Violating work computer-use policies not a crime

An appeals court says that a DOJ prosecution of a former employee would have expanded computer crime law

An ex-employee who persuaded former coworkers to access their company’s customer lists and give them to him is not guilty of computer hacking crimes, a U.S. appeals court has ruled.

The U.S. Court of Appeals for the Ninth Circuit ruled Tuesday that David Nosal, a former employee of executive search firm Korn/Ferry, did not violate the Computer Fraud and Abuse Act (CFAA), a 1986 law that outlaws the act of knowingly accessing a protected computer with the intent to defraud.

Nosal “convinced” some of his former colleagues working for Korn/Ferry to assist in his efforts start a competing business, wrote Judge Alex Kozinski, in the appeals court opinion. The employees used their log-in credentials to download source lists, names and contact information from a confidential company database, despite a Korn/Ferry policy forbidding employees from disclosing confidential information

The U.S. Department of Justice indicted Nosal on 20 counts, including trade secret theft, mail fraud, conspiracy and violations of the CFAA. Nosal was charged with violations of the CFAA for aiding the Korn/Ferry employees in exceeding their authorized access with an intent to defraud.

The DOJ appealed a U.S. District Court for the Northern District of California ruling dismissing the CFAA charges against him.

The appeals court agreed with the lower court, saying the DOJ’s reading of the CFAA was too expansive and would allow criminal charges against any employee that accesses company computers in violation of policy.

The law focused on criminal hacking, not employee access to information, Kozinski wrote. “The government’s construction of the statute would expand its scope far beyond computer hacking to criminalize any unauthorized use of information obtained from a computer. This would make criminals of large groups of people who would have little reason to suspect they are committing a federal crime.”

The DOJ’s interpretation could mean criminal charges for employees that play games on company computers, Kozinski wrote.

“Minds have wandered since the beginning of time and the computer gives employees new ways to procrastinate, by chatting with friends, playing games, shopping or watching sports highlights,” he said. “Such activities are routinely prohibited by many computer-use policies, although employees are seldom disciplined for occasional use of work computers for personal purposes. Nevertheless, under the broad interpretation of the CFAA, such minor dalliances would become federal crimes.”

Judge Barry Silverman wrote a dissenting opinion. “This case has nothing to do with playing sudoku, checking email, fibbing on dating sites, or any of the other activities that the majority rightly values,” he wrote. “It has everything to do with stealing an employer’s valuable information to set up a competing business with the purloined data, siphoned away from the victim, knowing such access and use were prohibited in the defendants’ employment contracts.”

The Electronic Frontier Foundation praised the decision, saying the DOJ’s interpretation would create a “massive expansion” of the CFAA.

“This is an important victory for all Americans who use computers at work,” EFF senior staff attorney Marcia Hofmann said in a statement. “Violating a private computer use policy shouldn’t be crime, just as violating a website’s terms of use shouldn’t be a crime. These policies are often vague, arbitrary, confusing and contradictory.”

Story reprinted from Computerworld

USB sticks still being used insecurely, Ponemon study finds not enough encrypted drives despite numerous data breaches USB sticks remain a big security weakness for many UK organisations with many employees using drives for data transport without permission and not bothering to report their loss, a Ponemon Institute study has found.

The study polled 451 IT staff in the UK from a global total of 2,942 on behalf of Kingston Technology, finding that 73 percent had experienced staff use of USB drives without authorisation, with 72 percent mentioning loss without notification in the last two years.

Only half of UK organisations employed some form of security policy or technology to these devices, and awareness of the risk posed by them was to be low in Britain compared to security-aware countries such as Germany.

Organisations were reluctant to enforce the use of secure drives, with 55 percent of workers using generic drives bought by themselves or picked up at conferences or trade shows.

“If you lose a laptop you can’t do your work; if you lose a USB stick nobody will ever know about it,” said Larry Ponemon of the Ponemon Institute. “To many people a USB stick is just a ubiquitous device.

” In the last three years, cases publicised by Britain’s Information Commissioner’s Office (ICO) show that lost USB drives – very few of which ever employ encryption despite containing sensitive data – have become a major bane of the public sector.

Despite only scratching the surface of the problem, according to Ponemon, public ‘naming and shaming’ has been a major spur to change.

“Notification has been shown to be very effective in achieving a higher level of compliance,” said Ponemon. “When it is made a reputation issue, organisations tend to pay attention to it.

” Data isn’t the only risk, with only 29 percent of those asked saying that their companies had systems in place to detect the malware that might creep into organisations via USB sticks.

Kingston recommends that organisations provide all employees handling sensitive data with encrypted drives, create policies for acceptable use, and employ asset tracking and recovery to manage their deployment.

Story reprinted from COMPUTERWORLD

Data abuse is part of a ‘depressing’ trend, writes Leonie Wood.

THE privacy and financial records of millions of shareholders who use Computershare’s global share registry system were placed at risk this year when a Boston employee quit the company, allegedly taking with her thousands of pages of highly sensitive and confidential documents.

The employee resigned in September last year but did not return a work laptop for three weeks. When Computershare retrieved the laptop, the company claimed internal documents and emails had been copied without authorisation to a USB flash drive and later to the employee’s home computer.

What is most disturbing about the case is that the woman was formerly employed in Computershare’s risk management and internal audit department, which is responsible for scrutinising the vulnerabilities of the group’s internal systems.

It is understood forensic technicians employed by Computershare later purged the documents from the home computer and retrieved one of two USB devices in the woman’s possession.

But a court in Boston has heard Computershare does not know where the original USB device is; the woman told the company she had lost it. The chief executive of Computershare, Stuart Crosby, declined to comment on any aspect of the US court case and he declined to say if the company believed it had plugged the leakage of information.

But he said despite spending as much as $80 million in the past three years to improve security encryption and technology protection systems, Computershare, like many companies, could never be entirely certain that its information, including customer data, was safe.

”What we can assure you is that we take protection of the private information that we have custody of extremely seriously,” Mr Crosby said.

”We have invested … tens of millions of dollars – over the past five or six years especially – in technology and systems to do that, and we are always looking at ways to do it better, but I am not naive enough to say to you that we have that completely nailed. I don’t believe anyone can [tell you that].”

Mr Crosby noted that as employees increasingly used mobile and remote technological devices for their work, and as various jurisdictions put in place strict laws to bar companies misusing private information, companies were being forced to invest more to protect the integrity of their systems.

”It is a world that gets more complicated in this regard and that is why I resist your advances to be more assuring but we are doing everything we can,” he said.

Mr Crosby said while breaches of intellectual property were not common at Computershare, the company had noticed that fraud attacks, from both external and internal sources, had increased since the global financial crisis.

”It’s the desperation out there,” he said. ”And I have to say that our systems are doing a fabulous job picking it up. If it had happened eight years ago we might not have been as successful in picking it up.”

In court documents filed in the US District Court in Massachusetts in February and March, Computershare’s lawyers offered an alarming catalogue of the types of material the company alleges was taken and copied by the former employee without authorisation. This included ”information that could compromise the company’s competitive position in the market as well as highlight and disclose commercial business practices that are proprietary to the company, and which have been uniquely designed to protect client and shareholder private data and accurate money movements around the globe”.

The US court heard that one of the documents detailed Computershare’s business and operational processes, ”the inherent risks they face, their management risk rating, the likelihood and consequences of risks to those business lines, a documentation of controls that are in place that have been designed to mitigate their risk” and more.

Another document was an internal audit report covering all of Computershare’s US operations which, among other things, ”describes in detail the company’s efforts to maintain and preserve shareholder and institutional privacy and confidentiality” as well as specific audit findings and detailed strategies for resolving issues.

Also Computershare’s lawyers told the US court that the woman copied her emails from the laptop and that these contained ”personally identifiable information of shareholders, including account numbers, names and holdings”.

But the court heard this was only ”a brief summary of the thousands of pages of highly confidential and proprietary information” that Computershare alleges were taken.

In February, after the woman had denied copying any confidential or proprietary documents, Computershare sought a temporary restraining order. This was later withdrawn when the former employee agreed to allow forensic analysts to examine her computers.

Computershare has filed a damages claim in the US District Court in Massachusetts, alleging the former employee violated the US Computer Fraud and Abuse Act, wrongly took company information and breached a confidentiality agreement in her employment contract.

Computershare’s experience is not unique. One only has to consider how the integrity of US State Department and US Defence Department communiques was undermined when an employee passed on hundreds of thousands of diplomatic cables to WikiLeaks.

In Australia, the packaging group Amcor obtained court orders in 2004 to retrieve confidential documents from several employees who had resigned to set up their own consultancy. In the process, Amcor’s lawyers were given tapes of conversations that revealed the company was entrenched in a cartel with its rival, Visy Industries.

The head of Allens Arthur Robinson’s technology law group, Michael Pattison, told BusinessDay the instances of employees making off with confidential information were ”depressingly common”.

”It’s depressing because the information was quite clearly the company’s property and therefore any use of that information while they are employed is not only a breach of implied trust, it is a breach of their employment contract,” Mr Pattison said.

Mr Pattison suggested companies could try to protect their systems and confidentiality by signing employees into confidentiality agreements but they also needed to bolster the security of their IT systems, perhaps by barring certain information from being downloaded to remote devices.

”Ultimately you trust people that you employ, so it’s depressing to find at times that the trust is breached,” Mr Pattison said.

Story reprinted from Sydney Morning Herald

Intelligent businesses walk the security journey every day, whether management models security-smart behavior in the office or IT stays abreast of the latest technology developments.

But for newcomers those first steps can feel like major leaps, especially if it involves getting coworkers, employees and executive management on the path.

Discussion prompts action, and I’ve found over my years in corporate management and data security that these four simple questions can often get the ball rolling:

1. When it comes to the protection of your confidential company information—the information entrusted to you by your customers, clients and employees—do you have it right? What about other sensitive company information regarding financial, strategic, intellectual property and other sensitive data?

Having it right isn’t as easy as it sounds. There are administrative, operational and systemic considerations. Is the information really protected as it is collected and/or acquired; as it is transmitted; as it is used; and as it is stored?

And is it handled with a sense of importance by your employees with an understanding of the threats, vulnerabilities, and consequences of loss, as well?

That is to say, are there outlined policies and procedures for the collection, retention, use and disposal of that information that is accompanied by appropriate awareness communications, training and management reinforcement?

2. Are you confident that you, your management team, and your IT shop understands the complexities and interrelationships of the legal, regulatory, operational, and systemic data risk management protection requirements for sensitive material?

Questions of legality and compliance compound if your business handles Personally Identifiable Information (PII), Protected Health Information (PHI), Payment Card Industry Data (PCI) or other sensitive and classified data.

An important follow-up question is, Has your team responded to threats against these kinds of data with appropriate protection measures?

3. If your company’s financial system or bank access credentials were compromised and funds were stolen from your accounts, would your bank immediately repay those funds? Would the loss be covered by the current insurance that you have in effect?

These answers might not be as straightforward as you think. Bank policies and insurance policies vary greatly when it comes to commercial financial fraud and data breach.

4. If your company’s confidential information was compromised by a data breach tomorrow, would you know what to do? Do you have the appropriate plans and resources in place to respond effectively? If so, has this plan be vetted and tested?

Prevention and response, ultimately, is the name of this game. By looking hard at these four questions you’ll be able to realistically gauge where you are—and where you need to go—on the journey that is sound data security.

Story reprinted from Infosec Island

Brian McGinley, Senior Vice President of Data Risk Management, Identity Theft 911 With more than 30 years of experience in risk management, security, loss management and compliance within financial institutions, Brian has held senior positions at Wachovia Corp. and Citigroup. He served as board chairman of the Financial Services Roundtable/BITS Identity Theft Assistance Center.

Over the last two decades, the primary contribution of information technologies in firms has been about efficiency and enablement: to improve processes, make people more productive, reduce time to market, or enable things that couldn’t be done previously. The focus has been on costs and payoffs. This decade is witnessing a new challenge: data. There is suddenly too much of it, and while firms rush to mine it, they do so without adequate regard for the risks in keeping and using it.

Hardly a week goes by without yet another major breach or scandal involving data. The last month has been particularly bad. Tom Tom sold location data to law enforcement without asking its consumers, Apple has been gathering consumer movement and use data on its devices, while Epsilon and Sony were hacked, with sensitive data on hundreds of millions of individuals stolen. Despite reassurances from these companies, it is hard to be certain whether and when this data will be misused. More importantly, the reputations of these companies have been badly damaged.

Are these incidents any different in terms of potential impacts on franchises from product recalls due to defects in industrial products? Not really. And perhaps some companies are beginning to realize this. Indeed, one major positive development from the Sony fallout has been the creation by the company of a “Chief Information Security Officer (CISO)”. This is a laudable step that others should follow. But it doesn’t go far enough in acknowledging the real problem.

Sony and many other firms view the security and use of data as a technical problem. But in fact, the governance of data is a management problem. The lapses we are seeing are not technical ones, but failures in management. Where data is the lifeblood of commercial activity, its management in many industries must reside in the C-suite, not in the trenches.

Lapses in data governance in data-dependent industries are no different than product defects in the physical world. The reason is simple. Increasingly, it is information itself that is the product, with technology being the critical conduit for its exchange. Many industries that touch our lives on an everyday basis involve information products. If one considers the firms that we deal with every day, such as Google, Facebook, banks, media, and telecommunication companies, their products are information-based. Even when there is a physical product, digital interaction with consumers transforms part of the consumer experience into one that is information-based. Information products have different properties than traditional physical products and are subject to different economics and risks. Furthermore, the growing volume of data created as a by-product of this digital interaction brings with it significant benefits as well as risks.

CEOs who are insulated from technology have largely failed to grasp the implications of this shift in the role of information technology from enabler to product and still expect their technologists to deal with all aspects of data. This is a mistake. They must partner actively with their CIOs in assessing the importance of data to their product or service and the franchise to avoid the reputational risks from the lack of effective data governance.

Isn’t It Time CEOs Were Held Accountable For Technology?

When an automobile has a defect, it involves the CEO. If a brake or gas pedal is defective or a tire substandard, the CEO steps in immediately to manage the fallout and address its customers directly. The same must be true for data breaches and misuse. The Sony data breach was an important milestone in that its chief apologized, albeit somewhat late, for a defect in its information-based product. While Sony appointed a dedicated CISO to deal with data security, it didn’t go far enough in acknowledging that this is a management problem, not a technical one.

We believe that firms need to give the same level of importance to their firm’s data governance policies as they do to their company’s products, financial reporting practices, or brand equity management. Viewing data privacy management through the lens of network management or potential liability is too narrow. This isn’t a legal, technological or compliance issue. Rather, it’s an executive matter, one made more critical by the continual increase of data and the corresponding increase of risk in cyberspace. As devices become more powerful, providing more and richer electronic touch points to human activity, the scope of available electronic information explodes, and the associated risks to handling these data also grow exponentially. Companies actively collect and mine this data and even sell it without considering the risks, as the recent Apple, TomTom and Epsilon incidents reveal.

These developments strengthen the case for the CIO being a full-fledged member of the C-suite and embracing the new role of managing their firm’s data with a more holistic and strategic approach. CIOs should partner with their CEOs in putting in place a coherent and transparent policy that defines the frequent and deliberate choices about what data to acquire, keep, use and share. A first question that such a policy might answer is: Do we keep too much data? Our research (in conjunction with NYU research scientist Jessy Hsieh) suggests that the answer to this question is generally “yes.”

The less data you keep, the less you need to worry about keeping it secure. Next, it is essential to have a clear idea about the use of the data you keep, and specifically, to assess whether this use is congruent with the customers’ intent when they provided it to your firm. We have developed a framework that provides executives with a roadmap for answering these questions, the details of which are available in our working paper titled “Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Businesses and Policymakers,” available from the Center for Digital Economy Research at the NYU Stern School of Business.

It took a global financial crisis to get the public to pay attention to systemic financial risk. There is equivalent and growing systemic risk in cyberspace. We hope it does not take a massive data breach at an Apple, Google or Facebook to make data governance a top executive priority. Because once that data is out there, it’s out there for good, and there’s no taking it back.

Story reprinted from Computerworld

Vasant Dhar is the Daniel P. Paduano Fellow and Professor at NYU’s Stern School of Business, and Director of Stern’s Center for Digital Economy Research. Arun Sundararajan is the NEC Faculty Fellow and Associate Professor at NYU’s Stern School of Business, and a Distinguished Academic Fellow at the Indian School of Business for 2010-12. Vasant and Arun conduct research about how information technology transforms markets and corporate strategy, with expertise in privacy, business intelligence and digital business models.

Zero Tolerance for Records Snoops and Other Prevention Tips

Preventing breaches requires comprehensive information security policies, aggressive staff training and, sometimes, bold action as well.

Allina Hospitals and Clinics took the gutsy move of firing 32 employees for looking at the electronic health records of patients involved in a recent mass drug overdose case.

Raising the security awareness of your workforce is your best defense against having a breach incident.

Allina spokesman David Kanihan stresses that the delivery system has consistently enforced its privacy policy by dismissing those who access records without a legitimate reason. “But this is larger in scope than other incidents we’ve had in the past,” he says.
“We take our obligation to protect patient privacy very seriously,” according to an Allina statement. “Anything short of a zero-tolerance approach to this issue would be inadequate.”

Breach Prevention Tips
Zero tolerance for records snooping certainly is a powerful, high-profile breach deterrent. But what other steps should healthcare organizations take to prevent various types of breaches?

“Raising the security awareness of your workforce is your best defense against having a breach incident,” says David Holtzman, who’s on the federal team that enforces the HITECH Act breach notification rule (see: Breach Rule Enforcer Offers Advice).

Holtzman, health information privacy specialist at the Department of Health and Human Services’ Office for Civil Rights, says organizations that successfully create a culture of compliance and promote good data stewardship will “be at lower risk of having a breach or having your data sitting on a laptop that’s unprotected in the airport or in somebody’s car while it’s parked at the grocery store.”

He also contends that “Those organizations that have good foundations of policies and procedures respond better to incidents.”

Based on the breach incidents reported so far, Holtzman also advises healthcare organizations to:

• Make widespread use of encryption, especially for data stored on various devices, including laptops.
• “Do not neglect physical safeguards for areas where paper records are stored and used.”
• Consider reducing risk by using network or enterprise storage rather than storing protected health information on devices, such as laptops or desktops.
• “Create clear and well-documented administrative and physical safeguards for storage devices and removable media” that are used to store protected health information.

Healthcare organizations must comply with the interim final version of the HITECH Act breach notification rule until the final version is issued, federal officials stress. This week, Susan McAndrew, deputy director for health information privacy at the HHS Office for Civil Rights, said the final version will be released later this year as part of an omnibus rulemaking package, which also will include final modifications to HIPAA

It remains to be seen whether the final version of the breach notification rule will modify, clarify or eliminate the harm standard, which enables organizations to conduct a risk assessment to determine whether a breach incident represents a significant risk of harm and thus merits reporting. Some members of Congress would like to see the provision eliminated in favor of requiring that all breaches be reported. We’re hoping the final version of the rule, at the very least, greatly clarifies the “risk of harm” provision.

Original Story at Gov info security

Sensitive data including child abuse records on drives readied for secondhand market.

New Jersey state agencies left confidential information on computers set to be sold at auction, according to a report released this week by state Comptroller Matthew Boxer.

An audit by Boxer’s office revealed that multiple state agencies disposed of computer equipment without ensuring that data on the devices had been removed. Auditors discovered completed tax returns, Social Security numbers, health records, child abuse papers and a list of login passwords on computers that were shrink-wrapped on pallets at the state’s surplus property warehouse ready to be auctioned off to the public.

The comptroller’s office intervened to stop the auction after confidential information was discovered on the computers but warned that the state may have inadvertently released personal information in the past. The state gives away or sells hundreds of computers each year, the comptroller’s office estimated.

“It’s certainly a reasonable assumption that before we arrived there was no one to stop computers with confidential data from being auctioned to the public,” said Pete McAleer, a comptroller spokesman.

New Jersey state policy requires agencies to remove all data from a computer’s hard drive before deeming it fit for redistribution. Despite the state’s requirements, 46 out of 58, or 79 percent, of the hard drives evaluated during the audit contained data, much of which was confidential, according to the report.

“At a time when identity theft is all too common, the state must take better precautions so it doesn’t end up auctioning off taxpayers’ Social Security numbers and health records to the highest bidder,” Boxer said in a statement.

Specifically, the hard drives contained more than 230 files related to state child abuse investigations, containing names and addresses of the children, as well as immunization and health records. The release of such information violates various state and federal laws, the report states.

The comptroller made 10 recommendations to state officials for improving the surplus system, many of which advise employees to follow and enforce existing policies.

In response, the state’s Treasury Department, which operates the warehouse, said it has undertaken efforts to improve data security.

The department has issued an interim policy requiring that agencies remove all hard drives from computers sent for redistribution while it develops a permanent policy for handling such computers.

Original Story at Secure Computing Copyright © SC Magazine, US edition

According to a survey by AFCOM, cloud computing is on the rise among data center operators, more than doubling since last year, and expected to reach 80-90 percent in the next five years.

Among respondents to the data-center-focused organization’s annual “State of the Data Center” survey, 36.6 percent have implemented some form of cloud computing technology within their data centers, and another 35.1 percent are seriously considering doing so. This is big leap from last year, when only 14.9 percent had implemented cloud technology, and underscores a general consensus among IT professionals and pundits that cloud computing is fast becoming an accepted delivery model for IT resources.

Other findings from the survey support the increased interest in cloud computing. One key trend is the rise of servers and the decline of mainframes among respondents: Whereas 91.3 percent said they had the same amount or fewer mainframes than they did three years ago, 73.6 percent have more servers than they did three years ago. Also, 86.6 percent said they are running more web applications than they were three years ago. More servers and more web applications don’t necessarily mean more cloud computing, but they certainly indicate environments better suited for the transition than are data centers filled with mainframes and running strictly internal-facing applications.

Following the general trends we’ve seen around the proliferation of data and increased demand for computing power, an overwhelming majority (90.9 percent) said they utilize more space for storage than they did three years ago, while 44.2 percent said their data centers occupy more square footage than they did three years ago.

Of course, all the extra equipment and space can wreak havoc on a company’s power bills, which is likely why survey respondents seem very tuned into monitoring power usage. The majority of respondents measure power usage effectiveness (PUE), cooling efficiency and server utilization, and the majority of respondents have already consolidated, are in the process of consolidating, or are planning to consolidate their data center operations. On the other hand, almost half of respondents also are in the process of expanding, or are planning to expand, their data centers, so perhaps energy-efficient hardware, software and building design are even more important in these efforts. Indeed, the vast majority of respondents (77.3 percent) have utilized server virtualization as a method to cut power costs, and a large percentage are undertaking a variety of measures from liquid cooling (21.8 percent) to UPS systems (88.5 percent).

When I spoke with AFCOM CEO Jill Eckhaus earlier this month, she said energy concerns have been a top concern among AFCOM members for about five years, and won’t likely be decreasing in importance any time soon. In fact, she noted, power availability is the primary concern in siting new data centers. Organizations are building new data centers, she said, in large part because they’re simply running out of space and power supply at their existing sites, but, as the survey suggests, they’re also building them smarter. She noted an increase in data center container use, too, and the 2011 survey shows 6.4 percent of respondents utilizing them. “I think during a down economy, you have to be smarter … about your purchases and what you’re doing,” Eckhaus said.

Conventional wisdom says cloud computing is a good way to curb energy use, but recent research suggests this isn’t always the case and, as my colleague Katie reported yesterday, Greenpeace is keeping tabs on the environmental impact of cloud data centers, and will release its findings on April 21 at our annual Green:Net conference. Greenpeace’s big push has been to expand energy-efficiency beyond smart design and efficient hardware and into use of clean energy. Only 3.9 percent of AFCOM respondents said they are currently using solar power, and companies such as Facebook have come under fire for their patronage of coal-powered energy plants. Also at Green:Net, energy experts from Google and Yahoo will sit down with Om Malik to talk about the cutting edge in green data center techniques, which should will find their way into mainstream data centers in the years to come.

Sourced from NY Times

Google has begun testing an intriguing plugin for Microsoft Office. Google Cloud Connect is a devastatingly simple concept: rather than save your files to your computer’s hard disk, it allows you to save them to your online Google Docs space.

Following the upload, the user can share docs with colleagues and more importantly, collaboratively edit them from within the Microsoft Office software window. In other words, the plugin brings the shared editing power of Google Docs — its best selling point — to Microsoft Office.

If you’ve never tried Google Docs collaborative editing, I’d advise you to give it a try. Right there in your browser you can see other invited people working on the document, and edits are shown almost in real time. It makes an extremely compelling case for embracing cloud computing.

Unfortunately, nowhere in its new product announcement does Google address the number one concern of businesses when asked about the cloud: data security.

Survey after survey shows that any mention of cloud computing goes hand-in-hand with concerns about data security. It’s a mystery why companies such as Google don’t make more of an effort to assuage fears. After all, we have to assume their setup is extremely secure and probably involves high levels of encryption every step of the way. Yet in the Google Cloud Connect official announcement, there wasn’t one mention of security or encryption.

Would you upload a highly confidential document into the cloud — one that could fatally wound your business if it fell into the wrong hands?

What about your clients’ data? Are lawyers safe to use cloud services without running the risk of betraying client confidentiality? Data protection laws are also an issue. Could a business become liable, should data it stored in the cloud accidentally become available to others?

Not one of these questions are being answered by the majority of cloud service providers. Such reluctance turns using the cloud into something of a gamble. You’ll probably be OK, but what if things go wrong?

Larger businesses that build their own cloud storage systems have complete freedom to incorporate encryption via bespoke software, of course. The incorporation of 256-bit AES will ensure that even if the data is picked up by another individual, it will be unreadable. However, smaller and medium-size businesses have to rely on third-party infrastructure, and that involves 100 per cent trust in service providers.

The only way companies like Google will encourage such businesses to embrace cloud services is to offer unequivocal guarantees about security and privacy.

I suspect this would have to involve some kind of insurance policy, such as promising a cash payout should data go astray — effectively, a million dollar guarantee. This will not only engender confidence in cloud computing but may prove a necessity; should client data end up in the wrong hands and you find yourself sued because of it, it’s not unreasonable to expect the cloud service provider that made the mess to help clean it up.

However, it’s unlikely that any insurance underwriter could offer such a policy to cloud providers. Technical considerations aside, all an underwriter need do is search Google and discover the many instances over the years that supposedly 100 per cent secure systems have proven to be flawed.

The area of wireless networking provides classic examples. Security experts lined up to explain that WEP was considered the perfect method of protecting data. WPA was considered the bulletproof replacement — until it was cracked. WPA2 replaced it and remains in use at the moment, but it’s not overly cynical to wonder how long this will last.

Even now many corporate IT departments refuse to adopt wireless networking, sticking to ethernet cables despite the many advantages Wi-Fi offers. We can’t blame them for their lack of trust but, fundamentally, it’s no different with cloud services. They might claim to be 100 per cent secure, but for how long?

The hacking community comprises some of the most intelligent and devious people on the planet. Nothing will stop them. With any kind of data security, it’s only a matter of time before its blow wide-open.

Article via cio.com.au

Europe needs strong and effective data protection, the European data protection supervisor said Monday.

Responding to the recent European Commission communication on data protection reform, Peter Hustinx underlined the importance of a clear legal framework that harmonizes national data protection legislation, particularly in societies where private information is widely gathered without individuals’ knowledge.

He also called for a technologically neutral approach, the inclusion of the principles of privacy by design and accountability, and the introduction of a mandatory security breach notification covering all relevant sectors.

“Data protection is not an abstract thing. It relates to everybody’s life, every moment of every day. There is no room for mistakes here: the challenges are enormous. That is why the proposed solutions must be equally ambitious and actually enhance the effectiveness of the instruments of data protection,” he said.

Last month the Commission announced that it is taking Austria to court for failing to establish an independent data protection authority and in March the European Court of Justice declared Germany in breach of E.U. rules on the independence of its data protection authority.

Meanwhile, the U.K. is in hot water for allowing BT to secretly test Phorm’s snooping technology without informing customers.

The European Commission is currently reviewing its data protection and data retention directives.

Original Article at NetworkWorld