A social network user suffered a federal criminal prosecution in 2008 for violating the site’s terms of service. However, this prosecution was grounded in the assumption that a private company’s terms and conditions enjoyed a standing within, and were incorporated to, the federal criminal code (the assumption was made absent any formal ascertaining of that standing for terms/conditions of service/use, by any proper oversight authority – a relevant court).
The court, in this case where the prosecution was attempted, held that this interpretation could not withstand Constitutional challenge, and entered a judgment of acquittal. Further, the highest federal legal authority (short of the Supreme Court), the U.S. Justice Department, now holds that these sorts of prosecutions will not be attempted.
Commercial sites collect and analyze data about their customers for purpose of marketing, service, and sales. Mere visitors also may have data collected regarding them. Recognize that the sites must disclose types of data, and the purpose for its collection and associated use. On the federal level, the Federal Trade Commission (FTC) will pursue violators of consumer privacy rights, or ones that mislead consumers by stating uses of data and associated protections that are not true reflections of use and security. At the state level, attorneys general make these enforcements of consumer protection laws.
What of children? They are consumers of web services too – just by virtue of “surfing” the web. The Children’s Online Privacy Protection Act (COPPA) provides an extra measure of protection for them. When a website is “directed to children,” or whose operator knows that the site is collecting information from children, it must not do so without parental consent. There is no formal definition of “directed to children” by rule or statute; the enforcer of COPPA, the FTC, has been seen to interpret this as meaning “directed primarily to children.”
Now Playing: Brubeck, Time Out.
It may surprise some readers that the Federalist Papers were written anonymously; published and signed as “PUBLIUS.” James Madison, John Jay, and Alexander Hamilton (maybe others) utilized this pseudonym in the production of 85 essays supporting ratification of the U.S. Constitution.
More recently, the State of Ohio and its legislature attempted to ban anonymous political literature. The law was struck down by the U.S. Supreme Court, which stated: “The right to remain anonymous may be abused when it shields fraudulent conduct. But… in general, our society accords greater weight to the value of free speech than to the dangers of its misuse.”
That’s an important recognition and right. But recognize this too: There is no right to express one’s views anonymously online.
At the same time, a certain de facto anonymity can exist and is quite common. Many forums, blogs, news articles, etc., allow login and submission for anonymous posting. One can also submit pseudonymously through simple account/free-mail creation. Yet, a practical means of identification does still exist. For example, an entity can contact a forum’s host, checking the IP address of a user; the ISP can then be contacted, and various logs can at least narrow the search considerably. This can be employed upon discovery of violation of intellectual property rights, defamatory comments, criminal activity, and so on.
Fortunately, there are State and Federal laws that help to discourage invasions of privacy online. The Electronic Communications Privacy Act (ECPA) prohibits access to any computer absent proper authorization. The Computer Fraud and Abuse Act (CFAA) makes it illegal to access any “protected computer without authorization, or exceeding authorized access.” Then there is the CAN-SPAM Act. This law requires all unsolicited commercial e-mail to provide an ability to opt-out.
Fortunately, most states now have data breach notification laws. Companies that harbor the private information of individuals must notify them in the event of any breach of privacy.
We’ll continue in the coming days…
Now Playing: Josh White sings Ballads – Blues; original 1957 pressing of this LP on Elektra. Carver C-1; Carver M-500t; Thorens TD-125 w/ Shure v15v xMR. Peerless in Jensen cabs.
It’s rather interesting to monitor what’s happening in the UK right now. Data protection legislation is moving forward. And… business there supports data protection legislation.
A survey of 1200 businesses indicates that those businesses are concerned about the strength of laws: Nearly 50% feel that laws are weak and require revision, and 87% believe that organizations should be required to divulge breaches of sensitive content where information about the public is involved. [Source: Sophos].
Here in the U.S., I rather doubt business is keen on more legislative oversight. Generally speaking, I’m wary of new legislation – new laws must be thoroughly reviewed so as to guard against unintended – and negative – consequences, particularly where business is concerned. In today’s economy, we don’t want to impinge businesses’ opportunities for hearty conduct and growth.
However, I do like the breach notification idea. It serves a couple purposes that come readily to mind:
– Stakeholders (the public, customers, allied agencies…) are entitled to know about breaches that affect them, or ones that just have the potential to affect the general well-being of the business.
- Also, healthy exposure, and just that potential, help to motivate business in the currency of their ongoing security measures.
Particularly for small/medium business, and smaller government agencies such as those at county/municipality level: Do you have in-house security professionals who cast the horizon for new threats, with attendant posture of proactivity? And (or), do you have strong security partners in the form of vendors and allied security products?
How do readers here feel about it? Would you welcome new legislation? Are you confident regarding security in your organization?
The Washington Post recently reported that foreign hackers disabled a pump at an Illinois water plant last week, according to the preliminary state report.
If the source of the attack is confirmed as foreign, it will be the first known attack on a critical public (that is, societal) support: That of water, power, communications, and other essentials such as policing and communications.
There have been many hacks and harming incidents of various scope and harm in years past, of course. However, those were squarely within the realm of information’s availability or wellness: Incidents involving theft of content, destruction/corruption of it, or the interruption of availability to it by harming websites and their availability.
But now, there are entirely new vulnerabilities faced by our government, and subsequently you and your organization. Any org relies on the steady reliability of public infrastructures and enablements – and we’ve discussed those here in the past. But what of more mundane, and perhaps likely, concerns for the average organization?
Threats are becoming more sophisticated, and in many cases eclipsing the status of security in even the most “sophisticated” environments (relatively speaking). What your organization must do is to survey your entire “security bouquet” prior to something that is certain to happen: Hacktivists, and just general miscreants, are going to shop for companies, agencies, and groups that they can “take down.” It will be sport. It will be an attempt to gain mention on the daily news cycle.
Why? Because if people can do it, they generally will.
Begin with a review of your Acceptable Use Policy (AUP): Make certain people in your organization are not opening security vulnerabilities. Then review your Mobile Policy. Folks shouldn’t be using work resources to spend time on nefarious sites, nor should they correspond with strangers – new “friends” – outside of any business context – using domain credentials, to include their simple work e-mail address. If your org has a Bring Your Own Device (BYOD) Policy, ensure that it is updated to support the AUP, the MP, and all other security policies and documentation sets.
They also shouldn’t be posting comments to boards or articles with domain credentials – What is being done in the name of your domain? – that could bring the wrong kind of attention to your organization. Further, when they are on legitimate sites, such as professional support forums, they should take care not to run afoul of Terms of Service elements, nor should they be argumentative or abusive: There can be definite risk of recrimination from a forum member who decides to seek retribution by a “take-down” of some element of your domain.
Review all security policies, and establish a monthly or quarterly security refresher training. All actions and activities should be viewed through security’s prism.
Make everyone in the organization a virtual security officer.
Whether we wish it or not, our lives are becoming ever more open, and the most intimate details of our personal lives are being made available in a very public way. Apps capture and compile information about our likes and dislikes, our shopping habits, where we go and how, etc.
If you use social networking, such as the seemingly ubiquitous Facebook, it’s not just what you choose to share – it’s also what your friends post and discuss about you. Even if you eschew social networking, we’re on store cams – smartcams – which include facial recognition on an increasing basis. Even our property is not immune from a privacy intrustion of sorts: Entities such as Google are photographing that, from cars and satellites no less.
Imagine this: You’re walking through town, a smartphone at your waist – facing front. It scans, captures and processes the faces streaming past you. You not only capture who they are, their names, but where they live, and work. You can know their interests, their professional associates and friends, as well as their educational and any criminal background.
Consider this: It is thought that most under-30 police officers have Facebook pages. Does this inhibit undercover police work? What of the future?
In the coming days, we’ll explore areas where a certain anonymity may be granted (and therefore an expectation of online privacy), and conditions whereby anonymity may be broken. That is undergoing a bit of research on my part, and we’ll pick this “thread” back up in the coming days…
[Note: These are my present understandings regarding specific areas of internet law; you will want to vet this material to your own satisfaction, and will also need to monitor this ever-changing environment. - DS]
Many readers here will be aware of the internet’s beginnings: From research and development of the early ‘60s by the Advanced Research Projects Agency, yielding the ARPAnet, on through the Department of Defense’s work, giving rise to the DARPAnet (check here if interested), we eventually arrived at today’s Internet.
By 1991, a limited internet was operating beyond governmental development, and serving a degree of academic user body, and that infrastructure evolved into the large widespread commercial use we see today.
In examining the period comprising the early 1990s onward and the Internet’s associated use, we can realize that Internet law has had a generation to develop. Of particular interest to both individual users and business are National and International laws regulating the Internet’s use – here we’ll concentrate on two things: 1) Online contracts and 2) Privacy.
Changing Terms: An important principle to understand:
Hardcopy Contracts, Purchase Orders, Requests for Proposals (RFPs), etc.
Be aware of an emerging trend and practice: Increasingly, organizations are issuing hard-copy form contracts and other similar documentation that do not have all terms and conditions printed on them. Instead, they incorporate these by reference to the organization’s website. The date of the hardcopy item, with associated signatures, determines which version of the posted terms and conditions applies. Watch for this situation to supplant “fine print,” comprehensive, contracts and documents. Hardcopy forms don’t have to be changed as often when “offloading” the details to a web reference.
This sort of “Hybrid” documentation has been challenged on the grounds that specific terms and conditions are not sufficiently conspicuous. However, courts have already upheld the validity of these incorporations by reference; there only need be a clearly identified website in the document, and that website indicated as harboring the proper provisions.
Next Up: Online Privacy.
According to security firm Rapid 7, approximately 94 million personal files of Americans have been exposed by government agencies since 2009 – those that we know about, that is.
There are likely even more, given the fact that many states do not require agencies to report breaches.
As to the Feds: According to a recent Government Accounting Office (GAO) report, 18 of 24 surveyed Federal agencies had poor security controls, deemed not of sufficient standards for securing our personal information.
Private business has nothing to brag about either. Breaches were up 58% in 2011 over 2010, and 2012 will beat last year.
None of this surprises me: From a recent visit, I know for certain that a certain high-profile Fortune 100 firm simply does not enforce their policy requiring all users to log out of computer systems at end-of-day, or during extended absences from their desks/work areas. It’s rather extraordinary: People who are gone for the day remain logged in throughout the office, with a variety of proprietary, confidential, client, and personal information displayed. So much for systems that employ individual and group securities, and associated access/enablements. (Lest anyone wonder why automatic logouts are not employed, I wonder too).
IdentityForce ™ estimates that 86% of data breaches are not IT-related (that is, due to faults within IT systems, processes, or protections), but rather are due to remises of policy and training.
It has always been my view that matters of human error, and simple lack of care, are the better part of so-called “breaches” – and in those instances are better described as data exposures. Regardless, organizations seem to be at increasing risk, rather than decreasing, for allowing sensitive data to reach the wrong parties.
Is your organization at risk? It’s time for a survey – even if you feel you’re fairly tight. Survey your environment, and you can pretty much figure that your Acceptable Use, Security, and Disaster Recovery plans, policies and postures are due for modernization and updating.
Then train your personnel for appropriate behaviors and contingencies… essentially, today, everyone should be a virtual security officer…
Keep this important BTW tenet in mind: In the realm of risk, unmanaged possibilities become probabilities.
From Part I, our goal for the course of best business-IT outcomes is to gain the ready-agreement by both sides for fully sanctioned progressions, for delivery of best solutions, within best business and IT practices. And, all of this must be done in service to best ROI, TCO and TtV considerations. In getting to a best business-IT environment, an ability to sell will be key. In achieving this, we can use the Engage; Qualify; Overcome; and Close model. But first -
Most folks here are well-familiar with concepts and related goals, of best Returns-on-Investments (we want to maximize our returns [profits; efficiencies reinvestments, etc.], and Total Cost of Overhead (we want to drive those costs down as much as possible). But what of TtV – Time to Value?
In the matter of TtV, we want to serve the present as efficiently as possible through the delivery of timely projects, with on-target solutions, that serve business, as well as IT goals. Too, we want to plan our future effectively, with upcoming deliveries happening on-time – in fact, if we can get solving and serving things into place even faster than anticipated, so much the better.
However, a qualifier here is that we do things efficiently, and as rapidly as possible, within all legal, ethical, and safety-consideration elements, at all times. We also don’t want to stress people and projects in service to timelines and pressures that are unrealistic, or just too aggresive. Given those cautions, TtV is very important, and should always be “collapsed” to the shortest time possible, with associated prudency.
So – business needs deliveries from IT; short and long-term: Technical systems and enablements that grant effective conduct of business.
IT needs exposures from business stakeholders in order to deliver enabling things: What does business want/need? When? How will we (IT) deliver that? (What budget are we allowed? Who from business is available to engage?)
For both business and IT: How do we negotiate changes? How do we lobby for more resources? How do we adjust budgets (either up or down)? How do we lobby for time? We “sell” – and get the other party to “buy.”
Everything ultimately involves a sale.
So – how to sell? There are four basic steps:
1) Engage: Engagement in a business environment is formally achieved through meetings, both ad hoc and on schedules (such as regularized ones in service to any project’s general management, and others, such as Weekly Meetings, for example). There are also many one-on-one meetings, whereby a business stakeholder or IT person simply schedules a meeting, or “drops by” to discuss an issue or initiative. Engaging in a direct sense is not particularly challenging for readers here, but quality of engagement can be. Remember to engage with positivity, from an informed and ready posture, and bring solid contributions for the advancement of the organization’s initiatives and business.
2) Qualify: When either business or IT engages, for purpose of advancing an idea or specific initiative, one side must qualify the other (in order to “sell” the other side on cooperation, in service to the goal). Is the other side (party, group, individual, department, etc.) informed, or do we need to set fundamental understandings first? Are they qualified to hear and digest what I want to present (and sell)? If I’m asking them to make changes, to spec something up, to hold something back in prioritizing something else… are they able to do that? Do they have decision authority, or will they have to seek approval up the line? Qualify that. Will they need additional budget? Qualify that. Can they ramp up – do they have the people, knowledge, and time to do it? Qualify that. Will they need to lobby their management chain for additional budget, or do they have power and sanctioning authority within their group to direct dollars to the considerations under discussion? Qualify that. Qualify, and thus know.
3) Overcome: Whether it’s business or IT speaking within their respective discipline (one IT group to another, for example), or across to the other (business stakeholders delivering requirements to IT, as another example) – the “buying” party (hopefully) may have objections. “We can’t fund Initiative X this Quarter, because we have Initiative Y underway, and we’re experiencing cost overruns.” Here, assuming a meritorious case for progressing, overcoming the objection may involve something like this – IT: “Well, we have an extreme security vulnerability here; we need your department’s engagement in sewing this situation shut. Can we lobby for more budget this Quarter? We’ll help you to make the case with senior management.” A business department might respond: “Sure; let’s get all of the reasoning and documentation together; we’ll juggle priorities and get the necessary resources – obviously this is important.”
4) Close: Cement the agreements – the “buying” of the “sell” – by documenting all agreements and necessary actions. Make assignments, and agree to deliveries, standards, and dates.
Go into any business or IT discussion with a solid understanding of the process above. Have ready answers in service to the model.
Remember: to engage with positivity, for positive pursuits and positive results. Qualify the other side as being best positioned to receive your “pitch” upon that engagement. Be prepared to face objections, so that you can cite your case in overcoming those objections, for purpose of getting on the necessary path for progression to the goal(s).
Close the sale by securing and documenting all agreements, responsibilities, standards and deliveries.
IT says: Why can’t I get business folks to focus? Why don’t stakeholders engage? We don’t know what business wants. Business doesn’t know what it wants. (!)
Business folks say: Why doesn’t our IT department listen to us? Why is this project lagging so badly? Why didn’t my requirements make it into this “solution”? Why is this project costing so much?
In fact, as to that last: At the outset of projects it’s often difficult to set realistic budgets. Consider the simple business concerns: Controlling cost is important to any organization, so it’s not difficult to understand that appropriate budgets must be lobbied, argued for… sold. In other words, IT must sell business on the idea that a budget is spec’d appropriately, realistically. In turn, business is constantly selling to IT: We need this module; we need these modules to do this; no, we can’t modify this particular business routine in service to a budget ceiling… etc.
For either side of teams – Business vice IT – an important communication and collaboration mechanism is the ability to sell… and to do that, you have to know how to sell, and you have to know what selling is.
Selling is exposing someone, or groups of someones, to something they may need, or may want. The side doing the selling may know that the other side wants or needs something – and that other side may know it too, or may not. For example: Business often doesn’t know it needs a more robust security posture, and corresponding set of solutions (in service to a rapidly changing environment). Prying budget dollars in this circumstance can be difficult. It requires “selling” business on the notion that a change must be made, and that an investment is necessary.
Correspondingly, business must often “sell” IT on the idea that a revisit to proposed solutions is in order: a more robust budget is simply not available, and IT must apply imagination in reducing cost; Business may suggest – or demand – that IT shop around for more effective solutions partners, vendors, products, etc.
So – how to sell? There are four basic steps:
In Part II, we’ll take a look at this four-step process for selling. Our goal: Gaining the ready-agreement by both sides for fully sanctioned progressions, for delivery of best solutions, within best business and IT practices. And, all of this must be done in service to best ROI, TCO and TtV considerations. Stay tuned.
There’s seemingly no limit on time-wasting elements in today’s modern organization: Social networking; Twitter; idle web surfing; checking in on mobile devices; fooling with freeware, discussion groups, and on and on and… on…
What of that earliest electronic potential of a timewaster? E-mail.
A recent study and news release by the University of California, Irvine, has provided some interesting info. Employees who took a break from e-mail found that after 5 days, their stress went down, their productivity went up, and they had increased focus.
The study also found that in an environment lacking e-mail, workers switched windows less frequently – 18 times per hour, vs. 37 when e-mail was present.
The study made no mention if other “temptations” remained in the environment, such as those things mentioned in the first paragraph. (For those, you can consider limiting social networking, etc. to breaks and lunch, for example – unless those types of accounts are indigenous to your marketing efforts, and so forth. But get a handle on personal use of these things).
No matter how distracting e-mail might be, it ain’t goin’ nowhere. There are a few helpful suggestions, though. Productivity experts recommend against checking e-mail first thing in the morning. Rather, concentrate on priorities as listed in a To Do list. Some organizations are also having “e-mail vacations” – some specified time and measure during the day where workers are directed to stay out of e-mail, and to focus on work.
Of course, not everyone has the luxury of ignoring e-mail first think in their morning, nor can they do it during the day, either. Co-workers, clients, customers, etc., expect timely responses to e-mails. “We were having a vacation” isn’t going to sound too professional during the workday, now is it?
Organizations need to spell out guidance and expectations in strong Acceptable Use, Security, and Business Practices policies. For e-mail, just determine the general requirement for responses – if something isn’t marked “Urgent” or “High Importance,” then perhaps you can open it later – a quick perusal of Senders and Subjects in the morning will let you know if you can delay e-mail administration ‘till 10 or 11 a.m., and you can settle in with a cup of something, and tackle those reports, or even visit with someone in person to settle some nagging project questions. Get up and stretch those legs – a little physical relief goes a long way to reducing stress, and a simple walk across the office, or to another floor, can be refreshing.
Try to create a little balance, in other words. Remember that checking any account too frequently rather defeats the purpose of these enabling sorts of things – instead of being efficient, you’re wasting time and achieving a diminishing return. Check perhaps once an hour, instead of the constant “flip” to e-mail, social networking, discussion groups, etc. It’s tempting (I know), but not really necessary, unless you’re awaiting something urgent.
What are your thoughts?