The Business-Technology Weave

July 18, 2011  12:50 PM

European Union Considering Breach Notifications Rules

Posted by: David Scott
breach notification, breach notification law, breach notification rules, content management, content management policy, data breach, data integrity, data security, government breach, government data breach, IT security, security plans, security policy


It’s interesting to me that the European Union’s European Commission is considering some standard rules for breach notification.  These rules would govern how companies make notification to stakeholders, and also govern their behavior throughout breach fallouts.


These “practical rules” are being crafted from solicited input from the public, from national data protection authorities, and from consumer protection organizations.  In the wake of several high-profile breaches, it’s an understandable consideration (see several of my prior posts regarding breaches).


As stated by Neelie Kroes, the EU’s digital agenda commissioner, “The duty to notify of data breaches is an important part of the new EU telecoms rules.  But we need consistency across the EU so businesses don’t have to deal with a complicated range of different national schemes. I want to provide a level playing field, with certainty for consumers and practical solutions for businesses.”


If transparency is key, as one of the stated goals, then I wonder why no mention of government?  What of government breaches?  Is there the same timely notification requirement for various agencies?  In terms of stakeholders’ wellbeing, the government harbors extraordinarily critical content regarding citizens and their interests.


It’s of further interest to me that many “experts” feel that breaches will be an ongoing problem, by virtue of the number of private companies, banks, agencies, etc., that gather and store ever-more personal and empirical data about customers, clients, patients, and so on.


I rather agree that breaches will be an ongoing problem – but not due to an expansion of data stores – that is, more targets.  Breaches will occur largely through careless harbor:  poor security practices, lagging security initiatives, and that most venerable and vexing problem:  human error.


Joe McNamee, the head of European Digital Rights, says:  “It is precisely because there will inevitably be breaches that rules are needed to ensure that citizens are informed and that companies have compelling reasons to minimize the data they collect and maximize their internal security.”


I rather think that breaches can be thwarted – with proper security protocols, proactive updating of environments to best security features and practices, sound training of personnel, and ever better encryption techniques.


Meantime:  I’m back to government:  What is their duty in notification of breached agencies and harbored data?  Nothing I’ve read has indicated government’s oversight of… government.   


I’ll also be curious to see what’s mounted, or attempted, in terms of government control here in the United States.


I’d like to hear from you.  What are your thoughts on “breach notification laws”?


Stay safe out there.


NP:  Elsa, Cannonball Adderley


July 16, 2011  10:38 AM

Pentagon Loses 24,000 Files to Theft – and lessons to you

Posted by: David Scott
classified data theft, data privacy, data security, defense contractor loses files, Deputy Defense Secretary William Lynn, foreign intruder steals data, foreign intruder steals files, information privacy, Pentagon loses 24,000 files, Pentagon loses files, security policy, theft of 24,000 files


The Pentagon is supposedly mounting a new cyber security initiative following the loss of 24,000 files.  They were actually stolen from a defense contractor but, as in any organization, the organization is ultimately responsible for the actions and activities of all subordinate elements:  contractors; vendors; solutions partners; individuals.


I also use the word “loss” for a very important reason:  Whether the Pentagon still has copies of the breached, stolen files or not – they are lost in the sense that their exclusivity, their protection, and their discretion have been stolen.


The files truly are not what they once were – and that is theft and loss.


Here in the BTW, we often speak of The Responsible Forward Edge (RFE).  It’s a proactive, aggressive, forward posture regarding survey of risk, mounted protections, and the comport with best business/IT practices.  Best practices means constantly updated practices in accordance with evolving threats and the evolving security measures to counter them.


The responsible organization does this pragmatically, for sure:  There’s budget to consider.  Other resources factor too:  time, available personnel for implementations and support, etc.  But today, there simply has to be a schedule of survey of liabilities – even if none seem to exist today, tomorrow they will:  Our environment is not static, and the number and nature of threats are not static either.


What makes the Pentagon’s hack so dismaying is that “foreign intruders” made the theft.  According to Deputy Defense Secretary William Lynn, terabytes of data have been stolen over the past decade, involving “our most sensitive systems, including aircraft avionics, surveillance technologies, satellite communications systems and network security protocols.”


In this case, Lynn didn’t specify a country for the attack, or even whether it was a country versus the work of simple criminal hackers.  However, a large part of the Pentagon’s new cyber security initiative is to share classified threat intelligence between defense companies.  Hmmm… someone couldn’t have thought to do that a decade ago? 


This should have been routine.  A lesson for all organizations is to get your people thinking, imagining, and working together.  Organizations should have, at a minimum, quarterly meetings with a significant block of time dedicated to security.  Employees, security oriented and otherwise, should volunteer what they’ve heard regarding threats, solutions, other outcomes.  Qualified personnel can vet ideas and threats – but it’s a nice exposure, and gets the organization thinking.  Remember too to solicit and share ideas between regional offices, and between all partnering-organizations.


At the same time, IT can warn of social networking liabilities, breach conditions to avoid, and so forth; they can reinforce Acceptable Use, Content, Security, and other policies.



On this day, July 16th:  In 1926, National Geographic takes the first natural-color undersea photos.

July 13, 2011  1:05 PM

Information Privacy and Bank Debit Cards

Posted by: David Scott
ATM cards, ATM machines, bank breach, bank card breach, bank card data, bank card security, bank cards, bank fraud, bank PIN numbers, bank security, credit card, credit card breach, credit card data, financial institution, financial institution security, financial security, financial system, PIN numbers, US mail


An interesting thing happened to me on the way back from my mailbox the other day.


But first:  I had a debit card that was getting increasingly difficult to use.  The magnetic stripe on the back had a scratch on it, and I often had to swipe it three or four times to get it to read.  So, I called the bank and requested a new one.  I haven’t had to replace a card in a long, long time.  I figured the new one would come with instructions to call a number for “activation.”


Interestingly (well, at least to me), when the card showed up, the accompanying letter made no mention of any need for activation.  It did take care to tell me the card could be used at “millions of Visa ® merchant locations.”  It talked about “free access to cash” at qualifying ATMs.  Further, the letter was so helpful in telling any recipient that $300 cash was available each day, as was $1,500 in purchases.


Representing the most help, perhaps (particularly for thieves), was this informative sticker on the card itself!  [Capitalization is exactly as on the sticker] –




This debit card works at all Visa merchant locations.

Press the CREDIT button and DO NOT INPUT YOUR PIN.

Funds will be deducted from your checking account

and there will be no transaction fee.


It really is nice not to have to fuss with a PIN.  But here, we’re at a point of diminishing return:  By making the card easier to use for the consumer, we’re also opening a very insecure avenue, yielding a breach potential:  Unauthorized use of the card for THEFT.  [Those caps are all mine].

The letter had a 1-800 customer service number and I called it.  I wanted to confirm that the card was ready to use, absent any proactive activation on my part.  The representative confirmed two things:  1)  The card was ready to use, and 2)  that, upon my direct query, the card indeed had been ready all along, as delivered to my mailbox.

A couple of worrisome things here.  There have been times, not too often but more than a few, where my neighbor’s mail has been delivered to my mailbox.  In fact, this has happened at several addresses I’ve had over the years.  I’m sure there has been mail of mine delivered elsewhere – in fact, I remember people walking stuff over here and there.

In the event this card had been placed in the wrong mailbox, there is the possibility that someone would be tempted to take the card and use it.  The envelopes for these cards do not disguise the fact that they contain a card – you can readily feel a card just by picking up the envelope.  Consider too that someone could tear an envelope open without noticing it’s meant for someone else (in fact, I’ve done it).  Once open, there’s a nice sticker advertising the fact that you hold free money in your hand.

Of course, with all of the surveillance systems today, it would be distinctly unwise to use someone else’s card without authorization.  But that doesn’t preclude kids, or stupid people, or even someone adopting a disguise and walking up to a machine, from gaining some ready cash… from… you.

I don’t like it.  What do you think?  Aren’t we supposed to be getting tighter as regards security?

Also, keep this in mind:  Removing the need to call and authorize/activate a card takes a bit of a burden off the financial institution.  But… presumably any burden regarding security is something a bank is precisely supposed to be offering. 

Call it a service.   :^ )


On this day:  In 1836, U.S. Patent #1 is granted for locomotive wheels (after 9,957 unnumbered patents).


July 12, 2011  10:26 AM

Department of Justice: Forcing you to decrypt?

Posted by: David Scott
bank fraud, data encryption, data privacy, decryption, file access, file passphrase, IT passphrase, IT password, money laundering, PGP passphrase, privacy, Ramona Fricosu, Supreme Court encryption, U.S. Justice Department, U.S. Supreme Court data encryption, wire fraud


Does your right to remain silent, as protected by the U.S. Constitution’s Fifth Amendment, extend to encryption on a personal laptop?


It’s an interesting subject, and one that might be settled soon – by the Supreme Court.  A woman accused of, and being prosecuted for, a mortgage scam in Colorado is under pressure to disclose her passphrase for decrypting her laptop, which police found in her bedroom upon the raid of her home – she has refused.


The Obama administration is asking a federal judge to order the defendant, Ms. Ramona Fricosu, to decrypt the laptop.  As a slight aside, prosecutors don’t want the passphrase itself.  They want Ms. Fricosu to simply type it in, and make the files available in their decrypted form.  This may seem a minor point, but it does remove any wrinkles that may be encountered upon court rulings that make divulgence of the passphrase itself a protected item within the Fifth Amendment’s protections.


At the heart of the matter is whether a defendant can be compelled to serve up something from the privacy of their mind:  Other courts have ruled that protections extend there.  Prosecutors, however, liken passphrases to physical keys, and defendants can be made to produce keys to safes, for example.  It’s an interesting situation.


One could make the argument that forcing a defendant to divulge a passphrase (or password, encryption keys, etc.) enters the realm of breaking protections against self-incrimination.  While the Supreme Court has not yet ruled in matters such as these, lower courts have – and their rulings have, essentially, gone both ways:  In one case stating that an individual did not have a Fifth Amendment right to keep files encrypted; in the other, that the defendant did – thus “protecting his invocation of his Fifth Amendment privilege against compelled self-incrimination.”

Ms. Fricosu is charged with money laundering, wire fraud, and bank fraud in an alleged attempt to gain titles to homes via falsified court documents.  She’s facing up to 30 years or more in prison. 


For the rest of us, with – hopefully – more mundane privacy concerns, we can understand a desire to keep business secrets, diaries, and privileged communications from friends and associates private. 


For us, and most definitely for business, the case does bear watching.  



On this day:  July 12, 1962, the Rolling Stones make their first public appearance (Marquee Club, London).


July 11, 2011  12:32 PM

Pre-Infected Components and Software Entering the U.S.?

Posted by: David Scott
anti-virus, botnet, computer inspection, computer survey, computer virus, intellectual property, keystroke logging, keystroke monitoring, malware, pre-infected components, security defeats, software import, spyware, virus, virus removal


According to a top Homeland Security official, testifying before a hearing of the House Oversight and Government Reform Committee, computer software and hardware are being imported to the United States pre-loaded with security-defeats and spyware.


Greg Schaffer is Acting Deputy Undersecretary for National Protection and Programs at the Department of Homeland Security (at least he’s not the temporary acting deputy under… there are those too). 


Schaffer made a disturbing statement in response to a query by Rep. Jason Chaffetz, R-Utah, who first took care to state “the issue of software infrastructure (and) hardware built overseas with items embedded in them already by the time they get to the United States … poses, obviously, security and intellectual property risks.”


Rep. Chaffetz then asked, “A)  Is this happening, Mr. Schaffer?  And, B)  What are we going to do to fight back against this?”

After a moment’s obfuscation on the part of Schaffer, the representative sharpened his query, “Are you aware of any component software (or) hardware coming to the United States of America that already have security risks embedded into those components?”

Schaffer:  “I am aware that there have been instances where that has happened.”


The panel is considering a government proposal to tighten controls on imported computer equipment for use by critical government and communications infrastructure.* 


It would seem to me that that area would already have the highest possible standards.  How many times have we stated here that protections must lead threats, not lag, and that a proactive, provocative security awareness is necessary?


The hearing didn’t tease out whether imported equipment included consumer-grade technical components and software like retail media, laptops, desktops, consoles, etc.  However, if it’s determined that there’s a necessity to survey those imports, watch for consumer-grade items to jump in price, as cost of inspection and survey gets added to the bill.


* Meantime, the government isn’t doing everything possible to inspect and screen their own components?  In the age of botnets, key-logging software, password discovery mechanisms, encryption-busting and other software that defeats and disables existing security programs, there’s no excuse.  The absence of a progressive, matching security posture, and of aggressive monitoring and survey/scrub for malfeasance, is unaffordable.


Further, when an aggressive program is in place, that program is affordable because there is no cold-start mount in the face of extreme security perils:  It’s kinda like riding a bike uphill; you get a good start on the stretch, and are then able to pedal into the hill… eventually, you get back on level ground and your effort eases – but you don’t relax – you’re readying for the next hill.  However, if you start on the hill, it’s tough to get going.


What has the government been doing if it is just now acknowledging import of infected components?  And… further, it is just now considering more stringent controls?  It’s past time to pedal faster.


For your environment:  True security demands an aggressive posture.  Be certain to have the right mind-set in your organization.  Review the security-themed posts here as necessary.


Keep pedaling.


On this day:  July 11th, 1798, Congress creates the Marine Corps.


July 6, 2011  5:50 PM

Data Breach at Morgan Stanley: 34,000 customers at risk

Posted by: David Scott
content management, data breach, data encryption, data management, morgan stanley, morgan stanley data breach, secure transmission of data, security policy


From Morgan Stanley comes word that two unencrypted CDs have gone missing.  They were sent, and actually delivered – to a government tax office:  the New York State Department of Taxation and Finance.


However, apparently the package containing the CDs has either gone missing from the desk of the recipient – or – the package arrived at the desk, seemingly intact, but did not contain the expected CDs… depending on what article you read.  One thing seems fairly certain, being that Morgan Stanley has issued an apology and warning:  The two CDs were sent, did not reach the intended recipient, and are missing.


The CDs are password protected, but that’s mere child’s play these days for anyone who wants to break a password.  The idea that these sensitive discs, by virtue of very sensitive data, were not encrypted is quite hard to believe.  Someone was either too lazy to follow a protocol and perform the encryption, or – worse, Morgan Stanley has lax policy and standards regarding encryption and protection of data.


If one person is remiss that’s – literally – one thing.  That person can be disciplined, trained, or fired.  However, if there’s lagging policy and standards regarding data protection, handling (certified mail anyone?  Secure courier service?… etc.), and encryption – then that’s indicative of a systemic, organizational, fall down.  It’s time for a complete survey of business and IT practices, training programs, and day-to-day standards and comprehensions at Morgan Stanley.


It’s 2011.


The bank has had to notify customers that, at the least, names, addresses, earned income on investments, and tax ID numbers may be compromised.  Social security numbers frequently serve as tax ID numbers, and Morgan Stanley has offered a year of credit monitoring services for clients whose SSNs were exposed.


Morgan Stanley was notified on June 8th that the CDs were missing.  An exhaustive search was made through all facilities the CDs and associated package passed through – however, it wasn’t until June 24th that Morgan Stanley notified customers – via mail.


Remember:  Your number one asset is your reputation… your next asset is your customers.  Without those, your employees don’t have much reason to show up.  Take a look at your business processes and associated security – now.


On this day:  On July 6th, 1924, the first photograph was sent across the Atlantic by radio, from the US to England.





July 5, 2011  9:56 AM

Google and Information Privacy

Posted by: David Scott
acceptable use, content management, data breach, data security, google, google and privacy, government information request, information privacy, information security, user policy


Google has reported it gave user information to the Federal Government 94% of the time the government requested it.

These requests are allegedly parts of criminal investigations.  Still, it raises the question:  Does government have the right to demand information from a private company?

Yes, it does in any of three ways:

1.  A grand jury can send a subpoena to a company.

2.  A Federal judge can sign a search warrant; an FBI agent delivers it to the company.

3.  An FBI agent, or any Federal agent, may write his or her own search warrant, authorizing himself or herself to search the company.

This may be of interest to some readers here.  In fact, it should be of interest to all readers – and in particular, to business stakeholders.  I define “business stakeholder” very broadly:  From a temporary worker at a desk for a day, to the senior executive class, and everybody in between. 

In other words, if you’re under a business’ roof, doing business on business’ behalf, you’d better exercise care in what you’re doing:

You must secure and protect business reputation;

you must secure and protect your own.


Remember this:  Business’ #1 asset is not “our people” – as business so often likes to say:  “Our number one asset is our people.”  No.  Business’ #1 asset is its reputation:  Lose that, and your people won’t have a place to work.

Can Google give private info about what you’ve Googled to the Federal Government without you knowing it?  Well, they have been.  Here’s the number of Google’s deliveries to government requests, July through December 2010:

U.S.      4061

Brazil    1804

India     1699

U.K.      1162

France    1021

(Source:  Fox News)

Government is starting to peer into many of the things we’re doing, potentially invading our privacy.  Is government avoiding the Fourth Amendment, which protects citizens from unreasonable search and seizure, by going to a private company?  Further, what are the privacy and business implications when the government asks an enterprise such as Google for employee activities when under any business’ roof, on business time?

Does any consumer or business (the user of Google’s services) have an “unwritten contract” that Google will keep Google searches to themselves?

The answer is:  No.  There is no written, or unwritten, guarantee of discretion, and no promissory estoppel.  Thus, for individual and business alike, there are serious issues and vulnerabilities.  What are Google’s standards for giving information to the government?  Do they just cave in to requests?  Do they have their internal lawyers call the government and qualify these requests to any degree?  What are the criteria for denial or acquiescence?

In some ways, the government is asking the private sector to act as their… spy, essentially.  

This is why, in the age of eDiscovery, it is essential for businesses, large and small, to have robust and clearly understood Acceptable Use policies.  Security policies.  Content Management policies.  Further, make certain that employees understand and adhere to policies – and that they know the consequences for misuse of content, search engines, and other business resources.

Stay safe out there.



NP:  Don’t Worry About Me, Sachal Vasandani

June 27, 2011  7:45 AM

Social Intelligence, Part II

Posted by: David Scott
internet security, interviewing, job search, job searching, online identity, online reputation, online security, online wellness, personal security, social intelligence, social intelligence corporation, social network security, social networking


Today’s article follows on to yesterday’s Part I, where we discussed a relatively new company, Social Intelligence Corporation (SIC), and its offering of services to employers.  Please see that if you haven’t already.


Someone made a great point (credit Steve Doocy of Fox News):  What if you take a picture today of you hanging out with a friend, post it to a social networking account – and that friend becomes a felon in the future?  Is SIC going to deliver a future report to a prospective employer, stating that you associate with known felons?


Max Drucker, CEO of SIC, answered the question as a definite:  “Probably not.”  That’s hardly reassuring, although he does say that employers are primarily interested in the following categories for screening applicants:


- Racist remarks

- Clearly illegal activity such as drug use

- Sexually explicit photos and videos

- Flagrant displays of weapons or bombs


“Those are the things we look for, we don’t look for associations.”  But what will Mr. Drucker and SIC deliver in the event employers DO ask for associations?  I can’t say with certainty, but I know this:  SIC is in business to deliver a service.  That service is, essentially, a background check on potential employees.  SIC, and any service company, stays in business by filling the service expectations of clients – here, employers.  When employers start asking for “known associations,” companies like SIC are likely to deliver.


Michael Fertik, CEO of, makes several interesting points.  He notes that, at present, human beings at SIC are making nuanced, human, judgments about content and those people who generate it – people, in this context, who are prospective employees.  However, it won’t be long before competitor companies seek to deliver this service to employers faster, better (in competitors’ minds), and cheaper – and this will involve… automation.  Mr. Fertik’s points are well taken.


Here’s my take:  Automation frequently delivers a “dumb” report regarding content.  That is, there is no nuance, no judgment; there is lack of balance, and frequently a view to content that is a 180 degree diametric opposite of what that content might truly represent in its full context, outside the constricting view of a static report.


I made the point yesterday, in Part I, that someone might join an online group for purpose of monitoring; for example, a student might even join a hate site for purpose of a school report on such activities. 


Consider what SIC would make of that…



NP:  Two Degrees East, Three Degrees West, John Lewis/Jim Hall


June 25, 2011  8:11 AM

Social Intelligence

Posted by: David Scott
acceptable use, content management, employee security, Federal Trade Commission, SIC, social intelligence, social intelligence corporation, social networking, social networking peril


We’ve discussed online social networking peril here at length, but there is now a new wrinkle.


In addition to keeping work accounts and personal accounts straight, and taking great care not to mix “friending” with “businessing,” employees now must contend with the Social Intelligence Corporation.


What is the Social Intelligence Corporation (SIC) and its allied mission?  Nothing short of supplying potential employers with a comprehensive report of what you’ve been doing through social networking (and anything else online):  The good, the bad, and that which will get you screened from any hope of working for whatever company to which you’re applying.


As a year-old startup, SIC rakes social media sites such as Facebook, Twitter, Flickr, et al, even blogs, and presents anything suspect to the employing agent:  Again, perhaps a company that is considering you for employment.  You mail a resume, you get a call, you interview – and at some point in the process – perhaps even upon receipt of the resume – the company engages SIC and requests your online history.


It’s hard to know if SIC is sick, or just the next step in employers’ due diligence and arsenal of tools in arriving at best employees and staffs.  It does seem a little sinister that employers, and SIC, are raking the relative party of social networking in assessing candidates.  I mean, I wouldn’t have wanted potential employers at some of my house parties back in the day – ya know what I mean?  We’ve already noted that employers have been using Google to look up names and online presence of potential employees.  This takes it to a whole ‘nother level.


Consider the case of one person:  They merely joined a Facebook group called “I shouldn’t have to press ‘1’ for English.  We’re in the United States.  Learn the language.”  Apparently, the SIC’s software identified the individual as having “…other obvious racist leaning or proclivities” merely through association.  Seems a bit heavy.  And what of someone’s membership whereby they’re merely monitoring such a group?


Just recently, the Federal Trade Commission suspended an investigation of SIC, by virtue of the fact that it appears to comply, for now, with the Fair Credit Reporting Act:  In this case, SIC must be certain that clients (companies, organizations) advise applicants when something deleterious turns up on a report, with subsequent negative impact to potential employment with that employer.


So… beware.  We’ve said it before, and I’ll say it again:  Stay safe out there.


NP:  Hungaria, Bireli Lagrene


June 24, 2011  7:47 AM

UK, France and Germany: 84% of companies have suffered breach in the past year

Posted by: David Scott
business continuity, business security, data breach, data recovery, IT security, Juniper, Juniper Networks, Juniper Networks Survey, Security Plan, security policy


From Europe comes incredible news, as reported by Juniper Networks.  Amazingly, 84% of businesses have experienced at least one data breach in the past year. 


Eighty-four percent.  Huh.  Well, at least 16% are doing something right. 


But wait – I think we can safely assume that a good many of those are surviving on dumb luck.  And, as stated here in The Weave, something bad can be transpiring at this very moment, with the organization as yet unaware that the harm from an event or circumstance is just around the corner.


According to Juniper’s survey of 1406 IT folks, 31% indicated an increase in the frequency of breaches, and 76% report that attacks have become potentially more damaging or harder to prevent.


Of particular concern are mobile devices such as smart phones and laptops.  These privately owned elements are difficult to manage, being that they’re outside the usual realm of the enterprise’s policies and control.  In fact, 34% of those responding attributed breaches to laptops.


It can’t be emphasized enough:  Organizations need to make immediate identification of all outside access to the enterprise environment.  Once surveyed, a policy and plan set must be drafted:  1)  a definition of allowed access, acceptable use, and required security features and protections, 2)  paired with a plan to roll out training, ongoing user awareness, and those security features that must be harbored and adhered to at all times by anyone accessing from outside.


Anything short of this is folly.  The organization is begging for a catastrophic breach of systems, data and reputation.  Things are only going to get more challenging: 


- Threats are going to harbor more power to harm

- Threats are going to increase in number

- Threats are going to stream into the organization’s face at an accelerating rate.


Get ahead of the curve now.  Survey all security policies and measures.  Do some research.  Determine your level of affordability in terms of time, attention, and resources, vis-à-vis acceptable risk.


What is “acceptable risk”?  Only your organization is going to know that for your organization.  Engage business stakeholders and IT governance, hammer out the accepted plan, and then execute. 


Get this on the table, and get it going.



NP:  You’ll Never Know, Red Garland

