Data Governance threatens corporate reputation
Article Authors: Vasant Dhar and Arun Sundararajan
Over the last two decades, the primary contribution of information technologies in firms has been about efficiency and enablement: to improve processes, make people more productive, reduce time to market, or enable things that couldn’t be done previously. The focus has been on costs and payoffs. This decade is witnessing a new challenge: data. There is suddenly too much of it, and while firms rush to mine it, they do so without adequate regard for the risks in keeping and using it.
Hardly a week goes by without yet another major breach or scandal involving data. The last month has been particularly bad. TomTom sold location data to law enforcement without asking its consumers, Apple has been gathering consumer movement and use data on its devices, while Epsilon and Sony were hacked, with sensitive data on hundreds of millions of individuals stolen. Despite reassurances from these companies, it is hard to be certain whether and when this data will be misused. More importantly, the reputations of these companies have been badly damaged.
Are these incidents any different in terms of potential impacts on franchises from product recalls due to defects in industrial products? Not really. And perhaps some companies are beginning to realize this. Indeed, one major positive development from the Sony fallout has been the creation by the company of a “Chief Information Security Officer (CISO)”. This is a laudable step that others should follow. But it doesn’t go far enough in acknowledging the real problem.
Sony and many other firms view the security and use of data as a technical problem. But in fact, the governance of data is a management problem. The lapses we are seeing are not technical ones, but failures in management. Where data is the lifeblood of commercial activity, its management in many industries must reside in the C-suite, not in the trenches.
Lapses in data governance in data-dependent industries are no different than product defects in the physical world. The reason is simple. Increasingly, it is information itself that is the product, with technology being the critical conduit for its exchange. Many industries that touch our lives on an everyday basis involve information products. If one considers the firms that we deal with every day, such as Google, Facebook, banks, media, and telecommunication companies, their products are information-based. Even when there is a physical product, digital interaction with consumers transforms part of the consumer experience into one that is information-based. Information products have different properties than traditional physical products and are subject to different economics and risks. Furthermore, the growing volume of data created as a by-product of this digital interaction brings with it significant benefits as well as risks.
CEOs who are insulated from technology have largely failed to grasp the implications of this shift in the role of information technology from enabler to product and still expect their technologists to deal with all aspects of data. This is a mistake. They must partner actively with their CIOs in assessing the importance of data to their product or service and the franchise to avoid the reputational risks from the lack of effective data governance.
Isn’t It Time CEOs Were Held Accountable For Technology?
When an automobile has a defect, it involves the CEO. If a brake or gas pedal is defective or a tire substandard, the CEO steps in immediately to manage the fallout and address its customers directly. The same must be true for data breaches and misuse. The Sony data breach was an important milestone in that its chief apologized, albeit somewhat late, for a defect in its information-based product. While Sony appointed a dedicated CISO to deal with data security, it didn’t go far enough in acknowledging that this is a management problem, not a technical one.
We believe that firms need to give the same level of importance to their firm’s data governance policies as they do to their company’s products, financial reporting practices, or brand equity management. Viewing data privacy management through the lens of network management or potential liability is too narrow. This isn’t a legal, technological or compliance issue. Rather, it’s an executive matter, one made more critical by the continual increase of data and the corresponding increase of risk in cyberspace. As devices become more powerful, providing more and richer electronic touch points to human activity, the scope of available electronic information explodes, and the associated risks to handling these data also grow exponentially. Companies actively collect and mine this data and even sell it without considering the risks, as the recent Apple, TomTom and Epsilon incidents reveal.
These developments strengthen the case for the CIO being a full-fledged member of the C-suite and embracing the new role of managing their firm’s data with a more holistic and strategic approach. CIOs should partner with their CEOs in putting in place a coherent and transparent policy that defines the frequent and deliberate choices about what data to acquire, keep, use and share. A first question that such a policy might answer is: Do we keep too much data? Our research (in conjunction with NYU research scientist Jessy Hsieh) suggests that the answer to this question is generally “yes.”
The less data you keep, the less you need to worry about keeping it secure. Next, it is essential to have a clear idea about the use of the data you keep, and specifically, to assess whether this use is congruent with the customers’ intent when they provided it to your firm. We have developed a framework that provides executives with a roadmap for answering these questions, the details of which are available in our working paper titled “Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Businesses and Policymakers,” available from the Center for Digital Economy Research at the NYU Stern School of Business.
It took a global financial crisis to get the public to pay attention to systemic financial risk. There is equivalent and growing systemic risk in cyberspace. We hope it does not take a massive data breach at an Apple, Google or Facebook to make data governance a top executive priority. Because once that data is out there, it’s out there for good, and there’s no taking it back.
Story reprinted from Computerworld
Vasant Dhar is the Daniel P. Paduano Fellow and Professor at NYU’s Stern School of Business, and Director of Stern’s Center for Digital Economy Research. Arun Sundararajan is the NEC Faculty Fellow and Associate Professor at NYU’s Stern School of Business, and a Distinguished Academic Fellow at the Indian School of Business for 2010-12. Vasant and Arun conduct research about how information technology transforms markets and corporate strategy, with expertise in privacy, business intelligence and digital business models.
Breach Prevention in Spotlight
Article Author: Howard Anderson
Zero Tolerance for Records Snoops and Other Prevention Tips
Preventing breaches requires comprehensive information security policies, aggressive staff training and, sometimes, bold action as well.
Allina Hospitals and Clinics took the gutsy move of firing 32 employees for looking at the electronic health records of patients involved in a recent mass drug overdose case.
Allina spokesman David Kanihan stresses that the delivery system has consistently enforced its privacy policy by dismissing those who access records without a legitimate reason. “But this is larger in scope than other incidents we’ve had in the past,” he says.
“We take our obligation to protect patient privacy very seriously,” according to an Allina statement. “Anything short of a zero-tolerance approach to this issue would be inadequate.”
Breach Prevention Tips
Zero tolerance for records snooping certainly is a powerful, high-profile breach deterrent. But what other steps should healthcare organizations take to prevent various types of breaches?
“Raising the security awareness of your workforce is your best defense against having a breach incident,” says David Holtzman, who’s on the federal team that enforces the HITECH Act breach notification rule (see: Breach Rule Enforcer Offers Advice).
Holtzman, health information privacy specialist at the Department of Health and Human Services’ Office for Civil Rights, says organizations that successfully create a culture of compliance and promote good data stewardship will “be at lower risk of having a breach or having your data sitting on a laptop that’s unprotected in the airport or in somebody’s car while it’s parked at the grocery store.”
He also contends that “Those organizations that have good foundations of policies and procedures respond better to incidents.”
Based on the breach incidents reported so far, Holtzman also advises healthcare organizations to:
- Make widespread use of encryption, especially for data stored on various devices, including laptops.
- “Do not neglect physical safeguards for areas where paper records are stored and used.”
- Consider reducing risk by using network or enterprise storage rather than storing protected health information on devices, such as laptops or desktops.
- “Create clear and well-documented administrative and physical safeguards for storage devices and removable media” that are used to store protected health information.
Healthcare organizations must comply with the interim final version of the HITECH Act breach notification rule until the final version is issued, federal officials stress. This week, Susan McAndrew, deputy director for health information privacy at the HHS Office for Civil Rights, said the final version will be released later this year as part of an omnibus rulemaking package, which also will include final modifications to HIPAA
It remains to be seen whether the final version of the breach notification rule will modify, clarify or eliminate the harm standard, which enables organizations to conduct a risk assessment to determine whether a breach incident represents a significant risk of harm and thus merits reporting. Some members of Congress would like to see the provision eliminated in favor of requiring that all breaches be reported. We’re hoping the final version of the rule, at the very least, greatly clarifies the “risk of harm” provision.
Original Story at Gov info security
Hard drives sold with government data
Article Author: Angela Moscaritolo
Sensitive data including child abuse records on drives readied for secondhand market.
New Jersey state agencies left confidential information on computers set to be sold at auction, according to a report released this week by state Comptroller Matthew Boxer.
An audit by Boxer’s office revealed that multiple state agencies disposed of computer equipment without ensuring that data on the devices had been removed. Auditors discovered completed tax returns, Social Security numbers, health records, child abuse papers and a list of login passwords on computers that were shrink-wrapped on pallets at the state’s surplus property warehouse ready to be auctioned off to the public.
The comptroller’s office intervened to stop the auction after confidential information was discovered on the computers but warned that the state may have inadvertently released personal information in the past. The state gives away or sells hundreds of computers each year, the comptroller’s office estimated.
“It’s certainly a reasonable assumption that before we arrived there was no one to stop computers with confidential data from being auctioned to the public,” said Pete McAleer, a comptroller spokesman.
New Jersey state policy requires agencies to remove all data from a computer’s hard drive before deeming it fit for redistribution. Despite the state’s requirements, 46 out of 58, or 79 percent, of the hard drives evaluated during the audit contained data, much of which was confidential, according to the report.
“At a time when identity theft is all too common, the state must take better precautions so it doesn’t end up auctioning off taxpayers’ Social Security numbers and health records to the highest bidder,” Boxer said in a statement.
Specifically, the hard drives contained more than 230 files related to state child abuse investigations, containing names and addresses of the children, as well as immunization and health records. The release of such information violates various state and federal laws, the report states.
The comptroller made 10 recommendations to state officials for improving the surplus system, many of which advise employees to follow and enforce existing policies.
In response, the state’s Treasury Department, which operates the warehouse, said it has undertaken efforts to improve data security.
The department has issued an interim policy requiring that agencies remove all hard drives from computers sent for redistribution while it develops a permanent policy for handling such computers.
Original Story at Secure Computing Copyright © SC Magazine, US edition
Cloud and Efficiency Are Driving Data Center Decisions
Article Author: Derrick Harris
According to a survey by AFCOM, cloud computing is on the rise among data center operators, more than doubling since last year, and expected to reach 80-90 percent in the next five years.
Among respondents to the data-center-focused organization’s annual “State of the Data Center” survey, 36.6 percent have implemented some form of cloud computing technology within their data centers, and another 35.1 percent are seriously considering doing so. This is a big leap from last year, when only 14.9 percent had implemented cloud technology, and underscores a general consensus among IT professionals and pundits that cloud computing is fast becoming an accepted delivery model for IT resources.
Other findings from the survey support the increased interest in cloud computing. One key trend is the rise of servers and the decline of mainframes among respondents: Whereas 91.3 percent said they had the same amount or fewer mainframes than they did three years ago, 73.6 percent have more servers than they did three years ago. Also, 86.6 percent said they are running more web applications than they were three years ago. More servers and more web applications don’t necessarily mean more cloud computing, but they certainly indicate environments better suited for the transition than are data centers filled with mainframes and running strictly internal-facing applications.
Following the general trends we’ve seen around the proliferation of data and increased demand for computing power, an overwhelming majority (90.9 percent) said they utilize more space for storage than they did three years ago, while 44.2 percent said their data centers occupy more square footage than they did three years ago.
Of course, all the extra equipment and space can wreak havoc on a company’s power bills, which is likely why survey respondents seem very tuned into monitoring power usage. The majority of respondents measure power usage effectiveness (PUE), cooling efficiency and server utilization, and the majority of respondents have already consolidated, are in the process of consolidating, or are planning to consolidate their data center operations. On the other hand, almost half of respondents also are in the process of expanding, or are planning to expand, their data centers, so perhaps energy-efficient hardware, software and building design are even more important in these efforts. Indeed, the vast majority of respondents (77.3 percent) have utilized server virtualization as a method to cut power costs, and a large percentage are undertaking a variety of measures from liquid cooling (21.8 percent) to UPS systems (88.5 percent).
When I spoke with AFCOM CEO Jill Eckhaus earlier this month, she said energy concerns have been a top concern among AFCOM members for about five years, and won’t likely be decreasing in importance any time soon. In fact, she noted, power availability is the primary concern in siting new data centers. Organizations are building new data centers, she said, in large part because they’re simply running out of space and power supply at their existing sites, but, as the survey suggests, they’re also building them smarter. She noted an increase in data center container use, too, and the 2011 survey shows 6.4 percent of respondents utilizing them. “I think during a down economy, you have to be smarter … about your purchases and what you’re doing,” Eckhaus said.
Conventional wisdom says cloud computing is a good way to curb energy use, but recent research suggests this isn’t always the case and, as my colleague Katie reported yesterday, Greenpeace is keeping tabs on the environmental impact of cloud data centers, and will release its findings on April 21 at our annual Green:Net conference. Greenpeace’s big push has been to expand energy-efficiency beyond smart design and efficient hardware and into use of clean energy. Only 3.9 percent of AFCOM respondents said they are currently using solar power, and companies such as Facebook have come under fire for their patronage of coal-powered energy plants. Also at Green:Net, energy experts from Google and Yahoo will sit down with Om Malik to talk about the cutting edge in green data center techniques, which should find their way into mainstream data centers in the years to come.
Sourced from NY Times
Google takes Office to the Cloud, security issues remain
Article Author: Keir Thomas
Google has begun testing an intriguing plugin for Microsoft Office. Google Cloud Connect is a devastatingly simple concept: rather than save your files to your computer’s hard disk, it allows you to save them to your online Google Docs space.
Following the upload, the user can share docs with colleagues and more importantly, collaboratively edit them from within the Microsoft Office software window. In other words, the plugin brings the shared editing power of Google Docs — its best selling point — to Microsoft Office.
Senior adviser calls for stronger EU data protection laws
Article Author: Jennifer Baker, IDG News Service
Europe needs strong and effective data protection, the European data protection supervisor said Monday.
Responding to the recent European Commission communication on data protection reform, Peter Hustinx underlined the importance of a clear legal framework that harmonizes national data protection legislation, particularly in societies where private information is widely gathered without individuals’ knowledge.
Forrester: Consumerisation of IT can be an opportunity
Article Author: Anh Nguyen
IT should support employee innovations.
IT needs to adapt to a new ’empowered’ era, where customers have more information available to them than ever before, and employees are bringing new technologies into the business first, says Forrester.
A recent survey by the analyst house found that 30 percent of information workers in the UK, France and Germany were doing at least one IT activity for work without the support of IT, such as downloading and regularly using applications on a work computer, or paying for a smartphone used for work. Forrester believes that this is a significantly large number.
“Game-changing technology will always be available to employees first. IT will always be playing catch-up,” said Ted Schadler, analyst at Forrester and co-author of Forrester’s ‘Empowered’ book, which urges organisations to “unleash your employees, energise your customers and transform your business”.
Forrester believes that IT needs to deal with a new set of technologies to support the empowered customer and employee, with a particular focus on social and mobile.
“IT has to master a whole new set of marketing technology, mobile technology, social technology for social engagement and video technology. They don’t have to do it, they can outsource it, but it’s an extension of the IT role,” Schadler said.
Schadler said there are parallels between the company-wide change that is required for businesses to operate successfully in the empowered era and the change that occurred when e-commerce arrived on the scene.
As it had to do when e-commerce became pervasive, in the empowered era IT will have to co-ordinate with the rest of the business in new ways.
For instance, funding structures may have to be changed.
“If the marketing department needs to build a mobile application, that comes out of the marketing budget, but if it connects to a transactional capability, it will need to connect to the finance backend, and that has to come out of the IT budget. So a lot more coordination between IT and the rest of the business is needed,” said Schadler.
In another example, Schadler said that IT will have to work with HR to educate employees about the risks of the technology they use, especially if they are bringing the technologies into the workplace. The business may need to design a social networking policy that outlines how much information workers can disclose to the outside world on sites such as Twitter, for example.
Risk is clearly a significant issue, but Schadler believes that IT will need to address this in a different way as well.
“Instead of saying ‘no, it’s too risky’, you have to understand and mitigate the risk and determine if it’s a risk worth taking. Technology risk is just another form of risk. It is not an IT decision, it’s a whole business discussion. Can you quantify the risk so business managers can understand?” he said.
Although creating risk assessment models, determining the financial damage and the likelihood of the damage occurring, is nothing new, Schadler advises that IT needs to “make it [the risk assessments] more visible, more business-centric and to distribute it more broadly in the organisation.”
However, while businesses should be more open to weighing up the risks of innovation, as employees bring more, and increasingly wide-ranging, technologies into the workplace, IT still needs to consider how much diversity their organisation can tolerate.
“Diversity is generally bad for productivity. There has to be a constant evaluation of technology. IT has to be pragmatic about the trade-off between diversity and uniformity,” Schadler said.
Original article at ComputerWorld
Victims still awaiting identity theft laws
Article Author: Karen Dearne
LAWS to prevent identity theft and give victims a means of untangling financial and legal damage are still held up in federal parliament.
The draft laws were introduced two years ago by former Home Affairs minister Bob Debus.
The Identity Crimes Bill adds three identity offences to fill gaps in existing laws: trafficking in identity data (carrying a penalty of up to five years’ imprisonment); possession with intent to commit a crime, and possession of equipment for the purpose of identity theft (both a maximum three years’ jail).
The laws will also allow victims to obtain a magistrate’s certificate confirming misuse of their personal information, to assist in their negotiations for reparation with banks and other authorities.
An updated version of the bill finally passed through the Senate last Thursday, after languishing since then human services minister Joe Ludwig presented the first draft in March last year.
Chris Connolly, research associate at the Cyberspace Law and Policy Centre, University of NSW, said a magistrate’s certificate would be very helpful for victims. “People who’ve experienced this say the hassle of repeating the story, and providing evidence, every time something comes up is the worst part of identity theft,” he said.
“So having a single certificate that’s recognised by courts, debt collectors, financial institutions and credit reporting agencies would be of enormous benefit to people caught in that situation.
“Applying to a magistrate should not be too expensive or cumbersome to achieve.”
But relief of this nature is still some way off, as the long spell in the Senate’s holding queue means the latest bill, tabled by Senator Ludwig just over a month ago, must face another vote in the House of Representatives before it becomes law. Originally, the Identity Crimes Bill was introduced to the house in December 2008 by then Labor MP Mr Debus, and was passed three months later.
A spokeswoman for Home Affairs Minister Brendan O’Connor said the bill was on the representatives’ agenda for the November session, but the house faced a large workload which may affect timing.
Any changes to the legislation would require the bill to return to the Senate before passage, she said.
Meanwhile, Mr Connolly said while tougher penalties for identity theft were welcome, prevention and allocation of policing resources were far larger issues.
“If we’re really serious about this, we’d certainly be catching more perpetrators,” he said. “People complain that police don’t seem to have the capacity to investigate organised criminal activity behind ID theft. But we know that once an identity is stolen, sooner or later the thief is going to rock up to a financial institution and apply for a loan or credit card.
“Better alert systems would make it possible to identify and flag evidence of ID theft and then police and the bank could together work out ways to catch perpetrators in the act.”
Link to original article on The Australian
Getting your data safely across the border
Article Author: Tony Bradley
Since the terrorist attacks of 9/11, the United States has sacrificed some freedoms and liberties in exchange for tighter security in an attempt to prevent future attacks. The ACLU has joined with other groups in filing a legal challenge to one such security measure that infringes on personal liberty–the practice of searching laptops without cause at border crossings. However, there are also other ways you can get your data across the border without having it accessed by the prying eyes of Big Brother.
Benjamin Franklin is given credit for saying “They who can give up essential liberty to obtain a little temporary safety, deserve neither liberty nor safety,” and many of the security measures that have been implemented in the wake of 9/11 violate this basic tenet. But, for some organizations that fall under HIPAA, SOX, GLBA, or other regulations, safeguarding data is not just a principle of personal freedom, but also a compliance mandate.
Check It: If you are traveling by air, you can get your laptop past the TSA (Transportation Security Administration) checkpoint and possibly CBP (Customs and Border Protection) agents by checking it with your luggage. Odds are fair that you wouldn’t really use it on the flight anyway. Unless you’re flying first class (and how many businesses still allow for expensing first class travel?), there is simply no room to work with a laptop. Whatever minor productivity might result is most likely not worth the effort and frustration.
That said, baggage handlers are not known for treating things gently. There is a reason Samsonite demonstrated the quality of its luggage with commercials showing it being abused by a gorilla. So, your laptop will need to be carefully packed and padded. Also, keep in mind that CBP agents do randomly inspect checked baggage as well so it’s not a guarantee that the data won’t be accessed.
Encrypt It: Simply encrypting your laptop hard drive, or at least the sensitive files and folders, will prevent casual access by Border agents. If you or your laptop seem particularly suspicious, the government may still try to compel you to share the encryption key so it can get a deeper look at the data, but at that point it will be up to you how much you want to dig in your heels and stand on principle, or if exposing the data to Border agents just trying to protect the country is really that big a deal.
Use USB: Another option for getting sensitive or confidential information across the border without having your Fourth Amendment rights violated is to carry it separately on a USB thumb drive. Your laptop will still be subject to inspection at border checkpoints, but you can remove any critical data that should not be accessed or viewed by others and put it in your pocket or on a keychain with a USB thumb drive.
Take the Cloud: Probably the best way to get your data safely across the border is to simply store it where borders don’t exist–the cloud. Border agents might randomly confiscate and access your laptop to ensure you are not part of a terrorist sleeper cell intent on destroying America, but your personal, sensitive, and confidential data can be stored safely and securely in the cloud using Google Docs, Box.net, Dropbox, Microsoft’s Skydrive, or any of a wide variety of other Web-based storage options.
Using the cloud means that the data will be accessible from any Web connection in the world even if the laptop is lost or stolen, and prevents government agents from unauthorized access of sensitive data at the same time.
Next time you travel internationally, make sure you consider that your possessions may be seized and searched with or without cause, and take some extra steps to protect your data and get it across the border safely.
Full article at Computerworld with hyperlinks intact
Data breaches blamed on organised crime
Article Author: John Leyden
Hackers feast on financial sector security mistakes
Cybercrooks continue to be a menace to corporate security, with hackers and malware authors collectively responsible for 85 per cent of all stolen data.
The latest edition of Verizon’s annual data breach report also records a rise in insider threats and greater use of social engineering.
Verizon worked with the US Secret Service to pool information and develop a more complete picture of data breaches. Information used in the 2010 Verizon Data Breach Investigations study spans six years, and more than 900 breaches involving in excess of 900 million compromised records.
Data breaches crop up in all types of industries but financial services, hospitality and retail still make up the “Big Three” of industries affected (accounting for 33 per cent, 23 per cent and 15 per cent of incidents, respectively). However, a huge majority (94 per cent) of all compromised records in 2009 were attributable to breaches at financial service firms.
Many of the breaches covered by the study involved privilege misuse. Almost half (48 per cent) of breaches were blamed on users who, for malicious purposes, abused their right to access corporate information. An additional 40 per cent of breaches were the product of hacking.
Social engineering (for example tricking company reps into handing over sensitive data) played a role in 28 per cent of attacks.
Hackers largely feasted off low-hanging fruit, as in previous years. The vast majority (85 per cent) of the breaches were not considered highly difficult. Most (87 per cent) of the firms hit by breaches had evidence of data loss in their log files, yet missed it.
Verizon adds that 79 per cent of the victims involved in handling credit card transactions and therefore subject to the PCI-DSS standard hadn’t achieved compliance prior to the breach.
Full story at The Register