DHS Learns a Lesson: “What Happens on the Internet, Stays on the Internet!”
In response to the recent inadvertent TSA exposure of an improperly redacted PDF document containing highly detailed information on Passenger Screening procedures used by TSA officials at U.S. airports, several lawmakers have apparently asked Department of Homeland Security Secretary Janet Napolitano to review any legal remedies available to stop Web Sites from reposting the leaked security manual.
First a couple reminders:
- “What Happens on the Internet, Stays on the Internet”
- The US legal system does not have jurisdiction over all of the Internet
Perhaps the same lessons being taught to students regarding the dangers of posting personal information or photographs of themselves online should be relayed to government employees with access to the Internet. Once that information is out there, it is highly unlikely you will ever get it back…just like there is no “UNSEND” button to click after you sent an e-mail you did not mean to send.
What we really need are practical solutions that address these and other real-life issues. This incident reveals a critical need for awareness and accountability across all levels of government. All personnel should be provided with “situational awareness” and “customized training” to ensure all appropriate personnel understand:
- What types of information can be shared or not shared
- How to properly share information
- Who information can be shared with
- How to protect/redact sensitive information
- And many other situational awareness issues that all appropriate personnel need to know
Aligning Security and Company Risk – Lessons Learned from Others’ Mistakes
Excellent Lessons Learned from Major Incidents
There is a saying that no leader will live long enough to learn from their own mistakes, so great leaders learn from other people’s mistakes too.
As I was reviewing titles from the November issue of Security Management (an ASIS publication) and on the lookout for lessons learned, I came across the following title: Aligning Security and Company Risk
I clicked on the link and read an article that featured two major security/compliance incidents and what steps leaders from General Dynamics Corporation and Providence Health & Services took after major incidents occurred at their organizations.
The article really got my attention when I read the first paragraph:
After a major incident, companies often decide that they need to purchase new security products to prevent a recurrence of the problem. But sometimes the solution may be nontechnical: to better align security and business risks and to enforce existing policies.
The article offers lessons learned from two organizational leaders who realized their security, compliance and business management efforts needed to be better aligned and that no technology solution was going to “fix” their problems, gaps and weaknesses.
Are your organization’s security, compliance and risk management efforts aligned?
Does your organization have policies and procedures that help all appropriate personnel understand how your organization’s business processes are aligned?
Do all appropriate personnel understand their specific roles, responsibilities and obligations with respect to Security Management? Compliance Management? Risk Management? Reputation Management?
Does your organization need to modernize outdated, fragmented or manually intensive efforts that are making your organization vulnerable to expensive risks or a major incident?
In my experience performing risk, vulnerability, compliance, safety and continuity assessments, most organizations can definitely learn from other leaders’ and other organizations’ mistakes, and the sooner the better.
Ohio Storage Bins Stolen – One Man’s Trash Is Another Man’s….
We have all heard the wise old saying, ‘One man’s trash is another man’s treasure’, and we may have yet another lesson learned for organizations that are obligated to protect their clients’ personal information.
In this lesson learned from Ohio, three large storage bins were stolen from outside of three different bank branches in three different cities. Each of the three large storage bins contained paper that was waiting to be shredded and at least one of the storage bins contained personal documents of bank customers.
A few questions this incident brings to mind:
- Should personal data be stored outside of buildings?
- Should trash/storage bins be removable?
- Should trash/storage bins be monitored by video cameras?
- How should data waiting to be shredded be handled and secured?
- Does your organization have policies and procedures for data waiting to be shredded?
- Does your organization have an information handling agreement with its shredding vendors?
When it comes to protecting customers’ personal information, many other questions come to mind and many risks and issues have been discussed in previous Lessons Learned Blog entries.
Oh! And don’t forget this lesson learned provides yet another ‘red flag’ that should be added to your FACTA Red Flag Rule program and communicated to all appropriate personnel.
HHS Strengthens HIPAA Enforcement
If you were busy getting your costume ready for Halloween, you might have missed the news release from HHS on October 30, 2009. This news release should be taken seriously by all covered entities and organizational leaders that have responsibilities for protected health information (PHI).
The news release announces that HHS has issued an interim final rule to strengthen its enforcement of the HIPAA rules and to conform the HIPAA enforcement regulations to the changes made by the HITECH Act.
As you may remember, the Health Information Technology for Economic and Clinical Health (HITECH) Act was enacted as part of the American Recovery and Reinvestment Act (ARRA) of 2009, which modified the HHS Secretary’s authority to impose civil money penalties for violations occurring after February 18, 2009.
I am curious whether organizational leaders have noticed the growing trend toward stronger enforcement of regulations.
The FDIC, OSHA, SEC, FINRA, FTC and others have announced they are also strengthening enforcement of regulations.
Are organizational leaders paying attention and taking steps to strengthen their management programs?
Stay tuned….
Fact or Fiction with Tweets and Web Sites
The battle of the megaphones…it’s on!
The California Public Employees’ Retirement System (CalPERS) has launched a web site to target misinformation and offers a way to let its members, employees, employers and others keep up with issues in national health care reform, pension investments and security.
CalPERSResponds.com is the new web site that will also link to its social media posts on Twitter, Facebook and YouTube.
According to Patricia Macht, CalPERS director of external affairs, “There’s a lot of information and misinformation about CalPERS” and “We hope this site will help separate the facts from fiction and provide some education, insight and clarity to these issues.”
So now that multiple social networking sites are here to stay, are other organizations also planning to build a bigger microphone so they can shout over the top of the other microphones?
Megaphones – especially bigger and louder ones – are they really the most effective or efficient solution for communicating information to trusted members, employees and partners when information overload is already a serious problem?
30,000 Hotmail Passwords Posted Online…and growing
Did you see the headlines…10,000 webmail passwords were posted online?
Did you see the headlines…20,000 webmail passwords were posted online?
Did you see the headlines…30,000 webmail passwords were posted online?
Where does this end?
The headlines offer valuable lessons learned that every organization should be utilizing to help their people (board members, managers, employees, partners, contractors, vendors, service providers, etc.) to be better prepared for phishing threats and attacks.
The fact that 20,000 or 30,000 people (or more) were socially engineered into giving away their personal webmail passwords is alarming. So what is your organization doing to make sure your people are not giving away their passwords to organizational mail accounts?
Awareness is vital. Accountability is critical. Lessons Learned must become Lessons Implemented.
Is your organization prepared?
Rocky Mountain Bank vs. Google
In this Network World article, a US District Court Judge in California ordered Google to deactivate the Gmail account of a User who accidentally received personally identifiable information. An employee of Rocky Mountain Bank sent an e-mail to the User’s account in error containing names, Social Security Numbers and loan information of more than 1300 bank customers.
Once the employee realized their mistake, they quickly sent a follow-up e-mail requesting that the recipient destroy the previous e-mail and contact Rocky Mountain Bank as soon as possible. After receiving no reply from the recipient, the bank contacted Google and asked for information on the Gmail account holder, which Google refused to provide without a court order.
On September 25, the court issued a temporary restraining order, insisting that Google shut the account down and divulge whether the account was still active and whether the confidential info had been viewed. Google complied with the order. The bank has confirmed that the confidential message was never opened and that it has now been permanently deleted.
Not sure if I agree with the judge’s decision, but I think everyone can agree that important lessons were learned. Lessons learned include 1) make sure employees understand regulatory mandates which prohibit the transmission of unencrypted personally identifiable information and 2) make sure employees understand acceptable e-mail usage guidelines and verify the e-mail address or addresses are correct before hitting SEND!
Additional acceptable e-mail usage guidelines and questions to consider before sending any e-mail or other electronic message may include:
- Who is receiving the e-mail?
- Does the content disclose proprietary information about my organization?
- Does the content disclose sensitive personal information?
- Does the content disclose confidential data about clients, contracts, etc.?
- Are there statements or accusations in the content that cannot be substantiated?
- Does the content contain offensive, racist or slanderous information?
- What would happen if the e-mail was shared, stolen or forwarded to someone else within or outside of my organization?
- If the e-mail went public, would it have a negative effect on me or my organization?
- Does the e-mail comply with organizational requirements?
Remember: everyone knows how to use e-mail, but not everyone understands the risks and consequences of using e-mail, so taking time to ensure awareness and accountability can make a huge difference in your bottom-line results.
Customers vs. Banks – Failure to Implement Adequate Security Procedures?
Two recent headlines caught my attention:
Construction Company Sues Bank for Money Lost in Cyber Scam
Couple’s Lawsuit Against Bank Over Breach to Move Forward
In both of these cases, banks are being sued for not taking adequate precautions that could have prevented cyber thieves from stealing money from the customers’ accounts. The customers claim that the banks did not offer two-factor authentication and also failed to notice suspicious and anomalous behavior. Therefore, the customers are claiming that the banks breached their duty to protect account holder information.
These lawsuits could have significant ramifications and I will be curious to see the final outcome. Should a bank be held liable in the breach of their customers’ online accounts?
As Cyber Criminals continue to develop more sophisticated attacks and are constantly finding new ways to target financial accounts, financial organizations will need to show due diligence and work continuously to secure their networks and data with up to date data protection measures. Organizations that can’t prove they took adequate measures to protect data will find themselves exposed to additional legal liabilities and reputational damages.
Financial organizations may also need to educate their customers about their efforts to ensure customer data is protected and secured. By maintaining ONGOING compliance with regulations and standards like FFIEC, PCI-DSS, GLBA, FACTA Red Flags, etc., organizations can improve their reputation and develop a culture of trust with their customers. Organizations may also want to make a proactive effort to educate their customers on the latest risks and threats and how to implement security best practices. If customers understand the importance of strong passwords, how to recognize a phishing attempt, how to use e-mail securely, etc., they can become a layer of defense rather than a weak link.
Weekly Update: Implementing Lessons Learned
Please take a moment to consider how these Lessons Learned could be implemented by managers within your organization to avoid expensive and embarrassing situations…
U.S. Government Advises Businesses on Swine Flu
Government officials are calling on U.S. businesses to help manage the H1N1 flu this fall by developing customized plans for managing both the seasonal and swine flu, getting vaccines to vulnerable workers and encouraging employees with symptoms to stay home.
Court indicts Hackers in Largest Data Breaches in US History
A federal grand jury in New Jersey indicted Albert “Segvec” Gonzalez in the largest hacking and identity theft case ever prosecuted. Gonzalez allegedly stole more than 130 million credit and debit card numbers by hacking into Heartland Payment Systems, as well as Hannaford Brothers, 7-Eleven and other unnamed national retailers. Gonzalez was also indicted on accusations of stealing 41 million credit and debit card numbers from major retailers, including TJ Maxx.
Campaign Monitor, an Australian email marketing application, was a victim of a hacking attack when unauthorized users broke into the Campaign Monitor servers and accessed customer accounts. The compromised accounts were used to send spam, using lists already in the account and lists imported by the hackers.
Massachusetts Data Protection Law Deadline Extended to March 1
The deadline for compliance with the Massachusetts data protection law, 201 CMR 17.00, has been extended to March 1, 2010. 201 CMR 17.00 requires all companies, large or small, that conduct business within Massachusetts to protect the personal information of Massachusetts residents.
Lessons Learned are extremely valuable and must be implemented on an ongoing basis to ensure continued success (and ongoing CYA!).
Article Cites “Dingbat Data Leaks”
A title to an article in SmartMoney caught my attention because it read “Dingbat Data Leaks”.
I think it caught my attention because over the last 27+ years or so I have worked with my share of IT and IS department managers, as well as spending many years working with end-users, and I am not sure I understand who the author is referring to as the “dingbats”.
The author mentions absurd incidents and common blunders, so:
Are the people that throw away sensitive records in the trash the dingbats?
Are the people that lose flash drives and laptops the dingbats?
Is the gas station attendant who refilled the receipt printer with a used roll that had prior customers’ credit card data printed on the back a dingbat?
I get the impression from the article that yes, they are the dingbats. The article closes with an interesting bright-side revelation from a Ponemon researcher that only 2 percent of all data breaches result in ID fraud. The conclusion of the article notes that cluelessness works both ways and says “just as it takes human stupidity to produce a leak, even accidental recipients with criminal tendencies are usually too dense to realize what they’ve received.”
Everyone has their own view; however, I see some great Lessons Learned in this article for business leaders.
Isn’t it the responsibility of business leaders (and their managers) to ensure all appropriate personnel understand which records can and can’t be thrown away and which need to be shredded?
Isn’t it the responsibility of business leaders (and their managers) to ensure all appropriate personnel understand how to handle and protect information that is in transit or on mobile devices?
Isn’t it the responsibility of the business leaders to ensure their technology and business devices are compliant with today’s security and privacy regulations?
Is it possible the source of these common problems is the business leaders not implementing situational awareness, regulatory requirements, legal due diligence and accountability for their employees?
After 27+ years of experience and research, I know People are very capable and most want to help. I also know People can be an organization’s first and best layer of defense in protecting against data leaks, but only if business leaders understand the problem and take steps to implement and enforce simple and reasonable processes and procedures at the individual level.