Identity Theft archives - Ask the IT Consultant


Oct 23 2009   3:00PM GMT

Is Anyone Guarding the Internet Henhouse?
Posted by: Beth Cohen
IT security, business responsibility, Consumer IT technology, Security, Identity theft

Question:  With all the rampant fraud and identity theft on the Internet, why are consumers responsible for protecting their data when they have so little control?

The assumption is that if data is compromised or one’s identity stolen it is somehow the victim’s fault.  The picture is painted that we are responsible for managing our own security.  To a certain extent that is true and we should, as responsible citizens, practice basic network security hygiene.  Yet, we are constantly barraged with advice telling us to install data protection software, invent complex passwords, change them often and monitor our financial activities.  Is it really our fault when the system lets us down and our money is stolen, our identity compromised or our computers are hacked?

I would argue that the reality is far different.  We as consumers do not have much control over the security of our data or how secure our computer’s operating systems are.  Even if we pay for everything in cash, if we have a bank account, we are open to fraud.  One of my students recently pointed out that the Internet can be thought of as a giant recording device.  Everything that is ever posted to the net is still out there to be found and possibly used for nefarious purposes. Once our money enters the global financial system we have little or no say over who touches the information and what they do with it.

The average computer user should not be required to be a sophisticated network security professional in order to use Internet services.  Consumer protection laws were originally put in place in the early to mid 20th century because we came to realize that when we purchased something that wasn’t what we thought it was, it was not because we weren’t smart shoppers; it was because the buyer/seller relationship was too skewed towards the sellers, and buyers did not have enough power to make informed decisions.

It is time that we come to the understanding that the Internet is entering a similar phase in its market maturity.  Companies need to regain or maintain consumer trust.  As good corporate citizens, it is our responsibility to implement proper security measures to protect customers’ data.  The recent spate of laws in Massachusetts, the European Union and other places that are designed to put the responsibility for the protection of personally identifiable data on the companies holding it is a step in the right direction.

About the Author

Beth Cohen, Luth Computer Specialists, Inc.

May 27 2009   5:00PM GMT

Massachusetts Privacy Laws: Coming Soon to a Business Near You!

Posted by: David Goldstein
Security, compliance, Massachusetts privacy law, data protection, Identity theft

Question:  How can my organization prepare for the new Massachusetts Privacy Law 201 CMR 17.00, and why is it important?

Massachusetts recently passed a new privacy protection law that is the strictest in the nation to date.  If you are not in Massachusetts you might not think it applies to your business, but if your organization has any employees or customers in Massachusetts then you are affected by Massachusetts Privacy Law 201 CMR 17.00 — Standards For The Protection Of Personal Information Of Residents Of The Commonwealth.  In a nutshell, the law states that you need to place safeguards on any personal information (PI) that your company touches, in either electronic or paper form.  You will need to be in compliance with the law by 2010, so to get you started, here is a quick tutorial.

First, determine whether you have any personal information (PI) that needs protection.  PI is defined as a person’s first and last name combined with any one of the following pieces of information: driver’s license number, credit card number or Social Security number.  Specifically, you should examine: the number of records, the people and processes that access them, how the data is transmitted and where it is stored.  Ideally, you want to minimize the amount of information you hold to what is needed to perform your business processes.  In addition, you want to keep it for as short a time as possible, and reduce the number of people and processes that have access to the data.  Following these best practices will reduce your liability and exposure under the law.

Here are some recommended steps to meet the legal requirements:

  • Policy - Write a high level policy that indicates your company intends to comply with the spirit and letter of the law, completely.
  • Exposure - Give your business leaders and executives a crash course on the ramifications of the law in terms of business risk. A couple of hours should be enough to cover the basics.
  • Communication - Inform the company staff that the law is coming and request their help in meeting the compliance obligations.
  • Data classification - Create a classification scheme for all the likely PI types of information: Public, Company Private, Company Protected, etc.
  • Discovery - Use a search engine on suspected harbors of PI to find out where the PI resides in your data structures. Survey employees to identify PI in the workplace.
  • Need to know - Review job descriptions and note if a position requires PI access. Technical security policies can then be adjusted using role based security tools, such as Active Directory groups.
  • Lifecycle - Look at your business processes to understand the lifecycle of PI in your enterprise.
  • Administration - Assign a senior person to be responsible for compliance and have them assign business line or location deputies for enforcement. Make sure they have the proper authority.
  • Technical - Encryption options should be considered, but a policy that prohibits PI from being stored on a vulnerable laptop is a much easier solution.
  • Physical - Data centers, network closets and front doors need to be properly secured. This recommendation is just common sense even if you have no PI.
  • Training - Everybody, yes everybody, in the company should receive training, reminders and yearly refreshers on what information you are responsible for protecting and why.
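As an added illustration of the Discovery step (example code, not part of the original post or of Knowledge Management Associates' practice): a minimal scanner that classifies exported records against the PI definition above, flagging a line only when a personal name appears alongside a Social Security number or a Luhn-valid card number. The name, SSN and card formats and the sample records are constructed assumptions; a real discovery run would also cover driver’s license numbers and whatever formats your own systems use.

```python
import re

# Constructed patterns for two of the three PI elements the post lists.
# The statute names the elements; the exact formats here are assumptions.
NAME_RE = re.compile(r"\b[A-Z][a-z]+ [A-Z][a-z]+\b")
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d\d-(?!0000)\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")   # 13-16 digits, optional separators


def luhn_ok(number: str) -> bool:
    """Luhn checksum: rejects most digit runs that merely look like card numbers."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:                       # every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def classify(record: str) -> str:
    """'PI' if name + element, 'ELEMENT_ONLY' if an element without a name, else 'NONE'."""
    has_name = bool(NAME_RE.search(record))
    has_ssn = bool(SSN_RE.search(record))
    has_card = any(luhn_ok(m.group()) for m in CARD_RE.finditer(record))
    if not (has_ssn or has_card):
        return "NONE"
    return "PI" if has_name else "ELEMENT_ONLY"


def scan(lines):
    """Return (line number, verdict) for every record that needs attention."""
    findings = []
    for n, line in enumerate(lines, 1):
        verdict = classify(line)
        if verdict != "NONE":
            findings.append((n, verdict))
    return findings


# Constructed sample export, the kind of file a discovery sweep would turn up.
SAMPLE = [
    "Jane Doe, 123-45-6789, hired 2008",           # name + SSN -> PI
    "refund card 4111 1111 1111 1111 John Smith",  # name + Luhn-valid card -> PI
    "order 1234 5678 1234 5678 Mary Jones",        # fails Luhn -> not a card
    "ticket #876-65-4321 unassigned",              # SSN-shaped, no name -> review
    "Bob Brown, ext 4412, public directory",       # no PI element
]

if __name__ == "__main__":
    for n, verdict in scan(SAMPLE):
        print(f"line {n}: {verdict}")
```

Records flagged ELEMENT_ONLY are worth a manual look, because a name may sit in an adjacent field or file rather than on the same line.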

Hopefully these recommendations will smooth your path towards compliance and reduce risk.  Whatever you do, don’t just ignore Massachusetts Privacy Law 201 CMR 17.00; your business does not need the additional headaches.  So what are you waiting for?

David Goldstein, managing partner, and Sean Megley, a consultant, at Knowledge Management Associates created this entry.