harnessing the human side of security
by Julie Fuggett Clear, concise, well-written e-mails can be the key to getting what you want, but have you ever considered that they can also save you time, headaches, and even keep you out of hot water? During the incident handling process, we all know that communication is key. Everyone on the incident handling team [...]
As Security Catalysts, it is crucial to consider both the message and the audience *before* communicating. Ignoring this step reduces desire for people to regularly engage us, directly impacting our effectiveness. Not considering our audience also means that after delivering the message, we need to actively check to make sure it was received as intended. This creates extra work, requiring more asking and creating a vicious cycle that wastes our already-limited time. Instead of talking to (or at) someone, lets converse with them.
A New York State Appellate Court has recently upheld a $365,000 jury award against a health care center that mistakenly disclosed information regarding a patient’s medical information…. She gave instructions to Surgi-Center never to call her at home despite providing them with her home telephone number on questionnaire forms. A day after the procedure, a nurse called the number provided to inquire about her condition and to confirm that she had no subsequent medical complications…. In a 3-2 decision, the Court held that the plaintiff be awarded punitive damages for an unintentional breach of confidential medical information even if there was no malice or malicious behavior by the defendant. As a result, the 2nd Department of New York has expanded the scope of punitive damages to include unintentional medical disclosure regardless of whether the act was done in good-faith…. Even though the medical center’s actions were not malicious, intentional or done in bad faith, disclosing the plaintiff’s medical information was grossly negligent and wanton behavior…. The Court here is clearly concerned with instances of wrongful medical disclosure and shows itself to be in sync with state and federal legislative efforts to protect confidential information. The opinion does not discuss violations of federal privacy laws such as the Health Insurance Portability and Accountability Act (HIPPA)…. Court cases like this highlight the need for companies to enact strong compliance rules that clearly describe the conditions in which data can be disclosed.
Yet today, instead of confronting meat-packing and railroad industries, the FTC is going to have to monitor technology giants in order to protect American’s online experience and not stifle internet growth…. They argue that data collected through behavioral targeting could be used by government to monitor users without their consent and could potentially lead to racial profiling and discrimination. Online privacy has become a major concern, especially in light of the news earlier this year that Google was purchasing internet advertising giant DoubleClick…. The potential harm to consumer privacy that might occur out of the DoubleClick-Google purchase appears not to have stopped others from continuing down the path of online advertising. Social-networking sites are also trying to earn profits by allowing large advertising firms mine to mine for information on their subscriber pages to determine members’ interests and what specialized advertisements would be delivered to them…. The court ruled against the plaintiffs citing that there was no violation of the Electronic Communications Privacy Act or the Computer Fraud and Abuse Act because DoubleClick only gathers information concerning a user’s activities on a DoubleClick affiliated web site…. As a result of these legal and business developments, the FTC has to take a more active involvement in slowing down the pace of behavioral targeting…. Yet while these recommendations are a step in the right direction, the government should not try to develop a one-size-fits all model that would stifle the economics on which internet innovation relies upon…. The concerns for consumer privacy should also be taken in tandem with the economic model that continues to fuel new technological advancements.The Google-DoubleClick acquisition has put online privacy at the forefront of government concern.
Basically, does the government need to rise to the level of requiring a subpoena in order to require your ISP to provide them a copy of your email records, and in the process, notify you that they have done so.Think about that for a second…. As a company, what standard is the government required to produce in order to compel you to provide email records – especially if you are an ISP or other email provider.Based on a landmark ruling this past summer, it appeared the easy answer was “yes.†In the ruling, the United States Court of Appeals for the 6th Circuit held that computer users had a “reasonable expectation of privacy†in their e-mail communications…. The humble beginningThe decision of the 6th Circuit arose out the government’s investigation into Steven Warshak and his company, Berkeley Premium Nutraceuticals, Inc. Warshak was being investigated due to allegation of mail and wire fraud, money laundering, and related federal offenses.
…The 6th Circuit disagreed, ruling that “a seizure of e-mails from an ISP, without either a warrant supported by probable cause, notice to the account holder to render the intrusion the functional equivalent of a subpoena, or a showing that the user maintained no expectation of privacy in the e-mail, amounts to a†a 4th Amendment violation. Why is email different?Most Internet users believe that they have a reasonable expectation of privacy in their electronic communications and would be shocked if government agents could snoop around their e-mail box…. As a result, the sender has forfeited any expectation that the ISP would keep the information private and the government should be able to access the content stored by the ISP without a showing of probable cause. Yet while the government is correct in arguing that e-mail is not akin to the telephone, their argument would eradicate any expectation of privacy for any type of communication which requires an intermediary. The fact that an ISP must store and copy the message does not mean that people expect their messages to be turned over to the government by their ISP.
Recently, state governments have begun to change this by imposing liability on the retail business and others, thereby opening the door for consumers to sue companies that do not adequately protect the personal information that they collect…. In the meantime, we’re going to ignite our series of articles exploring these laws and developments by analyzing some recent events.Minnesota PCI LegislationEffective August 1st 2007, Minnesota became the first state to require that all companies handling credit and debit card data comply with the Payment Card Industry (PCI) data security standard (in a future article or podcast, we’ll explore and debate the value of tying the PCI standard to the legislation – Michael).The state’s new Plastic Card Security Act would prohibit a company from retaining a credit card’s security code data, the PIN verification code number, or the full contents of any track of magnetic strip data…. In Pisciotta v. Old Nat’l Bancorp, the court held that there was no state statute supporting the compensation of incurred costs because “had the Indiana legislature intended that a cause of action should be available against a database owners for failing to protect adequately personal information, we believe it would have made some more definite statement of that intent.†So for the time being, unless you have an actual showing of harm as a victim of identity theft, potential harm will not suffice.Consequences for the Courts As more states begin to enact legislation that requires companies to comply with PCI, courts may begin to allow litigants to be compensated as a result of a security break. The argument that courts have made in cases like Pisciotta will clearly be much weaker as states legislatures conspicuously demonstrate their intent to punish companies by enacting specific statutes targeting the security of personal information…. Clearly, there is a way for the legislature of any state to write a statute that can pressure companies to improve their data security standards without crippling small business owners. While the retail industry will continue to resist such legislation, there is strong support from banks and credit unions, since in the eyes of consumers they often blamed for such breaches…. Depending on how the case turns out, the burdens and cost of breaches will shift away from consumers, banks, and credit unions but will perhaps be shared by the retailers and others (of course, the consumer pays in the end).Preparing for the changeAs a consequence of new state and federal legislation, the landscape of data security will continue to evolve, sometimes in seemingly dramatic fashion…. Industries that have for now been able to get away with having minimum security standards will begin to take notice of their potential liability and hopefully, will improve the way they guard information.
One of the areas I have been interested in is how teams can effectively work in a virtual environment – and in a way that protects information. I like to work virtually, and it’s the only way I can effective support the growing team of professionals behind the security catalyst (we have nearly 10 people now). I was recently contacted by a group of grad students from Johns Hopkins studying virtual teams. They wanted to pick my brain on the topic of what kills virtual teams, talk a bit of security, and then buttered me up to ask if I would produce a podcast of their results by interviewing an expert.
Innovative business school curricula taught by expert faculty and prominent business leaders, based on the Hopkins model of combining theory and practice.The class:Building Teams and Developing TeamworkThis course is designed to teach students to benchmark the qualities, characteristics, and structures that lead to high performance teams. They examine the similarities and differences among interdisciplinary work teams, multidisciplinary work teams, cross-functional work teams, and virtual teams. Models of team development and organizational culture are applied to diagnosing, consulting, and facilitating team success.The project:Bring new knowledge to the field of work team behaviorA group of five Hopkins graduate students were charged with bringing new knowledge to the field of teaming. This group elected to research the world of virtual teaming and in doing so there is a great body of literature on what makes virtual teams successful, but little written about what causes them to fail or at least be sub-optimized. This brief, six question survey addresses potential problems related to virtual teaming and will be used in conjunction with data gather by conducting a series of structured interviews with subject matter experts to examine “virtual team killers.â€
I’d more or less accepted that some used them, while others didn’t – but paid little mind to the question – do email disclaimers matter?During a breakfast a few weeks ago, a friend of mine shared a situation in which a business email sent to an individual was later posted to a website (by the recipient)…. With the help of Patrick Romero, this is what we found:Some Background on DisclaimersTurns out these disclaimers can be used for a whole list of things – from breach of confidentiality to transmission of viruses to employer’s liability…. If you are not the intended recipient you are notified that disclosing, copying, distributing or taking any action in reliance on the contents of this information is strictly prohibited.With the prevalence of e-mail communication, statements like these have become more and more ubiquitous among private and public companies – the majority are automatically generated whenever a user sends out any information regardless of the content of the message…. However, ECPA defines “intercept†as “the aural or other acquisition of the contents of any wire, electronic, or oral communication through the use of any electronic, mechanical, or other device.  Can encryption provide privacy and confidentiality email?I have spent a lot of time reminding people recently that “solutions follow requirements†– and I’m always hesitant to recommend a solution without understanding the requirements. However, if you are concerned about the privacy and confidentiality of your email communications, you probably need to investigate the use of encryption.I have always enjoyed learning about and teaching encryption – and while it can be a double-edged sword, it offers the safest means of ensuring privacy of email communications…. In a properly constructed and managed solution, only the designated recipient has the ability to decrypt and verify the message – ensuring the confidentiality of the transmission (this is an overly simplified explanation – if you’re thinking about using email encryption, give me a call and we can talk about specific details).Encryption solutions are available for commercial and personal use…. Think before you press send.One of the best methods for protecting information (note: information protection doesn’t always mean encryption) is to establish and effectively communicate expectations for proper use of email (if you need some help learning how to communicate policies more effectively – pick up the phone and call, it’s what we do).Every organization should put in place a company policy with regards to sending confidential information through e-mail…. In the end, some do, some don’t and you get to choseCurrently, there is little case law or statutory interpretation that discusses the legal rights of senders vis-à -vis e-mail disclaimers.
You may have noticed the new look and feel for the Security Catalyst Blog. We’re in the process of rolling out a brand new website, as well as a more focused blog and podcast. To help, I am pleased to welcome Patrick Romero to the team. He has an impressive background, has served our country well – and is passionate about information protection. Patrick is currently in law school, and will be contributing on a weekly basis.Meet PatrickPatrick Romero is a second-year law student at New York Law School and concentrating on issues of internet law. He graduated from Connecticut College cum laude with double majors in international relations and economics and was a member of Pi Sigma Alpha. He also attended the Arabic Language Institute at the American University in Cairo (AUC) prior to attending law school. Mr. Romero served as a Staff Sergeant in the United States Army Multi-National Security Transition Command in Baghdad, Iraq from 2004-2005. During this time, he was awarded many military medals, including the Combat Action Badge, Joint Service Commendation Badge, Iraq Campaign Medal, Armed Forces Overseas Ribbon and the U.S. Army Commendation Medal.
Communications“You must be the change you wish to see in the world.â€-Mahatma GandhiIn Part I of Change is Good, I gave you an overview of our developments at The Security Catalyst…. Our new website will be launched at the end of this month.
Catalyst Club – unique coaching, job-aids and the ability to practice and improveThe Security Catalyst blog and podcast will gain new energy thanks to the addition of two new team members. With their support, we are developing a production schedule which will allow me to share research, analysis and opinions with you on a more regular basis. Shortly, you will notice a new blog template. In a few weeks, you’ll noticea slight change to it’s location (it will be found at /blog). We all have a lot to share, and we’re looking forward to the change.We are about to start rolling out the changes…. Soon you will experience the new look, feel and functionality of our web-based services…. Watch for ‘Change is Good: Part III’ next week.
Michael Santarcangelo is the catalyst* called upon to deliver successful results when others have struggled and failed to harness the human side of security. Blending a degree in human ecology with … [Read More...]
Effective communication of security ensures that whether written, spoken or blended across delivery options efforts are positioned to reduce friction, bring technology and business objectives into alignment and inspire those we serve to … [Read More...]
Engage with Michael Santarcangelo