
Archive for compliance

Three Ways to Avoid “Wheel Reinvention” - and Build a Better, Trusted Solution

The last article in this series explored the top three reasons why groups have a tendency to reinvent the wheel (read it here, or the entire series started here). And now, some solutions:

Beyond the frustration caused by an approach that simply recreates the wheel, the result is often a solution that is not trusted and therefore readily cast aside in favor of the next offering. Putting a stop to this cycle requires taking a different approach. Success has to be based on fundamentals and sound principles.


How to do it?

A key part of the solution is to enter into deliberate discourse (note: this is a central theme of Into The Breach and a topic I am passionate about). More voices with an opportunity to review, consider and contribute have the potential to lead to a better product. For this to lead to a better product requires a strong leadership team with enough expertise to guide and the skills to help facilitate and negotiate the final result.

Instead of starting with a blank slate, it is a good practice to build on the success of others. When it comes to strategies that protect information, we have plenty of choices – frameworks like ISO 2700x, PCI, FISMA, etc. However, limiting the solution to a narrow set of industry standards may not yield the best results. Sometimes, real progress comes at the intersection of industries (to gain more insight on this approach, consider reading: The Medici Effect) – leveraging how the medical, engineering or other industries have dealt with and handled challenges may bring valuable insight to the effort at hand.

The advantage to building on the validated and transparent work of others is the ability to avoid conjecture and “gut feeling.” This is the challenge: there are few shortcuts to spending the time to outline, think, plan, distill, check, cross-reference. This is an area where transparency really provides a benefit.

When the group of professionals is assembled, here are three steps to harnessing the collective power, building on the wheel (instead of building a new wheel) and reaching a point of success:


1. Capture and distill frameworks (or solutions)

Start by presenting a model to work from, based on an existing solution. In general, individuals and groups struggle to create but excel at editing and revising. With this in mind, selecting an initial framework or set of solutions to present to the group acts as a strawman [http://en.wikipedia.org/wiki/Strawman]. This has the added benefit of allowing people to beat on the framework(s) instead of each other.

The frameworks or solutions can either be selected in advance or decided by the team. Allowing the team to decide may provide for more diverse results but requires more time and a stronger facilitator (who possesses deep subject matter expertise). Stronger frameworks and solutions are those that have already been publicly validated and are more transparent. This suggests the “heavy lifting” has already been done and the team can focus on refining and tailoring what already exists from multiple sources into the solution required.

More important than just compiling a list of viable frameworks and solutions is how they are captured and processed. As the elements are suggested, reviewed and documented, look not only for the similarities, but also the distinctions between them. Working to understand why specific elements were either included or excluded may also reveal key insights that aid the development of a stronger solution. Note the intended audience and users of the solution and how it is received. It may be useful to note the level of maturity, too (since that provides some insights).

This process generates a lot of discussion – this is good, and leads to the second point.


2. Capture and distill the running dialogue

More important, perhaps, than the solutions selected in the last step is the running dialogue that occurs as part of the process. Yet few organizations take the time or make the effort to capture that solid gold value.

Ultimately, the discussion – the true process of negotiation and coming to a common understanding – is precisely what allows a group to build the final product. While the discussion is natural, here are three important questions to ask, answer and record during this process:

a. What works — and why?

b. What does not work — and why?

c. How is this applied — and why?

Look for specifics. This is an area where people tend to rely on “truthiness” – which, to a certain extent, may be okay. In the overall discussion, however, guide people back to more concrete grounding by asking more questions to ensure everyone shares a common understanding (which is not necessarily the same as a common opinion!). The next segment will explore the benefit of capturing this conversation and making it available in the future.

As the conversation continues, there is one more step to increase the overall value.

3. Capture and distill references

The value of having experts together in a room is their collective knowledge – informed by experience, training and a vast array of resources. Therefore, it is incredibly valuable to regularly ask this group to cite the references they find of value.

As the discussion rages on (if you have been part of a working group, rage is definitely the right word), asking people to take the time to cite the references that support their assertions returns focus to the fundamentals.

Not only does this improve the overall framework, but this also improves how it is applied and verified (as we will explore in the next sections).


Bottom Line

Bring together a small, tight team that works well together. Welcome as many voices into the process as reasonable. Take the time to distill and overlay what already works.


How this Applies to Trustmark

When Trustmark gets this right, it will essentially be an overlay on the entire industry – explaining where, how and why the different control families and control objectives can be met. This is important, since it allows for additional regulations or efforts to be acceptable without prescribing a set way of working. But whether working on Trustmark or a new process to protect information, following these steps leads to a stronger - and more trustworthy - result.


Up Next: the second challenge facing Trustmark and similar efforts is in how the solution is applied. We examine this challenge with potential solutions before moving on to the final challenge of how the solution is measured and verified.



If you enjoyed this post, make sure you subscribe to my RSS feed!

Posted in Catalyst Insights, Information Protection, Into the Breach, Security Awareness Training, compliance

The Challenges for Trustmark (or any Framework/Solution)

I am going to continue my examination of the CompTIA Security Trustmark by sharing some challenges inherent in groups — and then revealing some simple steps to overcome those challenges. Read Part One or engage in the conversation.

As noted earlier in the series, Trustmark initially eases the path for “channel vendors” to gain confidence in their VARs. Regardless of whether each vendor is conducting some level of “due diligence” today (or not), by working together on a common framework and audit standard, churn is reduced while assurance and confidence are increased.

Trustmark may be currently focused on the 20,000+ members of the reseller community, but I see a short path to benefitting the Fortune 500 companies seeking to complete their due diligence on smaller partners. I even see a path for doctors, lawyers and other professionals. Much like BITS is becoming an accepted standard for large organizations [download the framework here: BITS Framework for Managing Technology Risk for IT Service Provider Relationships], Trustmark can do the same.

Three Challenges to Success

Whether developing the Trustmark, working any type of certification or developing a new process, there are three broad challenges to ensuring a successful outcome:

1. building the framework/solution
2. applying the framework/solution
3. verifying the framework/solution

The balance of this series will explore each of these challenges to reveal what happens and how they can be successfully met. It seems that each time I sit down to work on them, I learn (and the article expands). To make it more readable, I’ll be breaking these down into a series of readable columns. However, if there is enough interest, I’ll pull them together in the end for a cohesive paper and make it available for download. I know that I’ll be referring back to this research to avoid mistakes in future efforts.



Posted in Information Protection, compliance

Pride of Accomplishment - and what really matters

Earlier today we received the shipment of “preview copies” for Into the Breach. This is the first book that I authored by myself (as opposed to contributing) - and it took longer than expected. Despite the delays, the entire journey has been amazing!
COVER: Into the Breach: Protect Your Business by Managing People, Information and Risk

To open the book and hold the finished (albeit preview) product in my hands felt cool. Okay, I did a little happy dance in the office. Then I realized that the book website is out of date (and is slated for massive overhaul next weekend). We’re also working on the link for pre-orders and a final ship date for the Hardcover version… mind racing, pressure building, I got back to work.

Just now, my children came home. My son actually snuck into my office (he’s getting good!), walked up behind me and yelled “Congratulations” and gave me a huge hug. He was as excited as his birthday when I handed him his own copy. He looked me dead in the eye and told me, “Daddy, this must have taken a lot of time. I am very proud of you.” His entire body let me know he was excited. And proud. A minute later, my daughter came running in, cheering for me. She immediately asked for her copy, hugged me and told me the book looked “great.”

The tears welled up as they scampered upstairs to put their books in “a safe place.”

I didn’t write this book for the sake of writing; rather I wrote to shift thinking and change behaviors. I asked, “What if breach isn’t the problem?” and then spent a few years blending and distilling sociology, psychology, applied economics and experience with technology to share some insights and suggest a path. I wrote to make a difference. The process of writing involved the entire family - and for that, I am grateful.

Holding the book today was an awesome feeling. And yet it was quickly trumped by the simple celebration and pride my children took in me. This is what really matters. Today is a day to remember.

Update: My parents and Grandmother came by for dinner. My son ran out to meet them - book in hand. Couldn’t wait to tell them “how totally awesome Daddy’s book is.” Totally an awesome day to remember.



Posted in Information Protection, Professional Speaking, compliance

Three Challenges to Building Trust (and how to overcome them)

How hard is it to build trust?

“When people honor each other, there is a trust established that leads to synergy, interdependence, and deep respect. Both parties make decisions and choices based on what is right, what is best, what is valued most highly.” –Blaine Lee

In my last article, I introduced the efforts of CompTIA to address a growing need in business today with the Trustmark certification.  The Trustmark, initially focused on small and medium-sized VARs, represents a promising step forward in how businesses demonstrate and verify they protect information. As outlined in part one, I see a far larger benefit for small and medium businesses everywhere – provided Trustmark is positioned and grown properly.

Note: The more I think about Trustmark and the challenges of getting it right, the more I see vast potential. As such, I’m lengthening this article into a series of posts to share more ideas and invite constructive conversation.


The Challenges

Now I turn my attention to addressing the key challenges – with suggestions on how to meet and overcome them. This is also a call to action for professionals to come together to tackle these challenges industry-wide.

When I left the Trustmark workshop, I sensed the start of a necessary program that is heading in the right direction. In the weeks since, I have continued to consider the approach – and the challenges that must be overcome — in the context of my own experience with frameworks, education and industry measurement.

Aside: these challenges are not unique to Trustmark – these are challenges many of us face every day, especially when it comes to presentations, standards development, projects and our day-to-day activities.

The next few articles will address some of the key challenges and provide some insights – based on my experience – to successfully address those challenges.


  1. No Need to Reinvent the Wheel
  2. Provide Transparency with Support
  3. Establish a Sound Audit Process


Make a Difference

While you may not (yet) share my enthusiasm for a way to verify how vendors and other businesses protect information, your experience, concerns, insights and ideas are essential to the success of this and other efforts. So – reach out to me by email, telephone, twitter or join me in the Security Catalyst Community to sound off.  I’m interested in any and all feedback – especially from small business owners, VARs, vendors, anyone who has been through this process. 

By blending our voices and experience together, we are able to influence positive change (while actively considering and addressing unintended consequences).

Stay tuned… 


Posted in Information Protection, compliance

Can you be trusted? Can you prove it?

“What questions do I need to ask to make sure my vendor is protecting my information?”

I was asked that question last week by a new client working through the Protecting Information Program (PIP). Following the PIP process, he realized vendors were supporting key systems — raising questions he could not answer. He needed more assurance that he wasn’t taking on unnecessary risk – and was looking for guidance. It is a good question. The challenge, however, is to provide an equally good answer.

Traditionally, the answer to that question is focused on the vendor employees in terms of how many hold a security certification (my status as a CISSP Instructor has been valuable in the past). This is better than nothing, but all-too-common is the situation where the cobbler’s children wear no shoes (or the modern adaptation where the contractor’s spouse never has anything fixed around the house). 

Instead of relying on individuals holding certifications, some turn to checklists. Checklists are both good and dangerous (I feel another post coming on about my experiences with developing checklists). Checklists that are simple, easy to understand and just as easy to apply and answer are more effective. But what happens if the business asking the questions lacks the experience to gauge the answers?

We need a better solution.

I recently got an insider’s look at a better solution: The Security Trustmark, a new organizational-level certification being developed by CompTIA. Some limited information is available here: http://www.comptia.org/sections/trustmark/

From their website:

The CompTIA Security Trustmark is a vendor neutral accreditation around security business capabilities and processes that have been agreed upon by the IT industry to promote generally accepted security practices that will invoke the trust of end-users.

The objective of the CompTIA Security Trustmark accreditation is to develop a baseline standard of security practices around service and support business competencies for Solution Providers and Managed Services Providers (MSPs).

After participating in the workshop and spending a few weeks pondering this approach, I want to briefly introduce what I consider to be the benefits of this offering, share what I liked and explain where I see the challenges (tomorrow).

And then I want to learn – join me in the conversation about this whether by email (securitycatalyst - gmail), by twitter (http://twitter.com/catalyst), in the Security Catalyst Community Discussion Forums or by telephone. I want to learn about other models, efforts, and attempts. I want to understand if there are additional challenges for us to consider. I want to understand how this effort is (or becomes) useful to more people.


The Starting Point

Initially, this approach is geared toward small and mid-size vendors and VARs: companies that work within “the channel.” This approach:

  • sets a standard for smaller companies to achieve, allowing them to demonstrate to their channel partners they pose less risk to work with
  • allows vendors higher confidence across their entire channel
  • creates distinction for VARs and Channel Vendors alike that results in competitive advantage

With the growing attention on breaches, privacy and compliance – rather than working to explain all of your measures, think of the power of explaining that you have attained the Trustmark – publicly verifiable and audited.


The Big Picture (as I see it today)

My passion for this, of course, is bigger. In the last few years, a growing challenge for those I work with is defining and explaining the minimum set of acceptable controls to protect information. Equally challenging for larger organizations is designing and employing third-party (vendor) review processes.

This results in a lot of re-creating the wheel. And it increases the cost of business for everyone involved. I have no argument with the need for due diligence on vendors – but lament every year the lack of a “common application” approach like the one that seems to work for university applicants.

Imagine being able to pre-validate vendors by virtue of having a Trustmark?

Provided the core elements of Trustmark are publicly available (transparent) and regularly maintained to represent the distilled good practices for managing people, information and risk, we collectively take a step forward.

  • Businesses know what is expected of them – and will have the opportunity for the guidance and support to take the appropriate actions for their business. They can then earn the Trustmark designation and use that to differentiate themselves for contracts.
  • Companies seeking to review vendors can greatly cut down on costs and timelines for vendors with a valid and audited Trustmark. It may not replace the current programs – but it certainly establishes a stronger base to start from and increases assurance while decreasing risk.

Done right, Trustmark is not another reinvention of the wheel. Rather, it provides a clear direction for businesses that distills the best of industry guidance. I envision this operating almost as an “overlay” – where several valid methods to meet the controls are deemed acceptable. This reduces complexity and more naturally meets the needs of those who seek the certification. For example, companies already compliant with HIPAA and PCI should be able to easily earn the Trustmark. At the same time, a company that need not meet any of those requirements is equally able to address and satisfy the controls necessary to get certified.

Over time, I envision this meeting the needs of car dealers, medical offices, bank branches – the very places we visit on a regular basis. I see this as the smartest way to distill the best of our industry and present guidance in simple terms to businesses that want to protect information, but focus on other areas (for example, making money).

Answering the Question

No question, I am excited about the potential Trustmark holds (both short-term and long-term). I see this as a real answer to valid and necessary questions about how vendors protect information — in a way that builds trust and allows everyone to focus on whatever they do best while meeting fiduciary duties.

As I was working on this article, I took an unexpected meeting with a company facing the same challenge: how to assess their vendors from an information-protection perspective. The marketplace is ready for standard guidance and a program that builds confidence; we have an opportunity to make a difference!

Tomorrow, I’ll continue this article by explaining the key challenges I see facing Trustmark, as well as some insights on how to avoid them. In the meantime – how do you answer the question when asked about assessing vendors? How do we avoid recreating the wheel? How would this benefit your business?


Posted in Information Protection, compliance

Security Catalyst Show - Pop Culture Security (debut): Night at the Museum

Welcome to the debut of the Pop Culture Security program - a monthly installment of the Security Catalyst Show. Please also welcome James Costello - the man with the idea for this program and my cohost on this effort. This program explores and explains how to use pop culture to communicate security concepts to those around you. We explain by doing, and respond to your challenges.

This podcast is based, to a large extent, on the work James did in preparing for and delivering a peer to peer session at the RSA conference this year. While sitting at Mel’s the morning of his presentation, we enjoyed a conversation about the topic that kept on going, and immediately decided the best way to extend the conversation and build on his efforts was to produce a monthly program.

For our first piece of Pop Culture to use as a reference point to better explain security, we selected Night at the Museum - a comedy with Ben Stiller that is currently (or was) running on Home Box Office (HBO). 

Movie at IMDB (including synopsis): http://www.imdb.com/title/tt0477347/

Movie Trailer: http://www.imdb.com/video/screenplay/vi2459500825/

This movie held many lessons for those responsible for security in addition to providing some excellent examples for us to anchor our points to. We will work to keep the program short, informative and useful - especially if you are interested in building a security awareness training program that works!

To participate in the monthly challenge:

  • call 206-350-8346 and leave us a message with your challenge
  • email popculturesecurity &at& securitycatalyst dot com


PS: I recently purchased a Snowball microphone in an effort to streamline my audio programs and preserve quality. So far, I am disappointed with the quality of the unit - and feel that my sound is hollow and tinny; as such, I’ll be exploring how to restore the sound quality I appreciate in the coming days. The challenge is capturing sound in a way that works with Skype for many of these interviews, but is still portable. If you have experiences, ideas and suggestions for something functional, portable and reliable - shoot me a note. In the meantime, enjoy the programs. More to come next week, with an “Author Interview.”



Posted in Information Protection, Security Awareness Training, compliance, netcast

Heading home from Hershey Park (again)

During [these] periods of relaxation after concentrated intellectual activity, the intuitive mind seems to take over and can produce the sudden clarifying insights which give so much joy and delight.
Fritjof Capra, physicist

Again, I find myself packing the RV to return home. Again, I find myself calm, mentally focused and brimming full of ideas. I am convinced that the body and brain need time away in order to make sense of that which we experience. Seems that every time we are in the RV, I am afforded time to think, consider and analyze. As such, I’ll be sharing some of what I observed this weekend as it relates to how we practice information security and change the way people protect information.

In specific, I’ve been thinking about “compliance awareness” — the stuff most people do today in the name of awareness — and “true awareness” — the situations that shift thinking and lead to a behavior change.

In the meantime, I’ve started to look for some additional voices to share their ideas and insights; to act as catalysts to help us think differently about the way we act.

Today, I introduce to you Michael Starks. Michael is an Information Security Professional specializing in host-based security, IDS, log analysis and compliance. He believes in applying basic security principles to an ever-changing threat landscape, and is currently exploring the various ways in which human behavior affects the success of security programs. He is a founding member of the Rochester, NY chapter of ISSA and has served both ISSA and OWASP. He currently holds the CISSP, GSNA and A+ certifications. In his spare time, Michael enjoys spending time with his wife and daughter, and listening to early twentieth-century blues.

Hopefully we can convince him to share with us on a regular basis!


Posted in Information Protection, compliance

You are now Liable for Unintentional Medical Data Breach In NY State

by Patrick Romero

Health care employers be warned – an unintentional data breach could now cost you much more than you imagined. A New York State Appellate Court has recently upheld a $365,000 jury award against a health care center that mistakenly disclosed a patient’s medical information.

A young, unmarried woman who lived with her strict Roman Catholic parents decided to terminate her pregnancy at Long Island Surgi-Center. She gave instructions to Surgi-Center never to call her at home despite providing them with her home telephone number on questionnaire forms. A day after the procedure, a nurse called the number provided to inquire about her condition and to confirm that she had no subsequent medical complications. Unfortunately, the nurse spoke with the woman’s mother and revealed sufficient information to allow the mother to conclude that her daughter had an abortion.

In a 3-2 decision, the Court held that the plaintiff be awarded punitive damages for an unintentional breach of confidential medical information even if there was no malice or malicious behavior by the defendant. As a result, the 2nd Department of New York has expanded the scope of punitive damages to include unintentional medical disclosure regardless of whether the act was done in good-faith.

The case is significant due to the implications for organizations handling medical information. Even though the medical center’s actions were not malicious, intentional or done in bad faith, disclosing the plaintiff’s medical information was found to be grossly negligent and wanton behavior. Based on this interpretation, it appears that it will now be more difficult for healthcare workers to excuse a disclosure of medical information as a mistake or mere negligence.

The Court also appeared to have affirmed the jury’s award for punitive damages in order to send a message about the importance of protecting medical information. Punitive damages are seen as a way for the judiciary to espouse a particular public policy and to deter future violations. The Court here is clearly concerned with instances of wrongful medical disclosure and shows itself to be in sync with state and federal legislative efforts to protect confidential information. The opinion does not discuss violations of federal privacy laws such as the Health Insurance Portability and Accountability Act (HIPAA). However, it does mention New York legislation pertaining to the rights of patients in medical facilities like the one visited by the plaintiff.

More and more states are enacting laws regulating the disclosure of private and confidential information. Court cases like this highlight the need for companies to enact strong compliance rules that clearly describe the conditions under which data can be disclosed. These rules need to be properly understood and followed by all employees of an organization. The decision in New York should highlight the fact that even inadvertent medical disclosure can now lead to serious liability issues.


Posted in Information Protection, compliance

Have you considered engaging a professional speaker to turbo charge your efforts?

As we near the end of the year, I’m advising friends and clients on successful strategies to address their current challenges around improving their security programs, how to reduce the cost of compliance, and engage their people in security awareness programs that get results!

Several of my clients have started to book my keynotes and training programs using end of year budget; they view this as the perfect way to kick-start their programs next year. Obviously, I’m biased - but I happen to think this is a good idea.

Engaging me now for a keynote or day-long program brings you my experience, passion, energy and allows you to benefit from the research and effort that has gone into writing the book (http://www.intothebreach.com/into_the_breach.htm).

If you’re ready to engage your people, I’m ready to help you. You can call me at 800.996.8351 and ask for Ffion (FEE-ON). She’ll be more than happy to help you and arrange a time when we can speak.

What do people have to say about my programs?
I take great pride in being able to bring everything I have to each and every engagement. If you’ve worked with me in the past, you’ve experienced my passion and contagious energy. You can read some really appreciated endorsements of my efforts on my profile at http://www.linkedin.com/in/securitycatalyst

“Michael is a rarity in today’s world. He is a fountain of personal energy and knowledge that shows no sign of drying out. Even better than that, his sincere desire is to help others understand information protection concepts for their own personal betterment and for the betterment of the security community as a whole. Michael’s communication style is unabashedly straight-forward – cutting through the mess, and getting right to the point. This makes him a great presenter, coach, or sounding board. I truly appreciate Michael’s contribution to the security community and am grateful he is out there actually *doing* what so many of us talk about, but never seem to actually attempt.”
Mr. Carpenter
Information Security Manager

What are the most requested topics I speak on?
As a professional speaker and member of the National Speakers Association, I work with you to customize a program that meets the precise needs of your audience and delivers the results you need. I bring over a decade of in-the-trenches experience, combined with the breadth and depth I demonstrated as a top CISSP instructor, and deliver it in an engaging, entertaining and simple-to-understand way.

Each of these programs can be tailored for your audience. Call me to explore how I can help you solve your information protection challenges or for program summaries.

Mind the Gap
Journey Into the breach, protect Information and reduce the cost of compliance

Speak with impact!
Communicate security so they really get it

Awareness with Attitude
Developing the mindset for protecting information

Punching Above Your Weight
Get executives to care without peddling fear

Staying Safe (Without Wires)
Protect your information, your identity and your children

Training workshops
I have developed these training programs based on my experience in providing opportunities to engage, understand and practice. If you are looking for clear results from a training session, I invite you to consider:

Results-driven Information Protection Through Leadership (one-day program)
Learn the process-driven approach to improved security, lower costs and higher value

Speaking About Security (two-day program)
Communicate effectively and engage your audience in information protection

Engage. Empower. Enable. (one-day program)
Develop effective awareness programs that connect with your colleagues

See me in action (Video Demonstration)
Actually, the video I currently have is pre-triathlon training; while it shows my passion and energy, it’s time for an update. This means an opportunity for you. I’ve already reached out to some clients about a barter deal in return for high-quality video capture.

If you have the ability to record my keynote or training session this year, then we can make a deal!

What does it mean to be a professional speaker?
First and foremost, it means that I have met the requirements to join the National Speakers Association as a professional member, and I abide by their code of conduct and ethics. Being a member of NSA is not required to be a professional speaker, of course, but it does demonstrate I have achieved a level of success in this pursuit.

As a member of the National Speakers Association, I have the privilege to work with and learn from some of the best and most gifted communicators in the world. All of that learning, practice, feedback and insight goes back into the efforts I bring to you.

As a professional speaker, I actively study the elements of successful communication. I focus on how information becomes understanding - and specifically on how to guide understanding into action. This is a true passion of mine, and I have developed the Security Salon as a direct result. I’ll share more about the salon with you in the coming months.

When you engage me to work with your team or audience, I leverage my skills and experiences in a way that delivers you a program focused on your success.

Each and every engagement - speaking or training - receives extensive preparation and planning. Each message is tailored to your group and crafted to connect with the audience. Depending on the audience, I prepare customized materials and handouts or structure hands-on opportunities to work with the information and experience I am sharing.

When you hire me as a speaker - you get my insights, my passion, my experience and I always bring my contagious energy and can-do spirit.


Posted in Information Protection, Professional Speaking, Security Awareness Training, compliance

[Focus on Privacy] E-Mail Privacy: A short-lived dream?

By Patrick Romero and Michael Santarcangelo

Previously, we explored whether you should be issuing and relying on email disclaimers. This week, we look deeper into email communication to find out whether your emails are considered private communications or not.

When speaking with audiences, this is a topic that generates a lot of questions, opinions and sometimes controversy. While everyone is entitled to his or her opinion on the topic, we wanted to take a look at any legal grounding to form a more complete answer.

In the business world, the answer is pretty clear: if you are using the resources of your company, then you have no expectation of privacy. However, what about when you’re using your personal email account, on non-company resources? Do you have a reasonable expectation of privacy for those messages?

The crux of the argument here is one of the Fourth Amendment. Basically, does the government need to rise to the level of requiring a subpoena in order to compel your ISP to provide a copy of your email records, and in the process notify you that it has done so?

Think about that for a second.

This has implications both for you personally and for your organization. What standard is the government required to meet in order to obtain your email records? As a company, what standard is the government required to meet in order to compel you to provide email records, especially if you are an ISP or other email provider?

Based on a landmark ruling this past summer, it appeared the easy answer was “yes.” In the ruling, the United States Court of Appeals for the 6th Circuit held that computer users had a “reasonable expectation of privacy” in their e-mail communications.

Not so fast
Yet what was hailed as a victory for privacy advocates was short-lived. Just days ago, on October 9th, 2007, the 6th Circuit granted a rehearing en banc, thereby vacating their earlier decision. This is significant, as an en banc hearing means that instead of the usual three-judge panel decision, all sixteen active judges of the Court will hear this case.

The humble beginning
The decision of the 6th Circuit arose out of the government’s investigation into Steven Warshak and his company, Berkeley Premium Nutraceuticals, Inc. Warshak was being investigated due to allegations of mail and wire fraud, money laundering, and related federal offenses. The government obtained a court order directing the ISPs Yahoo! and NuVox Communications to turn over information pertaining to Warshak’s e-mail account. The order was issued under the Stored Communications Act (SCA) of the Electronic Communications Privacy Act. The SCA requires the government to show that there are “reasonable grounds to believe that the contents of a wire or electronic communication…are relevant and material to an ongoing criminal investigation.”

The government argued that the court orders issued under the SCA to the ISPs were not searches but rather compelled disclosures, akin to subpoenas. As a result, the higher burden of probable cause required under the 4th Amendment for a search and seizure was inapplicable. The 6th Circuit disagreed, ruling that “a seizure of e-mails from an ISP, without either a warrant supported by probable cause, notice to the account holder to render the intrusion the functional equivalent of a subpoena, or a showing that the user maintained no expectation of privacy in the e-mail, amounts to a” 4th Amendment violation.

Why is email different?
Most Internet users believe that they have a reasonable expectation of privacy in their electronic communications and would be shocked if government agents could snoop around their e-mail box. Americans naively assume that e-mails are private and require that the government seek a warrant supported by probable cause to access them. Whereas telephone calls do have this judicial standard, e-mails today are not afforded the same level of protection due to their technological differences.

The seminal case that enshrined our privacy laws was Katz v. United States. The Supreme Court held that the 4th Amendment protects individuals against unreasonable searches and seizures if an individual can justifiably expect that his communications would remain private. Justice Stewart wrote that “no less than an individual in a business office, in a friend’s apartment, or in a taxicab, a person in a telephone booth may rely upon the protection of the 4th Amendment.”

The government argued that e-mails are not analogous to telephone communications because they require an intermediary. E-mail works by breaking the contents into individual packets that are routed to the sender’s ISP. The ISP then stores and copies the e-mail on its server before transmitting it to the recipient. The government’s theory runs along the lines that since the ISP stores and copies the e-mail, the information was voluntarily turned over. As a result, the sender has forfeited any expectation that the ISP would keep the information private, and the government should be able to access the content stored by the ISP without a showing of probable cause.

Yet while the government is correct in arguing that e-mail is not akin to the telephone, its argument would eradicate any expectation of privacy for any type of communication that requires an intermediary. The fact that an ISP must store and copy the message does not mean that people expect their messages to be turned over to the government by their ISP.

Fallout of the Decision
So what does this mean for you and me? The Court will hear the case again and determine whether the government’s actions were in violation of federal law. While it is always difficult to predict the outcome of such a case, the issues raised by Warshak should be of concern to all Americans. The decision of the court will be one of the most important decisions involving fundamental Constitutional protections. Due to the prevalent use of new technologies, Americans are not being adequately protected by federal statutes. Courts like the 6th Circuit urgently need to establish clearer guidelines for the government and for Americans, to prevent confusion and abuse in the digital age.

In the meantime, remember that email works on a store-and-forward system: if you would not be willing to read what you wrote in the newspaper, you may not want to send it.


Posted in Information Protection, compliance
