The state of Florida is making money by selling information:  Personal information.

How personal?  Oh, it’s just folks’ names, addresses, dates of birth, and their associated vehicles.  Why would a state do this?  Well, for money.  For $63 million last year.

Florida is selling it to companies such as Lexus Nexus and Shadow Soft.  Further, according to Ann Howard of the Florida Department of Highway Safety and Motor Vehicles:  “Per federal mandate, there are companies that are entitled to this information.  Insurance companies, for example, are entitled to this information.  Employers are entitled to this information.”

It would seem to me that insurance companies are entitled to this info contingent upon my engagement of them for purpose of possibly procuring insurance from them.  Otherwise, why do they get carte blanche access?

It is good to know that the companies must sign contracts with the state to affirm that they won’t harass people.  That’s good – right?  Of course, information privacy does the same thing (protecting against harassment), except that it does so perfectly (assuming privacy is maintained), without the injection of human frailties and foibles.

Back to Ann Howard:  “This information cannot be sold to a company that plans to solicit business, such as companies that want you to come to their ice cream store or companies that want you to buy their vehicles.”  Well, now that we’ve injected some standards into the story, I’m much relieved.  Not. 

The willy-nilly spread of your personal information, without your self-directed interest and returns, merely increases the number of domains available for breach and theft of it.

It’s important to note that the state is not selling what’s been characterized as “sensitive” information such as social security numbers and drivers license numbers.  However, I’m of the belief that my name, where I live, what I drive, and my date of birth (often used as an authenticator) is extremely personal – and sensitive. 

A Florida judge has said that what the state is doing is legal.  Thoughts?

NP:  Wild Man Blues, Nicholas Payton, jazz24.org

The Pentagon is supposedly mounting a new cyber security initiative following the loss of 24,000 files.  They were actually stolen from a defense contractor but, as in any organization, the organization is ultimately responsible for the actions and activities of all subordinate elements:  contractors; vendors; solutions partners; individuals.

I also use the word “loss” for a very important reason:  Whether the Pentagon still has copies of the breached, stolen, files or not – they are lost in the sense that their exclusivity, their protection, and their discretion has been stolen. 

The files truly are not what they once were – and that is theft and loss.

Here in the BTW, we often speak of The Responsible Forward Edge (RFE).  It’s a proactive, aggressive, forward posture regarding survey of risk, mounted protections, and the comport with best business/IT practices.  Best practices means constantly updated practices in accordance with evolving threats and the evolving security measures to counter them.

The responsible organization does this pragmatically, for sure:  There’s budget to consider.  Other resources factor too:  time, available personnel for implementations and support, etc.  But today, there simply has to be a schedule of survey of liabilities – even if none seem to exist today, tomorrow they will:  Our environment is not static, and the number and nature of threats are not static either.

What makes the Pentagon’s hack so dismaying is that “foreign intruders” made the theft.  According to Deputy Defense Secretary William Lynn, terabytes of data have been stolen over the past decade, involving “our most sensitive systems, including aircraft avionics, surveillance technologies, satellite communications systems and network security protocols.”

In this case, Lynn didn’t specify a country for the attack, or even whether it was a country versus the work of simple criminal hackers.  However, a large part of the Pentagon’s new cyber security initiative is to share classified threat intelligence between defense companies.  Hmmm… someone couldn’t have thought to do that a decade ago? 

This should have been routine.  A lesson for all organizations is to get your people thinking, imagining, and working together.  Organizations should have, at a minimum, quarterly meetings with a significant block of time dedicated to security.  Employees, security oriented and otherwise, should volunteer what they’ve heard regarding threats, solutions, other outcomes.  Qualified personnel can vet ideas and threats – but it’s a nice exposure, and gets the organization thinking.  Remember too to solicit and share ideas between regional offices, and between all partnering-organizations.

At the same time, IT can warn of social networking liabilities, breach conditions to avoid, and so forth; they can reinforce Acceptable Use, Content, Security, and other policies.

On this day, July 16^th:  In 1926, National Geographic takes the first natural-color undersea photos.

Does your right to remain silent, as protected by the U.S. Constitution’s Fifth Amendment, extend to encryption on a personal laptop?

It’s an interesting subject, and one that might be settled soon – by the Supreme Court.  A woman accused of, and being prosecuted for, a mortgage scam in Colorado is under pressure to disclose her passphrase for decrypting her laptop, which police found in her bedroom upon the raid of her home – she has refused.

The Obama administration is asking a federal judge to order the defendant, Ms. Ramona Fricosu, to decrypt the laptop.  As a slight aside, prosecutors don’t want the passphrase itself.  They want Ms. Fricosu to simply type it in, and make the files available in their decrypted form.  This may seem a minor point, but it does remove any wrinkles that may be encountered upon court rulings that make divulgence of the passphrase itself a protected item within the Fifth Amendment’s protections.

At the heart of the matter is whether a defendant can be compelled to serve up something from the privacy of their mind:  Other courts have ruled that protections extend there.  Prosecutor’s, however, liken passphrases to physical keys, and defendants can be made to produce keys to safes, for example.  It’s an interesting situation.

One could make the argument that forcing a defendant to divulge a passphrase (or password,  encryption keys, etc.) enters the realm of breaking protections against self-incrimination.  While the Supreme Court has not yet ruled in matters such as these, lower courts have – and their rulings have, essentially, gone both ways:  In one case stating that an individual did not have a Fifth Amendment right to keep files encrypted; in the other, that the defendant did – thus “protecting his invocation of his Fifth Amendment privilege against compelled self-incrimination.”

Ms. Fricosu is charged with money laundering, wire fraud, and bank fraud in an alleged attempt to gain titles to homes via falsified court documents.  She’s facing up to 30 years or more in prison. 

For the rest of us, with – hopefully – more mundane privacy concerns, we can understand a desire to keep business secrets, diaries, and privileged communications from friends and associates private. 

For us, and most definitely for business, the case does bear watching.  

On this day:  July 12, 1962, the Rolling Stones make their first public appearance (Marquee Club, London).

I was reading an interesting article the other day, Apple, Google Under Fire at Hearing. 

You may read the article for yourself, and I recommend it.  But of interest to me, and hopefully others here, is the tracking that is performed by Google and Apple for optimization of services.  This tracking can have privacy implications:  Google and Apple (and by extension, anyone hacking critical data) can establish your whereabouts – either pinpointing, or exposing, virtually your exact location.

You can certainly harbor your own thoughts and opinions regarding the level of liability in all of this – but before anyone makes a hasty determination of privacy liabilities, or lack thereof, consider:  There are all manner of folks who benefit from not being located at any given moment in time.  There are former spouses who don’t relish being tracked.  There are people with some measure of public profile who like to get out and about without generating a scene.  What of witness relocation?  Further, there’s potential for government abuse in this realm.  Other examples abound, and further, others will evidence themselves in time.

It’s an interesting puzzle:  How to manage the balance of delivering beneficial information to the consumer based on location (such as GPS and navigational assists; location and distance to pizza – you get the idea…)  -  while at the same time providing protection to consumers’ privacies?

No less an authority than Trevor Hughes, Executive Director of the International Association of Privacy Professionals, has some interesting things to say regarding privacy:

“You know, it seems to me that there are real risks for organizations out there today, and you can knowingly violate privacy law or the expectations of privacy of your consumers…”.

And:

“I think it speaks to a larger issue in the marketplace, and that is we all have to become privacy professionals [emphasis added – DS] at some level.  We all have to have a broad environmental awareness of how data can create risks for our organizations.”

Further:

“If your customers don’t trust your privacy, they don’t trust you.  And that has implications far beyond just the law; it has real implications for your business.”

When we see Mr. Hughes speak above about risks to privacy – how data “can create risks for our organizations,” and that these things have “real implications for your business”(that is, liabilities)  – he’s actually talking about… SECURITY.  BUSINESS SECURITY.

I don’t like to blow my own horn (wellll… actually, I do.  I lean on it sometimes…), but I’ve long made the point:  All activity must now be viewed through security’s prism.  Everyone in the organization must become a mini-security officer:  Do it now. 

I posit that, rather than everyone being a privacy professional, we really need everyone to be a security officer – that condition encompasses issues of privacy, protection, and the ensuring of best outcomes for business all around.

I’ve stated this here before at The Exchange, I stated it in my 2006 book, and I continue to counsel all businesses with whom I consult that they must do this.  They must qualify every employee to view all activity through security’s prism, and to take appropriate safeguards before triggering any action.  It becomes natural, efficient, and ensuring.  It’s fairly simple to effect.

Breach of privacy – whether exposing business methodologies and secrets, or client, customer, consumer confidences, histories, and critical business/personal data – is a breach to security and direct threat to business continuity.

Update plans and training:  Security; Acceptable Use; Content Management; Business Continuity; Disaster Awareness, Preparedness, Prevention and Recovery; and others of your own.  Be certain to conduct semi-annual or quarterly refreshers:  Most organizations likely have regularized refresher training, or monthly All-Staff meetings, where security and privacy concerns can easily be accommodated without too much overhead to the organization’s time and other resources.

If I may quote I.T. Wars:  Sooner or later, everyone in the organization will be made a mini-security officer:  Do it now.

Word to the wise.

On this day:  In 1965, the Kinks arrive in New York City to begin their first U.S. tour. 

You say To-MAY-to, I say To-MAH-to…  one thing’s for certain:  When it comes to organizational security we cannot call the whole thing off.  Today, any business that has a single computer has an interwoven Business-IT security challenge.

I was speaking with a colleague who works in Washington, DC last evening.  We were talking about the interwoven (mutually reinforcing, mutually vulnerable) security means, methods and practices in the business-technology realm – the Weave.

Amazingly, his Fortune 500 ® company deals with clients who mount discussions and attempt whole solutions with virtually NO security considerations.  None, that is, until the client is brought back on balance by my friend’s company’s project managers and allied teams.  Unfortunately, there are other solutions providers in the mix and often his company has to deal with security considerations across a broad range of other “solutions,” associated providers, and competing lines of authority.

Consider this:  Almost any discipline in the physical world considers security up front.  Adding a room to your house?  The strength of the materials necessary has long been established – but beyond that, you or your contractor will consider how the room attaches to the existing structure; the floor will be sound, as will the walls, extended roof… etc.  Adding a deck?  The first consideration?… 

The size, number and strength of the supports holding the deck up.   The size of the deck will yield the potential capacity of people, therefore pointing to the size, strength and number of the supports.  You are securing the people’s safety who will be standing on that deck – before you even start to build. 

In any circumstance, there must be a virtual “security prism” through which every activity and construct is viewed.  The same goes for today’s IT-Business solutions:  Security must be Job One.  And yet, security lags and is often a sidebar consideration – or overlooked entirely.

It’s not difficult to find a great example – one that potentially touches us all.  According to a study by the Ponemon Institute (sponsored by Compuware), most banks are lacking critical data, privacy and security controls.  I picked banking because that should hit home – we likely all have bank accounts, and some measure of money and associated personal data associated with them, and we’d like to think those things protected and secure!  But…

Even though the survey found that 76% of organizations have a data protection plan, only 47% of those same organizations review new software apps and databases for privacy concerns and compliance to law prior to placing them in operation.  If that were the case 30, 20, maybe even 10 years ago, that would be one thing.  Today, it is stunning.

The survey also found that over 83% of financial service companies use live information, such as customer and employee data, for developing and testing.  More than half of these companies admit a lack of appropriate protections for real data in these circumstances.

What about vetting business partners when sending data to third parties regarding customers, employees and others?  Only 49% review these partners – and the same percentage lack even a standard contract for ensuring privacy protections of that data.

In the agencies I counsel and contract with, I hammer home the points: 

1)  Everyone in the organization must be a mini-Security Officer, and –

2)  They must view every action, project, implementation, business and IT change, through a virtual Security Prism.

Tomorrow:  What I uncovered at a State agency concerning personal privacy and data (the State and agency will have to remain nameless, but just wait until you hear this…)

The employee was using company resources (computer, internet access, and indeed company time), but the Court ruled that she had a reasonable expectation of privacy for the account, being that the company’s policy regarding computer use was that “occasional personal use is permitted.”

Various states have differing views of workplace privacy:  Most, if not all, have ruled that company-owned, corporate, e-mail accounts belong to the company – including all data that is contained – business related or otherwise.  Many have ruled that any data on a workplace computer belongs to the company, “personal” passwords and allied info notwithstanding.  But in gray areas, companies and individuals alike need to thoroughly understand Acceptable Use policies and to grow and amend those policies as necessary based on precedents and local rulings.  Some predict that workplace expectations of privacy vis-à-vis differing locales and laws will ultimate settle into a uniform judgment as the issue inevitably makes its way to the Supreme Court.

But there’s another consideration here:  Who might be accessing your e-mail and any other personal data in the workplace that you may not know about, and will never know about?  Someone could be surveying your workplace computer right now – for entertainment purposes, or for judgment in your suitability for promotion, or even further employment.  Can this be done in secret?  Of course.  Is it?  Well… for certain environments and for anyone who understands enough about human nature… the answer comes back again, “…of course.”

For a little background, the following article by Susan K. Vivio at NJ.com is of interest:  N.J. Supreme Court upholds privacy of personal e-mails accessed at work.

This much is certain:  If you’re in the policy-making arena (whether IT or Business policy), be sure your Acceptable Use and Content Managment policies are thoroughly up-to-date and that staff is apprised of your organization’s expectations.  If you are a workplace user of resources (again, whether IT or Business staff), be sure you are thoroughly familiar with all policies affecting use of computer and allied resources – and be certain that any people you may manage are also fully educated and current.

In all regards, it is always wise to carefully consider what you may be saying and storing on workplace computers.