Jmarsh
(Feb 9, 2007 - 9:40 AM)
Much ado about nothing, this is more grandstanding by pols.
1) IT Manager pleads for shred bins, CFO (ultimately, this means the board of directors) refuses funding. String the IT manager up? No. Any IT manager that's not an intern keeps the CYA file of denied requests like that for just such an occasion. Some "IT Managers" are for shops that have an AS/400 and two file servers for construction companies, and there are no staff.
2) Writing policies does nothing. There must be an established initiative from the Board, or C-level exec. For public companies, this isn't much of a problem on the surface.
3) How do you define "IT Manager?" How many of you were the sole IT person while in college for some small joint? Yeah, there was PII (personally identifiable information) in there somewhere. If you are, say, a 40-employee advertising agency, and contract with a local computer shop to do Novell maintenance, etc., is it the contractor's fault that, because they didn't request a $50,000 privacy and security audit, stuff got lost?
4) What happens when this is a government agency? Who gets sent up the river? The PMO? The CISO? The CPO? No one? (See: VA breaches, HHS, etc.) Why, for instance, is the password to your Sallie Mae monthly PDF still your SSN?
5) If you hold, store, or process information, especially PII for other companies (i.e., you are a third-party provider), you already do this, since the company that hires you will include "due diligence" as part of their vendor management program. While Steve's Credit Servicing with 4 employees may not write this into the contract, every single stinking bank that is regulated (i.e., all of them, via the OCC, FDIC, etc.) will force these provisions on you, or they will be unable to renew a contract.
6) As far as notice, each state has different thresholds for providing notice to people. Think long and hard before you request the federal gov't "level the playing field" on notice, since when the feds preempt state legislatures, the playing field meets the lowest common denominator. Right now, since almost every entity has a customer in California, for instance, the companies are required to write and implement policies to the *highest* common denominator.
6b) Notice does not, and should not be required to, be given while there is still an ongoing investigation. This is why the VA (supposedly) waited for months before sending me my letter. You lose a tape, you try to figure out the scope of the loss. That's OK, otherwise we'd all be getting two letters a month "just to be sure."
7)Consumers have the choice to move their business. How many of you have read Verizon's privacy notice? That of your bank? Do you even know when their policy says they're allowed to share your information? Change banks, find one that can give you the answers. Call your bank CPO, and ask them their plans surrounding two factor authentication (FFIEC guidance from Oct 2005). I've done this.
8) Technical controls and policies cannot ever be perfect. No system is ever 100% protected from failure or incident. How many developers don't check out code from SourceSafe like they're supposed to? Fess up. You, lonely old you, are violating a technical control over data integrity. Grabbed an unlabeled tape to replace the dead one in the tape library to get the backup done on time? Hmmm, may have PII on it that won't be overwritten.
9) Returning to the government question, let's think about state and local governments. Court records are public, and the crowd has pushed that services be made available online. Whoops, your divorce decree is available online, with addresses, pay rates, and probably SSNs all around! What about the courthouse you filed your DD-214 with when you got out of the army? Anyone can go look at it. New York just figured this out.
10) Colleges... Colleges have archives that go back decades. Remember when it was normal to put your SSN on all correspondence you had with the university? Go look in some boxes.
11) Look for an example of an FTC consent decree. They're pretty ugly, and can be for seemingly minor violations.
12) How many of you went to a new dentist or doctor and put your SSN somewhere? That was completely optional, and you didn't have to, but you just created a new attack vector on your identity.
The basic point is this... It's purely a feel-good measure, with no discernible productive results. Get ID theft insurance, clean your own house, and conduct your own due diligence about the people you give your business to.