IT Compliance Advisor

September 20, 2010  3:02 PM

Visibility the key to meeting compliance standards and data protection

Frank Ohlhorst

As IT managers struggle to meet the latest compliance standards, there is one challenge that remains constant: knowing what types of data you have and which subset of that data must be protected, and bringing in the appropriate data protection. This may sound like an easy task, but in reality it can be quite difficult.

Administrators are finding out just how scattered across the enterprise their data is. Increasingly, it is being stored on a growing number of new portable machines, removable devices and desktops that make it hard to determine if you are compliant or not.

For example, take HIPAA compliance. Patient data must be protected and kept confidential, yet many times X-rays or test results are stored on a CD and sent to another medical practice, sometimes carried by the patient. On the surface, if all the rules are adhered to, meeting compliance standards should not be an issue. But when the data is in transit, compliance officers no longer have control, which potentially poses a serious data protection problem.

While it may be impossible to solve such a data protection problem quickly, it does bring up a key issue: visibility. Simply put, if administrators aren’t fully aware of this process, how can they subscribe to any meaningful compliance standards?

The answer to that dilemma comes in the form of management tools that offer visibility into IT operations. The problem is there is no one-size-fits-all solution that can offer full visibility. This is where administrators have to become creative.

For example, a combination of PC asset management tools, such as Intel’s LANDesk, Symantec’s Altiris and Dell’s Kace, can provide visibility into what’s transpiring on PCs and other endpoints in the enterprise. These tools can be complemented by network monitoring and management tools, like SolarWinds and Paessler, and others can handle reporting on data in motion to round out visibility.

The last step administrators need to take is integrating these tools. By doing so, administrators have a clear map that shows where data can travel, allowing them to take preventative steps to eliminate the dreaded noncompliance discovery during an audit.

Frank Ohlhorst is an award-winning technology journalist, professional speaker and IT business consultant with more than 25 years of experience in the technology arena. He has written for several leading technology publications, including Computerworld, TechTarget, PCWorld, ExtremeTech and Tom’s Hardware, and business publications including Entrepreneur and BNET. Ohlhorst was also executive technology editor at eWEEK and director of CRN Test Center.

September 14, 2010  3:08 PM

Compliance and hosted services an uneasy fit for small companies

Frank Ohlhorst

For many small companies, compliance has become an expensive burden, forcing them to turn to hosted services. But the concept of shifting the compliance burden to a third party is not as easy as it seems.

This is particularly true when it involves HIPAA compliance. So many small companies, such as clinics and single practitioner offices, are forced to meet the same stringent requirements as much larger organizations.

There is a critical difference that separates the two. Larger organizations have IT departments, staff and budgets to meet these stringent requirements, and small companies do not. That makes smaller offices ideal candidates for hosted services and storage, but that still doesn’t eliminate the burden of compliance.

Ultimately, small company operators remain wholly responsible for their data and how that data meets compliance regulations. This means small business operators must vet their hosted services providers to make sure they are not the weak link in their compliance strategy.

Luckily, many businesses providing hosted services are becoming certified for compliance. Take Egnyte, a small hosted file server/hosted storage vendor offering HIPAA compliance services to its customers. To achieve compliance certification, Egnyte had to go through third-party auditing and deploy technologies that keep data compliant.

For example, Egnyte has to encrypt data at rest and in motion. What’s more, the company had to implement a solid disaster recovery plan that protects against data loss, as well as one for backing up data locally and at an alternate site. Comprehensive logging and user logon security is another area that Egnyte had to address to meet compliance needs. All of those elements together (and some not mentioned) are how Egnyte achieved compliance certification.

However, if a business with HIPAA requirements chooses Egnyte for file storage or other services, that business will not automatically become compliant. Why? Because consideration must be given to what happens to the data on-site, how that data is stored, who has access to it, who audits the data, and how it is protected. For instance, is the data encrypted? Can it be copied without being logged?

The moral of the story is that no matter what services are used, a business is ultimately responsible for its own compliance needs. Still, companies like Egnyte can reduce the burden of compliance by providing valuable services including backup, off-site storage, disaster recovery and a whole range of other services that protect data, while ensuring compliance.


September 7, 2010  3:09 PM

Weighing the balance of Big Data, Web analytics and compliance

Frank Ohlhorst

The term Big Data has been flying around the enterprise for the last two years or so, simultaneously creating a lot of excitement but driving many concerns, especially in the realm of compliance.

Basically, Big Data is a catchphrase that encompasses storage technology and the tools, processes and procedures that allow an organization to work with large data and, more importantly, perform Web analytics on that data. Examples of Big Data solutions at work include Google Analytics, the human genome project and Amazon’s product recommendation engine.

In other words, Big Data Web analytics are quite prevalent and are now popping up even in the small- and medium-sized business world. But there is a dark side that begs consideration: for Big Data analytics to work properly, tools and users must have unfettered access to large amounts of data, and therein lies the problem.

Compliance is all about protecting data, maintaining transactional continuity and concealing information from unauthorized sources. Big Data, on the other hand, is all about exposing data and mining that data for information. It almost seems that compliance and Big Data are polar opposites. Does that mean those technologies are mutually exclusive?

Not exactly. With some proper planning and comprehensive security, Big Data actually complements compliance. One of the primary tenets of compliance is the ability to retrieve interrelated data for e-discovery purposes, often a time-consuming and expensive undertaking that is driven by a legal request.

Here, Big Data proves to be a valuable tool because it allows users to quickly retrieve information for e-discovery purposes. The mining process also lets users create relationships between data, while mining for other information that is applicable for an e-discovery request.

For example, data that is not normally related can be retrieved using ad hoc queries that build temporary relationships to combine filtered data sets. This allows an administrator to gather all information pertinent to a particular customer (including VoIP recordings, emails, IMs, documents, spreadsheets and so on) in a matter of minutes by leveraging the power of Big Data Web analytics. But to accomplish any of this, a Big Data platform must be in place. Luckily, open source solutions exist, such as Apache’s Hadoop, which significantly reduces startup costs.

Ultimately, all businesses needing to meet compliance requirements will turn to Big Data platforms, even if their data isn’t so big. Now is the time to look into platforms and solutions that power today’s Big Data analytics and to strengthen security so Big Data doesn’t become a big security problem.


August 6, 2010  1:52 PM

New class of compliance professionals will drive new certifications

Frank Ohlhorst

No one should be at all surprised that a lot of the legislation involving the Sarbanes-Oxley Act (SOX), PCI and HIPAA is creating a completely new subset of compliance professional. Validating these new compliance professionals, however, is another issue altogether.

But thanks to the IT educational behemoth known as training and certification, we may have an answer on compliance competence sooner rather than later. Yet, one has to wonder if there will be any measurable value behind the new certifications that are being baked right now.

We will eventually see, of course, certificates such as certified SOX compliance specialist or PCI certified engineer, and so on. While certifications such as these may have questionable value, they will prove to be a good starting point for vetting potential employees. Or will they?

All we have to do is take a short walk down memory lane to truly gauge the value of certifications. Just a few years ago, the IT realm was filled with professionals sporting certifications such as MCSE (Microsoft Certified System Engineer), CNE (Certified NetWare Engineer), CCSP (Cisco Certified Security Professional), and many more.

While that may have seemed like a rich pool of potential employees, many CIOs discovered their departments were becoming flush with inexperienced “experts.” The problem has its roots in the artificial value assigned to certifications, which led to the creation of certification boot camps. This is the place where candidates learned how to take certification exams and not how to use the technology effectively in the real world.

Currently, the world of compliance is ripe for the boot camp ideology to kick in. Organizations are seeking compliance professionals at a growing rate, and it is getting harder to find individuals who have the correct skill sets to effectively implement and enforce compliance on IT systems. These dynamics will cause a boom in certifications, which in turn may water down the value of those certifications.

The moral of this story is there will be no shortcuts in finding competent professionals. If anything, it will get harder to separate the wheat from the chaff. Simply put, CTOs and CIOs will have to get involved in the interviewing and hiring process and not leave it solely up to HR to find the ideal candidates.


July 30, 2010  1:35 PM

When compliance-related best efforts for data archiving aren’t enough

Frank Ohlhorst

When it comes to compliance, regulations often dictate that an organization must demonstrate “best efforts” for archiving data. The term best efforts is vague, at best, and can mean different things to different people.

But for regulators, the term best efforts has its roots in the ability to retrieve and audit data. For CTOs, it means a backup and archiving platform. For CFOs, it means the lowest-cost solution that meets the minimum requirements. Defining best efforts in a meaningful fashion is usually a task that IT managers responsible for compliance technology find themselves assigned.

Luckily, those IT managers can dissect the term best efforts to figure out an applicable definition by keeping one other technology term in mind: e-discovery. The requirements behind e-discovery make it easy to see that best efforts must go beyond merely storing relevant information. The e-discovery process dictates that data must be archived securely in a protected fashion that supports auditing — the key word here being auditing.

For all intents and purposes, best efforts means much more than just archiving data. It also means the ability to retrieve the data in a relevant fashion, and that is where things start to get complicated. Retrieving the data, especially if it is years old, often requires access to the applications that can report on the data. This, in turn, means old email clients, accounting systems and other relevant applications must be maintained, as well as the platforms that support those applications.

This is a major challenge when one considers that audit windows can range from a few months to 20 years or more, depending on the type of data and the regulations that apply. So what does all of this mean?

Simply put, IT managers need to plan for the retrieval of data, not just its archiving. Luckily, technologies such as virtualization make the process a little easier today. When creating an archive, IT managers can do a physical-to-virtual conversion and store all of the needed elements as a virtual machine, which can be accessed at a later date using a hypervisor.


July 23, 2010  3:14 PM

How to meet compliance regulations with Windows Active Directory

Frank Ohlhorst

IT Compliance Advisor welcomes our new blogger, Frank Ohlhorst:

Meeting the needs of compliance regulations effectively means that IT staffers must be able to monitor and report on any activity traversing the network. Luckily for many Microsoft shops, the compliance beast has been tamed with the help of Microsoft’s Active Directory (AD), which can be extended to store many of the data elements associated with compliance requests.

What’s more, dozens if not hundreds of compliance tools that integrate with AD are readily available on the market. While that is good news for Microsoft Windows administrators, it is bad news for those looking to innovate. Simply put, AD plus compliance kills innovation.

How can this be? It’s simple: Many administrators are using compliance as an excuse to not deploy alternate capabilities. For example, take a moderately sized organization that wants to add a dozen Macs to the network to support the art department. The request goes in, and is immediately shot down because of a compliance issue — namely, the inability to apply policies to the Mac systems and report on activity, configuration and so on.

Pretty much the same thing can be said about Linux. Organizations looking to save bucks and deploy Linux are finding that compliance has become a powerful tool to prevent a deployment. Nowhere is this more true than on Windows Server networks using Active Directory.

The basic argument goes like this: “We can’t deploy the new desktop OS, because we are unable to monitor logons, apply policies, audit and report on compliance.” So, does that mean it must be the end for non-Windows systems being attached to the network? Well, not exactly. AD proves to be extensible, allowing new leaf objects and data elements to be added. It does take a bit more than modifying AD, however, to handle compliance for non-Windows systems. In fact, it will take thinking outside of the Windows box.

Let’s look a little more closely at the problem. For a desktop PC to be compliant under the rules of PCI, SOX and HIPAA, you will need to do a few things. At the top of that to-do list is authentication. You will need a way to maintain logon security, regardless of whether it has a local connection or not. Next on the list is applying policies to the system, policies that enforce rules about access and the types of data available. After that, you will need methods to inventory, monitor and report on the system. Finally, you will need to audit the system, which includes looking at usage and history over a period of time.

Miss any of these elements, and you will not be compliant. AD proves to be the perfect tool for backing compliance, and those leveraging AD will never want to see a non-Windows system on their networks. Where does that leave those non-Windows systems? Unfortunately, out in the cold.

But it doesn’t have to be that way. There is a solution to the problem, and we can once again thank Active Directory. There are a few products on the market that bring AD-based authentication to Linux, Unix and Macintosh systems, solving one of the biggest security issues of those systems (under the eyes of compliance). This is a good start.

However, authentication is only part of the puzzle. You will also need to enable policy enforcement and implement change management. In some instances, some of those same products will provide the answer. Finally, you will need to audit and report on those systems, and that is where a third-party product really pulls its weight.

So the moral of the story is to not let IT staffers pooh-pooh the possibility of integrating Linux, Unix and Mac into the enterprise, and to begin researching products such as Likewise Enterprise, Quest Authentication Services and Centrify’s DirectControl. Currently, Likewise Enterprise appears to have all the bells and whistles anyone could need and includes compliance reporting built right into the product.


July 14, 2010  6:29 PM

Security professionals: How will Mass. data privacy law be enforced?

Paul F. Roberts

IT Compliance Advisor welcomes our newest blogger, Paul F. Roberts:

I recently had the pleasure of speaking to a group of security professionals in New York about Massachusetts’ toughest-in-the-nation data privacy and protection law. It was one of those mutually beneficial events that sometimes comes along: New York security professionals learned a little more about the guts of the Massachusetts law, and I got to pick their brains about what the law means for their employers, which rank as some of the largest IT shops in the nation.

My takeaway: Folks are only now starting to pay attention to this law and are very anxious about one big question — its enforcement.

There’s good reason for this concern. While the data protection law has been on the books for a couple of years, specific guidance on implementing it (201 CMR 17.00) just took effect at the beginning of March. The law’s passage was the culmination of a long and contentious fight among business leaders, state legislators and regulators over the scope and provisions of the law.

But now that 201 CMR 17.00 is “live,” the focus has shifted to the question of enforcement, as organizations with customers in Massachusetts try to divine how this law is different from all other laws. The questions and comments I fielded from top IT security practitioners in New York suggested there is lots of grey area. Here are some areas where enforcement actions by the Massachusetts AG can add some color.

Will there be any enforcement of this law, and if so, what for?

This is the big question. Word is that the state attorney general’s office is looking into violations of Massachusetts General Law (M.G.L.) 93H, but no actions against specific organizations or individuals have yet been taken. One likely possibility is that enforcement will follow disclosure of a breach, in accordance with M.G.L. 93H, or after details of a breach have been made public. Failure to comply with 201 CMR 17.00 could be used to punish firms retroactively. The Massachusetts Office of the Attorney General declined to comment on the question of enforcement.

Who is covered by the Massachusetts data protection law?

The guidance offered by 201 CMR 17.00 is pretty clear about the fact that this law applies to both individuals and corporate entities that manage data concerning Massachusetts residents, including both employees and customers. But legal experts who follow the law say there’s still considerable uncertainty about which entities will be the focus of enforcement actions — companies that manage consumer data, or just their own employees’ data, or both? According to one attorney at a prominent Boston law firm, “we still see the basic ‘We don’t have consumers — do we really have to comply with this?’ question.”

A key question is what kinds of data will get the attention of law enforcement. Mega breaches affecting consumers, like the breach at TJX, are at the root of M.G.L. 93H. There is no reason, however, that regulators won’t take an equally tough stand on companies that are loose with employee data.

Also unclear is whether those charged with enforcing the requirements in 201 CMR 17.00 will focus on large corporations with customers in Massachusetts, or on smaller in-state firms first. The attorney I spoke with said that if a case involving an out-of-state entity presents itself (such as a major data breach), the AG has made clear that she will enforce the regulations in order to protect the interests of the affected residents of the commonwealth. This means that out-of-state firms are at risk of making Massachusetts’ law a de-facto national standard — at least until a tougher state law comes along.

What about mobile devices?

Of the eight IT-focused requirements in 201 CMR 17.00, one of the most contentious involves the security of wired and wireless devices (i.e., mobile devices) that contain information on Massachusetts residents. The IT pros I spoke with were understandably nervous about this one, and for good reason.

Many large enterprises are in the early stages of tracking and managing employee mobile devices. Yes, there are systems in place to enforce basic policies, but it’s an imperfect art and nobody I spoke with would say for sure they know what devices employees are using to check their email, or to log into work applications. With poor visibility into their mobile infrastructure, it’s hard to say which devices do and don’t contain personal information covered under M.G.L. 93H.

To ease tensions with the private sector, legislators in Massachusetts inserted the idea of “technically feasible” into the wording of the Massachusetts data privacy law concerning the security of data on mobile and wireless devices. This means that if there is a “reasonable means through technology to accomplish a required result, then it must be used.” What is a “reasonable means through technology?” That’s right, you ask the attorney general.

Is there any safe harbor for companies?

There was much disagreement on this among members of the New York audience, with IT security pros relating different messages from their own corporate counsel. In some cases, the opinion seems to be that encryption of personal information constitutes safe harbor from prosecution. In others, there’s a belief that if organizations take reasonable steps to protect customer data, such as layered security protections, they’ll have shown due diligence.

The attorney I spoke with said that companies can get safe harbor from M.G.L. 93H by encrypting covered data, and by complying with the many requirements of 201 CMR 17.00. But, like other regulations, organizations can have no “safe harbor” from the law itself. They can only be in compliance or out of compliance with it.

Paul F. Roberts is a senior analyst at The 451 Group in New York.

May 24, 2010  7:25 PM

Paychex risk management analysis method shoots and scores

Scot Petersen

Final Four bracket pools are not just for basketball fans anymore.

In an unusual risk management analysis methodology, payroll and human resource services provider Paychex breaks down its risk factors into four regions and pits them against one another.

Frank Fiorille, director of risk management for Paychex, presented an overview of the company’s risk analysis process at the 18th Edition SOX Compliance & Evolution to GRC conference in Boston on May 17.

In this version of March Madness, the Final Four is comprised of financial risks, hazard risks, strategic risks and operational risks. In the example Fiorille presented, each region is assigned 16 risks, which then compete against each other in live votes among the company’s leaders, to determine the risk champions in each region.

The brackets are whittled down to a Sweet 16, four in each region, before being put through more rigorous tests, vetting and quantitative analysis, and then ranked again on heat maps.

“Risk management is part art and part science,” Fiorille said, “but the business units know their risks the best.”

May 17, 2010  8:04 PM

Using personally identifiable information is gonna cost you

Linda Tucci

The era of businesses playing fast and loose with people’s personally identifiable information (PII) has passed — and not because of standards like PCI DSS or compliance mandates. The public at large is awakening to the reality that information is currency.

This is something that CIOs, of course, have known for a long time. IT executives owe their livelihoods to the fact that there is barely a company in the world that doesn’t do business in this material known as information.

Now the rest of us — from computer cave dwellers like me to the oversharing Facebook generation — are on to the fact that our PII comes at a price. And, one way or another, companies will pay up. The uproar over Facebook’s shape-shifting privacy “rules” and the anger in Europe over Google’s collection of private data are two current and noisy examples.

To get a sense of the change in public attitude in a few short years, consider the evolution of the Netflix Prize. Back in 2006, the company that changed the way people consume movies announced an open competition to improve Netflix’s algorithm for predicting which movies its customers might like to watch based on their past viewing habits. In September 2009, to breathless media reviews about tapping into the wisdom of the smart crowd, Netflix awarded the $1 million prize to BellKor’s Pragmatic Chaos, a seven-man (yes, man) multinational team of computer scientists and machine learning experts, and promptly announced a second contest. By March, the Netflix Prize 2 was called off. Netflix’s chief product officer, Neil Hunt, reported that the company had decided not to pursue round 2 after reaching “an understanding” with FTC investigators and settling a class action suit on whether the contest violated customer privacy. The investigation and suit were prompted by a research study by two University of Texas at Austin scientists showing that the anonymity of the Netflix prize data set was not so anonymous.

Gabriel Helmer, an attorney and privacy expert at Boston firm Foley Hoag, said the reaction to the second contest points to two important issues related to data privacy: re-identification and a company’s data privacy policy. For the second contest, Netflix promised contestants access to “a lot more demographic information,” and that information would be hosted in the cloud.

“You can take somebody’s name off their personal data, but the more personal information you provide, the easier it is to re-identify that person. Anonymized is never truly anonymous,” Helmer said. The FTC started to investigate because it wanted to know what Netflix told its customers their personal data would be used for when they turned it over.

“Most likely, Netflix did not say they would take the name off and give that personal information to the entire world in order to create a better algorithm,” Helmer said.

Helmer finds the case a “fascinating example” of the strengths and weaknesses of cloud computing — of the enormous gains that can be realized by making real data available for analysis to large groups of people, along with the obvious dangers of doing that. As a consumer, he said he likes that companies will do the work to tell you which media or products you might like to consume. But the people who brought the class action suit against Netflix are realizing that those services “come with a price.” They are demanding that the price for personally identifiable information be borne by the business, whether it means paying for personal information in exchange for a service, or guaranteeing the data will remain private, or ceasing and desisting. But the lawyer says it is still early days for knowing how such transactions will play out.

“The reason why it is such an exciting time is that people really have not decided what they will put up with, and what they like and don’t like about personally identifiable information,” he said.

His bet? Just as technology got us into this quandary, technology will quickly point us the way out. It will likely do so in the form of biometric scans or ways to identify people other than using a Social Security number, an address or your mother’s maiden name, much of which is already widely available on the Internet.

May 8, 2010  7:50 PM

Financial reforms won’t fix the computer terrorism on Wall Street

Linda Tucci

I am not the only one who wondered if the stock market “jitterations” Thursday were caused by an act of computer terrorism. Like a lot of people apparently, I pondered whether the theoretical fat-fingered trader sitting at his desk deliberately applied a fat finger to the wrong key to cause mayhem in the markets.

But it doesn’t matter really whether fat fingers, clumsy or deliberate, were or were not the cause of the 1,000-point stock plunge. The threat to capitalism is upon us, and it doesn’t have much to do with a typo. When the anomaly occurred, some of the super-fast computer systems that pounce on such deviations from the norm whirred into action, impervious to electronic checks and balances. Billions of dollars were lost and made in a matter of minutes.

The Obama administration is investigating the “unusual market activity” with a focus on the disparate rules of the various trading platforms. Congress also wants a review of the selloff. The event may hasten action on financial reforms. The government powers investigating the event might find out that the computer trading systems were in fact tricked into responding by a big bank or hedge fund or some other financial terrorist looking to make a killing.

But whatever the discovery — or remediation — that comes about as a result of the May 6 stock crash will pale beside what could be in store. At some point, it will occur to many people that the super-fast computer systems that pounce on anomalies, whether governed by effective or ineffective rules, are in the hands of a few. The means of production of very big profits are controlled by a very rich few. And when that reality sinks in, Marx my words, many middle-class working schmoes like me who pay taxes, keep up with mortgage payments and invest a portion of their bonusless salaries to fund their precarious retirements will decide that this capitalist game has run its course.
