The Security Catalyst

by Patrick Romero

Health care employers be warned – an unintentional data breach could now cost you much more than you imagined. A New York State Appellate Court has recently upheld a $365,000 jury award against a health care center that mistakenly disclosed information regarding a patient’s medical information.

A young, unmarried woman who lived with her strict Roman Catholic parents decided to terminate her pregnancy at Long Island Surgi-Center. She gave instructions to Surgi-Center never to call her at home despite providing them with her home telephone number on questionnaire forms. A day after the procedure, a nurse called the number provided to inquire about her condition and to confirm that she had no subsequent medical complications. Unfortunately, the nurse spoke with the woman’s mother and revealed sufficient information to allow the mother to conclude that her daughter had an abortion.

In a 3-2 decision, the Court held that the plaintiff be awarded punitive damages for an unintentional breach of confidential medical information even if there was no malice or malicious behavior by the defendant. As a result, the 2nd Department of New York has expanded the scope of punitive damages to include unintentional medical disclosure regardless of whether the act was done in good-faith.

The case is significant due to the implications for organizations handling medical information. Even though the medical center’s actions were not malicious, intentional or done in bad faith, disclosing the plaintiff’s medical information was grossly negligent and wanton behavior. Based on this interpretation, it appears that it will now be more difficult for healthcare workers to justify disclosure of medical information on mistakes or negligence.

The Court also appeared to have affirmed the jury’s award for punitive damages in order to send a message about the importance of protecting medical information. Punitive damages are seen as a way for the judiciary to espouse a particular public policy and to deter future violations. The Court here is clearly concerned with instances of wrongful medical disclosure and shows itself to be in sync with state and federal legislative efforts to protect confidential information. The opinion does not discuss violations of federal privacy laws such as the Health Insurance Portability and Accountability Act (HIPPA). However, it does mention New York legislation pertaining to the rights of patients in medical facilities like the one visited by the plaintiff.

More and more states are enacting laws regulating the disclosure of private and confidential information. Court cases like this highlight the need for companies to enact strong compliance rules that clearly describe the conditions in which data can be disclosed. These rules need to be properly followed and understood by all employees of an organization. The decision in New York should highlight the fact that even inadvertent medical disclosure can now lead to serious liabilities issues.

If you enjoyed this post, make sure you subscribe to my RSS feed!

By Patrick Romero

One of the principle missions of the Federal Trade Commission is to protect American consumers against activities such as false advertising and unfair business practices. Yet today, instead of confronting meat-packing and railroad industries, the FTC is going to have to monitor technology giants in order to protect American’s online experience and not stifle internet growth.

The FTC held a two-day forum earlier this month regarding online advertising and privacy. The meeting concerned the tactics of behavioral targeting, which is used by online publishers and advertisers to deliver ads based on user’s web-browsing behavior. Advertisers believe that this information helps them deliver better information to consumers and increases the effectiveness of their campaigns. Opponents and civil liberty advocates warn against the erosion of privacy and lack of consent by consumers. They argue that data collected through behavioral targeting could be used by government to monitor users without their consent and could potentially lead to racial profiling and discrimination.

Online privacy has become a major concern, especially in light of the news earlier this year that Google was purchasing internet advertising giant DoubleClick. While Google collects the history of its users through its search engine, DoubleClick tracks what websites people visit. In order to do this, DoubleClick creates profiles for users based on their IP address, domain, browser, local time and date, operating system, and page viewed. The ability for one company with the power to collect data on millions of individuals without any government oversight is disconcerting, to say the least.

The potential harm to consumer privacy that might occur out of the DoubleClick-Google purchase appears not to have stopped others from continuing down the path of online advertising. Social-networking sites are also trying to earn profits by allowing large advertising firms mine to mine for information on their subscriber pages to determine members’ interests and what specialized advertisements would be delivered to them. There has even been recent controversy as to whether this type of targeted advertising is even legal or not.

Past attempts to stop behavioral targeting have been unsuccessful. In 2001, a class action lawsuit was brought against DoubleClick for keeping cookies stored on internet user’s computers without their consent. The court ruled against the plaintiffs citing that there was no violation of the Electronic Communications Privacy Act or the Computer Fraud and Abuse Act because DoubleClick only gathers information concerning a user’s activities on a DoubleClick affiliated web site. The court held that since the user consents to Double Click’s access by visiting the website affiliated with the advertisement, there was no law being violated.

As a result of these legal and business developments, the FTC has to take a more active involvement in slowing down the pace of behavioral targeting. Privacy organizations are calling on the FTC to establish, among other things, an opt-out policy similar to the one applied to telemarketers. They would like to see fines for non-compliance and disclosure of all data-collection practices clearly visible on websites that engage in behavioral targeting.

Yet while these recommendations are a step in the right direction, the government should not try to develop a one-size-fits all model that would stifle the economics on which internet innovation relies upon. The most successful internet companies rely heavily on advertising dollars to sustain their growth and need this capital to generate new technologies. The concerns for consumer privacy should also be taken in tandem with the economic model that continues to fuel new technological advancements.

The Google-DoubleClick acquisition has put online privacy at the forefront of government concern. Congress and the EU have scheduled hearings on the impact that these two companies will have on consumer’s online experience. Proposals for government intervention will surely be considered in order to control how information is used and stored. The debate as to whether there should even be state intervention in this country appears to have begun.

If you enjoyed this post, make sure you subscribe to my RSS feed!

As we near the end of the year, I’m advising friends and clients on successful strategies to address their current challenges around improving their security programs, how to reduce the cost of compliance, and engage their people in security awareness programs that get results!

Several of my clients have started to book my keynotes and training programs using end of year budget; they view this as the perfect way to kick-start their programs next year. Obviously, I’m biased - but I happen to think this is a good idea.

Engaging me now for a keynote or day-long program brings you my experience, passion, energy and allows you to benefit from the research and effort that has gone into writing the book (http://www.intothebreach.com/into_the_breach.htm).

If you’re ready to engage your people, I’m ready to help you. You can call me at 800.996.8351 and ask for Ffion (FEE-ON). She’ll be more than happy to help you and arrange a time when we can speak.

What do people have to say about my programs?
I take great pride in being able to bring everything I have to each and every engagement. If you’ve worked with me in the past, you’ve experienced my passion and contagious energy. You can read some really appreciated endorsements of my efforts on my profile at http://www.linkedin.com/in/securitycatalyst

“Michael is a rarity in today’s world. He is a fountain of personal energy and knowledge that shows no sign of drying out. Even better than that, his sincere desire is to help others understand information protection concepts for their own personal betterment and for the betterment of the security community as a whole. Michael’s communication style is unabashedly straight-forward – cutting through the mess, and getting right to the point. This makes him a great presenter, coach, or sounding board. I truly appreciate Michael’s contribution to the security community and am grateful he is out there actually *doing* what so many of us talk about, but never seem to actually attempt.”
Mr. Carpenter
Information Security Manager

What are the most requested topics I speak on?
As a professional speaker and member of the National Speaker’s Association, I work with you to customize a program that meets the precise needs of your audience and delivers the results you need. I bring over a decade of in-the-trenches experience, combined with the breadth and depth I demonstrated as a top CISSP instructor and deliver it in an engaging, entertaining and simple to understand way.

Each of these programs can be tailored for your audience. Call me to explore how I can help you solve your information protection challenges or for program summaries.

Mind the Gap
Journey Into the breach, protect Information and reduce the cost of compliance

Speak with impact!
Communicate security so they really get it

Awareness with Attitude
Developing the mindset for protecting information

Punching Above Your Weight
Get executives to care without peddling fear

Staying Safe (Without Wires)
Protect your information, your identity and your children

Training workshops
I have developed these training programs based on my experience in providing opportunities to engage, understand and practice. If you are looking for clear results from a training session, I invite you to consider:

Results-driven Information Protection Through Leadership(one-day program)
Learn the process-driven approach to improved security, lower costs and higher value

Speaking About Security (two-day program)
Communicate effectively and engage your audience in information protection

Engage. Empower. Enable. (one-day program)
Develop effective awareness programs that connect with your colleagues

See me in action (Video Demonstration)
Actually, the video I currently have is pre-triathlon training; while it shows my passion and energy, it’s time for an update. This means an opportunity for you. I’ve already reached out to some clients about a barter deal in return for high-quality video capture.

If you have the ability to record my keynote or training session this year, then we can make a deal!

What does it mean to be a professional speaker?
First and foremost, it means that I have met the requirements to join the National Speaker’s Association as a professional member, and I abide by their code of conduct and ethics. Being a member of NSA is not required to be a professional speaker, of course, but it does demonstrate I have achieved a level of success in this pursuit.

As a member of the National Speakers Association, I have the privilege to work with and learn from some of the best and most gifted communicators in the world. All of that learning, practice, feedback and insight goes back into the efforts I bring to you.

As a professional speaker, I actively study the elements of successful communication. I focus on how information becomes understanding - and specifically on how to guide understanding into action. This is a true passion of mine, and I have developed the Security Salon as a direct result. I’ll share more about the salon with you in the coming months.

When you engage me to work with your team or audience, I leverage my skills and experiences in a way that delivers you a program focused on your success.

Each and every engagement - speaking or training - receives extensive preparation and planning. Each message is tailored to your group and crafted to connect with the audience. Depending on the audience, I prepare customized materials and handouts or structure hands-on opportunities to work with the information and experience I am sharing.

When you hire me as a speaker - you get my insights, my passion, my experience and I always bring my contagious energy and can-do spirit.

If you enjoyed this post, make sure you subscribe to my RSS feed!

By Patrick Romero and Michael Santarcangelo

Previously, we explored whether you should be issuing and relying on email disclaimers. This week, we look deeper into email communication to find out if your emails are considered private communications or not.

When speaking with audiences, this is a topic that generates a lot of questions, opinions and sometimes controversy. While everyone is entitled to his or her opinion on the topic, we wanted to take a look at any legal grounding to form a more complete answer.

In the business world, the answer is pretty clear: if you are using the resources of your company, then you have no expectation of privacy. However, what about when you’re using your personal email account, on non-company resources? Do you have a reasonable expectation of privacy for those messages?

The crux of the argument here is one of the fourth amendment. Basically, does the government need to rise to the level of requiring a subpoena in order to require your ISP to provide them a copy of your email records, and in the process, notify you that they have done so.

Think about that for a second.

This has implications for both you personally, and for your organization. What standard is the government required to produce in order to obtain your email records? As a company, what standard is the government required to produce in order to compel you to provide email records – especially if you are an ISP or other email provider.

Based on a landmark ruling this past summer, it appeared the easy answer was “yes.” In the ruling, the United States Court of Appeals for the 6th Circuit held that computer users had a “reasonable expectation of privacy” in their e-mail communications.

No so fast
Yet what was hailed as a victory for privacy advocates was short-lived. Just days ago, on October 9th, 2007, the 6th Circuit granted a rehearing en banc, thereby vacating their earlier decision. This is significant, as an en banc hearing means that instead of the usual three-judge panel decision, all sixteen active judges of the Court will hear this case.

The humble beginning
The decision of the 6th Circuit arose out the government’s investigation into Steven Warshak and his company, Berkeley Premium Nutraceuticals, Inc. Warshak was being investigated due to allegation of mail and wire fraud, money laundering, and related federal offenses. The government obtained a court order directing ISP Yahoo! and NuVox Communications to turn over information pertaining to Warshak’s e-mail account. The order was issued under the Stored Communications Act (SCA) of the Electronic Communications Privacy Act. The SCA requires the government to show that there be “reasonable grounds to believe that the contents of a wire or electronic communication…are relevant and material to an ongoing criminal investigation.”

The government argued that the court order issued under the SCA to the ISPs were not searches but rather compelled disclosures, akin to subpoenas. As a result, the higher burden of probable cause required under the 4th Amendment for a search and seizure was inapplicable. The 6th Circuit disagreed, ruling that “a seizure of e-mails from an ISP, without either a warrant supported by probable cause, notice to the account holder to render the intrusion the functional equivalent of a subpoena, or a showing that the user maintained no expectation of privacy in the e-mail, amounts to a” a 4th Amendment violation.

Why is email different?
Most Internet users believe that they have a reasonable expectation of privacy in their electronic communications and would be shocked if government agents could snoop around their e-mail box. Americans naively assume that e-mails a private and require that the government seek a warrant supported by probable cause to access. Whereas telephone calls due have this judicial standard, e-mails today are not afforded the same level of protection due their technological differences.

The seminal case that enshrined our privacy laws was Katz v. United States
. The Supreme Court held that that the 4th Amendment protects individuals against unreasonable searches and seizes if an individual can justifiable expect that is communications would remain private. Justice Steward wrote that “no less than an individual in a business office, in a friend’s apartment, or in a taxicab, a person in a telephone booth may rely upon the protection of the 4th Amendment.”

The government argued that e-mails are not analogous to telephone communications because they require an intermediary. E-mail works by breaking the contents into individual packets that are routed to the senders ISP. The ISP then stores and copies the e-mail on their server before transmitting it to the recipient. The government’s theory runs along the lines that since the ISP stores and copies the e-mail, the information was voluntarily turned over. As a result, the sender has forfeited any expectation that the ISP would keep the information private and the government should be able to access the content stored by the ISP without a showing of probable cause.

Yet while the government is correct in arguing that e-mail is not akin to the telephone, their argument would eradicate any expectation of privacy for any type of communication which requires an intermediary. The fact that an ISP must store and copy the message does not mean that people expect their messages to be turned over to the government by their ISP.

Fallout of the Decision
So what does this mean for you and me? The Court will hear the case again and determine whether the government’s action were in violation of federal law. While it is always difficult to predict the outcomes of such a case, the issues raised by Warshak should be of concern to all Americans. The decision of the court will be one of the most important decisions involving fundamental Constitutional protections. Due to the prevalent use of new technologies, Americans are not being adequately protected by federal statutes. The need for the courts like the 6th Circuit to establish clearer guidelines to the government and Americans is critically needed to prevent confusion and abuse in the digital age.

In the meantime – remember that email works on a store-and-forward system, and if you are not willing to read what you wrote in the newspaper, you may not want to send it.

If you enjoyed this post, make sure you subscribe to my RSS feed!

By Michael Santarcangelo and Patrick Romero

There are roughly 40 states that have some sort of “data-breach” law or bill being considered that force notification of a company’s security breach (or suspected breach) to their consumers. These laws were enacted as a way to force companies to disclose the possibility that individuals personal information was compromised and that they could potentially become victims of identity theft.

Over the coming months, we’ll spend some time exploring how the different states are handling these statutes. When you peel the layers back a bit, and consider them from different angles, we can learn some interesting elements – useful to us from individual and organizational perspectives.

Even with these new laws in effect, it seems that there is little a person can due to hold a company liable for a data-breach based on their weak security standards. Recently, state governments have begun to change this by imposing liability on the retail business and others, thereby opening the door for consumers to sue companies that do not adequately protect the personal information that they collect.

This is a serious issue that has implications for everyone involved – and ultimately requires clear definitions, mutual understanding and will take years to sort through. In the meantime, we’re going to ignite our series of articles exploring these laws and developments by analyzing some recent events.

Minnesota PCI Legislation
Effective August 1st 2007, Minnesota became the first state to require that all companies handling credit and debit card data comply with the Payment Card Industry (PCI) data security standard (in a future article or podcast, we’ll explore and debate the value of tying the PCI standard to the legislation - Michael).

The state’s new Plastic Card Security Act would prohibit a company from retaining a credit card’s security code data, the PIN verification code number, or the full contents of any track of magnetic strip data. The new legislation is intended to target retailers who continue to store data in violation of PCI standards. The bill also makes it a violation for retailers to a credit card holder’s PIN number longer than 48 hours after authorization of their transaction. Similar bills are pending in Texas, Illinois, Connecticut, and Massachusetts.

The significant of this legislation is important in light of recent ruling by courts that have dismissed class action suits against companies following data-breaches. On August 23, 2007, the US Court of Appeals for the 7th Circuit held that identity-theft monitoring costs paid for by the plaintiffs were not compensable damages under Indian’s security breach notification statute. In Pisciotta v. Old Nat’l Bancorp, the court held that there was no state statute supporting the compensation of incurred costs because “had the Indiana legislature intended that a cause of action should be available against a database owners for failing to protect adequately personal information, we believe it would have made some more definite statement of that intent.” So for the time being, unless you have an actual showing of harm as a victim of identity theft, potential harm will not suffice.

Consequences for the Courts
As more states begin to enact legislation that requires companies to comply with PCI, courts may begin to allow litigants to be compensated as a result of a security break. The argument that courts have made in cases like Pisciotta will clearly be much weaker as states legislatures conspicuously demonstrate their intent to punish companies by enacting specific statutes targeting the security of personal information.

Federal and state courts will feel much more comfortable in their decision to expand their legal theories of liability when supported by statutes that explicitly creates private actions for security breaches. In this context, it is much more likely that Courts will not follow the ruling in Pisciotta until after states pass legislation similar to Minnesota. In other addition, plaintiffs might also receive some relief if a recent bipartisan bill in the U.S. Senate gets passed. The bill, known as the Identity Theft Enforcement and Restitution Act of 2007, was introduced on October 16, 2007 and would give victims the ability to seek restitution for the loss of time and money as a result of identity theft. Such federal legislation could prove to be effective in jurisdictions with no state identity-theft laws.

Consequences for Businesses
Meanwhile, the retail lobby continues to argue against laws that would hold them liable by arguing that these laws would be too costly and burdensome, especially for small businesses. This apparently was the argument that convinced Governor Schwarnenegger to veto a California law that would have mandated the retail industry comply with PCI requirements. While this may be true, legislation in Minnesota limits this burden by exempting businesses with few than 20,000 transactions from their statute. Clearly, there is a way for the legislature of any state to write a statute that can pressure companies to improve their data security standards without crippling small business owners.

While the retail industry will continue to resist such legislation, there is strong support from banks and credit unions, since in the eyes of consumers they often blamed for such breaches. TJX is currently being sued by several banks
who seek compensation for having to re-issue credit cards and credit monitoring to thousands of their customers as a result of a massive security breach earlier this year. Depending on how the case turns out, the burdens and cost of breaches will shift away from consumers, banks, and credit unions but will perhaps be shared by the retailers and others (of course, the consumer pays in the end).

Preparing for the change
As a consequence of new state and federal legislation, the landscape of data security will continue to evolve, sometimes in seemingly dramatic fashion. Individuals and businesses will most likely be able to get their day in court for incurred damages a result of security breaches by a third-party. Industries that have for now been able to get away with having minimum security standards will begin to take notice of their potential liability and hopefully, will improve the way they guard information. While the process is slow, it appears to be inevitable.

This isn’t doom and gloom.

Many of us have already begun to prepare for these changes by improving and writing security policies that make sense and can be understood, improving the process of protecting information and working to involve users in solution through training and awareness. Focus on the fundamentals of information protection and you’ll be less likely to be the test case.

If you enjoyed this post, make sure you subscribe to my RSS feed!

One of the areas I have been interested in is how teams can effectively work in a virtual environment - and in a way that protects information. I like to work virtually, and it’s the only way I can effective support the growing team of professionals behind the security catalyst (we have nearly 10 people now).

I was recently contacted by a group of grad students from Johns Hopkins studying virtual teams. They wanted to pick my brain on the topic of what kills virtual teams, talk a bit of security, and then buttered me up to ask if I would produce a podcast of their results by interviewing an expert. I agreed.

Part of their approach is to conduct a brief six-question survey (this literally takes 5 minutes): http://www.surveymonkey.com/s.aspx?sm=Z23UF52G_2bIvUD_2bSzPICoqA_3d_3d

By participating, you’ll be helping some grad students - and we’ll all get the results with a podcast! We only need 100 people to help - please take a few minutes and share your experiences.

Since I’m conducting the interview of their expert, if you have comments, questions or suggestions, please send them to me before Thursday at securitycatalyst@gmail.com.

Here is some additional background.

The school: Johns Hopkins University Carey Business School
• A business school situated within one of the greatest research universities in the world.
• Innovative business school curricula taught by expert faculty and prominent business leaders, based on the Hopkins model of combining theory and practice.

The class: Building Teams and Developing Teamwork
This course is designed to teach students to benchmark the qualities, characteristics, and structures that lead to high performance teams. They examine the similarities and differences among interdisciplinary work teams, multidisciplinary work teams, cross-functional work teams, and virtual teams. Models of team development and organizational culture are applied to diagnosing, consulting, and facilitating team success.

The project: Bring new knowledge to the field of work team behavior
A group of five Hopkins graduate students were charged with bringing new knowledge to the field of teaming. This group elected to research the world of virtual teaming and in doing so there is a great body of literature on what makes virtual teams successful, but little written about what causes them to fail or at least be sub-optimized. This brief, six question survey addresses potential problems related to virtual teaming and will be used in conjunction with data gather by conducting a series of structured interviews with subject matter experts to examine “virtual team killers.” The final product of this research will be a podcast sharing the research finding and further exploring the topic.

Please take a few minutes and share your experiences and insights: http://www.surveymonkey.com/s.aspx?sm=Z23UF52G_2bIvUD_2bSzPICoqA_3d_3d

If you enjoyed this post, make sure you subscribe to my RSS feed!

Products & Services

“Without change, something sleeps inside us, and seldom awakens. The sleeper must awaken.”
-Frank Herbert

By now you’re getting a sense of what we are doing. With a new interpretation of our role in the information security community, a larger team, more consistent communications and new products and services, we are providing a comprehensive resource for individuals and organizations concerned about protecting data.

It is important that you understand that the change to The Security Catalyst is not cosmetic. While we have updated our marketing, our real investment has gone into developing toolkits, web-based services, new presentations, and bundles of services so that we can deliver what you need – whether you are technically inclined or not. Our new offerings includ• e:

• The Information Protection Toolkit (IPT)

• ‘Speaking About Security’ training sessions for security professionals

• The Privacy and Awareness Toolkit

• Keynote speeches and workshops designed to engage, empower and enable your teams

• Catalyst Sessions - dedicated and private support that blends coaching, consulting, and facilitation with deep industry experience.

We’ve been testing our solutions over the last few months, and I am now excited to offer them with confidence – to help you improve your practice of information protection. We’re putting the final touches on our website so we can share more details with you in the coming days.
Visit our website or contact me for more information.

If you enjoyed this post, make sure you subscribe to my RSS feed!

By Michael Santarcangelo with Patrick G. Romero

If you’re like me, you routinely ignore the email disclaimers that many messages seem to have attached to them these days. For the most part, disclaimers have been added by the company, automatic and out of the hands of the users. Some users include their own, both serious and sometimes to be funny. I’d more or less accepted that some used them, while others didn’t – but paid little mind to the question – do email disclaimers matter?

During a breakfast a few weeks ago, a friend of mine shared a situation in which a business email sent to an individual was later posted to a website (by the recipient). In this case, it wasn’t really a big deal, but then he asked me if he needed to start using an email disclaimer.

It’s been a while since someone asked me if they needed a disclaimer, and my instinct was that it simply wasn’t necessary. Rather than give him a wrong answer, I promised that I’d look into it. With the help of Patrick Romero, this is what we found:

Some Background on Disclaimers
Turns out these disclaimers can be used for a whole list of things – from breach of confidentiality to transmission of viruses to employer’s liability. However, the most common type of disclaimers are those that guarantee the privacy and confidentiality of documents. They usually look something like this:

This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. If you are not the intended recipient you are notified that disclosing, copying, distributing or taking any action in reliance on the contents of this information is strictly prohibited.

With the prevalence of e-mail communication, statements like these have become more and more ubiquitous among private and public companies – the majority are automatically generated whenever a user sends out any information regardless of the content of the message.

So now that we have examined the basis for email disclaimers, let’s dig deeper and explore if they provide any value or serve any purpose.

Can e-mail disclaimers guarantee the privacy and confidentiality of documents?

Generally speaking, e-mail disclaimers are not legally enforceable.

The misconception that they are stems from a lack of knowledge that surrounds the interception of electronic communication. The relevant statute that supports this belief comes from the language of the Electronic Communications Privacy Act of 1986 (ECPA) which includes language that criminalizes the interception of electronic communications. However, ECPA defines “intercept” as “the aural or other acquisition of the contents of any wire, electronic, or oral communication through the use of any electronic, mechanical, or other device.” A narrow reading of the statute would insinuate that only information that has been acquired illegally can be found to be intercepted.

One of the many courts that have defined “intercept” this way is the 8th Circuit. The Court held that electronic communications that have reached their destination are ineligible for interception and, therefore, are outside the protections of the ECPA. As a result, unless an e-mail has been intercepted in transit, the ECPA will not provide legal authority for individuals seeking to prevent disclosure of a misdirected e-mail.

If you are concerned about the privacy and confidentiality of your email, we offer three basic considerations:
1. Use encryption
2. Use the “envelope within an envelope” approach
3. Write carefully, review and think before pressing send

1. Can encryption provide privacy and confidentiality email?
I have spent a lot of time reminding people recently that “solutions follow requirements” – and I’m always hesitant to recommend a solution without understanding the requirements. However, if you are concerned about the privacy and confidentiality of your email communications, you probably need to investigate the use of encryption.

I have always enjoyed learning about and teaching encryption – and while it can be a double-edged sword, it offers the safest means of ensuring privacy of email communications. In general usage, the message is encrypted (and signed in most current applications) before being sent. In a properly constructed and managed solution, only the designated recipient has the ability to decrypt and verify the message – ensuring the confidentiality of the transmission (this is an overly simplified explanation – if you’re thinking about using email encryption, give me a call and we can talk about specific details).

Encryption solutions are available for commercial and personal use. If you’re looking at this for corporate use - please start with your requirements and then select your solution.

2. It’s all about positioning
If you’re convinced that you need to continue to use a disclaimer, then you might consider where you place it. Arguments have been posed that by placing the disclaimer at the bottom of the e-mail, the user is undermining the enforceability of the disclaimer.

Think about it - how can you comply with a disclaimer after having read the content of the e-mail? As a result, there are some who advocate (albeit annoying for those who rely on email) that the disclaimer appear at the top of the e-mail. This option is known as the “envelope within an envelope” approach. The confidential information is sent as an attachment and the text of the e-mail only contains the actual language of the disclaimer.

While this does not guarantee that the recipient will not open the attachment, it could provide some greater standing in litigation if disclosure does occur. Such evidence would be relevant into providing proof that the sender took reasonable measures to ensure the confidentiality of documents.

3. Stop. Think before you press send.
One of the best methods for protecting information (note: information protection doesn’t always mean encryption) is to establish and effectively communicate expectations for proper use of email (if you need some help learning how to communicate policies more effectively – pick up the phone and call, it’s what we do).

Every organization should put in place a company policy with regards to sending confidential information through e-mail. This could range from a “no forwarding” policy to restrictions on what information can and cannot be sent. Clear guidelines within an organization can provide directions for individuals to understand the proper use of e-mail and decrease disclosure of sensitive information.

In the end, some do, some don’t and you get to chose

Currently, there is little case law or statutory interpretation that discusses the legal rights of senders vis-à-vis e-mail disclaimers. With the prevalence of internet use, it is understandable that individuals would attempt to ensure some level of privacy when sending e-mails. Unfortunately, the law today does not provide protection for the misuse of confidential information sent over the internet regardless of a written disclaimer. Companies and individuals need to determine, on their own, the risk of disclosure and how to best protect their privacy.

If you enjoyed this post, make sure you subscribe to my RSS feed!

You may have noticed the new look and feel for the Security Catalyst Blog. We’re in the process of rolling out a brand new website, as well as a more focused blog and podcast. To help, I am pleased to welcome Patrick Romero to the team. He has an impressive background, has served our country well - and is passionate about information protection. Patrick is currently in law school, and will be contributing on a weekly basis.

Meet Patrick
Patrick Romero is a second-year law student at New York Law School and concentrating on issues of internet law. He graduated from Connecticut College cum laude with double majors in international relations and economics and was a member of Pi Sigma Alpha. He also attended the Arabic Language Institute at the American University in Cairo (AUC) prior to attending law school. Mr. Romero served as a Staff Sergeant in the United States Army Multi-National Security Transition Command in Baghdad, Iraq from 2004-2005. During this time, he was awarded many military medals, including the Combat Action Badge, Joint Service Commendation Badge, Iraq Campaign Medal, Armed Forces Overseas Ribbon and the U.S. Army Commendation Medal. He speaks Spanish, French and Arabic.

If you enjoyed this post, make sure you subscribe to my RSS feed!

Communications

“You must be the change you wish to see in the world.”
-Mahatma Gandhi

In Part I of Change is Good, I gave you an overview of our developments at The Security Catalyst. This time I want to focus specifically on communications.

Our new website will be launched at the end of this month. It will offer useful resources for individuals and organizations along with information on our innovative toolkits, training and support such as the:

• Information Protection Toolkit
• ‘Speaking About Security’ training sessions for security professionals
• Catalyst Sessions for one-on-one and team support
• Presentations designed to engage, empower and enable your teams
• Catalyst Club - unique coaching, job-aids and the ability to practice and improve

The Security Catalyst blog and podcast will gain new energy thanks to the addition of two new team members. With their support, we are developing a production schedule which will allow me to share research, analysis and opinions with you on a more regular basis. Shortly, you will notice a new blog template. In a few weeks, you’ll noticea slight change to it’s location (it will be found at /blog). We all have a lot to share, and we’re looking forward to the change.

We are about to start rolling out the changes. You have already seen the new logo. Soon you will experience the new look, feel and functionality of our web-based services. We are excited to finally share these fruits of our labor.

Watch for ‘Change is Good: Part III’ next week.

If you enjoyed this post, make sure you subscribe to my RSS feed!