<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Regulatory Reality &#187; PII</title>
	<atom:link href="http://itknowledgeexchange.techtarget.com/regulatory-compliance/tag/pii/feed/" rel="self" type="application/rss+xml" />
	<link>http://itknowledgeexchange.techtarget.com/regulatory-compliance</link>
	<description>A SearchFinancialSecurity.com blog</description>
	<lastBuildDate>Wed, 06 Mar 2013 17:19:34 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	
		<item>
		<title>Are banks unfairly scrutinized?</title>
		<link>http://itknowledgeexchange.techtarget.com/regulatory-compliance/are-banks-unfairly-scrutinized/</link>
		<comments>http://itknowledgeexchange.techtarget.com/regulatory-compliance/are-banks-unfairly-scrutinized/#comments</comments>
		<pubDate>Mon, 22 Oct 2012 14:09:17 +0000</pubDate>
		<dc:creator>David Schneier</dc:creator>
				<category><![CDATA[ACH]]></category>
		<category><![CDATA[assess]]></category>
		<category><![CDATA[assessment]]></category>
		<category><![CDATA[assessments]]></category>
		<category><![CDATA[Audit]]></category>
		<category><![CDATA[auditor]]></category>
		<category><![CDATA[audits]]></category>
		<category><![CDATA[banking]]></category>
		<category><![CDATA[banks]]></category>
		<category><![CDATA[business]]></category>
		<category><![CDATA[CISA]]></category>
		<category><![CDATA[CISO]]></category>
		<category><![CDATA[community bank]]></category>
		<category><![CDATA[compliance]]></category>
		<category><![CDATA[credit unions]]></category>
		<category><![CDATA[CU]]></category>
		<category><![CDATA[exam]]></category>
		<category><![CDATA[examination]]></category>
		<category><![CDATA[examinations]]></category>
		<category><![CDATA[examiner]]></category>
		<category><![CDATA[examiners]]></category>
		<category><![CDATA[exams]]></category>
		<category><![CDATA[FFIEC]]></category>
		<category><![CDATA[financial institutions]]></category>
		<category><![CDATA[general controls]]></category>
		<category><![CDATA[GLBA]]></category>
		<category><![CDATA[identify theft]]></category>
		<category><![CDATA[identity theft]]></category>
		<category><![CDATA[information security]]></category>
		<category><![CDATA[information security office]]></category>
		<category><![CDATA[Information Technology General Controls]]></category>
		<category><![CDATA[internal audit]]></category>
		<category><![CDATA[internal controls]]></category>
		<category><![CDATA[ITGC]]></category>
		<category><![CDATA[NPPI]]></category>
		<category><![CDATA[observations]]></category>
		<category><![CDATA[oversight]]></category>
		<category><![CDATA[personally identifiable informaiton]]></category>
		<category><![CDATA[PII]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[risk assess]]></category>
		<category><![CDATA[risk assessment]]></category>
		<category><![CDATA[risk assessments]]></category>
		<category><![CDATA[risk management]]></category>
		<category><![CDATA[risk-based]]></category>
		<category><![CDATA[risks]]></category>

		<guid isPermaLink="false">http://itknowledgeexchange.techtarget.com/regulatory-compliance/?p=993</guid>
		<description><![CDATA[A few years back when I first cut over to working somewhat exclusively with financial institutions I memorized an elevator speech that still somewhat defines who I am and what I do professionally.  Part of the speech pointed out that my firm helped &#8220;banks and credit unions meet regulatory compliance with respect to GLBA 501(b) [...]]]></description>
				<content:encoded><![CDATA[<p>A few years back when I first cut over to working somewhat exclusively with financial institutions I memorized an elevator speech that still somewhat defines who I am and what I do professionally.  Part of the speech pointed out that my firm helped &#8220;banks and credit unions meet regulatory compliance with respect to GLBA 501(b) and NCUA Part 748 A&amp;B&#8221;.  To this day when anyone inquires as to what I do for a living this surfaces in some form as an answer.</p>
<p>Truth be told, while I&#8217;ve spent somewhere near seventy-five percent of my time over the past ten years working for financial institutions I&#8217;ve also done a fair amount of work for insurance companies, mostly centered on SOX with occasional diversions into general risk assessment work.  The drivers in the insurance industry are different in terms of oversight and requirements and so the volume of work isn&#8217;t nearly the same.  But that by itself begs a question: Why isn&#8217;t the insurance industry as regulated as financial institutions?</p>
<p>I&#8217;ve now done major audit and assurance work for financial institutions, insurance companies and health care providers and for most of them the risk profile is almost identical in terms of non-public personal information.  So why isn&#8217;t the level of scrutiny equal across all three of them?  While some might start spouting about how it is, about how states routinely audit insurance companies and how the health care industry has to comply with HIPAA the truth is that banks and credit unions are held to a much higher degree of accountability than any other vertical.  Why is that?</p>
<p>I&#8217;m fond of routinely, almost incessantly beating the drum about how it&#8217;s all about the risk.  I get my initial client opportunities because I have a deep resume with relevant experience but I generate repeat business because I tend to whittle things down to what matters most both to my clients and to their oversight providers (auditors and examiners alike).  Compliance exists because risks need to be addressed &#8211; if the risks aren&#8217;t credible or likely the work should be adjusted to reflect that.  But where the risks are real they&#8217;re really real.  The type of data shared with an insurance company is in many ways even more sensitive than anything shared with a bank and most of what&#8217;s shared with insurance companies is also shared with health care providers.  Yet there&#8217;s no true Federal oversight for the insurance industry and HIPAA is about as much of a toothless tiger as anything I&#8217;ve ever encountered.</p>
<p>I recently completed a boatload of documentation to get my family on a new health insurance plan.  I turned over every piece of sensitive information I have for every member of my family minus my bank account information because that&#8217;s what was required.  I had to provide all of this online and follow that up by sending them an impressive array of hard-copy documents with even more sensitive information that should never be kicking around in the public domain.  In the past I&#8217;ve also been required to provide my bank account information because one plan in particular would only provide coverage if they could automatically deduct monthly premiums via ACH drafts.  So now the insurance industry has access to it all; name, address, social security number, date-of-birth, maiden name, medical history and banking information.  And yet there&#8217;s no true oversight agency that&#8217;s responsible for making sure they&#8217;re protecting all of MY information.</p>
<p>To compound my frustration, of the four insurance companies I&#8217;ve conducted work for since 2006 (two of which are Fortune 500s) exactly none of them have something akin to a Chief Information Security Officer.  They all have risk people focused on the business side of things (because that&#8217;s necessary to protect profitability) but that&#8217;s it.  There&#8217;s typically an information security manager who&#8217;s part of the infrastructure team but who almost never reports right into the senior-most technology person (e.g. CIO, CTO).  Any audit work that occurs is coordinated across multiple IT managers and on rare occasions there will be an audit/assurance manager.  However, in the one example I personally know of where that position exists the person in the role was really just a converted IT manager who obtained a CISA designation &#8211; no fundamental audit or assessment experience.</p>
<p>The question has to be asked:  Why is it that banks and credit unions are heavily regulated regarding protection of non-public personal information but other industries with similar risk profiles are not?  Why aren&#8217;t insurance companies required to comply with FFIEC-type guidance?  Why isn&#8217;t there a Federal regulatory agency that is responsible for keeping an eye on the insurance industry the way the FDIC, OCC, FRB and NCUA do so for their financial institutions?  And trust me, whatever oversight exists for the insurance and health care industry is largely ineffective.  Why is my sensitive information considered more at risk within a banking infrastructure than it is within an insurance infrastructure?  Having been on site for both and examined their internal controls I can&#8217;t answer that question, that&#8217;s for certain.</p>
]]></content:encoded>
			<wfw:commentRss>http://itknowledgeexchange.techtarget.com/regulatory-compliance/are-banks-unfairly-scrutinized/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Has PayPal lost its collective mind?</title>
		<link>http://itknowledgeexchange.techtarget.com/regulatory-compliance/has-paypal-lost-its-collective-mind/</link>
		<comments>http://itknowledgeexchange.techtarget.com/regulatory-compliance/has-paypal-lost-its-collective-mind/#comments</comments>
		<pubDate>Tue, 21 Aug 2012 14:21:42 +0000</pubDate>
		<dc:creator>David Schneier</dc:creator>
				<category><![CDATA[checking account]]></category>
		<category><![CDATA[checks]]></category>
		<category><![CDATA[credit]]></category>
		<category><![CDATA[credit card]]></category>
		<category><![CDATA[cyber security]]></category>
		<category><![CDATA[data security]]></category>
		<category><![CDATA[hack]]></category>
		<category><![CDATA[hacker]]></category>
		<category><![CDATA[hackers]]></category>
		<category><![CDATA[hacking]]></category>
		<category><![CDATA[identify theft]]></category>
		<category><![CDATA[identity management]]></category>
		<category><![CDATA[identity theft]]></category>
		<category><![CDATA[information security]]></category>
		<category><![CDATA[NPPI]]></category>
		<category><![CDATA[password]]></category>
		<category><![CDATA[password theft]]></category>
		<category><![CDATA[phish]]></category>
		<category><![CDATA[phishing]]></category>
		<category><![CDATA[PII]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[regulation]]></category>
		<category><![CDATA[regulations]]></category>

		<guid isPermaLink="false">http://itknowledgeexchange.techtarget.com/regulatory-compliance/?p=964</guid>
<description><![CDATA[I&#8217;m not much of a shopper.  I decide what it is I need/want to buy, assess the marketplace to determine quality and price and once I have a generally strong sense for both make a decision and move forward.  My wife on the other hand loves the constant trolling, scouring and scouting of just [...]]]></description>
<content:encoded><![CDATA[<p>I&#8217;m not much of a shopper.  I decide what it is I need/want to buy, assess the marketplace to determine quality and price and once I have a generally strong sense for both make a decision and move forward.  My wife on the other hand loves the constant trolling, scouring and scouting of just about any market and any product therein to find bargains, deals and steals.  So for her eBay has been among the happiest distractions ever.  She&#8217;s a bit of a night owl and after spending the first few decades of life being handcuffed by traditional store hours has found both eBay and the Internet to be the great equalizer.  And it&#8217;s difficult to think of eBay without also thinking of its most important business partner PayPal, an online payment processor that has for all intents and purposes revolutionized the way we spend our money.</p>
<p>Our family has had a PayPal account almost since PayPal has offered them.  It&#8217;s remarkably convenient, it provides us great flexibility to shop online using a single payment source and I love that we&#8217;ve been able to change funding sources several times over the years.  It&#8217;s always conveyed a certain sense of security; I&#8217;ve just always felt safe using PayPal.  I&#8217;ve even gone so far as to suggest that at some point, if PayPal management grows things just right I could see a future state where paper currency and maybe even actual physical credit cards go away and are replaced by some version of their services.  When I discovered this past year that Home Depot already allows you to use PayPal to make in-store purchases I was convinced I was right.  Now I&#8217;m not so sure.</p>
<p>Over the past year or so I&#8217;ve been getting the occasional email ping from PayPal regarding our reaching a spending limit.  It&#8217;s a fairly high limit for most but considering that we&#8217;ve been using PayPal to make purchases going back nearly a decade maybe not as much.  But the message has been quite clear; if we didn&#8217;t verify our account before reaching this limit it would be &#8220;the maximum amount of money you can send or use for purchases before you need to become Verified&#8221;.  So how you become verified is quite simple &#8211; either give up your bank account information or apply for a privately owned credit card.  No, seriously, those are the only two options.</p>
<p>My first thought was that although I liked having the protective layer of a credit card product buffering my PayPal account from my actual money I was okay with providing bank account information.  It&#8217;s not like I don&#8217;t use that in other places to make payments and so there wouldn&#8217;t be any enhanced risk by doing so again.  I wasn&#8217;t going to apply for a PayPal-based credit card because I don&#8217;t want one or need one and I wasn&#8217;t looking for a new credit source anyway, I just wanted to continue using PayPal.  I clicked on the option to provide my bank account information and after the initial screen where they ask for the routing and account details and clicking on &#8220;Submit&#8221; I was presented with a screen that I still can&#8217;t believe exists.  Right there before my eyes was a screen from PayPal in which they ask me to provide my online banking user-id and password so they can verify a series of PayPal generated payments thus confirming my banking details.  Let me repeat that one more time; PayPal asked me to provide them with my online banking user-id and password.</p>
<p>Has PayPal lost its collective mind?  Seriously, have they?</p>
<p>I was stunned, almost to the point where I couldn&#8217;t get coherent words to flow.  I immediately fired off an email to PayPal customer support asking them how they could do something so outrageous.  Within minutes I received an automatically generated reply which I always find insulting, as though I&#8217;m not worth an actual intelligent and personal response.  It was a complete regurgitation of everything stated on their website and completely ignored the gist of my email.  I fired off a second email missive, this time way more specific.  Here&#8217;s what I wrote:</p>
<div><em>&#8220;How can you ask customers for their user-id and password for their online banking?  Surely this must be either a scam run by hackers and not a legitimate request by your company or a misunderstanding on my part.&#8221;</em></div>
<div>That was more than a week ago, they haven&#8217;t responded.</div>
<div>Let me just go right out there on that limb and state unequivocally that there is never any reason whatsoever to share something as sensitive as your online banking user-id and password with anyone, ever!  PayPal needs to immediately revisit their business model and eliminate such an egregious requirement.  Seriously, what&#8217;s the point of doing what it is that I and my fellow practitioners do to make sure that PII and NPPI are being properly protected by financial institutions when one of the largest payment processors in the world is collecting the most sensitive of information?  They don&#8217;t need it, you shouldn&#8217;t be required to provide it and they should be forced to stop asking for it!  Shouldn&#8217;t this sort of thing be regulated by somebody?  Anybody?</div>
]]></content:encoded>
			<wfw:commentRss>http://itknowledgeexchange.techtarget.com/regulatory-compliance/has-paypal-lost-its-collective-mind/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Credit Card Breaches: The times they need a changin&#8217;</title>
		<link>http://itknowledgeexchange.techtarget.com/regulatory-compliance/credit-card-breaches-the-times-they-need-a-changin/</link>
		<comments>http://itknowledgeexchange.techtarget.com/regulatory-compliance/credit-card-breaches-the-times-they-need-a-changin/#comments</comments>
		<pubDate>Sun, 29 Jul 2012 18:39:13 +0000</pubDate>
		<dc:creator>David Schneier</dc:creator>
				<category><![CDATA[ATM]]></category>
		<category><![CDATA[bank]]></category>
		<category><![CDATA[banking]]></category>
		<category><![CDATA[banks]]></category>
		<category><![CDATA[breach]]></category>
		<category><![CDATA[checking account]]></category>
		<category><![CDATA[community bank]]></category>
		<category><![CDATA[credit]]></category>
		<category><![CDATA[credit card]]></category>
		<category><![CDATA[cyber security]]></category>
		<category><![CDATA[data security]]></category>
		<category><![CDATA[evidence]]></category>
		<category><![CDATA[financial institutions]]></category>
		<category><![CDATA[hack]]></category>
		<category><![CDATA[hacker]]></category>
		<category><![CDATA[hackers]]></category>
		<category><![CDATA[hacking]]></category>
		<category><![CDATA[id theft]]></category>
		<category><![CDATA[identity theft]]></category>
		<category><![CDATA[information security]]></category>
		<category><![CDATA[network]]></category>
		<category><![CDATA[oversight]]></category>
		<category><![CDATA[PCI]]></category>
		<category><![CDATA[personally identifiable informaiton]]></category>
		<category><![CDATA[PII]]></category>
		<category><![CDATA[regulation]]></category>
		<category><![CDATA[regulations]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[security breach]]></category>
		<category><![CDATA[theft]]></category>

		<guid isPermaLink="false">http://itknowledgeexchange.techtarget.com/regulatory-compliance/?p=945</guid>
		<description><![CDATA[If my blogging about credit card breaches has a bit of a deja vu feel to it you&#8217;re not crazy, I last touched on it less than six months ago.  Sadly I was handed a new update this week in the form of my bank card being cancelled from right out underneath me again.   [...]]]></description>
<content:encoded><![CDATA[<p>If my blogging about credit card breaches has a bit of a deja vu feel to it you&#8217;re not crazy, I last touched on it less than six months ago.  Sadly I was handed a new update this week in the form of my bank card being cancelled from right out underneath me again.  For those of you keeping score this would be the second time in 2012, a new personal record.</p>
<p>Here&#8217;s the sequence of events:</p>
<p>Wednesday morning I received an email alert from a company I use that my automatic monthly payment was declined.  Knowing full well it wasn&#8217;t a balance issue I assumed correctly that my bank had cancelled the card.  As I travel extensively and rely on the card exclusively I made my way to a local branch later that morning.  Along the way I called into the service center and confirmed my suspicions, that Visa informed the bank that my card was part of a range of numbers that was possibly exposed via a breach.  I asked if it was possible to learn the name of the offending vendor and was told (same as last time) that Visa doesn&#8217;t share that information.  As I am now a two-time victim it&#8217;s easy to spot the trend and hard to ignore the possibility that it might have involved the same vendor both times.  It wound up taking three visits to a branch to straighten me out and actually get a functioning card in my wallet.  The inconvenience is more than benign as I use the card in several places and will now need to make manual, one-off payments with the temporary card while awaiting the permanent card so that I can update the affected accounts.  By the time this is all said and done it will have resulted in my exhausting more than a half day of billable time trying to fix a problem I didn&#8217;t create.</p>
<p>A few things need to change.</p>
<ul>
<li>First, as part of the breach notification the card issuer needs to share with the cardholder the source of said breach.  I&#8217;ve been hit twice in six months, there&#8217;s a better than even chance that it involved the same vendor and/or processor and I deserve to know if that&#8217;s true.</li>
<li>Second, affected cardholders should receive status updates providing details about the breach including the suspected source, the techniques potentially used and a description of any follow-up actions including investigative and (hopefully) criminal prosecution.</li>
<li>Third, issuers need to have a better system in place to address breaches.  The fact that I have to overtly take action in order to replace the card is a joke.  I&#8217;m a billable resource and taking time out to wait to talk to a customer service representative results in loss of income; I&#8217;m being punished twice as a result.  I should have been offered the option to have a card overnighted to me or have been able to receive a card at any teller window and have it activated right there and then (I had to first activate at an ATM before I could use the temporary plastic).  The card replacement process needs to be streamlined.</li>
</ul>
<p>We collectively as an industry and a society need to accept that both identity and card theft are mainstream occurrences and adjust accordingly.  Legislation is needed to further insulate the victims (like me) from any extended damage or inconvenience and ensure as smooth a process as possible to allow us to continue living our lives.  Because right now I don&#8217;t just feel like a victim, I feel like I&#8217;m being punished for being one and treated like I simply don&#8217;t matter.</p>
<p>Hey Washington, make the industry tell us what&#8217;s going on and to treat the consumers better!</p>
<p>Oh, and PCI Security Standards Council, how&#8217;s that framework working out for you?  I&#8217;m thinking the only ones benefiting from your content are the practitioners making money by supporting it.</p>
<p>Seriously, something needs to change.</p>
]]></content:encoded>
			<wfw:commentRss>http://itknowledgeexchange.techtarget.com/regulatory-compliance/credit-card-breaches-the-times-they-need-a-changin/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>CFPB: Filling the regulatory void left by Sheila Bair</title>
		<link>http://itknowledgeexchange.techtarget.com/regulatory-compliance/cfpb-filling-the-regulatory-void-left-by-sheila-bair/</link>
		<comments>http://itknowledgeexchange.techtarget.com/regulatory-compliance/cfpb-filling-the-regulatory-void-left-by-sheila-bair/#comments</comments>
		<pubDate>Sat, 21 Jul 2012 20:25:31 +0000</pubDate>
		<dc:creator>David Schneier</dc:creator>
				<category><![CDATA[Add new tag]]></category>
		<category><![CDATA[assess]]></category>
		<category><![CDATA[assessment]]></category>
		<category><![CDATA[assessments]]></category>
		<category><![CDATA[bank]]></category>
		<category><![CDATA[banking]]></category>
		<category><![CDATA[banking crisis]]></category>
		<category><![CDATA[banks]]></category>
		<category><![CDATA[community bank]]></category>
		<category><![CDATA[compliance]]></category>
		<category><![CDATA[compliance officer]]></category>
		<category><![CDATA[compliant]]></category>
		<category><![CDATA[control]]></category>
		<category><![CDATA[credit]]></category>
		<category><![CDATA[credit card]]></category>
		<category><![CDATA[data security]]></category>
		<category><![CDATA[Dodd-Frank]]></category>
		<category><![CDATA[economy]]></category>
		<category><![CDATA[enterprise risk]]></category>
		<category><![CDATA[enterprise risk management]]></category>
		<category><![CDATA[ERM]]></category>
		<category><![CDATA[exam]]></category>
		<category><![CDATA[examination]]></category>
		<category><![CDATA[examinations]]></category>
		<category><![CDATA[examiner]]></category>
		<category><![CDATA[examiners]]></category>
		<category><![CDATA[exams]]></category>
		<category><![CDATA[Federal Reserve Bank]]></category>
		<category><![CDATA[FFIEC]]></category>
		<category><![CDATA[financial]]></category>
		<category><![CDATA[financial institutions]]></category>
		<category><![CDATA[framework]]></category>
		<category><![CDATA[information security office]]></category>
		<category><![CDATA[lending]]></category>
		<category><![CDATA[LinkedIn]]></category>
		<category><![CDATA[mortgage]]></category>
		<category><![CDATA[NCUA]]></category>
		<category><![CDATA[NCUA Sheila Bair]]></category>
		<category><![CDATA[NPPI]]></category>
		<category><![CDATA[observations]]></category>
		<category><![CDATA[oversight]]></category>
		<category><![CDATA[personally identifiable informaiton]]></category>
		<category><![CDATA[PII]]></category>
		<category><![CDATA[policy]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[procedure]]></category>
		<category><![CDATA[regulation]]></category>
		<category><![CDATA[regulations]]></category>
		<category><![CDATA[regulations audit]]></category>
		<category><![CDATA[regulatory]]></category>
		<category><![CDATA[regulatory guidance]]></category>
		<category><![CDATA[risk assess]]></category>
		<category><![CDATA[risk assessment]]></category>
		<category><![CDATA[risk assessments]]></category>
		<category><![CDATA[risk management]]></category>
		<category><![CDATA[risk-based]]></category>
		<category><![CDATA[risks]]></category>
		<category><![CDATA[security PII]]></category>
		<category><![CDATA[Sheila Bair]]></category>
		<category><![CDATA[social security numbers]]></category>
		<category><![CDATA[technology]]></category>
		<category><![CDATA[third party management]]></category>
		<category><![CDATA[third party oversight]]></category>
		<category><![CDATA[vendor]]></category>
		<category><![CDATA[Vendor Management]]></category>
		<category><![CDATA[vendor risk]]></category>
		<category><![CDATA[vendor risk assessment]]></category>

		<guid isPermaLink="false">http://itknowledgeexchange.techtarget.com/regulatory-compliance/?p=935</guid>
		<description><![CDATA[I was an unabashed fan of Sheila Bair and made no secret of that fact.  She was a breath of fresh air in a line of work where everything is stale and always at least a little boring.  Not that Martin Gruenberg is any less effective running the FDIC, he&#8217;s just a whole lot less [...]]]></description>
				<content:encoded><![CDATA[<p>I was an unabashed fan of Sheila Bair and made no secret of that fact.  She was a breath of fresh air in a line of work where everything is stale and always at least a little boring.  Not that Martin Gruenberg is any less effective running the FDIC, he&#8217;s just a whole lot less interesting to pay attention to.  And in the time since Ms. Bair stepped down I&#8217;ve just not been finding much to blog about regarding things the government is doing.</p>
<p>Things are looking up a bit because I have a new favorite regulatory agency to follow, the Consumer Financial Protection Bureau (CFPB).  And here&#8217;s why:  They focus on things that impact my day-to-day life (and yours as well).</p>
<p>I started tracking what the CFPB was doing about five months ago by accident.  Someone I know who used to be an examiner for the FRB switched over to the newer agency right at its infancy and I noticed this courtesy of a LinkedIn update.  Because I consider the Fed to be the Big Kahuna of the regulatory agencies I was surprised (you don&#8217;t leave the Yankees to sign with an expansion team unless you have to, or so I thought).  Compelled a bit by the update I started poking around the CFPB website.  For the first few months of this year it seemed to have potential but was little more than brochure-ware.  But last month that all changed.</p>
<p>The first CFPB update that caught my attention was labeled <a title="CFPB Regulations" href="http://www.consumerfinance.gov/pressreleases/consumer-financial-protection-bureau-adopts-rule-for-the-protection-of-privileged-information/" target="_blank">12 CFR Part 1070</a> and it was all about the protection of consumer data, only with a slight twist.  Basically it was all about how any information they received as part of their field work would be protected exactly the same way that any third party vendor would be required to.  Despite their being a Federal agency they weren&#8217;t going to hide behind that as a means to simplify their lives.  They spearheaded an update to the underlying regulation that frames their charter so that consumers and their institutions can be assured that all PII and NPPI would be protected.  For me it was a rare win-win topic; protection of PII and NPPI combined with a reference to vendor management (these are a few of my favorite things).  And really for me it was that much more significant because I&#8217;ve known of a few situations where representatives of Federal and State regulatory agencies were responsible for the outright loss of confidential and/or restricted data.  Beyond a slap on the wrist there wasn&#8217;t much else done to the offending examiner or their agency.  And the affected institution couldn&#8217;t really complain too loudly because it&#8217;s always a bad idea to challenge your regulators, even when you&#8217;re in the right.  So I thought this was all at once a compelling and remarkably sensible update by a regulator, not something I&#8217;d expect to see.  Those were the first points on the board for the CFPB.</p>
<p>The second set of points were scored almost on the same day.  I wanted to check one of the details related to the aforementioned update and noticed this one &#8220;<a title="Reverse Mortgage Report" href="http://www.consumerfinance.gov/pressreleases/consumer-financial-protection-bureau-report-finds-confusion-in-reverse-mortgage-market/" target="_blank">Consumer Financial Protection Bureau report finds confusion in reverse mortgage market</a>&#8221;.  Because I have a parent who is a senior citizen and who I think might one day soon be open to at least exploring a reverse mortgage I read with great interest.  The report was in plain English, was oriented in such a way that I could share it with my family and have them understand the issues and concerns detailed within and most importantly it made sense.  Reverse mortgages are growing in popularity and their main audience is the senior citizens segment of society.  Seniors tend to be more easily misled, they&#8217;re under greater pressures to find new money sources (courtesy of our recession) at a time in their lives where going back to work is often not an option.  And because a parent would do almost anything rather than turn to their children for financial assistance they see a reverse mortgage as a way out of their predicament.  So for me having this content available was quite the relief.  I can caution and advise all day and night but the risks presented by a reverse mortgage are much more credible coming from an authorized source.  And so I celebrated July 4th this year by declaring the CFPB my new FDIC (the Sheila Bair inspired version, not the current blah one).</p>
<p>Here&#8217;s my really bizarro advice to any of you with even the slightest interest in regulatory oversight: if you haven&#8217;t already done so, visit <a title="CFPB - Home" href="http://www.consumerfinance.gov/" target="_blank">www.cfpb.gov</a> and take a look around.  It&#8217;s oriented towards lay people, not just lawyers and regulators (and practitioners like me), and addresses topics and concerns that affect the majority of our population.  Basically it&#8217;s what I would expect from a regulator that still has that new agency smell but nothing like I&#8217;ve come to know from those that preceded it.  To those who have had a hand in defining its charter and organizing its content, great job!  Now repay my kind words by going out and getting me some juicy enforcement stories to write about.</p>
<!-- wpms-network-global-inserts -->]]></content:encoded>
			<wfw:commentRss>http://itknowledgeexchange.techtarget.com/regulatory-compliance/cfpb-filling-the-regulatory-void-left-by-sheila-bair/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Risk: The core issue behind regulatory requirements</title>
		<link>http://itknowledgeexchange.techtarget.com/regulatory-compliance/risk-the-core-issue-behind-regulatory-requirements/</link>
		<comments>http://itknowledgeexchange.techtarget.com/regulatory-compliance/risk-the-core-issue-behind-regulatory-requirements/#comments</comments>
		<pubDate>Fri, 06 Jul 2012 03:18:40 +0000</pubDate>
		<dc:creator>David Schneier</dc:creator>
				<category><![CDATA[assess]]></category>
		<category><![CDATA[assessment]]></category>
		<category><![CDATA[assessments]]></category>
		<category><![CDATA[Audit]]></category>
		<category><![CDATA[audits]]></category>
		<category><![CDATA[bank]]></category>
		<category><![CDATA[banking]]></category>
		<category><![CDATA[banks]]></category>
		<category><![CDATA[compliance]]></category>
		<category><![CDATA[compliant]]></category>
		<category><![CDATA[control]]></category>
		<category><![CDATA[credit union]]></category>
		<category><![CDATA[credit unions]]></category>
		<category><![CDATA[CU]]></category>
		<category><![CDATA[enterprise risk]]></category>
		<category><![CDATA[enterprise risk management]]></category>
		<category><![CDATA[ERM]]></category>
		<category><![CDATA[exam]]></category>
		<category><![CDATA[examination]]></category>
		<category><![CDATA[examinations]]></category>
		<category><![CDATA[examiner]]></category>
		<category><![CDATA[exams]]></category>
		<category><![CDATA[FDIC]]></category>
		<category><![CDATA[Federal Reserve Bank]]></category>
		<category><![CDATA[FFIEC]]></category>
		<category><![CDATA[financial institutions]]></category>
		<category><![CDATA[framework]]></category>
		<category><![CDATA[FRB]]></category>
		<category><![CDATA[general controls]]></category>
		<category><![CDATA[GLBA]]></category>
		<category><![CDATA[governance]]></category>
		<category><![CDATA[GRC]]></category>
		<category><![CDATA[guidance]]></category>
		<category><![CDATA[information security]]></category>
		<category><![CDATA[information security office]]></category>
		<category><![CDATA[infrastructure]]></category>
		<category><![CDATA[NCUA]]></category>
		<category><![CDATA[PII]]></category>
		<category><![CDATA[policy]]></category>
		<category><![CDATA[procedure]]></category>
		<category><![CDATA[regulation]]></category>
		<category><![CDATA[regulations]]></category>
		<category><![CDATA[regulations audit]]></category>
		<category><![CDATA[risk assessment]]></category>
		<category><![CDATA[risk assessments]]></category>
		<category><![CDATA[Risk IT]]></category>
		<category><![CDATA[risk management]]></category>
		<category><![CDATA[risk rating]]></category>
		<category><![CDATA[risk-based]]></category>
		<category><![CDATA[risks]]></category>
		<category><![CDATA[threats]]></category>
		<category><![CDATA[vendor]]></category>
		<category><![CDATA[Vendor Management]]></category>
		<category><![CDATA[vendor risk]]></category>
		<category><![CDATA[vendor risk assessment]]></category>

		<guid isPermaLink="false">http://itknowledgeexchange.techtarget.com/regulatory-compliance/?p=923</guid>
		<description><![CDATA[There&#8217;s a joke of sorts within my personal circle of family and friends regarding what it is that I do these days.  Ask me and I&#8217;ll tell you that I&#8217;m a regulatory compliance expert who advises financial institutions on how to comply with the myriad rules and regulations governing information security.  Ask my immediate family [...]]]></description>
				<content:encoded><![CDATA[<p>There&#8217;s a joke of sorts within my personal circle of family and friends regarding what it is that I do these days.  Ask me and I&#8217;ll tell you that I&#8217;m a regulatory compliance expert who advises financial institutions on how to comply with the myriad rules and regulations governing information security.  Ask my immediate family and they&#8217;ll tell you that I work with computers.  Ask my extended circle and they&#8217;ll tell you that I do a lot of work with banks and credit unions.  For those who aren&#8217;t in the banking business it&#8217;s difficult to understand exactly what it is that I do and so they find it easier to keep it simple; I do a lot of work with computers for places where people deposit their money.</p>
<p>Of course the truth is much more complicated.  I don&#8217;t just focus on computers; my scope expands to include anything that involves sensitive information.  While that always includes a variety of devices, it also includes paper-based and people processes as well.  I frequently share stories about the enormous amount of printed content that&#8217;s to be found throughout an institution&#8217;s physical locations.  I occasionally tell stories about how careless people can be when on the phone or in conversation and sharing all manner of sensitive information.  It&#8217;s never just about computers; it is, however, always about information and how it needs to be protected.</p>
<p>Truthfully though, what I really do is search for controls that protect information, identify those that I find and try to measure their effectiveness and, more importantly, identify where controls are missing and work with my clients to remedy that.  At the heart of the regulatory requirements I focus on, it&#8217;s all about the risk introduced by the presence of information, from personally identifiable information (PII) to non-public personal information (NPPI).  Risk: It&#8217;s what drives every single project I work on, it&#8217;s what drives every product and process I help develop.  And really, if you take the time to read through the literature, it&#8217;s what&#8217;s behind just about every piece of regulation known to the banking world.  Risk, risk, risk and risk.</p>
<p>One of the reasons I&#8217;ve enjoyed spending so much time working with the community banking and credit union sector over the past few years is that it&#8217;s a simple enough argument to make with fewer people to convince: everything you do to comply with the regulations should be risk-based.  It doesn&#8217;t really make a difference if it&#8217;s complicated to do or time consuming; you prioritize based on where the risks are found and make decisions accordingly.  But that gets much more difficult to do as the institutions grow in size and complexity.  Over the fifteen years I&#8217;ve been building and supporting compliance initiatives I&#8217;ve worked with Fortune 50s, 100s and 500s and a whole lot of financial institutions that merely read Fortune magazine.  But while their overall size varies widely, risk is still risk and that never changes.</p>
<p>I wish more practitioners embraced this simple concept.  While some do, many still don&#8217;t.  There&#8217;s often a rush to come up with a standard set of decision criteria to drive the work based on factors not necessarily aligned with risk factors.  Those who have worked with or for me will tell you that when presented with questions about which vendors or applications to assess or what to look for when conducting any type of assessment, my first line of logic is to try to figure out where the greatest possible exposures are to be found.  Assessing a low-risk application yields little value no matter how complete it may be.  And reviewing a vendor where the dollar spend is high but the risk factors are low does little to protect the institution.</p>
<p>Beware the practitioner who wields a hammer for they only know to look for nails.</p>
<p>Your regulator doesn&#8217;t want you to blindly implement compliance programs; they want you to identify and manage risks, real risks.  They want to be able to understand the logic and approach being used and find credible evidence that you&#8217;re focusing your efforts on the right things.  Go back and read through the library of FFIEC documentation and pay close attention to the hooks inserted throughout where they talk about conducting assessments and about using approaches which are appropriate for the size and complexity of your institution.  Then scan through your related program inventory and figure out if you&#8217;ve designed things accordingly.  Are they actually protecting your institution from credible threats and risks or are they just filling binders on your compliance officer&#8217;s shelves?</p>
<p>For me, professionally, I&#8217;d prefer to always only do meaningful work, and in the audit and assurance world meaningful is code for risk-based.</p>
<!-- wpms-network-global-inserts -->]]></content:encoded>
			<wfw:commentRss>http://itknowledgeexchange.techtarget.com/regulatory-compliance/risk-the-core-issue-behind-regulatory-requirements/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Why I don&#8217;t trust hosted or SaaS solutions.</title>
		<link>http://itknowledgeexchange.techtarget.com/regulatory-compliance/why-i-dont-trust-hosted-or-saas-solutions/</link>
		<comments>http://itknowledgeexchange.techtarget.com/regulatory-compliance/why-i-dont-trust-hosted-or-saas-solutions/#comments</comments>
		<pubDate>Thu, 22 Dec 2011 21:44:36 +0000</pubDate>
		<dc:creator>David Schneier</dc:creator>
				<category><![CDATA[assessment]]></category>
		<category><![CDATA[Audit]]></category>
		<category><![CDATA[compliance]]></category>
		<category><![CDATA[GLBA]]></category>
		<category><![CDATA[NPPI]]></category>
		<category><![CDATA[PCI]]></category>
		<category><![CDATA[PII]]></category>
		<category><![CDATA[regulatory]]></category>
		<category><![CDATA[Regulatory Compliance]]></category>
		<category><![CDATA[risk]]></category>
		<category><![CDATA[risk assessment]]></category>

		<guid isPermaLink="false">http://itknowledgeexchange.techtarget.com/regulatory-compliance/?p=852</guid>
		<description><![CDATA[I simply don’t trust that any sensitive data is ever truly protected anymore.  I operate under the assumption that there are two common states with regards to data security, known breaches and those yet to be discovered.]]></description>
				<content:encoded><![CDATA[<p class="MsoNormal">Let me begin by sharing a story from the way back files.   In the mid 80’s when I was first starting out in my career I was working as a junior programmer in Manhattan.  Courtesy of playing on the corporate softball team I became acquainted with a fairly diverse group of people ranging from those in the trenches where I plied my trade all the way up to the executive suite.  One of the people I came to know well was senior in the internal audit department.   One day I learned that he had been fired rather suddenly earlier in the day, something that definitely came out of nowhere.  I came to find out that while under the guise of conducting audit work he had gained access to the companies compensation data file and was logged browsing employee records from the CEO on down.  The problem was that he wasn’t conducting any audit that would explain his actions; he was doing it simply because he was curious what certain executives were being paid.  Having been caught red-handed and without a viable explanation he was terminated on the spot and escorted out of the building.</p>
<p class="MsoNormal">This was someone who for all intents and purposes had nothing to gain from doing something so blatantly stupid.  As an auditor he was likely aware of the logging capabilities available on the host (mainframe system).  He also had direct knowledge of the audit culture and the degree of scrutiny they placed on certain internal artifacts and/or repositories.  But in the end his basic human nature created an override allowing him to indulge his curiosity.  For me that meant that you could never assume that any manner of stored information was ever truly safe and secure.</p>
<p class="MsoNormal">Thus began my basic mistrust of storing sensitive information in electronic repositories.</p>
<p class="MsoNormal">With that in mind imagine my horror as technology began a rapid progression away from centralized storage and started spreading out, first within the infrastructure to distributed applications and eventually breaching the walls of the data center and finding new homes elsewhere in other companies’ so-called data centers.  Beyond the fact that you don’t truly know how secure your data ever truly is (notwithstanding reports and attestations to the contrary), it now also has to traverse communication lines that, despite what you may want to believe, are vulnerable in a number of very real ways.  And we’re not just talking business data, we’re talking social security numbers, bank account numbers, credit card numbers and, and, and……</p>
<p class="MsoNormal">I simply don’t trust that any sensitive data is ever truly protected anymore.  I operate under the assumption that there are two common states with regards to data security, known breaches and those yet to be discovered.  When I’m challenged with the logic that we’re always told about confirmed breaches eventually and so we know exactly how much has been exposed I laugh.  All that means is that the hackers and criminal element slipped up along the way; a confirmed breach indicates someone made a mistake.  I truly believe that a successful breach is never detected, that the perpetrators behind it figure out the proper balance between skimming data and moving it around for illicit gains so that it never hits the radar.</p>
<p class="MsoNormal">And I think the threat comes from all over the map.  I think it’s often internal, someone on the inside behind the firewall and locked doors or someone with legitimate access to databases.  I think it’s sometimes along the way between a transmission’s point of origin and its destination.  And I think it’s often at points of exposure along the way.  I just don’t believe that there aren’t rogue employees at offsite storage facilities that know how to rig the system and grab media with all manner of PII and NPPI with no one ever the wiser.  I reject the notion that it’s impossible for employees of the popular SaaS companies to gain undetected access to a wide variety of information typically considered private and secured.  I think this happens regularly (if not often) and that as long as we remain blissfully ignorant this will continue to happen indefinitely.</p>
<p class="MsoNormal">I use only one rule when it comes to how best to protect sensitive data: if the human element is involved in any way your data is at risk.</p>
<p class="MsoNormal">And if you’re not truly yet at risk, if there have been no concerning or inappropriate attempts to access your choice data, that’s either because they haven’t gotten to you yet on their to-do list or your choice data isn’t as choice as you might think.</p>
<p class="MsoNormal">If I had it my way everything would be moved back to Big Iron in an internal data center and I’d go hog-wild slapping every conceivable monitoring tool and detection device wherever possible.  Short of that I’d select solutions that could only be run behind my firewall and on telecom pipes that I directly controlled to further minimize my exposure.  Oh, and I’d probably fire anyone who ever even mentioned migrating to the cloud just to set an example.</p>
<!-- wpms-network-global-inserts -->]]></content:encoded>
			<wfw:commentRss>http://itknowledgeexchange.techtarget.com/regulatory-compliance/why-i-dont-trust-hosted-or-saas-solutions/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Does everyone value their privacy or is it just me?</title>
		<link>http://itknowledgeexchange.techtarget.com/regulatory-compliance/does-everyone-value-their-privacy-or-is-it-just-me/</link>
		<comments>http://itknowledgeexchange.techtarget.com/regulatory-compliance/does-everyone-value-their-privacy-or-is-it-just-me/#comments</comments>
		<pubDate>Thu, 13 Oct 2011 22:42:43 +0000</pubDate>
		<dc:creator>David Schneier</dc:creator>
				<category><![CDATA[compliance]]></category>
		<category><![CDATA[Facebook]]></category>
		<category><![CDATA[identify theft]]></category>
		<category><![CDATA[LinkedIn]]></category>
		<category><![CDATA[NPPI]]></category>
		<category><![CDATA[PCI]]></category>
		<category><![CDATA[PII]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[regulatory]]></category>
		<category><![CDATA[Regulatory Compliance]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://1995391332</guid>
		<description><![CDATA[Last night I watched a story on the news about how insurance companies are using Facebook as a way to investigate disability fraud as well as profile policyholders who engage in high-risk activities in order to decide who’s too risky to insure.  Do you think those people think their privacy is an issue for the old?  And doesn't LinkedIn process credit cards for its paying customers?  Is PCI for old people too (now that would be a newsworthy quote)?]]></description>
				<content:encoded><![CDATA[<p class="yiv1440904730MsoNormal">I just came to find out that I’m old.  It was somewhat sudden and sort of unexpected as I’m not quite half way to one hundred and have fooled myself into thinking that old doesn’t roll in until somewhere beyond sixty.  But apparently one persons middle-aged is another persons old.  Let me explain…</p>
<p class="yiv1440904730MsoNormal">I read an article in which Reid Hoffman, LinkedIn’s founder, was quoted this past summer as saying that privacy was for old people.  To be at least a little fair, he was making the point that transparency of data and how it’s shared is an important component of social networks.  Young people are more interested in enhancing the experience and less concerned about revealing too much information in exchange for making that happen.  But really, isn&#8217;t it both a bit self-serving and irresponsible for someone atop the world’s largest professional social network to be thinking along those lines?</p>
<p class="yiv1440904730MsoNormal">First of all, it sort of makes him seem like a visionary rather than irresponsible for allowing LinkedIn to take certain liberties with regards to protecting my personally identifiable information (PII) in exchange for furthering the platform – he’s not irresponsible, he’s forward thinking.  Second, he marginalizes the concerns of experienced people by making such a statement, as if to say “you’re too old to understand that it’s more important to be out there too much rather than not enough” – it conveys a message that I’m not cautious, I’m slow to adapt and that’s primarily because I’m not young.  Third, it makes it so much easier and cheaper for LinkedIn to continue building out their platform if security isn’t their top priority – wouldn&#8217;t we rather have them introduce cool new features rather than enhance their controls?</p>
<p class="yiv1440904730MsoNormal">Well, Mr. Hoffman, here’s what I have to say about all of this.  What you call old, I call experienced.  I’m not concerned about my privacy because I have a dated way of thinking, I’m concerned because I know too much about identity theft and the damage it can cause.  I know that sites such as LinkedIn and Facebook have made it sooo much easier for the criminal element to develop profiles on people and figure out how to crack passwords, hijack email accounts and obtain information that allows them to assume someone’s identity.  I know that features such as TripIt and Foursquare allow criminals to figure out when people are going to be away from home and plan break-ins accordingly.  I know that it’s much easier to obtain inside information by trending activities on LinkedIn (e.g. I always know when someone works for a company facing downsizing or layoffs based on the type of profile updates they’re making).</p>
<p class="yiv1440904730MsoNormal">And you’re right that privacy is for old people.  So are life insurance, money management and parenting.  We’ve worked long and hard to get what we have and we understand the value of losing it.  Anyone much under the age of twenty-five likely hasn’t a clue as to why privacy is such a big deal because their exposure is so much less.  If someone had stolen my identity when I first started my career they would have had access to a few hundred dollars, maybe one or two credit cards with ridiculously low limits, and have discovered that my house was sparsely furnished with hardly anything worth stealing.  I could have repaired most of the damage from a stolen identity within a couple of paychecks.  At that point I would have totally thrown caution to the wind and leveraged the full offerings of today’s social networks in order to market myself both professionally and socially.  At this point I simply want to protect myself from unnecessary risks and exposures.</p>
<p class="yiv1440904730MsoNormal">Last night I watched a story on the news about how insurance companies are using Facebook as a way to investigate disability fraud as well as profile policyholders who engage in high-risk activities in order to decide who’s too risky to insure.  Do you think those people think their privacy is an issue for the old?  And doesn&#8217;t LinkedIn process credit cards for its paying customers?  Is PCI for old people too (now that would be a newsworthy quote)?</p>
<p class="yiv1440904730MsoNormal">I’m sure at some point Reid Hoffman has backtracked on his statement in some measure because whether you hear it in or out of context it still sounds awful.  And I can only imagine that officially LinkedIn will point out that he’s no longer running the company (officially anyway).  And I also realize that his statement didn’t convey in any way that LinkedIn didn’t value privacy, just like I know from firsthand experience that LinkedIn as designed allows me to throttle what I share with the rest of the community in a way that I’m comfortable with.  But still, comments like that make my blood run a little cold and make me jump online right away to make sure that I’ve kept my information sharing to a minimum.  Because in the end, while “I&#8217;m older and I have more insurance,” I don’t want to have to use it.</p>
<!-- wpms-network-global-inserts -->]]></content:encoded>
			<wfw:commentRss>http://itknowledgeexchange.techtarget.com/regulatory-compliance/does-everyone-value-their-privacy-or-is-it-just-me/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Are you security unaware?</title>
		<link>http://itknowledgeexchange.techtarget.com/regulatory-compliance/are-you-security-unaware/</link>
		<comments>http://itknowledgeexchange.techtarget.com/regulatory-compliance/are-you-security-unaware/#comments</comments>
		<pubDate>Wed, 03 Aug 2011 18:16:42 +0000</pubDate>
		<dc:creator>David Schneier</dc:creator>
				<category><![CDATA[compliance]]></category>
		<category><![CDATA[GLBA]]></category>
		<category><![CDATA[NCUA]]></category>
		<category><![CDATA[NPPI]]></category>
		<category><![CDATA[PII]]></category>
		<category><![CDATA[regulatory]]></category>
		<category><![CDATA[Regulatory Compliance]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[security awareness]]></category>

		<guid isPermaLink="false">http://itknowledgeexchange.techtarget.com/regulatory-compliance/?p=783</guid>
		<description><![CDATA[How is it possible that in this, the era of security enlightenment when security awareness is a recognized corporate initiative being hailed from the upper echelons of the org chart, that all anyone needs to do to steal choice non-public personal information is to simply pick up a stack of papers from any one of the many output devices spread around the office?]]></description>
<content:encoded><![CDATA[<p>When I first started blogging professionally a colleague of mine cautioned that I should avoid posting anything where a client might recognize themselves in any story or example I might relate, good or bad.  And so in the years since I&#8217;ve gone to sometimes great lengths to anonymize my content to protect the names of both the innocent and the guilty.  When an old nemesis of my industry popped its ugly little head out of the ground last week and inspired this week&#8217;s post, I realized that just about every client I&#8217;ve ever done fieldwork for is likely going to think that I&#8217;m writing about them &#8211; sadly they&#8217;ll all be right.</p>
<p>Why do organizations struggle so mightily to manage the most simple and straight-forward of all controls; their own interior physical space?  They&#8217;ll spend seemingly limitless dollars on implementing state-of-the-art security software and related devices.  They&#8217;ll build out robust vulnerability and scanning schedules to root out issues and loopholes.  They&#8217;ll implement all manner of physical security controls from key-card access locks to bio-metric devices to video monitoring cameras at every conceivable point of entry.  But walk through the interior office space and check out what&#8217;s sitting unclaimed in the output bins of the various copiers, printers and fax machines or sift through the papers scattered about in wide-open cubicle spaces and you&#8217;re likely going to find a treasure trove of sensitive information that&#8217;s there for the taking, all without the slightest chance of detection.  How is it possible that in this, the era of security enlightenment when security awareness is a recognized corporate initiative being hailed from the upper echelons of the org chart, that all anyone needs to do to steal choice non-public personal information is to simply pick up a stack of papers from any one of the many output devices spread around the office?</p>
<p>I hear about desktop audits where someone is designated to walk the floor and identify when someone has left sensitive information lying about, but I never see evidence of it.  I read emails provided as evidence during audits that staff are constantly being reminded to secure their work space, but while conducting fieldwork I still walk past wide-open offices with loan applications lying about or even the occasional pocketbook or wallet sitting right there on top of the desk.  And quite literally every client site I have ever visited has things sitting in printer and fax machine trays that should never be left out in the public space.  Does it really make a difference to prevent an online hacker from gaining access to customer data when the cleaning staff can simply stuff dozens of documents with the same information into a garbage bag and sell it to someone on the black market without any fear of detection?</p>
<p>And I&#8217;m not sure why this keeps happening.</p>
<p>Seriously, how hard is it to enforce such blatantly simple rules?  Why can&#8217;t organizations assign an individual to walk the floor before leaving each night to at least make sure things aren&#8217;t lying around?  Well over a decade ago, while working on Wall Street, the team I was part of had someone designated each day to conduct a desk audit of a randomly selected floor.  If someone was caught with sensitive information sitting unsecured in their work space they received a smiley face with a note reminding them to be more diligent in the future.  If they were caught a second time their manager was contacted with a slightly sterner warning.  No one was ever caught a third time in the year-plus the program was in effect.  It took about fifteen minutes for the walk through and the job was rotated amongst a group of people so it wasn&#8217;t just one sheriff or one bad guy.  It was simple and effective.  Perhaps if it cost hundreds of thousands of dollars to purchase and required a six month implementation plan it might hold greater appeal.</p>
<p>It&#8217;s been said that an organization is only as secure as its weakest link, and for most that means they have a significant vulnerability.  The only way it can be addressed sufficiently is via a true and robust security awareness program.  Sadly most organizations seem content to be security unaware, which is just mind boggling in 2011.</p>
<!-- wpms-network-global-inserts -->]]></content:encoded>
			<wfw:commentRss>http://itknowledgeexchange.techtarget.com/regulatory-compliance/are-you-security-unaware/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>You can&#8217;t have partial regulatory compliance</title>
		<link>http://itknowledgeexchange.techtarget.com/regulatory-compliance/can-you-be-partially-compliant/</link>
		<comments>http://itknowledgeexchange.techtarget.com/regulatory-compliance/can-you-be-partially-compliant/#comments</comments>
		<pubDate>Mon, 29 Nov 2010 15:19:24 +0000</pubDate>
		<dc:creator>David Schneier</dc:creator>
				<category><![CDATA[assessment]]></category>
		<category><![CDATA[Audit]]></category>
		<category><![CDATA[CISO]]></category>
		<category><![CDATA[compliance]]></category>
		<category><![CDATA[compliance officer]]></category>
		<category><![CDATA[HIPAA]]></category>
		<category><![CDATA[ISO]]></category>
		<category><![CDATA[PII]]></category>
		<category><![CDATA[regulatory]]></category>
		<category><![CDATA[Regulatory Compliance]]></category>

		<guid isPermaLink="false">http://itknowledgeexchange.techtarget.com/regulatory-compliance/?p=567</guid>
		<description><![CDATA[Being a little bit compliant is akin to being a little bit pregnant; you either are or you aren't.  There's no gray area in between to take credit for.]]></description>
				<content:encoded><![CDATA[<p>I recently decided to establish an automatic link between my personal checking account and a mutual fund account that was established for my son years ago when he was a baby.  The account was originally funded with a gift from a family member and while it&#8217;s grown reasonably well percentage-wise, its overall numbers remain low because we&#8217;ve never added to it.  So I thought now would be a good time to do something about it.</p>
<p>It&#8217;s a custodial account because of his age and my wife is designated as the custodian of record.  As a result, I&#8217;m not supposed to be able to conduct any manner of business with the account because my name doesn&#8217;t appear anywhere.  However, of the five phone calls I&#8217;ve needed to make to the fund company&#8217;s offices over the past few weeks, I&#8217;ve only been asked to have my wife authorize the conversation twice.  That means that in 60% of my calls, I was able to present myself as someone with legitimate privileges to conduct business with the account and was successful.  And while you can slice and dice the numbers and draw the conclusion that the fund company&#8217;s compliance efforts are partially effective, the truth is that they&#8217;re completely useless.</p>
<p>Being a little bit compliant is akin to being a little bit pregnant; you either are or you aren&#8217;t.  There&#8217;s no gray area in between to take credit for.</p>
<p>Now take into account that I didn&#8217;t go looking for this; it just fell into my lap.  I wasn&#8217;t researching anything, trying to test a theory or uncover a topic for a new blog post &#8212; I was just trying to conduct a simple transaction.  And so my first thought upon reflection was that this was too easy.  What if I was really trying to do something I wasn&#8217;t supposed to be doing?  What if I&#8217;d found a neighbor&#8217;s statement in my mailbox and decided to try and access their account?  What if I did some good old-fashioned dumpster diving around town and found a few discarded statements (trust me on this, that&#8217;s easier to do than you&#8217;d ever believe) and tried to get money out of someone&#8217;s account?  Statistically you&#8217;d have to figure I could get pretty far without getting caught.</p>
<p>What I find truly amazing is that we&#8217;re in the age of compliance.  I receive pamphlets and inserts in my mailings all the time from banks, credit card companies and anyone else I share PII with about how they have an obligation to protect my information.  Every time you visit a doctor for the first time, half the paperwork is specific to HIPAA.  And yet in the middle of this sandstorm of compliance activity, I was able to bypass the rules three times in five attempts and I wasn&#8217;t even trying to break any rule.</p>
<p>They say a chain is only as strong as its weakest link.  The same is true of compliance; if it fails in any measurable way it fails &#8212; pure and simple.  And if the compliance folks at these companies can&#8217;t keep up, how are they going to adjust as we keep moving more and more onto the lightning fast pathways of the Internet?</p>
<!-- wpms-network-global-inserts -->]]></content:encoded>
			<wfw:commentRss>http://itknowledgeexchange.techtarget.com/regulatory-compliance/can-you-be-partially-compliant/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Managing today&#8217;s privacy threats and security risks</title>
		<link>http://itknowledgeexchange.techtarget.com/regulatory-compliance/know-which-security-risks-to-focus-on/</link>
		<comments>http://itknowledgeexchange.techtarget.com/regulatory-compliance/know-which-security-risks-to-focus-on/#comments</comments>
		<pubDate>Sun, 05 Sep 2010 05:17:09 +0000</pubDate>
		<dc:creator>David Schneier</dc:creator>
				<category><![CDATA[CISO]]></category>
		<category><![CDATA[compliance]]></category>
		<category><![CDATA[Facebook]]></category>
		<category><![CDATA[GLBA]]></category>
		<category><![CDATA[information security]]></category>
		<category><![CDATA[ISO]]></category>
		<category><![CDATA[LinkedIn]]></category>
		<category><![CDATA[NCUA]]></category>
		<category><![CDATA[PII]]></category>
		<category><![CDATA[regulatory]]></category>
		<category><![CDATA[Regulatory Compliance]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[social network]]></category>

		<guid isPermaLink="false">http://itknowledgeexchange.techtarget.com/regulatory-compliance/?p=462</guid>
		<description><![CDATA[What would you rather have, a monstrous database with relatively benign Facebook user information or an email containing all forms of PII combined with the person's title and position at a bank or credit union?  I know who they are, if they are likely to have broad access capabilities within their institution, information allowing me to reset passwords and somewhere close to no possible way to trace this all back to me.]]></description>
				<content:encoded><![CDATA[<p>A few months back, the big blinking light in the middle of the information security radar was a story about how someone had <a href="http://www.theatlanticwire.com/opinions/view/opinion/Hacker-Harvests-100M-Facebook-Profiles-and-Publishes-Data-Whos-At-Risk-4510">harvested all sorts of personal information from Facebook</a> accounts and made the resulting files available for download.  The file (actually it was a series of files) offered varying degrees of details on nearly 100 million user accounts and it rocked the security industry for what turned out to be about five minutes.  I downloaded the information out of curiosity and spent an hour or so sifting through the massive collection and came away with a sense that the story was more interesting in the abstract and that once you started really examining the risks introduced by the breach, you came away with a sense that it was much ado about nothing.</p>
<p>I&#8217;ve posted before about such things: about how you need to exercise good judgment when online and when sharing potentially sensitive information (avoid those Facebook &#8220;about me&#8221; quizzes always).  While something like the Facebook breach might make it a little easier for the bad guys, the truth is the sheer volume likely rendered the information useless.  I couldn&#8217;t find a Social Security number, bank account number or anything else remotely resembling a true digital prize.  And I looked, believe me, I looked.  I should qualify what that means; I have a well-earned reputation for being able to develop fairly extensive dossiers on people by using a variety of techniques, all based upon readily accessible online resources.  It&#8217;s sort of a hobby interest of mine and I find new and better ways all the time to improve my techniques.  But other than using the Facebook skimmed data for marketing activities, I wouldn&#8217;t think it to be too big of a deal.</p>
<p>However, if you&#8217;re looking for a really neat way to access social network sites in such a way that you get to work smarter, not harder, when up to no good there are far more effective methods available.  My newest favorite threat to all of our privacy and sensitive information is a recent add-on to Outlook that allows me to instantly access Facebook and LinkedIn information directly connected to an email account.  The way it works is that you send me an email, the Outlook add-on then scans Facebook and LinkedIn for activity linked to that email account and displays it all nice and neat in a sub-window below the message.  I installed the add-on on Wednesday out of curiosity, expecting little if anything useful.  The first email I received after the fact was from an associate in the banking industry.  This person must use a business email for Facebook and LinkedIn because the aforementioned sub-window filled quickly with nearly a dozen different bits of information between Facebook and LinkedIn.  I can view family photos, a scheduled event detailing an upcoming vacation and several LinkedIn updates including new connections.  That by itself is scary enough but what makes it worse for me is that I&#8217;m not connected to this person on either site.  I was able to see all of this information without even wanting to.  In one neat little bundle, I have the person&#8217;s email address, access to personal information, a clear indication of when they plan to be away from the office, and a simple way to track the individual&#8217;s whereabouts.  Oddly enough, if I searched either site directly I couldn&#8217;t see much of the same information, but the Microsoft utility apparently removes such obstacles and gets me to where I want to be.</p>
<p>What would you rather have: A monstrous database with relatively benign Facebook user information or an email containing all forms of PII combined with the person&#8217;s title and position at a bank or credit union?  I know who they are and if they are likely to have broad access capabilities within their institution &#8212; information allowing me to reset passwords and close to no possible way to trace this all back to me.</p>
<p>As if this isn&#8217;t enough to cause all you security-minded folks to lose sleep, there&#8217;s one more new wrinkle to worry about.  Facebook now has its new &#8220;Places&#8221; functionality working, in which mobile users can indicate where they are at a given point in time.  It reminded me of the Trip-it utility that people started using on LinkedIn last year.  Essentially, both tools allow you to provide specific information to everyone you&#8217;re connected to and many of the people they&#8217;re connected to, letting them know when you&#8217;re out of the office or away from home.  Think about it: You go to the beach for the day and update your location on Facebook.  You&#8217;re thinking that it&#8217;s no big deal if your friends and family know where you are and you may be right.  But on the day I tried it out, I tagged a family member who was with me.  He has nearly 600 Facebook friends, of which he knows less than a third.  So 400 relative strangers knew that not only was he away from home but so was his family.  Any one of those connections instantly knew there was a reasonable chance that if they broke into our house they could get in and out with little chance of detection.  For a society where people have their mail collected daily and their newspaper service suspended when away on vacations to avoid the appearance that the house is empty, this is a stunning turn of events.  And you can&#8217;t stop the kids from using the newest and latest capabilities, so now we have potentially tens of millions of people advertising when they&#8217;re away from home and for how long.</p>
<p>It&#8217;s amazing, really, how we react to a threat framed for us by the media but almost completely miss out on another that&#8217;s way more likely to hurt us.  The first thing I would do as a CISO would be to have a script written that checked every corporate email account against all popular social network sites to see if anyone is showing up.  The second thing I would do (and already advise clients to do) is to update all of my related policies and training curriculum to address mixing business with pleasure: Never use your corporate email, never advertise travel plans, and never disclose anything even remotely resembling sensitive data on any of the social networking sites. And I would incorporate activities that check to see if these new policies are being followed.  Remember, the right way to manage this new evolutionary twist in technology isn&#8217;t to prevent it but rather to <a href="http://itknowledgeexchange.techtarget.com/regulatory-compliance/security-professionals-need-to-practice-vigilance-not-avoidance/">manage it appropriately.</a></p>
<p>Oh and just in case anyone needs to be reminded of the fundamental rule of security, make sure out-of-office replies are restricted to internal communications only.  I can&#8217;t believe how many of them I still receive, and with this new Outlook capability it&#8217;s just a recipe for disaster.</p>
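<p>The out-of-office restriction above can be enforced centrally rather than left to each user. The following is an added example, not code from the original post, of how an Exchange administrator would do that from the Exchange Management Shell. It assumes an on-premises Exchange or Exchange Online session with rights to change remote-domain and mailbox settings; &#8220;Default&#8221; is Exchange&#8217;s built-in remote domain covering every external domain, and &#8220;jdoe&#8221; is a placeholder mailbox name.</p>

```powershell
# Added example (not from the original post). Assumes an Exchange Management
# Shell session with permission to change remote-domain and mailbox settings.
# "Default" is the built-in remote domain that matches all external domains;
# "jdoe" is a placeholder mailbox used only for illustration.

# Weak setting: out-of-office replies are sent to external senders, so the
# "I'm away until the 14th" text leaves the organisation with every inbound mail.
Set-RemoteDomain -Identity Default -AllowedOOFType External -AutoReplyEnabled $true

# Hardened setting: no out-of-office or automatic replies cross the boundary.
# Internal recipients still receive the reply, which is all the post asks for.
Set-RemoteDomain -Identity Default -AllowedOOFType None -AutoReplyEnabled $false

# Verify the organisation-wide setting took effect.
Get-RemoteDomain -Identity Default |
    Format-List DomainName, AllowedOOFType, AutoReplyEnabled

# Per-mailbox check: a user may still have typed an external message in Outlook.
# Limiting ExternalAudience to None keeps the reply internal even if the
# remote-domain setting is later relaxed.
Set-MailboxAutoReplyConfiguration -Identity jdoe -ExternalAudience None

# Audit: list every mailbox whose automatic reply is on and still addressed to
# anyone outside the organisation. An empty result is the desired state.
Get-Mailbox -ResultSize Unlimited |
    Get-MailboxAutoReplyConfiguration |
    Where-Object { $_.AutoReplyState -ne 'Disabled' -and $_.ExternalAudience -ne 'None' } |
    Select-Object Identity, AutoReplyState, ExternalAudience
```

<p>The remote-domain setting is the control that actually stops replies leaving the organisation; the per-mailbox audit is the check that catches users who have set an external message and would be exposed the moment that control is loosened.</p>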
<!-- wpms-network-global-inserts -->]]></content:encoded>
			<wfw:commentRss>http://itknowledgeexchange.techtarget.com/regulatory-compliance/know-which-security-risks-to-focus-on/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
