privacy

Oct 8 2009   9:18PM GMT

OpenID pilot project for identity management starting up at NIH

Posted by: Alexander Howard
OpenID Foundation, Google, Yahoo, Facebook, National Institute of Health, MySpace, United States, AOL, OpenID, Identity management, authentication, NIH, privacy

As I reported last month, the U.S. federal government will try using OpenID as a federated identity framework for .gov authentication.

“The OpenID and .gov project’s goal is to make government more transparent to citizens,” said Don Thibeau, executive director of the OpenID Foundation at the OASIS Identity Management 2009 conference, referring the audience to IDManagement.gov.

There are now more than 1 billion OpenID-enabled accounts, according to Thibeau, with more than 40,000 websites supporting the framework, including technology companies Google, Yahoo, Facebook, AOL, MySpace, Novell and Sun Microsystems.

The OpenID identity management pilot at the National Institutes of Health (NIH) will be limited to conference registration, wiki authorization and library access, which require only Level of Access (LOA) 1 authentication.

Debbie Bucci, the integration services center program lead at the Center for Information Technology at NIH, talked about the success of existing identity management frameworks for authentication at the institute.

Bucci is cautious about implementing OpenID but sees utility in federated identity, given the success of InCommon, an identity framework at NIH. She expressed support for the “idea that you could take the same username and password and spread it around the business units.”

According to Bucci, NIH’s systems have more than 35,000 users, 250 service-level agreements and handle over 1 million transactions every day, 83% of which are external. Current user participation for InCommon is 21%, focused on higher education and research. The NIH’s electronic research administration supports more than 9,500 institutions and agencies, according to Bucci. By contrast, InCommon includes 165. More information about these identity management programs can be found at Federatedidentity.nih.gov.

According to Peter Alterman, senior advisor for strategic initiatives at NIH, the institute is continuing to work toward implementation of the Electronic Signatures in Global & National Commerce Act, also known as E-SIGN.

According to Thibeau, the core design principle for the trust framework is “openness,” meaning it will be open to all identity providers, qualified auditors, provider certification and evolution. He says that both the OpenID and Identity Card Foundations are working to collaborate with Harvard University’s Berkman Center and the Center for Democracy and Technology (CDT) to further expand the open trust framework.

That latter relationship may be important, as the CDT’s Schwartz said that “at Level 3 [access], we have a lot of concerns. If you don’t have limitations there, there will be a drive to ask for as much information as you can get.” Many high-priority citizen-to-government transactions are classified as LOA 3 or higher, including IRS tax filing, Social Security and Medicare. Given that limitation, there may be some roadblocks to address before government agencies that must address compliance under the Privacy Act implement this federated identity management framework.

Questioned about time frames and implementation metrics, Thibeau said in an email interview to “remember the effort under way is a pilot; a very deliberate beta test of new technology protocols, new integration and interoperability task. We don’t know when we will finish, but we do know we will make mistakes and wrestle with usability and security issues.

”Given all the players involved, it’s hard to say what will be completed and when. The most valuable new piece is how many people and many organizations are coalescing around a practical and far-reaching solution set for the challenges of identity from a user perspective. This goes beyond the tired truisms that often characterize privacy versus security debates. There is a real hunger for real solutions in identity authentication. Whether you frame it as open government, open source or open identity, there are powerful political, public and commercial drivers at work involving identity on the Web. The legal and policy discussions around open identity trust frameworks are a leading-edge indication that practical solutions are in play and
pragmatic (private and public sectors) organizations are involved.”

Thibeau was clear about the stage that the pilot is currently in. “We are at the beginning of a shakedown cruise on two tracks,” he said, referring to both the open source identity technologies and the open trust framework itself. “Both are parts of the GSA ICAM schema and both are on the agenda of the OpenID Foundation and Identity (IDF and ICF) boards to consider. They still have a review of and decision making around certification requirements, operations and strategy. As we begin technical testing of government pilots, we are also finalizing the certification of a trust framework process that is a critical element in government adoption and seen by some industry leaders as applicable for high value commercial applications.

Thibeau went on to explain that “the U.S. government is still finalizing requirements for credible, independent and industry standards-based identity certification.” The process holds interest beyond the borders of the U.S. as well, according to Thibeau. “Many international governments as well as U.S. state and local governments are studying the U.S. ICAM test of its ‘schema’ of technology protocols combined with industry self certification models. Identity provider certification of Open Trust Framework models have gained momentum after recent meetings with the Center for Democracy in Technology and feedback from various government agencies, including the GSA ICAM leadership, NIST, NIH and the national security staff in the White House.”

John Bradley, the chief security officer at ooTao Inc, serves on the OASIS XRI, XDI and ORMS Technical Committees and fielded questions about the details of the OpenID pilot at NIH. For more information, Bradley’s blog includes many useful links on the OpenID in government project.

Oct 2 2009   7:21PM GMT

NIST, smart grid privacy and social networking for security pros

Posted by: Alexander Howard
Smart Grid, Twitter, National Institute of Standards and Technology, Google, Personally identifiable information, identity theft, smart grid privacy, privacy, Security, Google Docs, cybersecurity

Last month, the National Institutes of Standards and Technology (NIST) outlined a framework for building more intelligence and interoperability into the electrical system of the United States. Such a system is generally known as the “smart grid.” Commerce Secretary Gary Locke released a plan for smart grid interoperability that’s meant to lead to a “secure, more efficient and environmentally friendly” system. A draft of the report from NIST is available for download as a PDF: “NIST Framework and Roadmap for Smart Grid Interoperability Standards Release 1.0″

Building more intelligence and efficiency into the network, however, has relevance to more than energy policy. As a working group of information security professionals determined over the course of the summer, there are significant smart grid privacy concerns to consider.

These considerations can be neatly summarized in the following excerpt from the NIST report: “The major benefit provided by the Smart Grid, i.e. the ability to get richer data to and from customer meters and other electric devices, is also its Achilles’ heel from a privacy viewpoint. Privacy advocates have raised serious concerns about the type and amount of billing and usage information flowing through the various entities of the Smart Grid … that could provide a detailed time-line of activities occurring inside the home.”

As privacy expert Rebecca Herold explains on her blog, smart grid privacy needs to be considered as utilities move to a next-generation infrastructure. Those implications were concisely listed by Herold as follows:

1. Identity theft.
2. Determining personal behavior patterns.
3. Determining specific appliances used.
4. Performing real-time surveillance.
5. Revealing activities through residual data.
6. Targeted home invasions.
7. Providing accidental invasions.
8. Activity censorship.
9. Decisions and actions based upon inaccurate data.
10. Revealing activities when used with data from other utilities.

Sarah Cortes, a contributor for SearchCompliance.com, was the project manager for the Privacy Sub-group of the NIST’s Cyber Security Coordination Task Group.

Key points in the current release of the smart grid privacy document include the following issues, according to Cortes:

1. Enforcement of state privacy-related laws is often delegated to agencies other than public utility commissions.
2. State utility commissions currently lack formal privacy policies or standards related to the smart grid.
3. The lack of consistent and comprehensive privacy policies throughout the entities that will be involved with the smart grid creates a privacy risk.
4. Comprehensive and consistent definitions of personally identifiable information do not typically exist.

The body of the privacy groups work may be found in this draft: NISTIR 7628 Smart Grid Cyber Security Strategy and Requirements (PDF).

Social networking and distributed collaboration sped up report writing for infosec team

One aspect of the report’s generation is worth recognizing: the role that the various collaborative technologies and social networking platforms played in gathering, synthesizing and producing the final deliverable for NIST. As Cortes explained in an email, preparing the current release of the Smart Grid privacy document included the following considerations:

1. Ensuring adequate input from each of the 50 state NARUC energy commissions and other sources in a very short time frame.
2. Aligning recommendations with the plethora of existing laws.
3. Documenting concrete privacy risks.
4. Separating privacy risks from security and other risks.

According to Christophe Veltsos, a Midwestern-based information security professional who participated in the NIST CSCTG, the team used the suite of collaborative technologies common to many enterprises in late 2009.

“Gal Shpantzer and I used Google Docs to do live edits, both of us working at the same time,” said Veltsos. “We used either a live phone line or GChat to help facilitate the conversation.” The team members, including Herold, also used email, free conference-calling websites and tweets to send quick bursts of info/updates to each other.

Cortes also said NIST involved Twitter users from the start.

UPDATE: Christophe Veltos wrote to correct the record on the central role that DC-based information security consultant Gal Shpantzer played in organizing the CSCTG. Veltsos points out that “while Sarah was the project manager, Gal was the catalyst and is considered by NIST to be the team leader of the privacy group.”

“When forming the group, NIST staff turned to the industry professionals they most respected across the U.S.: members of Twitter’s online information technology privacy, compliance and security community,” she explained. ”One by one, Gal recruited respected members of the IT professional community, met with prospective members in person at times, and sought out suggestions for additional members. All prospective members could quickly and easily be thoroughly checked out as far as qualifications, accomplishments, and references, all informally through common Twitter features. The breadth and depth of advisory group members was substantial compared to similar panels formed with more traditional methods taking far longer.

”All meetings were organized by conference call, and drafts of the Smart Grid Privacy policy documents and project plans were exchanged by email. In between meetings, members interacted informally on Twitter, similar to running into colleagues in the hall when everyone works physically in the same building. These informal Twitter dialogues facilitated relationship-building among the team and problem-solving between meetings.”

According to Cortes, “Twitter has become the medium of choice for networking IT professionals for a few reasons, among them:

1. If you’re in IT and you’re not comfortable with Twitter, you are lacking a basic technical skill.
2. Twitter enables members of the IT community to check out each other’s static Web pages and credentials, but then get to know members of their own industry over time through their communications streams. How professional and informative is this person, over a period of time? How respected are they by other well-respected professionals, apparent through the interlocking web of followers? How many others respect this person, apparent from absolute numbers of followers, quality of followers, and mentions by others?
3. Twitter communication allows personality to come through and thus enables people to feel comfortable with each other much more quickly than other mediums.
4. It allows for a combination of private and public messages, allowing swift reaction to breaking industry developments.
5. It allows professionals to get a quick response to a technical question.
6. It enables professionals to know at a glance whether they are up to date on developments on our field or out to lunch, a constant problem in this field. What are other respected IT professionals talking about each day? What are they not talking about?”

If you have thoughts and comments about either smart grid privacy or the utility of social networking for collaboration between compliance and security professionals, please leave them in the comments. Or, if you like, @reply on Twitter. You’ll find SearchCompliance.com there under @ITcompliance, as well as this author as @digiphile.

Aug 20 2009   6:09PM GMT

Amended Massachusetts data protection act focuses on risk management

Posted by: Sarah Cortes
Federal Trade Commission, risk management, Information security, consumer protection, Security, Gramm-Leach-Bliley Act, FTC, 201 CMR 17.00, Massachusetts’ Data Privacy Law, privacy, data protection, regulation, compiance, IT compliance

As Alexander Howard reported earlier today, the Massachusetts data protection law has been amended. The revised data privacy regulations — 201 CMR 17.00, “Standards for the Protection of Personal Information of Residents of the Commonwealth” — include several key updates. If you are an information security professional, take note of these changes, as they will likely have practical implications.

The most immediate impact is the provision for an additional 60 days to comply with the regulations. The deadline for implementation is now March 1, 2010.

Individuals and municipalities have expressly been removed from guideline jurisdiction, with a clarification that the “regulation applies to those engaged in commerce.” Guidelines on the requirement for a written information security plan are now simplified.

A new definition for the term service provider was added. The Office of Consumer Affairs and Business Regulation also amended third-party vendor rules. There is now a two-year grace period, relative to existing contracts, and requirements for those third parties to be in compliance.

Encryption requirements have been clarified. The apparently strict but, practically speaking, vague 128-bit specification from the prior version was replaced by “technology-neutral language.”

Further, a “technical feasibility” standard has been incorporated, acknowledging that methods to securely encrypt data on portable devices may not yet be available. Email encryption now falls under the technical feasibility standard. Additionally, encryption of backup tapes has been clarified to include prospective encryption. So you may safely cancel your firm’s plans to encrypt existing backup tapes. Encrypting new backup tapes will still be required, along with any personal data that travels over the public Internet or wireless network.

In another change that I believe will ultimately enhance consumer protection, 201 CMR 17.00 has been brought in line with certain federal regulations. Specifically, the Massachusetts data protection act now cedes authority to the Federal Trade Commission’s (FTC) standards established under the Gramm-Leach Bliley Act (GLBA). GLBA utilizes a risk management approach to data security.

The patchwork of 44 different state health data protection laws has delayed electronic automation of, and therefore overall security for, health records. Adopting a federal standard, starting with the FTC’s risk-based approach to data protection, avoids this pitfall and may make widespread compliance both more feasible and more likely in the near future.

On one hand, a risk management approach should be familiar to IT professionals. It shifts resources from “check-the-box” controls that may or may not address a particular organization’s specific risks to controls that make more sense in context. On the other hand, given the concrete definition of the personal information in scope, it is difficult to see where risk management would not be present whenever such personal data is stored.

“Mandating every component of a program and requiring its adoption, regardless of size and the nature of the business and the amount of information that requires security, makes little sense in terms of consumer protection,” said Bradley MacDougall, of Associated Industries of Massachusetts. Risk management and assessment will afford more consumer protection by matching a given business’ actual risks with required security investments.

Aug 19 2009   9:03PM GMT

The impact of Stengart v Loving Care on employee online privacy

Posted by: Alexander Howard
Security, Stengart v Loving Care, Electronic Communications Privacy Act, privacy, online privacy, compliance, cyberlaw, precedent, email, social media

This is a guest post from SearchCompliance.com contributor Andrew M. Baer, Esq. You can follow him at @baerbizlaw on Twitter.

The Stengart v. Loving Care case that Alexander Howard wrote about in ”The Web of social media and compliance: The ECPA and online privacy” is a very interesting one and merits closer examination. In that case, a New Jersey appellate court held that an employee did not waive her attorney-client privilege in communications with her lawyer that she sent through her personal Yahoo email account using a work computer, despite the employer’s attempts to argue that its electronic communications policy made the emails its property.

While the court’s opinion contains some lofty language about how an employer’s right to regulate its workplace is not limitless, the case actually turned on several key facts. Therefore, like the Pietrylo case discussed in my article on employee social media use policy, it can be seen as a case study in botched compliance.

The first half of the opinion deals with questions about the following:

• Whether the electronic communications policy was even in force and applied to the plaintiff.
• Whether or not it was disseminated and the plaintiff had notice of it.
• Which version (of several) was the applicable one.
• How the policy was to be interpreted in light of its rather shoddy drafting and contradictory statements regarding the allowance of personal communications.

The appellate court found that the lower court had not conducted a proper evidentiary inquiry concerning these issues. In particular, how a policy is drafted and how it should objectively be interpreted has a huge impact on what sort of online privacy expectations it is reasonable for an employee to have. The court also specifically noted that the employer had not followed the customary practice of obtaining from its employees a signed acknowledgment of the policy.

The policy also took the position that communications made using work computers became the “property” of the employer, which clearly rubbed the court the wrong way. To sum up, if:

1. The policy had been limited to specifying a right to monitor;
2. Had linked this right to a clear, unambiguous and customary set of prohibitions regarding personal communications;
3. Had been consented to in writing by the plaintiff;

It might not have been so offensive to the court.

Last but not least, despite the lofty statements about privacy in the workplace that I referred to earlier, these have no significant effect as precedent. As the court itself admitted, the real issue in the case was not defining the scope of the restrictions on an employer’s ability to access personal employee communications made using corporate IT resources. Instead, it was whether the plaintiff, in the particular facts and circumstances of the case, should lose her attorney-client privilege in certain emails.

The attorney-client privilege is sacred, particularly in New Jersey, as I know from past experience there. Courts will strain to avoid finding that a waiver has occurred, except in situations where a litigant behaves as if it doesn’t care whether its communications with an attorney are intercepted or not. In Stengart, the court effectively concluded that, despite the electronic communications policy, the plaintiff had not exhibited that level of indifference. The defendant’s law firm also seems to have behaved badly by reading the attorney-client emails and not alerting the plaintiff’s counsel that it had possession of these emails.

So, a small victory for employee online privacy at best, but one that contains important lessons for corporate compliance officers and counsel.

Aug 18 2009   4:53PM GMT

3 social media questions for compliance officers to consider

Posted by: Alexander Howard
Facebook, Social network, Twitter, LinkedIn, social media, Online Communities, privacy, compliance

My recently published series on online privacy and social media compliance is resulting in some feedback from our audience, as you might imagine. Scott Crawford, managing research director for Enterprise Management Associates, posed three questions that I believe are useful for anyone working and using social media to consider.

Navigating these boundaries will be a tricky dance for all as advice and professional services are offered over social media platforms, whether they are Twitter, Facebook, LinkedIn or [X] other social network. Crawford’s comments follow.

“I personally think one of the biggest issues with social networking will not be as cut-and-dried as a lot of these recommendations make it sound, however – namely: What clearly distinguishes personal from professional information shared via social networking sites? What are the boundaries of personal expertise and corporate IP? Can those necessarily be deduced in all cases where social networking is the vehicle? How much of the individual’s personal identity overlaps with corporate identity? This is likely a particular concern where personal expertise is the primary stock-in-trade of the enterprise, as with consulting organizations. Despite the apparent conflict, social networks are popular outlets for consultants, for example, since they not only help promote personal expertise but showcase it in a very personal way. Although you’ve offered some excellent examples of common sense distinctions between personal and acceptable corporate use, I suspect a number of cases will come forward that are not so clear-cut — and even where the case appears to be clear-cut, I would fully expect legal counsel to vigorously exploit any lack of clear distinctions that may be found in a particular case.”

If you have answers to Scott’s questions, please leave a comment, send feedback to editor@searchcompliance.com or @reply to @ITCompliance on Twitter.

Aug 17 2009   9:22PM GMT

201 CMR 17 FAQ: Updates to Massachusetts data protection law

Posted by: Alexander Howard
FTC, Security, Information security, Personally identifiable information, Information privacy, privacy, 201CMR17, data protection, encryption, compliance

Earlier today, the Massachusetts Office of Consumer Affairs and Business Regulation (OCABR) issued an update to 201.CMR.17, the Massachusetts data protection law. The deadline for implementation has now been extended until March 1, 2010.

In an interview with SearchCompliance.com, Undersecretary Barbara Anthony stated that “consumer protections have not been weakened in this amendment. Monitoring, reviewing the scope of security measures – and encryption is still required if you are going to transmit resident PII over public networks. What we’ve tried to do here is to not impose additional burdens which weren’t involved in the consumer protections.”

With the permission of the OCABR, we are posting the FAQ released by the office in full and unedited below. We will post the rest of Anthony’s comments tomorrow, along with further analysis of the changes referenced below.

What are the differences between this version of 201 CMR 17.00 and the version issued in February of 2009?

There are some important differences in the two versions.

First, the most recent regulation issued in August of 2009 makes clear that the rule adopts a risk-based approach to information security, consistent with both the enabling legislation and applicable federal law, especially the FTC’s Safeguards Rule. A risk-based approach is one that directs a business to establish a written security program that takes into account the particular business’ size, scope of business, amount of resources, nature and quantity of data collected or stored, and the need for security. It differs from an approach that mandates every component of a program and requires its adoption regardless of size and the nature of the business and the amount of information that requires security. This clarification of the risk based approach is especially important to those small businesses that do not handle or store large amounts of personal information.

Second, a number of specific provisions required to be included in a business’s written information security program have been removed from the regulation and will be used as a form of guidance only.

Third, the encryption requirement has been tailored to be technology neutral and technical feasibility has been applied to all computer security requirements.

Fourth, the third party vendor requirements have been changed to be consistent with Federal law.

To whom does this regulation apply?
The regulation applies to those engaged in commerce. More specifically, the regulation applies to those who collect and retain personal information in connection with the provision of goods and services or for the purposes of employment.

The regulation does not apply, however, to natural persons who are not in commerce.

Does 201 CMR 17.00 apply to municipalities?
No. 201 CMR 17.01 specifically excludes from the definition of “person” any “agency, executive office, department, board, commission, bureau, division or authority of the Commonwealth, or any of its branches, or any political subdivision thereof.” Consequently, the regulation does not apply to municipalities.

Must my information security program be in writing?
Yes, your information security program must be in writing. The scope and complexity of the document will vary depending on your resources, and the type of personal information you are storing or maintaining. But, everyone who owns or licenses personal information must have a written plan detailing the measures adopted to safeguard such information.

What about the computer security requirements of 201 CMR 17.00?
All of the computer security provisions apply to a business if they are technically feasible. The standard of technical feasibility takes reasonableness into account. (See definition of “technically feasible” below.) The computer security provisions in 17.04 should be construed in accordance with the risk-based approach of the regulation.

Does the regulation require encryption of portable devices?
Yes. The regulation requires encryption of portable devices where it is reasonable and technically feasible. The definition of encryption has been amended to make it technology neutral so that as encryption technology evolves and new standards are developed, this regulation will not impede the adoption of such new technologies.

Do all portable devices have to be encrypted?
No. Only those portable devices that contain personal information of customers or employees and only where technically feasible The “technical feasibility” language of the regulation is intended to recognize that at this period in the development of encryption technology, there is little, if any, generally accepted encryption technology for most portable devices, such as cell phones, blackberries, net books, iphones and similar devices. While it may not be possible to encrypt such portable devices, personal information should not be placed at risk in the use of such devices. There is, however, technology available to encrypt laptops.

Must I encrypt my backup tapes?
You must encrypt backup tapes on a prospective basis. However, if you are going to transport a backup tape from current storage, and it is technically feasible to encrypt (i.e. the tape allows it) then you must do so prior to the transfer. If it is not technically feasible, then you should consider the sensitivity of the information, the amount of personal information and the distance to be traveled and take appropriate steps to secure and safeguard the personal information. For example, if you are transporting a large volume of sensitive personal information, you may want to consider using an armored vehicle with an appropriate number of guards.

What does “technically feasible” mean?
“Technically feasible” means that if there is a reasonable means through technology to accomplish a required result, then that reasonable means must be used.

Must I encrypt my email if it contains personal information?
If it is not technically feasible to do so, then no. However, you should implement best practices by not sending unencrypted personal information in an email. There are alternative methods to communicate personal information other through email, such as establishing a secure website that requires safeguards such as a username and password to conduct transactions involving personal information.

Are there any steps that I am required to take in selecting a third party to store and maintain personal information that I own or license?
You are responsible for the selection and retention of a third-party service provider who is capable of properly safeguarding personal information. The third party service provider provision in 201 CMR 17.00 is modeled after the third party vendor provision in the FTC’s Safeguards Rule.

I have a small business with ten employees. Besides my employee data, I do not store any other personal information. What are my obligations?
The regulation adopts a risk-based approach to information security. A risk-based approach is one that is designed to be flexible while directing businesses to establish a written security program that takes into account the particular business’s size, scope of business, amount of resources and the need for security. For example, if you only have employee data with a small number of employees, you should lock your files in a storage cabinet and lock the door to that room. You should permit access to only those who require it for official duties. Conversely, if you have both employee and customer data containing personal information, then your security approach would be more stringent. If you have a large volume of customer data containing personal information, then your approach would be even more stringent.

Except for swiping credit cards, I do not retain or store any of the personal information of my customers. What is my obligation with respect to 201 CMR 17.00?
If you use swipe technology only, and you do not have actual custody or control over the personal information, then you would not own or license personal information with respect to that data, as long as you batch out such data in accordance with the Payment Card Industry (PCI) standards. However, if you have employees, see the previous question.

Does 201 CMR 17.00 set a maximum period of time in which I can hold onto/retain documents containing personal information?
No. That is a business decision you must make. However, as a good business practice, you should limit the amount of personal information collected to that reasonably necessary to accomplish the legitimate purpose for which it is collected and limit the time such information is retained to that reasonably necessary to accomplish such purpose. You should also limit access to those persons who are reasonably required to know such information.

Do I have to do an inventory of all my paper and electronic records?
No, you do not have to inventory your records. However, you should perform a risk assessment and identify which of your records contain personal information so that you can handle and protect that information.

How much employee training do I need to do?
There is no basic standard here. You will need to do enough training to ensure that the employees who will have access to personal information know what their obligations are regarding the protection of that information, as set forth in the regulation.

What is a financial account?
A financial account is an account that if access is gained by an unauthorized person to such account, an increase of financial burden, or a misappropriation of monies, credit or other assets could result. Examples of a financial account are: checking account, savings account, mutual fund account, annuity account, any kind of investment account, credit account or debit account.

Does an insurance policy number qualify as a financial account number?
An insurance policy number qualifies as a financial account number if it grants access to a person’s finances, or results in an increase of financial burden, or a misappropriation of monies, credit or other assets.

I am an attorney. Do communications with clients already covered by the attorney-client privilege immunize me from complying with 201 CMR 17.00?
If you own or license personal information, you must comply with 201 CMR 17.00 regardless of privileged or confidential communications. You must take steps outlined in 201 CMR 17.00 to protect the personal information taking into account your size, scope, resources, and need for security.

I already comply with HIPAA. Must I comply with 201 CMR 17.00 as well?
Yes. If you own or license personal information about a resident of the Commonwealth, you must comply with 201 CMR 17.00, even if you already comply with HIPAA.

What is the extent of my “monitoring” obligation?
The level of monitoring necessary to ensure your information security program is providing protection from unauthorized access to, or use of, personal information, and effectively limiting risks will depend largely on the nature of your business, your business practices, and the amount of personal information you own or license. It will also depend on the form in which the information is kept and stored. Obviously, information stored as a paper record will demand different monitoring techniques from those applicable to electronically stored records. In the end, the monitoring that you put in place must be such that it is reasonably likely to reveal unauthorized access or use.

Is everyone’s level of compliance going to be judged by the same standard?
Both the statute and the regulations specify that security programs should take into account the size and scope of your business, the resources that you have available to you, the amount of data you store, and the need for confidentiality. This will be judged on a case by case basis.

This FAQ was posted with the direct permission of OCABR. For more information on the regulation, visit Mass.gov/consumer.

Aug 4 2009   2:55PM GMT

What online privacy expectations exist for social media use at work?

Posted by: Alexander Howard
privacy, Security, Web 2.0, Law, Big Brother, Twitter, online privacy, compliance, DLP, e-discovery, social media

If you read Professor Jonathan Zittrain’s rebuttal on cloud computing to Bernard Golden at CIO.com today, you know that both agree that privacy is the No. 1 concern for cloud computing. Compliance officers have to worry about more than just privacy, of course, but protecting the private information of employees and customers alike is a crucial component of any enterprise-class security regimen.

Given, say, Twitter security risks, I knew the premise for SearchCompliance.com contributor Andrew Baer’s recent tips on social media use in the enterprise holds considerable merit: Social media platforms demand a clear employee Internet use policy.

When it comes to the details, however, I was left with more questions than answers. I understand that as a lawyer and e-discovery expert, Baer is naturally risk-averse. Moreover, I recognize that he’s forgotten more about e-discovery and the law than I currently know as a journalist.

That said, Baer’s position on online privacy and the rights of the employer to access the online activity or posts of employees veers into more ambiguous territory. Baer writes that a “policy should also state prominently that employees have no expectation of privacy in anything they store or transmit using corporate IT resources or post on the Internet, and that the enterprise reserves the right to monitor all usage of IT resources and Internet postings without notice and does so periodically.”

I imagine most observers can agree that enterprises need to create a Web 2.0 usage policy that extends existing rules and reminds employees of established guidelines for electronic communications and expectations for online privacy. Such guidance is even more crucial in regulated environments, as explained in ″Compliance concerns dog enterprise 2.0 collaboration software.″

Baer acknowledges the privacy issue: “Monitoring employee Web 2.0 use and terminating or disciplining an employee based on that use can raise legal privacy issues if an enterprise’s Web 2.0 strategy is not well planned and administered.”

The bottom line, however, is that Baer’s advice to compliance officers would appear to extend far beyond IT compliance into something else that he appropriately calls “Big Brother”-like action. As Baer observes, “Some employers may not want to go this far, since policing what employees say outside of work may seem Orwellian and lead to image problems.”

Image problems may just be the tip of the iceberg. I’m left wondering what other e-discovery experts, attorneys, security experts and compliance officers think about online privacy in this context.

George Moraetes, an independent security consultant for Securityminders Inc. in Illinois, agreed via email with Baer that “employees should have no expectation of privacy in anything they store or transmit using corporate IT resources.”

Moraetes wrote “that is a correct assumption, most companies treat email the same way. Employees have separate accounts using own resources. The only way to assure privacy is to encrypt your transmissions, in addition to using aliases. Most users are not techies and lack sophistication. Many companies do not implement DLP and NAC systems, although this in itself will not stop it.”

Moraetes went on describe the issue further:

“I demonstrated to the IRS a project back in 2004, the ability to leak information and not be caught. They told me they would catch anyone — or so they thought.

“In my demonstration to them, I advised that perimeter firewalls all must have ports 80 and 443 open bi-directionally. Otherwise, how would your staff and external users access resources? Obviously, when someone goes to Gmail or even Playboy their network captures and blocks them, reporting them to security — which is a serious offense. In saying that, I launched OpenVPN, communicating directly to my proxy/VPN server from Washington, D.C., to Chicago. I went anywhere that was prohibited and the internal traffic from their DLP systems could not detect or see me. There was nothing they could do about it. There are more ways to skin a cat to breach and leak out information, including Web 2.0 and using TweetDeck, email and the Web. Funneling encrypted traffic can bypass the majority of corporate systems.”

I’m writing an article about online privacy that will capture more viewpoints of other IT practitioners and e-discovery experts. If you have opinions about the use of social media on corporate systems and the online privacy expectations the surround them that you’d like to share, please comment here, @reply to @ITcompliance on Twitter or relate them directly to ahoward@techtarget.com with instructions on whether you’re willing to see them published.

Jul 20 2009   7:26PM GMT

Managing e-discovery and compliance: What would Eliot Spitzer do?

Posted by: Sarah Cortes
e-discovery, Audit, regulation, Massachusetts, privacy, Security, compliance, high-risk data, Technology, Putnam, Putnam Investments, market timing, Project management, Eliot Spitzer, business

E-discovery - or electronic discovery - has many technical aspects. Questions of available tools, case law, regulations and scope are critical. One of the most important and often overlooked elements, however, is managing e-discovery and compliance.

As a senior manager at Putnam Investments, bizarre coincidences and convergence of fate with the soon-to-be famous marked my tenure. Few chapters embodied all these elements as thoroughly as the following e-discovery anecdote, for reasons that are obvious now, but were less so in 2003.

On Monday, Nov. 3, 2003, Putnam Investments fired its CEO, Larry Lasser, following a probe into market timing. Eliot Spitzer, New York’s attorney general, and William Galvin, the Massachusetts state regulator, had brought significant pressure to bear regarding market timing charges.

Spitzer, then known best as U.S. Attorney for the Southern District of New York, issued a subpoena two weeks later for Putnam documents. In the process, he indicated that criminal charges were being considered. From that day onward, senior managers at Putnam had a critical new IT project: managing e-discovery and compliance.

Unlike other IT projects, which include a feasibility analysis, budgeting and decision-making process prior to kickoff, e-discovery really starts from subpoena receipt. Spitzer’s reputation for a “take-no-prisoners” approach to investigations and prosecutions, not atypical for situations many firms face during litigation, had implications for IT.

From the moment a subpoena is received, senior technology managers should be called in. From IT’s viewpoint, e-discovery then becomes a new IT project on the list that requires reprioritization of existing resources.

The first step in managing e-discovery is to assign an IT project manager. Given that this will be a high-risk project, a seasoned individual is required. That means either hiring a backfill candidate for an existing project, or cancellation or delay of exiting work. E-discovery is usually a good example of a project that has no real, measurable ROI. This is a handy data point for all those IT projects that you, the IT manager, have to argue for each year during the budgeting process. That process demands an ROI even for operating system, database and other major software upgrades, which are also projects that evade calculating an ROI.

The next step in managing e-discovery is stakeholder and requirements identification. While vendor or tool selection usually comes later in the process, for a specialized project like e-discovery, identifying requirements should be fast-tracked from Day One. Firms and experts specializing in e-discovery are crucial for this type of project, which typically will be handled only once in a company’s lifetime – you’re lucky. Your staff is likely to lack experience with e-discovery, a reality best addressed by selecting an advisor immediately after selecting a project manager.

In the next post, I will address how to adapt standard project management techniques to the e-discovery project.

Questions? Write to editor@searchcompliance.com or reply to @SecuritySources on Twitter.

Jul 7 2009   6:46PM GMT

Online privacy? Principles of self-regulation emerge, feds to follow

Posted by: Alexander Howard
Federal Trade Commission, Direct Marketing Association, Advertising, Association of National Advertisers, Pamela Jones Harbour, Online advertising, Better Business Bureau, online privacy, privacy, behavioral marketing, behavioral targeting, privacy compliance, compliance

Last week, a collection of trade organizations announced the release of a set of privacy principles for the use and collection of behavioral data in online advertising. The public adoption of these principles moves the industry towards self-regulation, though adoption measures that substantially improve protections for the online privacy of consumers will remain an open question for implementation.

Given the vast amount of data that is being collected online daily, the move can’t come soon enough. Whether the move is enough to head off regulation from Congress is likely a moot point; as my colleague Linda Tucci blogged last week, a national data privacy law is coming. As she noted, “the proposed federal electronic data privacy bill, known as H.R. 2221, was introduced in April with little fanfare but is generating a bit more buzz in the wake of recent hearings on Capitol Hill.”

Concern over online privacy is reflected by the relevant regulatory bodies, particularly at the federal level. To whit, as Pamela Jones Harbour, commissioner of the Federal Trade Commission, notes in the release:

“Consumers deserve transparency regarding the collection and use of their data for behavioral advertising purposes. I am gratified that a group of influential associations – representing a significant component of the Internet community – has responded to so many of the privacy concerns raised by my colleagues and myself. These associations have invested substantial efforts to actually deliver a draft set of privacy principles, which have the potential to dramatically advance the cause of consumer privacy. I commend these organizations for taking this important first step. I am hopeful that successful implementation will follow. In the meantime, I encourage the entire privacy community to continue a dialogue that places the interests of consumers first.”

According to the announcement on AAAA.org, these principles were developed by a “cross-industry self-regulatory task force” that included the American Association of Advertising Agencies, the Association of National Advertisers, the Direct Marketing Association (DMA) and the Interactive Advertising Bureau. The Council of Better Business Bureaus, has agreed, along with the DMA, to implement accountability programs “to protect consumer privacy in ad-supported interactive media that will require advertisers and websites to clearly inform consumers about data collection practices and enable them to exercise control over that information.”

Such protections are commendable but perhaps somewhat less laudable, in the context of looming regulation. In this case, release of such guidance for the protection of online privacy may help head off potential sanctions or fines under new legislation, demonstrating some good faith by the industry. Adoption is another matter. Electronic publishers used to collecting reams of data about Internet audiences are likely to have a new kind of compliance to address in 2010: privacy.

Jun 23 2009   11:13AM GMT

Should data security and privacy laws specify data encryption?

Posted by: Sarah Cortes
Privacy Law, Health Insurance Portability and Accountability Act, Massachusetts Senate, Information security, Cryptography, business, Security, Data Security, privacy, HIPAA, SOX, GLB, Massachusetts Data Security and Privacy Law, California Data Security and Privacy Law, data encryption, IT security, compliance, consumer protection, civil liberties, MGL 93H, Massachusetts’ Data Privacy Law, 201 CMR 17.00, Massachusetts SB 173, Technology

The proliferation of data security and privacy laws from state and federal agencies has created challenges and complexities for all entities that store and use data. One of the most controversial areas for these laws is whether or not they should specify data encryption as a requirement.

Issues currently confronting lawmakers, IT security, privacy and compliance professionals, businesses, and consumer protection and civil liberties groups include:

1. Which laws currently specify encryption and which do not? What, exactly, do they specify?
2. Should encryption be included at all in these laws?
3. If so, what, exactly, should be specified?
4. If not, what should the laws require?

One viewpoint holds that data encryption is a fundamental protection and strengthens consumer protection and privacy. From this viewpoint, laws that fail to specify encryption are weak, overly slanted toward business’ interests and inadequately protective of consumers and individuals’ privacy rights.

The counterpoint to that view, held by others, is that:

• Encryption as specified in current laws is a vague term, and thus somewhat meaningless.
• Specifying current encryption standards more concretely likely ensures the laws will quickly become outdated as technology advances.
• Mentioning encryption vaguely, without clear standards, creates business risk and uncertainty for those doing business in the commonwealth.
• Deviating so far from legislation in other states and federal approaches, in areas such as encryption and certification of third-party vendors, creates a situation where those third-party vendors may find it not worth implementing these capabilities just to do business in Massachusetts, leaving organizations at a competitive disadvantage without providing real benefit to consumers and individuals.

M.G.L. 93H, Massachusetts’ Data Privacy Law currently seems to specify encryption:

“Encrypted” transformation of data through the use of a 128-bit or higher algorithmic process into a form in which there is a low probability of assigning meaning without use of a confidential process or key, unless further defined by regulation of the department of consumer affairs and business regulation.

However, this definition does not set forth any circumstances under which data must actually be encrypted. When detailed regulations were issued in the form of 201 CMR 17.00: Standards for The Protection of Personal Information of Residents of the Commonwealth, regulators further specified that:

Every person that owns, licenses, stores or maintains personal information about a resident of the Commonwealth and electronically stores or transmits such information shall include in its written, comprehensive information security program the establishment and maintenance of a security system covering its computers, including any wireless system, that, at a minimum, shall [include] the following elements: Encryption of all transmitted records and files containing personal information, including those in wireless environments, that will travel across public networks.

An amendment currently under consideration in the Massachusetts Senate, SB 173, would seem to reverse that:

The department shall not in its regulations, however, require covered persons to use a specific technology or technologies, or a specific method or methods for protecting personal information.

What do you think? Should data security and privacy laws specify data encryption?