Showing posts with label data security. Show all posts

Friday, June 18, 2010

Reporting Data Loss: Tough Choices, One Answer

When military data is lost, stolen or compromised, the potential dangers are obvious. Lost personal data can lead to identity theft, lost operational data can lead to mission cancellation or failure, and lost technical data can lead to other compromised systems and even further damage. While loss of data is bad enough, sometimes the loss is not mitigated in a timely fashion. When this happens, it is often not because of a stealthy hacker or a missing hardware audit. It is because somebody did not report the incident out of fear of potential personal consequences. We need to change that mindset. Not accepting responsibility and warning others of a network or data breach can put missions and lives at risk.

So if you are the cause or you discover a loss of data or a hacked network, it’s decision time. Report it or cover it up. What’s worse? A chewing out from your CO, or knowing that letting your error go unreported resulted in an ambush or the identities of fellow soldiers and their families being stolen? Even if the person who discovers the loss is not personally responsible for the incident, they might be reluctant to report it because it would reflect badly on friends or the unit.

Military personnel tend to have the “not on my watch” mindset. This is a great attribute when it comes to the defense of a position or ensuring that everyone makes it back from a patrol. However, when such dedication to that statement means that fellow soldiers are at risk because of an unreported breach of network security, it is unacceptable. Neither is taking a “not my problem” attitude. Loss or compromise of military data is everyone’s problem.

Most soldiers will take responsibility if they are at fault. But many of these same soldiers will cover for a buddy’s mistake. Covering for someone is often considered being a team player. That’s fine, if you help Bill get ready for inspection after a tough night of leave or taking on more work because Ed needs to deal with a family matter. However, covering for someone in the case of data loss is as risky as not reporting your own error.

Fear is often the motivation for not reporting an incident. Nobody wants to get chewed out or written up. But think about what could happen if data has been compromised and nobody that can do something to eliminate or reduce the problem is ever told. The punishment for not reporting a network security problem that is found out later will be much greater than reporting it in the first place. It’s like when you were a kid. Do you tell your parents? It’s basically the choice between a scolding and being grounded for a month. In the military, grounding can take the form of docking your pay or sending you to someplace you really don’t want to be. But the real issue is not a personal one. The fact is that delay in reporting lost or stolen data can result in lost identities, compromised missions and possibly risk to soldiers in theater. afcea

Thursday, May 20, 2010

Ten Ways to Protect Your Network From Insider Threats

Insiders -- people who work within your organization -- pose a huge potential security risk. That's because while hackers and other outsiders have to break in to your network and gain access to systems and data, many insiders have valid credentials to log on quite legitimately and access the systems and data they need to carry out their jobs.

Unless appropriate steps are taken, it can be quite trivial for employees to copy your confidential data on to a memory stick and walk out the door, install a logic bomb to destroy data in the future, or set themselves up with login credentials to ensure that they have access to your systems even after they have left your employment.

Here are ten things you can do to protect your network:

Wednesday, May 19, 2010

Privacy expert: It's good PR to say no to the government

A leading privacy researcher is urging companies to say no to government requests for data, arguing that it's good for business.

"Or rather, saying yes can be really bad for business," said Chris Soghoian, an Indiana University PhD candidate and security and privacy researcher.

Speaking on Monday at a Law Seminars International event in Seattle, Soghoian offered companies tips for handling law enforcement requests for data.

Consumers do care about their privacy and their reaction to news about companies that too willingly help the government access their data -- or resist such requests -- proves it, he said.

For instance, in 2005 it was revealed that a few years earlier the National Security Agency had illegally asked telecom providers to install wiretap equipment in their facilities. Qwest said no. "When the news came out, there was widespread praise for that company and the strong position they took, whereas AT&T and the others were criticized," he said.

In 2004 airline JetBlue voluntarily provided customer data to the Department of Defense. The action led to a lawsuit that was ultimately thrown out, "but in the meantime their name was dragged through the mud," he said.

In addition to bad publicity, such incidents aren't cheap. "Not only do government requests lead to loss of reputation but when you get sued by civil liberties groups and your customers, the government won't pick up the tab," he noted.

In another instance, the Department of Justice asked search engines to reveal information about search terms. Most of the big search engines complied but Google declined, not on privacy grounds but citing proprietary information, he said. "If you ever have the fortune to discuss privacy with a Google privacy person barely two minutes will go by before they tell you about the time they said no to the DOJ. They receive thousands of requests a year that they say yes to, but this one instance they've been able to trumpet," he said.

A lawyer who spoke at the conference on Monday agrees that resisting data requests can be good for business. There is increasing scrutiny from consumer groups about privacy issues, and companies may be able to maintain competitive differentiation if they are careful about law enforcement requests and if they are open about their policies, said Daniel H. Royalty, a lawyer at K&L Gates in Seattle. "It may be that increasing transparency in this space can lead to differentiation." computerworld

Tuesday, May 18, 2010

Navy took more than a year to announce personal data breach

In case of danger or a natural disaster, the U.S. Navy can rapidly dispatch troops, fighter jets or relief supplies to troubled areas around the world.

So why did it take the Navy 17 months to inform employees at the Naval Facilities Engineering Service Center in Port Hueneme, Calif., that their Social Security numbers had been inadvertently released?

The information was sent in May 2008 to three other employees whose security access had been suspended for reasons unrelated to the information breach.

E-mails obtained by The Washington Post indicate that Navy officials quickly realized employees should be informed. But that was not done until October 2009. The names of those sending and receiving the messages were blocked out, but their offices, and in some cases their positions, were not.

An e-mail dated June 6, 2008, to the chief of naval operations and the Navy's chief information officer, among others, cites a report from a month earlier on personally identifiable information and reads, "A list of employees was generated (128) that reflected the names, social security numbers and perceived security clearance issues relating to each of named employees."

The June 6 e-mail says there was no criminal activity involved, though the Navy's general counsel was notified. It also says that the personal data are confidential and that their use is restricted. A June 9 e-mail from a Navy "privacy team leader" says the employees "must be issued letters stating that they are at increased risk for identity theft due to the high risk nature of PII [personally identifiable information] that was compromised." This note even indicates where a sample letter can be found on the Navy's Web site.

But the 244 employees -- subsequently increased from 128 -- were not notified until much later. washingtonpost

Improper disposal of hundreds of loan applications raises security concerns

A cleaning crew mistakenly tossed the unshredded documents in a garbage bin

PLEASANT HILL — The financial and personal details of about 300 property-loan applicants were compromised when confidential documents were mistakenly tossed into an outdoor waste bin.

The paperwork, belonging to FHG Finance, a home loan business at 548 Contra Costa Blvd., was discarded last week by a cleaning crew hired to clear out a portion of the building where FHG is based, an official at the business said.

The documents, which contained bank account and Social Security numbers, were found by employees at a neighboring store, who alerted FHG. The company secured the trash bin with a padlock until the documents could be shredded.

Broker Walter Rook, vice president of FHG, described it as a close call.

"It definitely could have caused problems ... from any of these people who go bin diving, looking for account information," Rook said.

Rook said his business used to share space with another loan company, which closed more than a year ago.

He had accumulated at least 32 boxes of old documents that he stored in the vacated space, in preparation to shred them. The documents represented about 300 clients from 2003 to 2007. "You have to hold them for three years before you can destroy them," he said.

But Rook was unprepared April 28, when the building's owner hired a crew to clean out the vacated space.

The two cleaners came into Lamps Plus and asked store manager Rachel Rainey if they could throw several boxes of paper into the store's outdoor recycling bin. She gave permission.

After the men left, another employee noticed the recycled documents were loan applications. They included copies of driver's licenses and credit reports, Rainey said.

"The loan applications were very, very detailed," she said. "Every single thing you can think of to start a loan."

Concerned about the apparent mishandling of the documents, Rainey alerted Rook.

"If the Lamps Plus people wouldn't have told me, I would have never known," he said. "Thank God they came over."

Too late in the business day to do anything more, Rook put a padlock on the recycling bin and fretted through the night about the sensitive contents inside.

In the morning, the bin was emptied and a Walnut Creek shredding company destroyed all of the contents.

But later that day, Lamps Plus employees found several more boxes of loan documents in a nearby garbage bin.

"We did the right thing and decided to shred the rest of the papers ourselves," Rainey said.

The activity took eight hours.

The Times could not contact the owner of the property, who Rook said was out of the country. The property management company, Central Real Estate, did not return phone calls seeking comment.

Typically, businesses that share office space are notified by the owner or property management company when entry will be made and cleaning will be done, said Amy Callaghan, a property manager at Colliers International in Walnut Creek.

"To just call someone and say, 'dump whatever you see in there,' it's not a standard procedure," she said. "But every owner handles things differently."
insidebayarea.com

Monday, April 12, 2010

Private papers found in trash

Law director not sure how documents got into the recycling Dumpster without being shredded.

For several weeks, a mound of city documents containing Social Security numbers, phone numbers and carbon copies of checks filled a Dumpster at Smith Park, where they were accessible to anyone.

The Journal received a tip that led to the discovery of countless junked records containing personal information for Middletown residents, along with blueprints, contracts and tax papers.

Most appear to have originated in the city’s public works and utilities department, with a few from the police and finance departments.

City Manager Judy Gilleland said normal records policy calls for documents of that nature to be shredded and not simply thrown away.

“We typically ... have the Shred-it company come on site and take care of everything,” Gilleland said. “I don’t know why we would be dumping in Smith Park, other than those are our Dumpsters.”

Law Director Les Landen said he is not sure how confidential documents got into the recycling Dumpster, but he suspects they started in a recycling bin within the city building. Every piece of recycled paper from the city building eventually ends up in the container at Smith Park, according to Landen.

“Somebody made a mistake and threw something away that should have been shredded,” Landen said. “We do have a policy and process for getting rid of confidential and sensitive documents, but that clearly was not followed here.”

While Landen is not sure an incident like this would expose the city to potential legal action, he said it is still “a practice we do not condone.”

“We need to make sure our employees know where the material is going after it leaves their offices,” Landen said. “Sometimes situations like this help us self-check ourselves.” middletownjournal

Wednesday, January 13, 2010

Deadlines for data security requirements



This advisory provides a brief summary of new data security requirements with effective and enforcement dates in early 2010 that will affect innumerable businesses.

State Data Security Developments

January 1, 2010: New Amendment to Nevada Privacy Law
A new amendment to Nevada privacy law that became effective January 1, 2010 requires companies doing business in Nevada that accept payment cards to comply with the Payment Card Industry Data Security Standards (“PCI DSS”).

The new amendment also requires that other data collectors doing business in Nevada encrypt personal information contained in certain kinds of transmissions and when stored on a data storage device.

While Nevada appears to be the first state to require such compliance, others may follow.

March 1, 2010: Massachusetts Security Regulation Affecting All Companies with Personal Information of Massachusetts Residents

Under the Massachusetts Security Regulation (201 CMR 17.00) (the “Regulation”), every person or company that owns or licenses certain personal information about a Massachusetts resident must develop, implement, maintain and monitor a comprehensive written information security program (“WISP”).

The applicability of the Regulation is very broad, extending to any company that has personal information of Massachusetts residents, whether or not the company is doing business in Massachusetts. The Regulation does not exempt any industry, sector or out-of-state business, and does not exempt a de minimis number of Massachusetts customers, employees or other residents. Compliance is required by March 1, 2010.


Federal Data Security Developments

February 17, 2010: Expanded Reach of Federal HITECH Act Protecting Health Information
The HITECH Act imposed substantial parts of the HIPAA privacy rule and the HIPAA information security rule directly on business associates.

HITECH imposed changes to the “minimum necessary rule” for the use and disclosure of protected health information for uses and disclosures other than treatment, with the limited data set serving as a “safe harbor” pending further regulations. The Act also requires covered entities to provide patients with a copy of their electronic protected health information (“PHI”) in electronic format, or to transmit electronic PHI to other providers in electronic format at the patient’s request. Also, new restrictions on the use and disclosure of protected health information for marketing purposes will take effect. Covered entities should have new business associate agreements in place that reflect new privacy and security requirements by this date.

February 22, 2010: Full Enforcement of Health Data Breach Notification Rules
Full enforcement of the HIPAA data breach notification rule for covered entities and business associates will begin on February 22, 2010. Similarly, the Federal Trade Commission will begin enforcing the data breach rules applicable to personal health record vendors and their contractors on February 22, 2010.

June 1, 2010: Broad Upcoming Federal Requirements – Red Flags Rule
The federal Red Flags Rule (16 CFR 681.1) requires that financial institutions and “creditors” (which is very broadly defined) develop and implement written Identity Theft Prevention Programs in order to detect, prevent, and mitigate identity theft.

For financial institutions, compliance has been required since November 28, 2008.
For “creditors” that maintain “covered accounts,” the Red Flags Rule will go into effect June 1, 2010. The term “creditor” is broadly defined, causing concern that the Red Flags Rule reaches entities other than traditional financial institutions or creditors that engage in regular loans or advances, including businesses that offer forbearance in the collection of debts or bills, or which allow multiple or extended payments for goods or services that have been previously provided.

European Data Security Developments
In addition to complying with US data protection, most US companies with subsidiaries in the European Union need to be aware of the data protection laws in the EU, enforcement, and the penalties for non-compliance. There are new penalties for data protection violations and breaches in Germany, and a proposal for increased penalties pending in the UK, as noted below. Further, those publicly traded firms implementing whistleblowing programs for subsidiaries in the EU in order to comply with two important US laws, the Sarbanes-Oxley Act of 2002 and the Foreign Corrupt Practices Act, should also take note of recent important whistleblower decisions, guidelines or directions in France, Denmark, Sweden, Portugal, Austria, and Hungary.

United Kingdom
Pending the outcome of a recent Ministry of Justice consultation, the Information Commissioner’s Office (ICO) in the UK may be given increased statutory powers to impose fines up to £500,000.

This would apply when the ICO is satisfied that: (i) there has been a serious breach of one or more of the data protection principles of the organizations; and (ii) the breach was likely to cause substantial damage/distress, i.e., if the breach was deliberate or the organization knew or should have known there was a risk, such as by the reckless handling of personal data.

As some data breaches may include individual names in other countries, the fine levels of those authorities become increasingly important.

Germany
The German Federal Parliament passed comprehensive amendments to the Federal Data Protection Act, effective September 1, 2009, that cover a broad variety of data protection issues and give fine authority of €50,000 for simple violations and €300,000 for serious violations.

The data protection authorities have been given these new powers to enable them to impose higher fines for failure to comply with data protection requirements, especially on the security side. lexology

Friday, December 18, 2009

Scoring Big in a Dumpster Dive!


So you think data security is all about your IT department? Think again...



Video:

Steve Hunt reveals how easy it is to find sensitive information while Dumpster Diving!

Saturday, November 7, 2009

Is your company keeping information secure?


Are you taking steps to protect personal information? Safeguarding sensitive data in your files and on your computers is just plain good business. After all, if that information falls into the wrong hands, it can lead to fraud or identity theft. A sound data security plan is built on five key principles:

  • Take stock. Know what personal information you have in your files and on your computers.
  • Scale down. Keep only what you need for your business.
  • Lock it. Protect the information in your care.
  • Pitch it. Properly dispose of what you no longer need.
  • Plan ahead. Create a plan to respond to security incidents.
To learn more about how you can implement these principles in your business, play our interactive tutorial. You'll see and hear about practical steps your business can take to protect personal information. After you experience the tutorial, we hope you'll take advantage of the other resources on this site to educate your employees, customers, and constituents. Order copies of our brochure, Protecting Personal Information: A Guide for Business, or publish an article on information security in your newsletter, magazine, or website. All of the information on this site is in the public domain; we hope you'll share it freely.
FTC Info Security Video Tutorial