Corporate Data Footprint

June 13, 2012 by · Leave a Comment
Filed under: Digital Breach Newswire 

Great description of the data problem faced by many companies, and exactly where we can come in to assist managing that same data.

 

Do You Know Where Your Data is Tonight?

Article Author: Randall Beach

Twitter @rsbeach
June 12, 2012

Where is your data? If your company was asked this question 25 years ago, the answer would most likely be an easy one. Your company’s data was on the few computers it had in the office, on employees’ desks and in the file room (the physical one down the hall). Today, the answer to that question is far more complex. Your company’s data is likely stored on internal servers, cloud servers, desktops, laptops, touchpads, smart phones, social media sites and, just maybe, employee desks and the file room down the hall.

Why does the location of your data matter? America is the most litigious society in the world. That means, sooner or later, your company will be a party in a lawsuit. One of the first phases of law suits is discovery. That is when the other party is allowed to ask for and review your data. In general, when the other party asks for your data, you have to produce it.

If you don’t know where your data is, producing your data will be time consuming and very expensive. Imagine having a discovery order that requires a data review of all your employee’s smartphones, computers, and iPads! Imagine having to expand that to your company’s social media pages, or even those of your employees. If all of this imagining is not turning into a nightmare, you need to imagine harder.

E-discovery has been around since communications began to be transmitted via 0s and 1s. Discovery orders routinely include electronically stored information (ESI) within the span of items to be produced. ESI includes such things as emails, voice mails, texts, instant messages, data stored on the cloud, data stored on mobile devices, and, now, social media postings and other user generated content.

The inclusion of social media content within discoverable ESI was established in the 2010 case of EEOC v Simple Storage Management. In that case, the court ruled that social media content must be produced if it is relevant to the case at hand. Scarily, the Simple Storage court held that the permissible scope of discovery in that case included “any profiles, postings or messages (including status updates, wall comments, causes joined, groups joined, activity streams and blog entries) revealing or relating to emotion, feeling or mental state.” A shorter way of saying that would have been everything.

So what does this all mean for your company? First, your company needs to assert control over its data. There should be clear policies regulating how and where company data is stored. If you allow a wild west, anything goes, atmosphere to engulf your data, there is high potential of embarrassment and high cost.

Second, you need to make it very clear to your employees that social media is included when it comes to data control. Develop policies that protect your data from landing on social media platforms, and alert employees to the fact that social media content can be discoverable.

In the end, there will always be the risk of a rogue employee or hacker. There will always be innocent mistakes and data seepage. The critical thing is to make sure your company moves forward with eyes wide open and asserts control where it can. Make sure that most nights, you know where your data is and where it will be in the morning.

Story reprinted from Social Media Today website

What are contractor’s doing while in your office?

June 5, 2012 by · Leave a Comment
Filed under: Digital Breach Newswire 

Article Author: U.S. Attorney’s Office

May 31, 2012

SACRAMENTO, CA, USA—Michael Garcia, 39, of Stockton, was sentenced today by United States District Judge Morrison C. England Jr. to 57 months in prison for fraud in connection with computers and in connection with an access device, United States Attorney Benjamin B. Wagner announced.

According to court documents, Garcia was employed as a technician by a contractor that provided information technology (IT) assistance to third parties. While employed there, Garcia accessed the computer servers of a law firm and an accountant firm without their knowledge or authorization and downloaded the personal information of more than 1,450 clients and employees. Garcia maintained this information on his computer and elsewhere.

According to court documents, Garcia and others used this personal and financial information to make counterfeited identification documents including driver’s licenses and military identification. They used the information to open bank accounts, draft bank checks, make cash withdrawals, obtain loans and lines of credit, and make unauthorized purchases. Additionally, Garcia accompanied others who wore stolen U.S. Customs and Border Protection uniforms to carry out certain fraudulent transactions, such as cashing checks, in the belief that the uniforms gave them more credibility. When arrested, Garcia possessed counterfeit California driver’s licenses, one of which bore his photo but with the name of a victim. The loss is more than $136,000.

Today in court, an employee of the accounting firm where Garcia unlawfully accessed the personal financial information told of the severe hardship suffered by the firm because of Garcia’s actions, as well as the personal toll she experienced because of Garcia’s breach of trust. Judge England commented that identity theft cases, particularly those where there has been an abuse of trust, negatively affect many lives.

This case was the product of an extensive investigation by the Federal Bureau of Investigation and the San Joaquin County Sheriff’s Department. Assistant United States Attorneys Todd Pickles and Robin Taylor prosecuted the case.

Story reprinted from FBI Website

Violating work computer-use policies not a crime

April 14, 2012 by · Leave a Comment
Filed under: Digital Breach Newswire 

Article Author: Grant Gross (IDG News Service)

Violating work computer-use policies not a crime

An appeals court says that a DOJ prosecution of a former employee would have expanded computer crime law

An ex-employee who persuaded former coworkers to access their company’s customer lists and give them to him is not guilty of computer hacking crimes, a U.S. appeals court has ruled.

The U.S. Court of Appeals for the Ninth Circuit ruled Tuesday that David Nosal, a former employee of executive search firm Korn/Ferry, did not violate the Computer Fraud and Abuse Act (CFAA), a 1986 law that outlaws the act of knowingly accessing a protected computer with the intent to defraud.

Nosal “convinced” some of his former colleagues working for Korn/Ferry to assist in his efforts start a competing business, wrote Judge Alex Kozinski, in the appeals court opinion. The employees used their log-in credentials to download source lists, names and contact information from a confidential company database, despite a Korn/Ferry policy forbidding employees from disclosing confidential information

The U.S. Department of Justice indicted Nosal on 20 counts, including trade secret theft, mail fraud, conspiracy and violations of the CFAA. Nosal was charged with violations of the CFAA for aiding the Korn/Ferry employees in exceeding their authorized access with an intent to defraud.

The DOJ appealed a U.S. District Court for the Northern District of California ruling dismissing the CFAA charges against him.

The appeals court agreed with the lower court, saying the DOJ’s reading of the CFAA was too expansive and would allow criminal charges against any employee that accesses company computers in violation of policy.

The law focused on criminal hacking, not employee access to information, Kozinski wrote. “The government’s construction of the statute would expand its scope far beyond computer hacking to criminalize any unauthorized use of information obtained from a computer. This would make criminals of large groups of people who would have little reason to suspect they are committing a federal crime.”

The DOJ’s interpretation could mean criminal charges for employees that play games on company computers, Kozinski wrote.

“Minds have wandered since the beginning of time and the computer gives employees new ways to procrastinate, by chatting with friends, playing games, shopping or watching sports highlights,” he said. “Such activities are routinely prohibited by many computer-use policies, although employees are seldom disciplined for occasional use of work computers for personal purposes. Nevertheless, under the broad interpretation of the CFAA, such minor dalliances would become federal crimes.”

Judge Barry Silverman wrote a dissenting opinion. “This case has nothing to do with playing sudoku, checking email, fibbing on dating sites, or any of the other activities that the majority rightly values,” he wrote. “It has everything to do with stealing an employer’s valuable information to set up a competing business with the purloined data, siphoned away from the victim, knowing such access and use were prohibited in the defendants’ employment contracts.”

The Electronic Frontier Foundation praised the decision, saying the DOJ’s interpretation would create a “massive expansion” of the CFAA.

“This is an important victory for all Americans who use computers at work,” EFF senior staff attorney Marcia Hofmann said in a statement. “Violating a private computer use policy shouldn’t be crime, just as violating a website’s terms of use shouldn’t be a crime. These policies are often vague, arbitrary, confusing and contradictory.”

Story reprinted from Computerworld

USB sticks still being used insecurely

November 29, 2011 by · Leave a Comment
Filed under: Digital Breach Newswire 

Article Author: John E Dunn (Techworld)

USB sticks still being used insecurely, Ponemon study finds not enough encrypted drives despite numerous data breaches USB sticks remain a big security weakness for many UK organisations with many employees using drives for data transport without permission and not bothering to report their loss, a Ponemon Institute study has found.

The study polled 451 IT staff in the UK from a global total of 2,942 on behalf of Kingston Technology, finding that 73 percent had experienced staff use of USB drives without authorisation, with 72 percent mentioning loss without notification in the last two years.

Only half of UK organisations employed some form of security policy or technology to these devices, and awareness of the risk posed by them was to be low in Britain compared to security-aware countries such as Germany.

Organisations were reluctant to enforce the use of secure drives, with 55 percent of workers using generic drives bought by themselves or picked up at conferences or trade shows.

“If you lose a laptop you can’t do your work; if you lose a USB stick nobody will ever know about it,” said Larry Ponemon of the Ponemon Institute. “To many people a USB stick is just a ubiquitous device.

” In the last three years, cases publicised by Britain’s Information Commissioner’s Office (ICO) show that lost USB drives – very few of which ever employ encryption despite containing sensitive data – have become a major bane of the public sector.

Despite only scratching the surface of the problem, according to Ponemon, public ‘naming and shaming’ has been a major spur to change.

“Notification has been shown to be very effective in achieving a higher level of compliance,” said Ponemon. “When it is made a reputation issue, organisations tend to pay attention to it.

” Data isn’t the only risk, with only 29 percent of those asked saying that their companies had systems in place to detect the malware that might creep into organisations via USB sticks.

Kingston recommends that organisations provide all employees handling sensitive data with encrypted drives, create policies for acceptable use, and employ asset tracking and recovery to manage their deployment.

Story reprinted from COMPUTERWORLD

Privacy of millions at mercy of a USB device

November 8, 2011 by · Leave a Comment
Filed under: Digital Breach Newswire 

Article Author: Leonie Wood

Data abuse is part of a ‘depressing’ trend, writes Leonie Wood.

THE privacy and financial records of millions of shareholders who use Computershare’s global share registry system were placed at risk this year when a Boston employee quit the company, allegedly taking with her thousands of pages of highly sensitive and confidential documents.

The employee resigned in September last year but did not return a work laptop for three weeks. When Computershare retrieved the laptop, the company claimed internal documents and emails had been copied without authorisation to a USB flash drive and later to the employee’s home computer.

What is most disturbing about the case is that the woman was formerly employed in Computershare’s risk management and internal audit department, which is responsible for scrutinising the vulnerabilities of the group’s internal systems.

It is understood forensic technicians employed by Computershare later purged the documents from the home computer and retrieved one of two USB devices in the woman’s possession.

But a court in Boston has heard Computershare does not know where the original USB device is; the woman told the company she had lost it. The chief executive of Computershare, Stuart Crosby, declined to comment on any aspect of the US court case and he declined to say if the company believed it had plugged the leakage of information.

But he said despite spending as much as $80 million in the past three years to improve security encryption and technology protection systems, Computershare, like many companies, could never be entirely certain that its information, including customer data, was safe.

”What we can assure you is that we take protection of the private information that we have custody of extremely seriously,” Mr Crosby said.

”We have invested … tens of millions of dollars – over the past five or six years especially – in technology and systems to do that, and we are always looking at ways to do it better, but I am not naive enough to say to you that we have that completely nailed. I don’t believe anyone can [tell you that].”

Mr Crosby noted that as employees increasingly used mobile and remote technological devices for their work, and as various jurisdictions put in place strict laws to bar companies misusing private information, companies were being forced to invest more to protect the integrity of their systems.

”It is a world that gets more complicated in this regard and that is why I resist your advances to be more assuring but we are doing everything we can,” he said.

Mr Crosby said while breaches of intellectual property were not common at Computershare, the company had noticed that fraud attacks, from both external and internal sources, had increased since the global financial crisis.

”It’s the desperation out there,” he said. ”And I have to say that our systems are doing a fabulous job picking it up. If it had happened eight years ago we might not have been as successful in picking it up.”

In court documents filed in the US District Court in Massachusetts in February and March, Computershare’s lawyers offered an alarming catalogue of the types of material the company alleges was taken and copied by the former employee without authorisation. This included ”information that could compromise the company’s competitive position in the market as well as highlight and disclose commercial business practices that are proprietary to the company, and which have been uniquely designed to protect client and shareholder private data and accurate money movements around the globe”.

The US court heard that one of the documents detailed Computershare’s business and operational processes, ”the inherent risks they face, their management risk rating, the likelihood and consequences of risks to those business lines, a documentation of controls that are in place that have been designed to mitigate their risk” and more.

Another document was an internal audit report covering all of Computershare’s US operations which, among other things, ”describes in detail the company’s efforts to maintain and preserve shareholder and institutional privacy and confidentiality” as well as specific audit findings and detailed strategies for resolving issues.

Also Computershare’s lawyers told the US court that the woman copied her emails from the laptop and that these contained ”personally identifiable information of shareholders, including account numbers, names and holdings”.

But the court heard this was only ”a brief summary of the thousands of pages of highly confidential and proprietary information” that Computershare alleges were taken.

In February, after the woman had denied copying any confidential or proprietary documents, Computershare sought a temporary restraining order. This was later withdrawn when the former employee agreed to allow forensic analysts to examine her computers.

Computershare has filed a damages claim in the US District Court in Massachusetts, alleging the former employee violated the US Computer Fraud and Abuse Act, wrongly took company information and breached a confidentiality agreement in her employment contract.

Computershare’s experience is not unique. One only has to consider how the integrity of US State Department and US Defence Department communiques was undermined when an employee passed on hundreds of thousands of diplomatic cables to WikiLeaks.

In Australia, the packaging group Amcor obtained court orders in 2004 to retrieve confidential documents from several employees who had resigned to set up their own consultancy. In the process, Amcor’s lawyers were given tapes of conversations that revealed the company was entrenched in a cartel with its rival, Visy Industries.

The head of Allens Arthur Robinson’s technology law group, Michael Pattison, told BusinessDay the instances of employees making off with confidential information were ”depressingly common”.

”It’s depressing because the information was quite clearly the company’s property and therefore any use of that information while they are employed is not only a breach of implied trust, it is a breach of their employment contract,” Mr Pattison said.

Mr Pattison suggested companies could try to protect their systems and confidentiality by signing employees into confidentiality agreements but they also needed to bolster the security of their IT systems, perhaps by barring certain information from being downloaded to remote devices.

”Ultimately you trust people that you employ, so it’s depressing to find at times that the trust is breached,” Mr Pattison said.

Story reprinted from Sydney Morning Herald

Four Questions to Start the Security Discussion

August 5, 2011 by · Leave a Comment
Filed under: Digital Breach Newswire 

Article Author: Brian McGinley

Intelligent businesses walk the security journey every day, whether management models security-smart behavior in the office or IT stays abreast of the latest technology developments.

But for newcomers those first steps can feel like major leaps, especially if it involves getting coworkers, employees and executive management on the path.

Discussion prompts action, and I’ve found over my years in corporate management and data security that these four simple questions can often get the ball rolling:

 

1. When it comes to the protection of your confidential company information—the information entrusted to you by your customers, clients and employees—do you have it right? What about other sensitive company information regarding financial, strategic, intellectual property and other sensitive data?

Having it right isn’t as easy as it sounds. There are administrative, operational and systemic considerations. Is the information really protected as it is collected and/or acquired; as it is transmitted; as it is used; and as it is stored?

And is it handled with a sense of importance by your employees with an understanding of the threats, vulnerabilities, and consequences of loss, as well?

That is to say, are there outlined policies and procedures for the collection, retention, use and disposal of that information that is accompanied by appropriate awareness communications, training and management reinforcement?

 

2. Are you confident that you, your management team, and your IT shop understands the complexities and interrelationships of the legal, regulatory, operational, and systemic data risk management protection requirements for sensitive material?

Questions of legality and compliance compound if your business handles Personally Identifiable Information (PII), Protected Health Information (PHI), Payment Card Industry Data (PCI) or other sensitive and classified data.

An important follow-up question is, Has your team responded to threats against these kinds of data with appropriate protection measures?

 

3. If your company’s financial system or bank access credentials were compromised and funds were stolen from your accounts, would your bank immediately repay those funds? Would the loss be covered by the current insurance that you have in effect?

These answers might not be as straightforward as you think. Bank policies and insurance policies vary greatly when it comes to commercial financial fraud and data breach.

 

4. If your company’s confidential information was compromised by a data breach tomorrow, would you know what to do? Do you have the appropriate plans and resources in place to respond effectively? If so, has this plan be vetted and tested?

Prevention and response, ultimately, is the name of this game. By looking hard at these four questions you’ll be able to realistically gauge where you are—and where you need to go—on the journey that is sound data security.

 

Story reprinted from Infosec Island

Brian McGinley, Senior Vice President of Data Risk Management, Identity Theft 911 With more than 30 years of experience in risk management, security, loss management and compliance within financial institutions, Brian has held senior positions at Wachovia Corp. and Citigroup. He served as board chairman of the Financial Services Roundtable/BITS Identity Theft Assistance Center.