such a virus to be created and have any hope of spreading.&lt;br /&gt;&lt;br /&gt;Most folks in the RFID industry are calling &lt;a href="http://www.rfidupdate.com/articles/index.php?id=1077"&gt;balderdash &lt;/a&gt;on this paper.&lt;br /&gt;&lt;br /&gt;The code described in "Is Your Cat Infected with a Computer Virus?" works only within the environment constructed specially for the purpose by the authors of the paper.  There are no known vulnerabilities in any middleware system similar to those described in the paper.&lt;br /&gt;&lt;br /&gt;Because the authors failed to find an exploitable vulnerability in any RFID systems, they deliberately build a system that would allow their virus to spread.&lt;br /&gt;&lt;br /&gt;To be fair, the authors claim their paper is offered mostly as a proof of concept, and it is theoretically possible for any data storage device can carry viral code, but that does not mean the virus will be able to spread successfully on its own and, in this case, the authors of Is Your Cat Infected failed to show that an RFID virus can actually spread in the real world.&lt;br /&gt;&lt;br /&gt;There are plenty of actual threats to worry about that we don't need to get caught up in the hype of bogus hazards like the RFID virus.&lt;br /&gt;&lt;br /&gt;At least not yet…&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/21812035-114288667883280010?l=privatecomms.blogspot.com' 
alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://privatecomms.blogspot.com/feeds/114288667883280010/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=21812035&amp;postID=114288667883280010' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/21812035/posts/default/114288667883280010'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/21812035/posts/default/114288667883280010'/><link rel='alternate' type='text/html' href='http://privatecomms.blogspot.com/2006/03/rfid-viruses-more-hype-than-horror.html' title='RFID Viruses?  More Hype than Horror'/><author><name>Mike Spinney</name><uri>http://www.blogger.com/profile/01938466909342152711</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://tinypic.com/i3tk01.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-21812035.post-114235670809054435</id><published>2006-03-14T09:17:00.000-08:00</published><updated>2006-11-28T20:39:03.556-08:00</updated><title type='text'>Radioactive</title><content type='html'>I’ve not been avoiding the issue of privacy and RFID, but it’s one that needs to be addressed.  There is so much fear surrounding this technology and the many uses – real and fictional – that issues related to privacy, and how to communicate effectively when you are a supplier or user of RFID, need to be addressed.&lt;br /&gt;&lt;br /&gt;But where to begin?&lt;br /&gt;&lt;br /&gt;I guess the best way to begin is by asking, what is RFID?  The short answer is Radio Frequency IDentification.  
With that answer come even more questions, and this is where things get sticky.&lt;br /&gt;&lt;br /&gt;RFID is most closely associated with microchips that send low-power signals that can be read passively by receivers to track things, most often items that move along a supply chain.  Think in terms of the barcode that UPS uses and that allows you to track your packages to and from their destination.  There’s no doubt that RFID’s potential in this context is huge.  The cost and efficiency improvements made possible by RFID are only just now being explored, and once the actual cost of RFID chips is lowered to the point of economic viability, you’ll see this industry take off.&lt;br /&gt;&lt;br /&gt;But RFID is also associated with spying.  There’s a pervasive fear that RFID chips will find their way into products that will allow others (whether criminal, governmental, or commercial) to track people and learn more about us than we’d like.  The recent practice of RFID chip implantation in human subjects is doing little to quell such fears.&lt;br /&gt;&lt;br /&gt;The idea of implantation and other methods of tracking individuals has been described as the “creepy factor.”  I keep looking for examples of companies whose fortunes are tied to the success of RFID using public communications to address the creepiness of RFID, but I’m missing it if it’s out there.&lt;br /&gt;&lt;br /&gt;I’ll track RFID more closely in the coming weeks, but wanted to get the discussion started.  
Your thoughts and suggestions on this subject are appreciated.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/21812035-114235670809054435?l=privatecomms.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://privatecomms.blogspot.com/feeds/114235670809054435/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=21812035&amp;postID=114235670809054435' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/21812035/posts/default/114235670809054435'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/21812035/posts/default/114235670809054435'/><link rel='alternate' type='text/html' href='http://privatecomms.blogspot.com/2006/03/radioactive.html' title='Radioactive'/><author><name>Mike Spinney</name><uri>http://www.blogger.com/profile/01938466909342152711</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://tinypic.com/i3tk01.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-21812035.post-114182086084394513</id><published>2006-03-08T04:18:00.000-08:00</published><updated>2006-03-08T04:29:17.023-08:00</updated><title type='text'>Search Questions</title><content type='html'>I’ve been following the discussion around search for a while.  It’s a fascinating issue, but I’d be lying if I told you I understand it.  Most folks happily type in all manner of search terms into their engine of choice and browse to whatever returns are offered, and they do so without thinking of the implications.&lt;br /&gt;&lt;br /&gt;There are a couple of interesting nuggets to consider, however, that make this a curious affair.  Google’s market cap is, as of this writing, $107.71 billion.  
The Department of Justice seems to have a keen interest in what terms people are typing into their search window.  Clearly there’s value to the information the public plugs into these “free” tools.&lt;br /&gt;&lt;br /&gt;I have many questions, and few answers.  Random though they may be, here are my questions:&lt;br /&gt;&lt;br /&gt;1.  If my search terms are not traceable, why does the DoJ care?  I know there's a lot of mumbo jumbo about simply wanting to look for patterns in search traffic, but it just seems like a canard to me.  My opinion is that it’s all about setting precedent.  I think the feds want to establish that precedent so that they can have easier access to this information in order to conduct more specific data forensics in the future.&lt;br /&gt;&lt;br /&gt;2.  Why would Google put up such a fight against the US government about cooperating in a supposedly innocuous scheme, but seemingly cave in to the demands of the Chinese government to engage in broad censorship?  It appears to be a matter of pure greed, and it doesn't jibe with Google's "do no evil" morality statement.  Evil isn't a matter of relativism, and we are judged by the company we keep.  Not that Google should act as an arm of the U.S. Department of State, but if our national strategy to confront and beat Communism in China is to do so through economics, I’d like to see more cooperation.  Censorship is antithetical to the idea of "do no evil."  Period.&lt;br /&gt;&lt;br /&gt;3.  Why would Google et al want to indefinitely save my search terms, anyway?  Unless there's a specific service they plan on offering, one that helps me find things if I have a pattern of looking for the same things over and over again (I keep hearing of such a service, but haven't seen it offered yet), the idea that an engine as popular as Google's would want to assume the cost and burden of saved search data seems without reason.  There's got to be a purpose ($$) behind it.&lt;br /&gt;&lt;br /&gt;4.  
Secrecy and inconsistency seem to be creating a growing sense of discomfort among consumers around the issue of search tools.  Google takes most of the heat, but the fact is all the major players (and a ton of sketchy minor players) are engaged in aggressive strategies to use search as a foot in the door to consumer desktops.  Spyware/malware/adware becomes part of this discussion as well, and that’s a topic no one but the so-called advocates want to raise.  Secrecy doesn't engender trust.  That's why people are finding it hard to trust either of the major entities in this debate.  The feds haven't exactly covered themselves with glory on issues of personal privacy lately, and Google is clearly more about making large coin than they are about doing no evil.&lt;br /&gt;&lt;br /&gt;I, like most computer users, use Google because it works and it seems to work better than most search services.  I don't tend to enter sketchy search terms, so I don't think much about it, but I do wonder about it – more so now than ever.  I would be uncomfortable using Gmail, though, for these very reasons.&lt;br /&gt;&lt;br /&gt;Personal communications are an issue where content is a very real concern, not because the content of my email would land me in hot water but simply because it's personal communication.  Google still has plenty of questions around their Gmail policy.&lt;br /&gt;&lt;br /&gt;The prevailing opinion is that the confrontation between Google and the DoJ over access to search terms was a calculation by Google to establish themselves as a champion on privacy and the little man.  I think, however, that Google had already agreed to hand over the data requested by the feds - just as Yahoo!, MSN, and other search organs had already done - and changed their minds as a PR ploy.  That's speculation on my part, based on the speculation of others.  
Too much is still not known to draw any solid conclusions.&lt;br /&gt;&lt;br /&gt;I'm not close enough to the issue to know the answers, and I'm not so sure I've got all my facts square to even post this much, but it is a fascinating discussion and I’m curious as to what you all think.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/21812035-114182086084394513?l=privatecomms.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://privatecomms.blogspot.com/feeds/114182086084394513/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=21812035&amp;postID=114182086084394513' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/21812035/posts/default/114182086084394513'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/21812035/posts/default/114182086084394513'/><link rel='alternate' type='text/html' href='http://privatecomms.blogspot.com/2006/03/search-questions.html' title='Search Questions'/><author><name>Mike Spinney</name><uri>http://www.blogger.com/profile/01938466909342152711</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://tinypic.com/i3tk01.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-21812035.post-114147978796219035</id><published>2006-03-04T05:38:00.000-08:00</published><updated>2006-03-06T08:13:52.246-08:00</updated><title type='text'>Q&amp;A With Schwab CPO Janet Chapman</title><content type='html'>In response to the announcement of Charles Schwab’s security guarantee, I contacted Janet Chapman, the company’s chief privacy officer.&lt;br /&gt;&lt;br /&gt;I was interested in learning more about Schwab’s view of privacy, how closely the privacy organization interacts with 
marketing, and the connection between communications and trust.  Conducting a brief Q&amp;A, I have shared my new insight with you below.&lt;br /&gt;&lt;br /&gt;Note Ms. Chapman’s comments related to privacy training and the direct line for queries on privacy issues.  Her comments indicate a strong level of understanding and commitment to privacy throughout the organization and how effectively communicating with the customer on such issues leads directly to greater trust.  As Larry Ponemon’s research has shown, a trusting relationship is a more profitable relationship.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Private Communications:  Please describe how Charles Schwab’s privacy organization works with corporate communications/marketing. &lt;/strong&gt;&lt;br /&gt;Janet Chapman:  The Privacy Office reports into the Central Marketing Division and the Chief Marketing Officer, who sits on Schwab's Executive Committee.  When I assumed responsibility for the Privacy Office 3 years ago, it was agreed that privacy should be viewed as a strategic imperative and that this would be better enabled within the marketing organization.  In Marketing, the privacy function can be more preemptive and proactive.  Also, this arrangement helps facilitate good employee communication, embedding privacy awareness throughout the organization &lt;br /&gt; &lt;br /&gt; &lt;br /&gt;&lt;strong&gt;PC:  Can you provide any examples of how Schwab’s investments in data protection and privacy have paid off in terms of customer trust? &lt;/strong&gt;&lt;br /&gt;JC:  A central theme for Schwab’s Privacy efforts is client education – being proactive in helping clients become educated about I.D. theft prevention and helping them protect themselves. We've focused on this after checking in with our customers and learning what they care about. In 2003, we surveyed our customers to find out if they care about privacy and learned that 96% of respondents rated privacy as Very Important or Important. 
ID theft prevention was their top concern. &lt;br /&gt; &lt;br /&gt;In 2004, we rewrote our privacy policy and annual notice, adding a section on ID theft prevention. We also overhauled and expanded our privacy training for Schwab employees. We created a special team of client service representatives and gave them specialized training about ID theft prevention and advice to give clients who think they may have been victimized.&lt;br /&gt; &lt;br /&gt;We also added more in-depth information on schwab.com and our affiliates' Web sites about such topics as how to prevent ID theft and how to detect a phish, and we increased the prominence of ID theft protection information. We encourage our clients and other consumers to visit our Privacy Information Center on schwab.com by clicking on the “Protect Your Account” button on the client log-in page, &lt;a href="http://www.schwab.com/privacy"&gt;www.schwab.com/privacy&lt;/a&gt;.&lt;br /&gt; &lt;br /&gt;To make it easier for clients to ask questions, we also introduced a Privacy e-mailbox for clients to directly contact Schwab with privacy/security concerns.  We believe that our clients trust us because of our advocacy on their behalf.   &lt;br /&gt; &lt;br /&gt;&lt;strong&gt;PC:  The Charles Schwab security guarantee is a bold move for an organization of your size.  How did this come about and can you offer any insight as to the underpinnings of the program that give you the confidence to offer the guarantee? &lt;/strong&gt;&lt;br /&gt;JC:  Our historical practice has always been to take care of our clients in instances where unauthorized account activity has occurred. With rising public concern over identity theft and account security, we realized the importance of articulating that practice as a public promise. Our clients need to know their money is safe at Schwab.  &lt;br /&gt; &lt;br /&gt;&lt;strong&gt;PC:  The security guarantee is less than one week old.  What has the response been like from customers?
Potential customers?  Competitors?  Industry analysts?&lt;/strong&gt; &lt;br /&gt;JC:  The response has been universally positive, including the response from our own employees.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/21812035-114147978796219035?l=privatecomms.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://privatecomms.blogspot.com/feeds/114147978796219035/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=21812035&amp;postID=114147978796219035' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/21812035/posts/default/114147978796219035'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/21812035/posts/default/114147978796219035'/><link rel='alternate' type='text/html' href='http://privatecomms.blogspot.com/2006/03/qa-with-schwab-cpo-janet-chapman.html' title='Q&amp;A With Schwab CPO Janet Chapman'/><author><name>Mike Spinney</name><uri>http://www.blogger.com/profile/01938466909342152711</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://tinypic.com/i3tk01.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-21812035.post-114124936726332532</id><published>2006-03-01T13:39:00.000-08:00</published><updated>2006-03-01T13:42:47.276-08:00</updated><title type='text'>That's What I'm Talking About!</title><content type='html'>If you track privacy closely, you know that issues related to identity theft and credit fraud are near and dear to the heart of the privacy professional.  
If you follow my blog (and who doesn’t?), you know I’m an advocate of building programs that help to instill brand confidence through open discussion of those issues.&lt;br /&gt;&lt;br /&gt;Don’t kid yourself – your customers know all about the dangers.  What they don’t know is what you are doing to protect them.&lt;br /&gt;&lt;br /&gt;You can imagine my glee when I read last week that financial services firm Charles Schwab announced a &lt;a href="http://www.sfgate.com/cgi-bin/article.cgi?file=/chronicle/archive/2006/02/23/BUGNEHCT5V1.DTL&amp;type=business"&gt;security guarantee program &lt;/a&gt;that puts Schwab’s money where Schwab’s mouth is.&lt;br /&gt;&lt;br /&gt;The bottom line to this program, from the consumer perspective, is that Schwab has made an investment in their security and privacy protection programs and are so confident in the efficacy of those systems and programs that they have effectively eliminated the financial risk to consumers.&lt;br /&gt;&lt;br /&gt;Now, that’s what I’m talking about!&lt;br /&gt;&lt;br /&gt;Schwab’s is a powerful message, and one that resonates with their audience.  Note the lack of technical detail.  It’s unnecessary.  All that the customer needs to know is, “what does this mean for me?”&lt;br /&gt;&lt;br /&gt;Kudos to Schwab.&lt;br /&gt;&lt;br /&gt;Lest you think I’m late to the story, I’m currently engaged in conversation with Schwab’s privacy team on this very issue.  
I had hoped to have a brief “interview” to share with you by now, but we’re getting there and I will share that Q&amp;A with you as soon as we’re done.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/21812035-114124936726332532?l=privatecomms.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://privatecomms.blogspot.com/feeds/114124936726332532/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=21812035&amp;postID=114124936726332532' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/21812035/posts/default/114124936726332532'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/21812035/posts/default/114124936726332532'/><link rel='alternate' type='text/html' href='http://privatecomms.blogspot.com/2006/03/thats-what-im-talking-about.html' title='That&apos;s What I&apos;m Talking About!'/><author><name>Mike Spinney</name><uri>http://www.blogger.com/profile/01938466909342152711</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://tinypic.com/i3tk01.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-21812035.post-114070037919841935</id><published>2006-02-23T05:09:00.000-08:00</published><updated>2006-02-23T05:13:21.976-08:00</updated><title type='text'>Who Got Hurt?</title><content type='html'>A friend of mine is a writer with a major national publication.  We keep in regular contact, and every so often I’ll try to interest him in a story.  He’s an excellent scribe and has specific criteria for following up on the leads I give him.  One question he often asks is, “Who got hurt?”&lt;br /&gt;&lt;br /&gt;That question came up a while ago when we were on the topic of privacy protection.  
It’s a big issue, I argued, and businesses that don’t pay attention to data protection, that fail to gain consumer trust, will suffer.  I pointed out research that showed trusted companies turn customers into regular customers, and regular customers into more profitable customers.&lt;br /&gt;&lt;br /&gt;“Who got hurt?” he asked.&lt;br /&gt;&lt;br /&gt;I continued with my high falutin’ concepts and cited more studies.&lt;br /&gt;&lt;br /&gt;“Who got hurt?” he asked again, elaborating to explain that credit fraud is nothing new, but that if I could point to a situation where mismanagement of personal information resulted in someone getting hurt, physically, he’d take a closer look at my idea.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://deseretnews.com/dn/view/0,1249,635184864,00.html"&gt;Today I found that story&lt;/a&gt;.  It’s a sad case from this past weekend in which a fugitive from California managed to elude detection during a background check to gain employment at a car dealership.  He then used his position as a car salesman to access customer files and track down a female customer at her home, where he raped her at gunpoint.&lt;br /&gt;&lt;br /&gt;There are so many ways to analyze what went wrong here, and no easy answers.  I’ll start with the breakdown of a system that could have – should have – identified the perpetrator as a fugitive.  What happened next would be pure speculation, and, while credit and personal information in an atmosphere such as an auto dealership may be treated cavalierly, a salesman in that situation must have access to privileged information in order to help the customer complete a transaction.  Information – personal information – is essential to doing business these days.&lt;br /&gt;&lt;br /&gt;We rely on certain systems to filter out and create distance between us and untrustworthy individuals.  We trust that states and businesses follow the rules and do their best to prevent worst case scenarios.  
It doesn’t always work that way.&lt;br /&gt;&lt;br /&gt;Locally, a waiter in a Holden, Mass. diner was arrested after skimming patrons’ credit cards and using the information to charge over $100,000 before getting caught.  (Sorry… reports are currently only available online via subscription sites.)  The thief worked at the establishment only three weeks before quitting, apparently figuring he’d swiped enough info to live richly at the expense of others.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Analysis: &lt;/strong&gt; People &lt;em&gt;are &lt;/em&gt;getting hurt, physically and financially.  Consumer trust is being assaulted from all sides.  There’s a real need to take action to prevent these sorts of things from happening.  The answers aren’t easy, but they are necessary.  Open communications with the public about these issues and how you are working to protect them and their trust has to be a part of your communications strategy.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/21812035-114070037919841935?l=privatecomms.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://privatecomms.blogspot.com/feeds/114070037919841935/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=21812035&amp;postID=114070037919841935' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/21812035/posts/default/114070037919841935'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/21812035/posts/default/114070037919841935'/><link rel='alternate' type='text/html' href='http://privatecomms.blogspot.com/2006/02/who-got-hurt.html' title='Who Got Hurt?'/><author><name>Mike Spinney</name><uri>http://www.blogger.com/profile/01938466909342152711</uri><email>noreply@blogger.com</email><gd:image
rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://tinypic.com/i3tk01.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-21812035.post-114053373359902076</id><published>2006-02-21T06:13:00.000-08:00</published><updated>2006-02-21T06:55:33.613-08:00</updated><title type='text'>Cut Me Off a Slice of That</title><content type='html'>This is a little off topic, but it was revealed last week that the Bush Administration spent &lt;a href="http://www.mediaweek.com/mw/news/recent_display.jsp?vnu_content_id=1001996452"&gt;$1.6 billion &lt;/a&gt;(with a B) on public relations over the past two and a half years.&lt;br /&gt;&lt;br /&gt;The money was spent on a variety of efforts, from ad buys to paying for consultants to underwriting the writing of conservative commentators.  My first thought was "where can I get me some of that?"  But this is not the forum for delving into the politics of this spend, and no one wants me to go off on a rant of my personal views, but I &lt;em&gt;did &lt;/em&gt;find some of this flackery to be interesting.&lt;br /&gt;&lt;br /&gt;In particular, the $250,000 given to Armstrong Williams (as well as other money spent on other columnists) to tout Bush's No Child Left Behind policy, which gets into a growing area of PR/marketing called "Word of Mouth Marketing," or WOMM.&lt;br /&gt;&lt;br /&gt;This practice first came to my attention a couple years ago when it was revealed that some firms were &lt;a href="http://www.csmonitor.com/2005/0330/p11s01-lifp.html"&gt;paying teen 'net denizens &lt;/a&gt;to talk up products within their online peer groups.  Researchers had identified influential personalities and paid them with money and free swag to drop mentions of certain products.&lt;br /&gt;&lt;br /&gt;Since that time, the ethical considerations of WOMM have been raised.
Does enlisting teens and targeting a teen audience violate the &lt;a href="http://www.cdt.org/speech/copa/"&gt;Child Online Protection Act&lt;/a&gt; (COPA), for example?&lt;br /&gt;&lt;br /&gt;I'd be remiss if I didn't point to some of &lt;a href="http://www.imediaconnection.com/content/8085.asp"&gt;Alan Chapell's &lt;/a&gt;thoughts on this subject.&lt;br /&gt;&lt;br /&gt;The world of PR is changing.  Issues that weren't a concern even a year ago are now emerging as a potential boon to buzz-building, or potentially damaging to credibility.  One-on-one communications is becoming more and more important, but how this is carried out can be the difference between success and failure.  Bush gets caught paying off supposedly independent voices.  His credibility takes a shot.  Marketers get caught paying teens to tout their wares.  Credibility takes a shot.&lt;br /&gt;&lt;br /&gt;It's likely that the strategies and tactics employed to create word-of-mouth buzz will evolve quickly in the coming months.  There is no real book of precedent to build upon here, so it will take creative thinking to accumulate a set of new practices, and a lot of trial and error to determine what works.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Recommendations:&lt;/strong&gt; What a great opportunity to innovate, but while throwing caution to the wind in a brainstorm session is fine, before moving forward with any new strategies, it is incumbent upon decision makers to do their best to follow each to its manifold end result and figure out which contingencies may result in a loss of credibility.  
Trust in communications is essential, and we do ourselves and our clients no favors when, enamored by a newly minted brainchild, we fail to consider all possible outcomes.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/21812035-114053373359902076?l=privatecomms.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://privatecomms.blogspot.com/feeds/114053373359902076/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=21812035&amp;postID=114053373359902076' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/21812035/posts/default/114053373359902076'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/21812035/posts/default/114053373359902076'/><link rel='alternate' type='text/html' href='http://privatecomms.blogspot.com/2006/02/cut-me-off-slice-of-that.html' title='Cut Me Off a Slice of That'/><author><name>Mike Spinney</name><uri>http://www.blogger.com/profile/01938466909342152711</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://tinypic.com/i3tk01.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-21812035.post-114018046280796837</id><published>2006-02-17T04:43:00.000-08:00</published><updated>2007-02-01T02:00:56.263-08:00</updated><title type='text'>Happy Anniversary, ChoicePoint</title><content type='html'>Data privacy changed dramatically on February 15, 2005.
That was the day the world learned that data aggregator ChoicePoint sold 150,000 or so consumer dossiers to Nigerian scam artists posing as small businesses.&lt;br /&gt;&lt;br /&gt;Because some of those dossiers contained credit profiles of California citizens, provisions of that state’s data protection law, SB 1386, were invoked, requiring ChoicePoint to notify about 35,000 people that they were at risk of credit fraud and identity theft.&lt;br /&gt;&lt;br /&gt;That’s when things started getting interesting.&lt;br /&gt;&lt;br /&gt;Observers, including journalists and privacy advocates, started pressuring ChoicePoint for more information.  If the breach included information for 35,000 Californians, how many files from the other 49 states were included?  Why weren’t those individuals being notified?&lt;br /&gt;&lt;br /&gt;Initially, ChoicePoint dug its heels in the ground.  The company had done no wrong, it said, and was tricked into selling the consumer data.  Furthermore, ChoicePoint was cooperating with authorities to help track down the real criminals.  But as the volume of protest rose, eventually ChoicePoint relented and sent notices to all those they said had been affected by the incident.&lt;br /&gt;&lt;br /&gt;Significantly, ChoicePoint’s actions in the days following the February disclosure established a precedent with major implications.  Since that time, organizations whose consumer data has been compromised have been under pressure to disclose such breaches, even when California SB 1386 has not come into play.  Many states have either passed or are currently debating laws modeled after SB 1386, and Congress is debating a federal law on the issue of consumer data protection.
We can agree that much good has come of the ChoicePoint breach.&lt;br /&gt;&lt;br /&gt;But this is a blog that examines communications, and it is important to note that, from a public relations standpoint, ChoicePoint did everything wrong related to the breach.&lt;br /&gt;&lt;br /&gt;The sale of information to the Nigerians, according to ChoicePoint, happened months earlier.  They knew they had a potential crisis on their hands, and they had plenty of time to prepare for any number of crisis contingencies related to the breach.  From everything I was able to observe at the time, there was no plan in place.  Or, if ChoicePoint did have a plan, it was a lousy one.&lt;br /&gt;&lt;br /&gt;ChoicePoint blamed the Nigerians, claiming no responsibility for the lack of a process requiring it to vet the legitimacy of its transactions.  Even when it became clear the breach had affected consumers across the country, ChoicePoint clearly didn’t want to take the time and expense to do the right thing and treat everyone equally.  It would comply with California law, but everyone else was on their own.&lt;br /&gt;&lt;br /&gt;Their attitude immediately following the disclosure was less than contrite.  It was downright arrogant, but that arrogance only served to keep the spotlight on ChoicePoint, until the pressure got to be too much.  Market reaction also came into play as ChoicePoint stock took a major hit.&lt;br /&gt;&lt;br /&gt;Ironically, within a few weeks, and while ChoicePoint was still dealing with their public relations fiasco, Bank of America lost storage tapes containing 1.2 million customer records – including federal employees and members of Congress.  BoA’s breach was nearly ten times larger than ChoicePoint's, but BoA moved quickly to take responsibility and initiate notification as well as other steps to help protect consumers.  Instead of taking the heat off of ChoicePoint, the BoA breach offered contrast to ChoicePoint’s reaction.  
BoA’s reputation certainly took a hit, but the damage was minimal.  ChoicePoint remained (and remains) imprinted in the public’s memory as the poster child for bad data protection behavior.&lt;br /&gt;&lt;br /&gt;To be fair, ChoicePoint has gotten its act together since that time.  They hired a high-profile chief privacy officer, former Transportation Security Administration executive Carol DiBattiste, empowering her with real authority over issues related to compliance and data protection.  ChoicePoint has also instituted sweeping change within the organization to address the conditions that led to the infamous breach.  Their public communications have improved, as well, and they have made an effort to keep the public and market informed of these ongoing changes.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Observation:&lt;/strong&gt;  Where to begin?  Any organization should, as a matter of course, conduct an objective audit of its operations and consider all the worst case scenarios and have a crisis communications plan in place, especially for situations where the worst case involves potential harm to people.  ChoicePoint seemed to have had no such plan.  Under these conditions you simply cannot wing it and expect to emerge unscathed.  ChoicePoint’s reputation suffered severe damage, and it remains tainted by the incident.  
Going further, it is critically important to understand where your risk lies and take steps to address those areas before there is a problem.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/21812035-114018046280796837?l=privatecomms.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://privatecomms.blogspot.com/feeds/114018046280796837/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=21812035&amp;postID=114018046280796837' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/21812035/posts/default/114018046280796837'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/21812035/posts/default/114018046280796837'/><link rel='alternate' type='text/html' href='http://privatecomms.blogspot.com/2006/02/happy-anniversary-choicepoint.html' title='Happy Anniversary, ChoicePoint'/><author><name>Mike Spinney</name><uri>http://www.blogger.com/profile/01938466909342152711</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://tinypic.com/i3tk01.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-21812035.post-113983603107350200</id><published>2006-02-13T04:17:00.000-08:00</published><updated>2006-05-03T02:51:37.200-07:00</updated><title type='text'>What is the objective?</title><content type='html'>I promised an analysis of the &lt;em&gt;Boston Globe's &lt;/em&gt;notification letter, stemming from the January 30 disclosure of subscriber credit card and bank routing data.&lt;br /&gt;&lt;br /&gt;In general the letter, dated February 2, seems to cover all the bases, but there is one critical element missing from the letter (I'll transcribe the text in a separate post): addressing the concerns of the 
subscriber.&lt;br /&gt;&lt;br /&gt;The letter begins with a synopsis of the situation, offers a brief explanation of the Globe's actions following discovery of the breach, then moves on to tell the recipient what he/she should do to protect themselves.  There is a second page addendum entitled "Steps to take to protect your credit and identity."&lt;br /&gt;&lt;br /&gt;Here is the problem I have with the letter:&lt;br /&gt;&lt;br /&gt;The Globe is the party responsible for the breach, yet the emphasis of the letter is to place a burden on the affected subscriber.  Apart from a closing paragraph that offers "our sincerest apologies for any inconvenience or concern that this incident may have caused you," there is no hint of regret on the Globe's part, or any attempt to address the most basic of questions most people would have upon learning of the breach.  In fact, the weak mea culpa is followed by the line "Your business is very important to us."  Not your safety or your financial well-being, but your &lt;em&gt;business&lt;/em&gt;.&lt;br /&gt;&lt;br /&gt;Speaking with my mother-in-law, she had many questions related to identity theft and credit fraud raised by the incident.  Her questions, I imagine, were shared by the more than 200,000 subscribers who also received the letter.  The Globe missed an opportunity to demonstrate true concern for these people.&lt;br /&gt;&lt;br /&gt;Was the disclosed information sufficient for an individual to make fraudulent purchases?  Was enough information disclosed to allow someone to create new credit accounts?  What are the chances of credit fraud/identity theft happening to me as a result of this incident?  Precisely what information was and was not disclosed?  
How did the incident happen and &lt;em&gt;what steps is the Globe taking &lt;/em&gt;to ensure it does not happen again?&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Recommendation&lt;/strong&gt;:  When a data breach occurs and people are affected, there is a loss of trust that takes place.  The &lt;a href="http://www.ponemon.org/"&gt;Ponemon Institute's &lt;/a&gt;recent &lt;em&gt;2006 Privacy Trust Study for Retail Banking&lt;/em&gt; shows that a single breach can result in 34 percent of a bank's customers losing faith in the bank's ability to protect personal information.  It's not a far leap to conclude a similar loss of trust would be suffered by other businesses.  Therefore, communications following an incident should do their best to offer sincere apologies, anticipate and answer questions, and demonstrate to the customer that decisive steps are being taken to safeguard their interests and ensure similar incidents do not take place again.  Information to help the affected should be offered as a service, not positioned as the vendor's way of unloading responsibility.&lt;br /&gt;&lt;br /&gt;And, of course, a plan should be in place to deal with such incidents &lt;em&gt;before &lt;/em&gt;they happen.  An audit should be undertaken to identify data management practices and policies, as well as the technologies deployed to protect data and enforce policy.  
And training and awareness programs should be developed and delivered to ensure a top-to-bottom understanding of each person's responsibility as part of the chain of data protection.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/21812035-113983603107350200?l=privatecomms.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://privatecomms.blogspot.com/feeds/113983603107350200/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=21812035&amp;postID=113983603107350200' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/21812035/posts/default/113983603107350200'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/21812035/posts/default/113983603107350200'/><link rel='alternate' type='text/html' href='http://privatecomms.blogspot.com/2006/02/what-is-objective.html' title='What is the objective?'/><author><name>Mike Spinney</name><uri>http://www.blogger.com/profile/01938466909342152711</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://tinypic.com/i3tk01.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-21812035.post-113949479231904422</id><published>2006-02-09T05:31:00.000-08:00</published><updated>2006-02-09T06:19:52.330-08:00</updated><title type='text'>How does this happen?</title><content type='html'>Late in 2004 the Canadian Imperial Bank of Commerce made &lt;a href="http://www.globeinvestor.com/servlet/ArticleNews/story/GAM/20041126/CIBC26"&gt;news &lt;/a&gt;when West Virginia junk dealer Wade Peer disclosed he'd been receiving confidential faxes from the bank containing customer account information.&lt;br /&gt;&lt;br /&gt;Peer said he'd been trying to get the bank to stop because of the
nature of the information and because the transmissions were so numerous as to disrupt his business.&lt;br /&gt;&lt;br /&gt;At the time I recall thinking, "how does one manage to accidentally fax information to the wrong machine?"  Especially in the CIBC/Wade Peer case, where a West Virginia salvage yard would seem to be an unlikely number for a Canadian bank to have in its Rolodex.&lt;br /&gt;&lt;br /&gt;Similar incidents have been reported since that story first broke, and now this week we learn that Brigham &amp; Women's Hospital in Boston has been &lt;a href="http://news.bostonherald.com/localRegional/view.bg?articleid=124753"&gt;faxing patient data &lt;/a&gt;to an investment bank across town.&lt;br /&gt;&lt;br /&gt;As with the CIBC case, the recipient of Brigham &amp; Women's faxes attempted, to no avail, to get the hospital to stop.&lt;br /&gt;&lt;br /&gt;This is the second high-profile breach of personally identifiable information to come out of the Hub in the last two weeks.  We're already following the Boston Globe's disclosure of more than 200,000 credit card accounts.&lt;br /&gt;&lt;br /&gt;In the Brigham &amp; Women's case, the breach goes beyond the usual credit data.  Yes, published reports say that names, SSNs, and other PII necessary for credit and identity fraud were part of the transmissions, but &lt;em&gt;medical &lt;/em&gt;data were also included, including information related to test results for sexually transmitted diseases.&lt;br /&gt;&lt;br /&gt;How has Brigham &amp; Women's responded to the breach so far?  Not well.&lt;br /&gt;&lt;br /&gt;The investment bank says they've contacted Brigham &amp; Women's a dozen times over the last six months, and each time they have been told that the problem would be resolved.  But it hasn't.
Being called out in the media has gotten the attention of someone at Brigham &amp; Women's, prompting them to issue a statement, which I have not found on the hospital's &lt;a href="http://www.brighamandwomens.org/"&gt;web site&lt;/a&gt;, nor have I been able to find via Google.&lt;br /&gt;&lt;br /&gt;Considering the nature of the information disclosed, one would think that a hospital - especially one with Brigham &amp; Women's stellar reputation - would want to reassure past and future patients that potentially damaging information will not be made public as a result of a stay in their facility.  For the moment, I'll assume that the hospital is taking steps to identify and contact all affected patients.  But apart from brief statements in the press, there is no such evidence.&lt;br /&gt;&lt;br /&gt;So how does something like this happen?  A clerical error, most likely.  The wrong number saved on the office fax happens to reach the wrong fax machine elsewhere but, because the fax report indicates a successful transmission, no one notices.  Until that is, the recipient calls the hospital to notify someone.  At that point it would seem to be an easy problem to fix: find the erroneous number and change it.&lt;br /&gt;&lt;br /&gt;In my opinion, the error is symptomatic of a larger problem: lip service paid to the issue of data privacy, but no pervasive action within the organization to raise awareness of how such breaches might occur.  Had the seriousness of this issue been communicated within Brigham &amp; Women's, from the top down through to all levels of the organization, the problem might not have happened in the first place, and would almost certainly have been fixed upon initial discovery.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Recommendation:&lt;/strong&gt;  Training and awareness.  Technology is often the focus of data security, but the weakest link in this chain has been shown again and again to be people.  
And while a hospital clerk may have pushed the button in this case, the responsibility rests at the top of the organization.  Without adequate support from the boardroom, security rarely filters down through to where it is needed most.  Helping everyone in an organization understand their role in maintaining proper security and data privacy is an organizational imperative, and it starts at the top.</content><link rel='replies' type='application/atom+xml' href='http://privatecomms.blogspot.com/feeds/113949479231904422/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=21812035&amp;postID=113949479231904422' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/21812035/posts/default/113949479231904422'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/21812035/posts/default/113949479231904422'/><link rel='alternate' type='text/html' href='http://privatecomms.blogspot.com/2006/02/how-does-this-happen.html' title='How does this happen?'/><author><name>Mike Spinney</name><uri>http://www.blogger.com/profile/01938466909342152711</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://tinypic.com/i3tk01.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-21812035.post-113934873178757944</id><published>2006-02-07T12:45:00.000-08:00</published><updated>2006-02-08T03:41:56.386-08:00</updated><title type='text'>Against the Gods</title><content type='html'>I've been reading a fascinating book by Peter Bernstein called &lt;a href="http://www.wiley.com/WileyCDA/WileyTitle/productCd-0471121045.html"&gt;Against the Gods: the 
Remarkable Story of Risk&lt;/a&gt;. It's the story of the role risk has played in the history of the human race.&lt;br /&gt;&lt;br /&gt;The book leads with a fascinating hypothesis - that before the concept of risk was formed, we as a species were creatures of habit, fear, and superstition. If one of our ancient ancestors successfully accomplished a task by doing one thing, he and all his tribe would continue to do that thing. When variables (such as weather) caused a different outcome than the expected, action was taken to appease the forces responsible.&lt;br /&gt;&lt;br /&gt;The emergence of the concept and subsequent mastery of risk is what propelled our species over mountains and across the seas, led to the advancement of scientific discovery and the sophistication of the arts.&lt;br /&gt;&lt;br /&gt;The mastery of risk is still a factor in business, and an important one in the realm of privacy, where those companies responsible for managing and protecting sensitive data seek ways to measure their level of risk, and then take the necessary steps to minimize their exposure to the downside.&lt;br /&gt;&lt;br /&gt;Dr. Larry &lt;a href="http://www.ponemon.org"&gt;Ponemon &lt;/a&gt;has done a number of excellent studies to show the importance of responsible data management (and the consequences of failing to manage data responsibly), and many companies out there tout their ability to help organizations mitigate risk associated with data management, but I haven't seen a formula or methodology that helps companies truly measure their &lt;em&gt;level &lt;/em&gt;of risk.&lt;br /&gt;&lt;br /&gt;The Ponemon Institute conducted a post-mortem study of data loss events from 2005, based on disclosures under California SB 1386, and found that it can cost companies as much as $1,000 per data file when a privacy breach occurs, and that the average total cost for such a breach is about $14 million.  
The potential for an organization to come out on the bad side of risk, however, is much different than that organization's total exposure.  A lack of understanding of the level of risk often leads to poor decision making.  A lack of knowledge related to the factors contributing to an organization's level of risk can also lead to bad decision making.&lt;br /&gt;&lt;br /&gt;But as companies in possession of PII go racing for the panic button, there is an opportunity for solutions providers to communicate their value. When that value is offered in terms that are attainable -- described in ways that put the problem/solution equation in real terms rather than merely offering jargon-addled hyperbole -- the effort to establish credibility is made simpler.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Recommendation:&lt;/strong&gt; Direct, simple communication works best when dealing with elusive, intangible concepts. Identify the problem within a context that makes sense, show the risk involved, and draw clear lines between the problem(s) and the ways you can address the issue. 
Back it all up with credible, corroborating research from trusted sources.&lt;br /&gt;&lt;br /&gt;And if you have a formula for calculating an organization's &lt;em&gt;level &lt;/em&gt;of risk, let me know.</content><link rel='replies' type='application/atom+xml' href='http://privatecomms.blogspot.com/feeds/113934873178757944/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=21812035&amp;postID=113934873178757944' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/21812035/posts/default/113934873178757944'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/21812035/posts/default/113934873178757944'/><link rel='alternate' type='text/html' href='http://privatecomms.blogspot.com/2006/02/against-gods.html' title='Against the Gods'/><author><name>Mike Spinney</name><uri>http://www.blogger.com/profile/01938466909342152711</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://tinypic.com/i3tk01.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-21812035.post-113922976463930286</id><published>2006-02-06T04:11:00.000-08:00</published><updated>2006-02-06T12:46:08.340-08:00</updated><title type='text'>Boston Breach, Continued...</title><content type='html'>Continuing to look at the &lt;em&gt;Boston Globe/Worcester Telegram &amp; Gazette &lt;/em&gt;breach, I learned that my mother-in-law was one of the affected subscribers.  
I spoke with her at length last week when I learned of her situation.&lt;br /&gt;&lt;br /&gt;I suspect my mother-in-law's experience is fairly representative of most whose credit card or banking data was compromised by that event on the morning of January 30.  She heard of the breach from a news report and found out on her own, four days later, that her credit card data was among those on printouts used to wrap bundles of the paper for morning delivery.&lt;br /&gt;&lt;br /&gt;After calling the &lt;em&gt;Globe&lt;/em&gt;'s hotline to confirm, she took appropriate action with her credit card company, but when I spoke to her she seemed to have more questions about the integrity of the personally identifiable information.  Was her Social Security Number disclosed?  What about her address?&lt;br /&gt;&lt;br /&gt;She still has not received a notification letter from the &lt;em&gt;Globe&lt;/em&gt;, but I will obtain a copy of that document when it arrives and offer an analysis of its content.&lt;br /&gt;&lt;br /&gt;Massachusetts does not have a credit breach notification law, but precedent set nearly a year ago by ChoicePoint all but demands that organizations responsible for the breach of PII in their care take steps to notify affected consumers.   Senator &lt;a href="http://cbs4boston.com/local/local_story_034065555.html"&gt;Jarrett Barrios &lt;/a&gt;is calling for a new state law to address the situation.  
Federal lawmakers are all but certain to pass a national law that will supersede individual state laws addressing this issue.&lt;br /&gt;&lt;br /&gt;Once I have had a chance to read and analyze the &lt;em&gt;Globe&lt;/em&gt;'s letter of notification, I'll give you my thoughts.</content><link rel='replies' type='application/atom+xml' href='http://privatecomms.blogspot.com/feeds/113922976463930286/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=21812035&amp;postID=113922976463930286' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/21812035/posts/default/113922976463930286'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/21812035/posts/default/113922976463930286'/><link rel='alternate' type='text/html' href='http://privatecomms.blogspot.com/2006/02/boston-breach-continued.html' title='Boston Breach, Continued...'/><author><name>Mike Spinney</name><uri>http://www.blogger.com/profile/01938466909342152711</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://tinypic.com/i3tk01.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-21812035.post-113888870076778143</id><published>2006-02-02T05:30:00.000-08:00</published><updated>2006-02-02T05:58:20.780-08:00</updated><title type='text'>Lead by Example</title><content type='html'>I promised myself I wouldn't overdo it in the opening days of this forum, but in my original draft of "Shameless" I closed with a local breach that is making national headlines.  
I felt I had to give the event more play, so I cut it out and pasted it into this entry.&lt;br /&gt;&lt;br /&gt;Four days ago, here in Massachusetts, the &lt;em&gt;Boston Globe &lt;/em&gt;and &lt;em&gt;Worcester Telegram &amp;amp; Gazette &lt;/em&gt;experienced a &lt;a href="http://www.businessweek.com/ap/financialnews/D8FGBNH00.htm?campaign_id=apn_home_down&amp;chan=db"&gt;breach &lt;/a&gt;of their own when printouts of subscriber credit card data and checking account routing numbers were used to wrap bundles of newspapers Sunday night for Monday morning delivery.&lt;br /&gt;&lt;br /&gt;How are two newspapers handling the communication of this event with their subscribers and the public in general?  Thus far I haven't seen anything that impresses me.  A &lt;a href="http://home.businesswire.com/portal/site/google/index.jsp?ndmViewId=news_view&amp;newsId=20060131006289&amp;newsLang=en"&gt;press release &lt;/a&gt;and a &lt;a href="http://www.boston.com/news/local/massachusetts/articles/2006/01/31/tg_customer_credit_info_mistakenly_released/?p1=MEWell_Pos3"&gt;story &lt;/a&gt;by their own staff.  The Associated Press story (linked above) and other stories, such as the one carried by cross-town rival &lt;a href="http://business.bostonherald.com/businessNews/view.bg?articleid=124053"&gt;Boston Herald &lt;/a&gt;suggest little effort beyond the minimum to reassure potential victims about what is being done to protect them and minimize their risk.  Meanwhile, reports that spokespeople for the papers are refusing requests for interviews with broadcast media are circulating. &lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Suggested course of action?&lt;/strong&gt;  The &lt;em&gt;Globe &lt;/em&gt;and &lt;em&gt;T&amp;G&lt;/em&gt; should lead by example here.  They should actively engage their customers and the public to discuss the issue and what they are doing to address the situation, and they should respect the requests of their colleagues in the media.  
They learned of the breach the morning of January 30 and, with 24 hours to prepare for disclosure, both papers should have had a notification plan in place that included a thorough media strategy.&lt;br /&gt;&lt;br /&gt;Four days into this event there is no evidence to suggest that either organization, both of which are owned by the New York Times, gave any thought to a crisis communications strategy beyond meeting their minimum obligation.  It's a missed opportunity for a pair of newspapers that dominate their markets and, as such, have a unique platform for communicating to their customers and the public.</content><link rel='replies' type='application/atom+xml' href='http://privatecomms.blogspot.com/feeds/113888870076778143/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=21812035&amp;postID=113888870076778143' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/21812035/posts/default/113888870076778143'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/21812035/posts/default/113888870076778143'/><link rel='alternate' type='text/html' href='http://privatecomms.blogspot.com/2006/02/lead-by-example.html' title='Lead by Example'/><author><name>Mike Spinney</name><uri>http://www.blogger.com/profile/01938466909342152711</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://tinypic.com/i3tk01.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-21812035.post-113888695488729948</id><published>2006-02-02T04:26:00.000-08:00</published><updated>2006-02-02T05:29:14.896-08:00</updated><title 
type='text'>Shameless</title><content type='html'>I'll begin this dialog with a shameless bit of self promotion, but one that conveys the motivation behind this effort.&lt;br /&gt;&lt;br /&gt;Last May I was interviewed for an article in the &lt;a href="http://www.peppersandrogers.com/"&gt;Peppers &amp; Rogers &lt;/a&gt;newsletter &lt;em&gt;Inside 1to1: Privacy&lt;/em&gt; on the importance of communicating issues related to privacy. In the &lt;a href="http://www.1to1media.com/View.aspx?DocID=28862"&gt;article &lt;/a&gt;I made the point that, like a nervous parent addressing the birds and the bees with a child, many companies are uncomfortable with raising the issue of privacy protection with their customers. They put it off and hope that things will take care of themselves.&lt;br /&gt;&lt;br /&gt;Unfortunately, as with sex, obtaining an education on the street may have dire consequences. And the regret of many a parent is that they didn't have the first conversation, because the one they are now forced to have is a lot more painful.&lt;br /&gt;&lt;br /&gt;Would you prefer that your customers learn what steps you are taking to protect them, or hear sensational stories of credit fraud and identity theft, hackers and spyware, and become fearful of building a more trusting (read: profitable) relationship with you?&lt;br /&gt;&lt;br /&gt;Communication is the key to establishing a trusting customer relationship, whether that customer is a grandmother living in some dusty Midwestern town, or a Fortune 500 corporation in the heart of New York City.&lt;br /&gt;&lt;br /&gt;In the coming weeks I'll revisit some of the data breaches that have happened since &lt;a href="http://www.msnbc.msn.com/id/6969799/"&gt;ChoicePoint &lt;/a&gt;to see what we can learn from those cases, and I'll track other events as they happen to offer analysis and recommendations in as close to real time as a blog allows.&lt;br /&gt;&lt;br /&gt;I suspect there will be no lack of examples. 
The &lt;a href="http://www.privacyrights.org/"&gt;Privacy Rights Clearinghouse &lt;/a&gt;has tracked more than 100 privacy breaches, exposing more than 50 million files containing personally identifiable information since ChoicePoint.&lt;br /&gt;&lt;br /&gt;The hits just keep on coming.</content><link rel='replies' type='application/atom+xml' href='http://privatecomms.blogspot.com/feeds/113888695488729948/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=21812035&amp;postID=113888695488729948' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/21812035/posts/default/113888695488729948'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/21812035/posts/default/113888695488729948'/><link rel='alternate' type='text/html' href='http://privatecomms.blogspot.com/2006/02/shameless.html' title='Shameless'/><author><name>Mike Spinney</name><uri>http://www.blogger.com/profile/01938466909342152711</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://tinypic.com/i3tk01.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-21812035.post-113880483583399257</id><published>2006-02-01T06:40:00.000-08:00</published><updated>2006-04-18T03:47:41.123-07:00</updated><title type='text'>About Me</title><content type='html'>I figure I should start things off with a little bit about me so that you'll know why I feel qualified to blog on issues related to PR, privacy, and data security.&lt;br /&gt;&lt;br /&gt;I've been a writer and public relations flak for the better part of the last 15 years. 
Not that length of service necessarily defines me as a maven on any particular topic, but it at least demonstrates that I'm smart enough to have remained consistently and gainfully employed or otherwise engaged during most of my adult life.&lt;br /&gt;&lt;br /&gt;Prior to that I spent four years as an intelligence analyst for the &lt;a href="http://www.navy.mil/"&gt;US Navy&lt;/a&gt;. There were a few intervening years spent narrowly avoiding serious injury in construction as well as working my way through college at the &lt;a href="http://www.usm.maine.edu/pos/"&gt;University of Southern Maine&lt;/a&gt;. I'm also a passionate fly angler, spending as much time as I can find casting to any number of species that swim in the waters of my native New England (striped bass, largemouth bass, sunfish, and pickerel, primarily), or traveling to places such as &lt;a href="http://www.robbreport.com/Articles/Sport/Sport-Casting-Call-of-the-Wild.asp"&gt;Alaska &lt;/a&gt;or &lt;a href="http://www.novascotiafishing.com/"&gt;Nova Scotia &lt;/a&gt;for different challenges afield. Often gratuitous, occasionally relevant, you'll notice angling references in my work from time to time.&lt;br /&gt;&lt;br /&gt;In April of 2003 my career path brought me to York, Maine and the &lt;a href="https://www.privacyassociation.org/"&gt;International Association of Privacy Professionals&lt;/a&gt; where I served as newsletters editor until July of last year.  
Today I am happily knocking around as a consultant and freelance writer.&lt;br /&gt;&lt;br /&gt;During my 27 months with the IAPP I had an opportunity to become intimately involved in one of the more formative business issues in recent years: data privacy.&lt;br /&gt;&lt;br /&gt;At first glance data privacy seems (and seemed to me at the time) to be one of those esoteric subjects that deserves little more than obligatory consideration; leave it to the lawyers, and don't take too much of my time.&lt;br /&gt;&lt;br /&gt;But timing is, indeed, everything.&lt;br /&gt;&lt;br /&gt;I joined the IAPP shortly after the appointment of &lt;a href="https://www.privacyassociation.org/index.php?option=com_content&amp;task=view&amp;id=561&amp;Itemid=149"&gt;Trevor Hughes &lt;/a&gt;as executive director, and at a point when numerous events were converging and gathering critical mass. Regulations such as HIPAA, GLBA, and SOX were nearing critical deadlines; the emergence and early adoption of RFID technology was happening; California's SB 1386 was about to become law, putting a number of events in motion that would culminate with the ChoicePoint debacle... it was a fascinating and exciting time to get involved, and under Trevor's leadership, the IAPP quickly established itself as &lt;em&gt;the&lt;/em&gt; leading voice in privacy.&lt;br /&gt;&lt;br /&gt;Before long, I found myself immersed in the issues and involved in the community. My writing and opinion on various issues were finding an audience and gaining respect. I met people who would have a profound impact on my work and who would become friends as well as colleagues. I achieved certification as an Information Privacy Professional (&lt;a href="https://www.privacyassociation.org/index.php?option=com_content&amp;task=view&amp;id=17&amp;Itemid=80"&gt;CIPP&lt;/a&gt;).&lt;br /&gt;&lt;br /&gt;Most importantly, I maintain an active dialog with my friends and colleagues within the privacy community. 
We often discuss the hot topics of the day, and it is that dialog I hope to share with you. In addition to my opinions, observations, and occasional rantings about privacy and data security, I'll share insights from my network.&lt;br /&gt;&lt;br /&gt;I look forward to sharing this space with you, offering my insights, and introducing you to some of my friends. Over time, I hope to have an influence on your perspective, and I look forward to hearing what you have to say.&lt;br /&gt;&lt;br /&gt;Mike</content><link rel='replies' type='application/atom+xml' href='http://privatecomms.blogspot.com/feeds/113880483583399257/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=21812035&amp;postID=113880483583399257' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/21812035/posts/default/113880483583399257'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/21812035/posts/default/113880483583399257'/><link rel='alternate' type='text/html' href='http://privatecomms.blogspot.com/2006/02/about-me.html' title='About Me'/><author><name>Mike Spinney</name><uri>http://www.blogger.com/profile/01938466909342152711</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://tinypic.com/i3tk01.jpg'/></author><thr:total>0</thr:total></entry></feed>
