<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	xmlns:itunes="http://www.itunes.com/dtds/podcast-1.0.dtd"
xmlns:rawvoice="http://www.rawvoice.com/rawvoiceRssModule/"
>

<channel>
	<title>The Security Catalyst&#187; compliance</title>
	<atom:link href="http://www.securitycatalyst.com/tag/compliance/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.securitycatalyst.com</link>
	<description>harnessing the human side of security</description>
	<lastBuildDate>Wed, 25 Jan 2012 15:57:57 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=</generator>
<!-- podcast_generator="Blubrry PowerPress/2.0.4" -->
	<itunes:summary>harnessing the human side of security</itunes:summary>
	<itunes:author>The Security Catalyst</itunes:author>
	<itunes:explicit>no</itunes:explicit>
	<itunes:image href="http://www.securitycatalyst.com/wp-content/plugins/powerpress/itunes_default.jpg" />
	<itunes:subtitle>harnessing the human side of security</itunes:subtitle>
	<image>
		<title>The Security Catalyst&#187; compliance</title>
		<url>http://www.securitycatalyst.com/wp-content/plugins/powerpress/rss_default.jpg</url>
		<link>http://www.securitycatalyst.com</link>
	</image>
		<item>
		<title>Into the Breach Audio Book Chapter 10: Reducing the Cost of Compliance</title>
		<link>http://www.securitycatalyst.com/2010/05/into-the-breach-audio-series-chapter-10/</link>
		<comments>http://www.securitycatalyst.com/2010/05/into-the-breach-audio-series-chapter-10/#comments</comments>
		<pubDate>Tue, 04 May 2010 10:06:00 +0000</pubDate>
		<dc:creator>Michael Santarcangelo</dc:creator>
				<category><![CDATA[Catalyst Considerations]]></category>
		<category><![CDATA[Into the Breach Audio Book]]></category>
		<category><![CDATA[Podcast]]></category>
		<category><![CDATA[awareness]]></category>
		<category><![CDATA[awareness that works]]></category>
		<category><![CDATA[breach]]></category>
		<category><![CDATA[catalyst]]></category>
		<category><![CDATA[compliance]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://www.securitycatalyst.com/?p=2943</guid>
		<description><![CDATA[Welcome to the continuation of the Into the Breach: Protect Your Business by Managing People, Information and Risk audio series. (Click this link) to learn more about how this book solves today&#8217;s challenges and pick up a complete copy. This series, underwritten by Configuresoft, now part of EMC, is the full and unabridged audio [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.securitycatalyst.com/wp-content/uploads/2009/12/itb-audioseries-150px.png"><img class="alignleft size-full wp-image-2578" title="itb-audioseries-150px" src="http://www.securitycatalyst.com/wp-content/uploads/2009/12/itb-audioseries-150px.png" alt="" width="150" height="150" /></a>Welcome to the continuation of the <a href="http://www.securitycatalyst.com/into-the-breach/"><strong><em>Into the Breach: Protect Your Business by Managing People, Information and Risk</em></strong></a> audio series. <a href="http://www.securitycatalyst.com/into-the-breach/buy-into-the-breach/">(Click this link) to learn more about how this book solves today&#8217;s challenges and pick up a complete copy</a>.</p>
<p>This series, underwritten by Configuresoft, now part of EMC, is the full and unabridged audio version of <em>Into the Breach</em>, written by Michael Santarcangelo and read by the author.</p>
<h3>In this episode (Chapter 10)</h3>
<p>Compliance is not a commodity that can be purchased. And demonstrating compliance at a point in time does not mean information is being protected properly. There is a growing chorus of practitioners that suggest compliance is not security; however, proper security can and often does lead to effective compliance.</p>
<p>The key in managing risk and demonstrating compliance is to engage people in the process of assessing and protecting information – with and without the use of technology and controls.</p>
<p>In this chapter, I share some personal experiences and research that demonstrate the difference between a reactionary approach to compliance and a more mature process that addresses many needs at once.</p>
<p>If you find yourself drowning in compliance – or are trying to convince others of a different approach – this chapter is written for you.</p>
<h3>Put the power of Into the Breach to work for you…</h3>
<p>After listening to this segment of <em>Into the Breach</em>, keep the energy going and support the shift in thinking and inspire behavior change by</p>
<ol>
<li>Engage with Michael on twitter (<a href="http://twitter.com/catalyst">http://twitter.com/catalyst</a>)</li>
<li>Subscribe to The Security Catalyst podcast &amp; blog to get more insights; ask a question and get an answer!</li>
</ol>
]]></content:encoded>
			<wfw:commentRss>http://www.securitycatalyst.com/2010/05/into-the-breach-audio-series-chapter-10/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
<enclosure url="http://www.securitycatalyst.com/podcast/ITB-Santarcangelo-CHAPTER-10.mp3" length="9024246" type="audio/mpeg" />
			<itunes:keywords>awareness,awareness that works,breach,catalyst,compliance,security</itunes:keywords>
		<itunes:subtitle>Welcome to the continuation of the Into the Breach: Protect Your Business by Managing People, Information and Risk audio series. (Click this link) to learn more about how this book solves today&#039;s challenges and pick up a complete copy. - </itunes:subtitle>
		<itunes:summary>Welcome to the continuation of the Into the Breach: Protect Your Business by Managing People, Information and Risk audio series. (Click this link) to learn more about how this book solves today&#039;s challenges and pick up a complete copy.

This series, underwritten by Configuresoft, now part of EMC, is the full and unabridged audio version of Into the Breach, written by Michael Santarcangelo and read by the author.
In this episode (Chapter 10)
Compliance is not a commodity that can be purchased. And demonstrating compliance at a point in time does not mean information is being protected properly. There is a growing chorus of practitioners that suggest compliance is not security; however, proper security can and often does lead to effective compliance.

The key in managing risk and demonstrating compliance is to engage people in the process of assessing and protecting information – with and without the use of technology and controls.

In this chapter, I share some personal experiences and research that demonstrate the difference between a reactionary approach to compliance and a more mature process that addresses many needs at once.

If you find yourself drowning in compliance – or are trying to convince others of a different approach – this chapter is written for you.
Put the power of Into the Breach to work for you…
After listening to this segment of Into the Breach, keep the energy going and support the shift in thinking and inspire behavior change by

	Engage with Michael on twitter (http://twitter.com/catalyst)
	Subscribe to The Security Catalyst podcast &amp; blog to get more insights; ask a question and get an answer!</itunes:summary>
		<itunes:author>The Security Catalyst</itunes:author>
		<itunes:explicit>no</itunes:explicit>
	</item>
		<item>
		<title>How Virtualization Affects GRC</title>
		<link>http://www.securitycatalyst.com/2010/03/how-virtualization-affects-grc/</link>
		<comments>http://www.securitycatalyst.com/2010/03/how-virtualization-affects-grc/#comments</comments>
		<pubDate>Wed, 24 Mar 2010 10:41:12 +0000</pubDate>
		<dc:creator>Guest Blogger</dc:creator>
				<category><![CDATA[Catalyst Considerations]]></category>
		<category><![CDATA[compliance]]></category>
		<category><![CDATA[grc]]></category>
		<category><![CDATA[PCI]]></category>
		<category><![CDATA[risk]]></category>
		<category><![CDATA[virtualization]]></category>

		<guid isPermaLink="false">http://www.securitycatalyst.com/?p=2781</guid>
		<description><![CDATA[By Dave Shackleford Virtualization technology is becoming ubiquitous. More and more organizations are replacing physical infrastructure with virtualized systems, including desktops and servers, and application and storage virtualization are popular as well. Virtualization changes a number of paradigms across the information technology landscape – some obviously for the good, some possibly for the worse. In [...]]]></description>
			<content:encoded><![CDATA[<p><strong>By Dave Shackleford</strong><br />
Virtualization technology is becoming ubiquitous. More and more organizations are replacing physical infrastructure with virtualized systems, including desktops and servers, and application and storage virtualization are popular as well. Virtualization changes a number of paradigms across the information technology landscape – some obviously for the good, some possibly for the worse. In the realm of GRC, virtualization has some distinct points to consider, many of which may require changes in operations and policy, as well as overall information security management.</p>
<p>Where governance is concerned, virtualization brings about changes in <strong>separation of duties</strong> and <strong>policy definition</strong>.</p>
<p>In traditional IT environments, distinct teams with specialized skill sets manage and operate various pieces of the infrastructure. Network engineering and administration teams manage routers and switches, Windows systems admins manage Windows servers, etc. With virtualization technologies, all of these functions are collapsed into a generally cohesive management structure, such as VMware’s vCenter Server.</p>
<p>This leads invariably to challenges with “who manages what” – many IT shops tend to put the burden of managing VMware solutions on Windows admins, for example. These admins now manage the virtual machines, the underlying hypervisor platforms, the virtual networks, storage connections, etc. All of these can be regarded as separate disciplines, and having one team manage them all flies in the face of proper separation of duties.</p>
<p>Along with this problem comes the definition of policies governing the use and oversight of these technologies – who drafts the policies, and which teams are the policy owners?</p>
<p>The overall risk landscape changes dramatically with virtualization, too.</p>
<p>Many of the risks are similar to those we understand today, but are present in a somewhat different form. The lack of proper change management and configuration management programs is still a viable risk that can lead to innumerable security issues, but it is compounded by the operational nuances of virtualization technologies themselves. For example, the act of creating and provisioning systems is simplified immensely – keep a template, generate a new virtual machine from it, move the VM to a host platform, and flip the switch.</p>
<p>Without ensuring that a) the template configuration is patched and up to date, and b) the VM provisioning has gone through change control, the risk of having a new system online that has OS or application-specific vulnerabilities is exponentially higher. Threat vectors change, too – if the hypervisor platform is compromised by an attacker, every virtual machine hosted on that platform is immediately at risk, which tells us that the new risks inherent in hypervisors potentially carry much greater impact than the single-system risks we’ve managed before.</p>
<p>On the compliance front, there is a considerable amount of grey area around how virtualization plays a role. On the one hand, most compliance mandates (SOX, HIPAA, GLBA) are vague enough to leave the interpretation open to both auditors and auditees alike. Herein the issue lies, however – compliance mandates open to subjective interpretation are bad, since potentially unsafe practices may be considered acceptable by different auditors and organizations who don’t understand the risks, technologies, or both.</p>
<p>Even more prescriptive regulations like the PCI DSS don’t specifically address virtualization, which has led to a number of issues around interpretation. For example, PCI DSS section 2.2.1 mandates that all servers involved with payment card data should only have a single function, such as a dedicated Web server or database server. What about virtualization hosts like VMware ESX, though? It’s a single server, but runs VMs that perform a variety of different functions. Although a Virtualization Special Interest Group (SIG) has worked on this, there’s no clear timeframe for integrating their work into the standard. In addition, many auditors just don’t understand virtualization technology, and default to the most restrictive possible implementation methods “just to be safe” – any “knee jerk” reactions of this type are probably a bad thing, in either direction.</p>
<p>Virtualization can help organizations reduce operating costs, and many feel that it’s a key component to “Green IT” strategies aimed at reducing energy consumption. However, despite popular belief, it actually makes the IT environment more rather than less complex, and a number of new processes and approaches are needed to ensure that security and risk management keep pace with its adoption.</p>
<p><em>Dave Shackleford, Director of Security Assessments and Risk &amp; Compliance at Sword &amp; Shield Enterprise Security, is also a SANS Analyst, instructor, course author and GIAC technical director. He has consulted with hundreds of organizations in the areas of regulatory compliance, security, and network architecture and engineering. He&#8217;s worked as CSO for Configuresoft, CTO for the Center for Internet Security, and has also worked as a security architect, analyst, and manager for several Fortune 500 companies.</em></p>
]]></content:encoded>
			<wfw:commentRss>http://www.securitycatalyst.com/2010/03/how-virtualization-affects-grc/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>7 Reasons Why Your Company Needs a Privacy Policy</title>
		<link>http://www.securitycatalyst.com/2010/03/7-reasons-why-your-company-needs-a-privacy-policy/</link>
		<comments>http://www.securitycatalyst.com/2010/03/7-reasons-why-your-company-needs-a-privacy-policy/#comments</comments>
		<pubDate>Tue, 09 Mar 2010 11:04:07 +0000</pubDate>
		<dc:creator>Guest Blogger</dc:creator>
				<category><![CDATA[Catalyst Considerations]]></category>
		<category><![CDATA[Aaron Titus]]></category>
		<category><![CDATA[compliance]]></category>
		<category><![CDATA[Privacy Policies]]></category>

		<guid isPermaLink="false">http://www.securitycatalyst.com/?p=2667</guid>
		<description><![CDATA[Non-attorneys are often (justifiably) baffled at why lawyers take 3,000 words to say what normal people say in 300 and a handshake. At the risk of defending verbosity, it turns out that behind each handshake lies a wide range of non-standard assumptions. Many (if not most) disputes arise when there is a misunderstanding about an [...]]]></description>
			<content:encoded><![CDATA[<div id="attachment_2671" class="wp-caption alignright" style="width: 235px"><a href="http://www.securitycatalyst.com/wp-content/uploads/2010/01/Old-Phone-Dial-375-x-500.jpg"><img class="size-medium wp-image-2671" src="http://www.securitycatalyst.com/wp-content/uploads/2010/01/Old-Phone-Dial-375-x-500-225x300.jpg" alt="" width="225" height="300" /></a><p class="wp-caption-text">Like Phones, Privacy Policies Should be Easy to Use, with a Complex Infrastructure</p></div>
<p>Non-attorneys are often (justifiably) baffled at why lawyers take 3,000 words to say what normal people say in 300 and a handshake. At the risk of defending verbosity, it turns out that behind each handshake lies a wide range of non-standard assumptions. Many (if not most) disputes arise when there is a misunderstanding about an unspoken assumption—the meaning of a word, or silence on a particular issue. That’s why it takes lawyers so many words to say something so simple; simple things are more complex than we thought.</p>
<p>Consider the telephone—an elegant piece of equipment which is exceedingly easy to use. Yet the infrastructure and technology supporting telephony and networking is extremely robust and complex. Consumers pay the telcos to worry about the millions of miles of copper and fiber, routers, substations and central offices. The infrastructure isn&#8217;t a “necessary evil,” it&#8217;s just necessary.</p>
<p><span id="more-2667"></span>Creative Commons is the legal equivalent of the telephone. While the <a href="http://creativecommons.org/licenses/by-nc-sa/3.0/">human-readable version</a> of the “Attribution Non-Commercial Share Alike” creative commons license consists of 5 images and 286 words, the <a href="http://creativecommons.org/licenses/by-nc-sa/3.0/legalcode">legal version</a> contains <strong>3,384 words</strong>. Surely the work of a lawyer who needed to justify his existence, right?</p>
<p>Not so fast. The full license covers a range of essential topics that people don’t usually take time to think about. These include media and language translation, public performance, DRM, collections of works, waiver of compulsory license fees, preservation of moral rights, limitation on author’s liability, and termination, just to name a few. Creative Commons is simple on the surface, but the elegance is supported by a complex legal framework. Saying that the legalese version of a Creative Commons License is a “necessary evil” is incorrect and misses the point. It’s not evil at all; it’s just necessary.</p>
<h1>Privacy Policies: Not a &#8220;Necessary Evil,&#8221; Just Necessary</h1>
<p>Like telephony infrastructure and the Creative Commons licenses, Privacy Policies aren&#8217;t a &#8220;necessary evil,&#8221; they&#8217;re just a necessary part of running a business.  If your business has customers or employees, then you need to safeguard and use personal information.  Your business must develop privacy practices unique to your business.  Laws mandate that you protect personal information, but they do not usually establish privacy practices. That&#8217;s why you need a privacy policy.</p>
<p>Writing a privacy policy is a tall order because it must address the broad range of activities in which your company engages, and be as simple to use as a telephone.</p>
<p>Privacy policies should cover online as well as offline uses of personal information, because each use carries unique challenges. As you establish Privacy Practices and your Privacy Policy, consider the following activities:</p>
<ul>
<li><strong>Goods and Services Activities</strong>: Does your privacy policy cover the information collected at point-of-sale, your iPhone app, online store, and through PayPal?  Does your software periodically send licensing, version, or other information to your centralized servers?  Do you collect or share purchase history, preferences, and demographic information with employees, other people, users, or other companies?</li>
<li><strong>Employer Activities</strong>: Does your company have employees?  How do you protect health, financial, employment, and personnel information?  What contractual and technical protections do you offer employees?  Where is the information stored, and do you have physical and legal control over the servers?</li>
<li><strong>Customer Feedback Activities</strong>: Does your company conduct surveys, or invite customers to &#8220;Contact Us?&#8221;  What might you do with that information?</li>
<li><strong>Financial Activities</strong>: Do you accept online payments? Do your retail outlets comply with all industry standards?  Do you store credit card information?</li>
<li><strong>Education Activities</strong>: Does your company sell education material, or conduct certifications?</li>
<li><strong>Social Networking Activities</strong>: Does your company have a corporate blog that accepts user comments?  Do you post to Twitter and YouTube?  Does your company have a Facebook page?  Do you gather aggregate usage information?  What information about your users, fans, commenters and online guests might you collect, and what inferences do you draw from the information?</li>
<li><strong>Network Provider Activities</strong>: Do you offer internet access to employees?  Do you monitor your network activity or restrict access to certain sites?  Do your employees understand what they should consider private and what is accessible to the company?</li>
<li><strong>Government Activities</strong>: Companies which accept government contracts may be required to comply with a wide range of requirements, including background checks and increased security.  What impact do these regulations have on your consumer and employee privacy policies?</li>
<li><strong>Healthcare Activities</strong>: Whether your company creates medical technology or devices, or merely provides healthcare insurance for employees, consider what types of information pass through your systems, and how they are protected.</li>
<li><strong>Non-Networked Activities</strong>: Even if your company is a locally owned Mom-and-Pop restaurant, a mechanic, or corner grocery store with no internet connectivity, what customer information do you collect and use? How do you store and safeguard your paper records?  Do you properly shred or destroy old records?</li>
</ul>
<p>You should cover each of these topics in a customer-facing Privacy Policy or an employee-facing Privacy Policy in your employee handbook.</p>
<h1>Beyond the Basics</h1>
<p>Once you&#8217;ve brainstormed the possible uses of personal information, you must be aware of some little-known US and EU regulations which can affect your privacy practices and policies.</p>
<p><strong><span style="text-decoration: underline;">Privacy in the Cloud</span></strong>. Cloud computing gives small companies instant access to Fortune-500 quality infrastructure at a fraction of the cost. Just like any sort of out-sourcing, Cloud computing may simplify your business model, but unless you&#8217;re careful, it may also seriously complicate your handle on intellectual property and personal information. You should determine what, if any, contractual obligations downstream service providers have to you.  Also consider that the service providers may be located in a jurisdiction which has additional privacy regulations.</p>
<p><strong><span style="text-decoration: underline;">State Laws</span></strong>. A few state laws give specific guidance on what you should include in your privacy policy.  For example, <strong>California law</strong> requires any company which collects personally identifying information over the Internet to conspicuously post a privacy policy.  The privacy policy must identify the categories of personal information collected, how consumers will be notified of changes, and how to update personal information.  <strong>Texas</strong> has similar requirements for any company which requires the disclosure of a social security number. <strong>Massachusetts</strong> requires encryption of personal information in certain circumstances.</p>
<p><strong><span style="text-decoration: underline;">Federal Law</span></strong>. The <strong>Children&#8217;s Online Privacy Protection Act (COPPA)</strong> puts stringent burdens on companies which knowingly collect personal information about children under 13.  In order to avoid COPPA liability, companies must take active steps to avoid collecting personal information from kids. This means, for example, that if you ask for your users&#8217; date of birth, you must deny access to those who indicate that they are under 13 years old.  Your company should have procedures for preventing users from signing up using a different birth year, if the company finds out they are under 13.</p>
<p><strong><span style="text-decoration: underline;">European Union</span></strong>. Unlike the United States, which has adopted narrow privacy regulations aimed at mitigating specific threats, the European Union regulates privacy on a much broader basis.  If your company transfers information from the EU to the United States, you must either comply with EU law or the <strong>EU &#8220;safe harbor&#8221; principles</strong>. The U.S. Commerce Department promulgates guidance on what to include in your privacy policy, to comply with the EU safe harbor provisions.</p>
<p><strong><span style="text-decoration: underline;">Copyright Law</span></strong>. Believe it or not, even copyright law can have an impact on privacy.  The <strong>Digital Millennium Copyright Act (DMCA)</strong> includes a takedown procedure which can require site owners and service providers to report information about infringers to copyright holders, under certain circumstances.  Even though the DMCA does not require companies to disclose their DMCA practices, it&#8217;s a good idea nonetheless.</p>
<p>This is by no means an exhaustive list of privacy statutes or regulations, but it should remind you that a privacy policy is more than just a formality.</p>
<h1>7 Reasons</h1>
<p>So to summarize, here are the 7 reasons you need a privacy policy:</p>
<ol>
<li>If you have customers or employees, you need to safeguard personal information.</li>
<li>Laws do not usually establish Privacy Practices. Privacy Policies create Privacy Practices.</li>
<li>Privacy Policies are often required by law or regulation.</li>
<li>Your business faces privacy challenges which nobody else faces.</li>
<li>Cloud Computing, Social Media, Goods and Services, Employer, and other activities pose unique challenges to handling personal information.</li>
<li>You must comply with specific regulations if you have customers or employees in specific states or the EU, or if your servers (or the servers of a subcontractor) reside in the EU.</li>
<li>Your company has affirmative privacy obligations with respect to minors under 13 years old.</li>
</ol>
<h1>Take Charge</h1>
<p>As an executive, do these three things:</p>
<ol>
<li><strong>Read Your Privacy Policy</strong>.</li>
<li><strong>Brainstorm</strong>.  Using the list above, brainstorm all the activities, types of personal information your company collects (whether personally identifiable or not), and identify which jurisdictions through which the information may flow.</li>
<li><strong>Evaluate and Update</strong>.  Evaluate your privacy policy and employee manual to make sure that they cover the range of possible privacy implications.</li>
</ol>
]]></content:encoded>
			<wfw:commentRss>http://www.securitycatalyst.com/2010/03/7-reasons-why-your-company-needs-a-privacy-policy/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Security From Scratch: Using Compliance For Good</title>
		<link>http://www.securitycatalyst.com/2010/02/using-compliance-for-good/</link>
		<comments>http://www.securitycatalyst.com/2010/02/using-compliance-for-good/#comments</comments>
		<pubDate>Wed, 10 Feb 2010 14:46:24 +0000</pubDate>
		<dc:creator>Guest Blogger</dc:creator>
				<category><![CDATA[Catalyst Considerations]]></category>
		<category><![CDATA[catalyst]]></category>
		<category><![CDATA[compliance]]></category>
		<category><![CDATA[risk management]]></category>
		<category><![CDATA[Security Awareness]]></category>

		<guid isPermaLink="false">http://www.securitycatalyst.com/?p=2723</guid>
		<description><![CDATA[by Dennis Kuntz “This isn’t just a legal compliance issue for us. We consider the privacy issue to be an opportunity to reinforce our brand image.” – Tom Warga, SVP and General Auditor, New York Life Insurance Co. Early in my career I accepted a job rich with challenges and opportunities. It was for a [...]]]></description>
			<content:encoded><![CDATA[<p><strong><a href="http://www.securitycatalyst.com/wp-content/uploads/2010/02/superhero.jpg"><img class="alignright size-full wp-image-2724" src="http://www.securitycatalyst.com/wp-content/uploads/2010/02/superhero.jpg" alt="" width="289" height="415" /></a>by Dennis Kuntz</strong></p>
<p>“This isn’t just a legal compliance issue for us. We consider the privacy issue to be an opportunity to reinforce our brand image.” – Tom Warga, SVP and General Auditor, New York Life Insurance Co.</p>
<p>Early in my career I accepted a job rich with challenges and opportunities. It was for a bank that was not yet Y2K compliant (and yes, this was pre-2000), was under a cease-and-desist order from the <a href="http://www.ots.treas.gov/">Office of Thrift Supervision</a> (OTS) and had a very inefficient system that needed to be rewritten from scratch – from the front end all the way to the back.</p>
<p>They wanted the system completed in technologies with which I was cursorily familiar (though I at least had industry experience). In addition to rewriting the system, I was also <strong><em>starting</em></strong> it months <strong><em>after</em></strong> the OTS had wanted new “financial systems” to be <strong><em>completed</em></strong> (which did not enhance their patience in dealing with us).</p>
<p>On my first meeting with the auditor for the OTS to lay out my plan, I thought I’d break the ice by cracking a joke. I told him, “It’s not Y2K that worries me. It’s Y10K – those 5 digit years are going to be a bear.”</p>
<p>My attempt at humor was met with a blank stare, an uncomfortable silence, and then a humorless statement about the requirements we needed to fulfill.</p>
<p>This set the stage for my first real introduction to compliance – putting it in place, those that enforce it, and those holding you responsible for the first two items.</p>
<h3>Putting Compliance In Its Place</h3>
<p>Focusing only on compliance almost by definition limits its usefulness.</p>
<p>Many compliance standards change in order to encompass tactics that have already been tried. <a href="http://www.schneier.com/about.html">Bruce Schneier</a> has <a href="http://www.schneier.com/essay-121.html">covered this concept</a> within the context of terrorism and explains how ineffective it is.</p>
<p>However, most compliance standards also have a “spirit” (or intent) in addition to the “letter of the law”. For example, <a href="http://www.hhs.gov/ocr/privacy/">HIPAA</a> aims to protect “individually identifiable health information”; <a href="https://www.pcisecuritystandards.org/index.php">PCI</a> aims to protect cardholder data, etc. By focusing efforts on embracing the spirit of the compliance standard, the end result is “compliance” and a vastly superior job at actually protecting information.</p>
<h3>Answering for Your Efforts</h3>
<p>Having to “answer for your compliance efforts” doesn’t always mean an audit.</p>
<p>Sometimes there is an internal role that oversees compliance efforts for the whole company. In my opinion, the best way to deal with anyone whose job it is to judge your efforts is to be honest (of course), but in a way that first seeks to understand their role.</p>
<p>When dealing with an auditor, try to understand what it is they are looking for (fellow contributor Jim McFee does a great job of <a href="http://www.securitycatalyst.com/2010/01/driving-compliance-what-we-have-versus-what-we-need/">explaining this perspective</a>).</p>
<p>Often, auditors are looking for proof the “letter of the law” was followed, or otherwise properly addressed. By understanding the auditing procedures and general expectations regarding the compliance standard it is possible to position actions in a way that make sense, demonstrate compliance and reduce friction.</p>
<p>The advantage (albeit sometimes hidden) when working with an internal colleague is the simple fact that everyone shares the same corporate goal: achieve compliance and protect company information. Working toward a common goal makes a difference (along with a deep breath and sometimes a squeeze ball).</p>
<h3>Using Compliance for the Greater Good</h3>
<p>Information security compliance standards almost always receive the attention of those who may not normally be focused on information security risks: legal, management, etc. This is primarily because of the legal and financial implications of <strong><em>not</em></strong> obtaining or maintaining compliance.</p>
<p>This can be an advantage in managing the company’s risk.</p>
<p>Not only may decision makers be more willing within the context of a compliance effort to spend money on information security, but they may also be more open to education and awareness efforts.</p>
<p>Ultimately our job is to protect company assets and help to manage risk.</p>
<p>While on the surface compliance can simply be a necessary evil, when looked at with some creativity, most compliance efforts present opportunities to improve the security posture of your company beyond the requirements themselves.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.securitycatalyst.com/2010/02/using-compliance-for-good/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Driving Compliance:  What We Have versus What We Need</title>
		<link>http://www.securitycatalyst.com/2010/01/driving-compliance-what-we-have-versus-what-we-need/</link>
		<comments>http://www.securitycatalyst.com/2010/01/driving-compliance-what-we-have-versus-what-we-need/#comments</comments>
		<pubDate>Tue, 26 Jan 2010 14:06:53 +0000</pubDate>
		<dc:creator>Guest Blogger</dc:creator>
				<category><![CDATA[Catalyst Considerations]]></category>
		<category><![CDATA[audit]]></category>
		<category><![CDATA[compliance]]></category>
		<category><![CDATA[identity management]]></category>
		<category><![CDATA[SDLC]]></category>

		<guid isPermaLink="false">http://www.securitycatalyst.com/?p=2703</guid>
		<description><![CDATA[By Jim McFee A common statement an auditor hears is, “our IT department is mature; we have everything we need for an IT Audit.” A common thought an auditor thinks is, “yeah, right.” So which of these statements is more accurate? More importantly, which one increases or decreases risk? Without creating a laundry list, let’s [...]]]></description>
			<content:encoded><![CDATA[<p><strong>By Jim McFee</strong></p>
<blockquote><p>A common statement an auditor hears is, “our IT department is mature; we have everything we need for an IT Audit.”</p>
<p>A common thought an auditor thinks is, “yeah, right.”</p></blockquote>
<p><a href="http://www.securitycatalyst.com/wp-content/uploads/2010/01/gears.jpg"><img class="alignright size-medium wp-image-2705" title="gears" src="http://www.securitycatalyst.com/wp-content/uploads/2010/01/gears-300x200.jpg" alt="" width="300" height="200" /></a>So which of these statements is more accurate? More importantly, which one increases or decreases risk?</p>
<p>Without creating a laundry list, let’s take a look from the auditors’ perspective by breaking down the components of compliance into five main domains:</p>
<ul>
<li>Logical Access</li>
<li>Physical Access</li>
<li>Operations</li>
<li>Change Management</li>
<li>System Development</li>
</ul>
<p>In my last article, I introduced the concept of developing a “Culture of Compliance” &#8212; something to keep in mind as we delve deeper into each section.</p>
<h3>Logical Access</h3>
<p>Logical access is the way people (employees, contractors, partners) gain access to the systems that process information. An auditor looks for clearly defined and followed processes.</p>
<p>In my experience, this is where IT needs to work with the whole organization on the core of logical access: user provisioning (my fellow contributor Ioana Bazavan Justus is authoring a great series on Identity Management).</p>
<p>Once defined, logical access must be certified with established tools or a manual effort. The ideal approach is a preventive control that flags segregation-of-duties conflicts across application systems. Few organizations use this today, but I strongly urge the consideration and adoption of this capability. The more common approach is a “detective” control that works, but requires a significant budget and hours to complete. To be clear, “complete” means re-testing!</p>
<p>Access reviews need to include identification of administrative accounts (including who has access to these accounts) and validation of whether the level of access is actually <strong><em><span style="text-decoration: underline;">required</span></em></strong>. I recommend not taking anyone’s <em>word</em> for this; test and document it. It is important to have a documented methodology for monitoring administrative accounts, and logs to prove it.</p>
<h3>Physical Access</h3>
<p>Physical access covers access to buildings, data centers and other sensitive areas. The appropriate policies and reviews need to cover the entire process for new hires, transfers, terminations, contractors, vendors, etc. To be effective, this often requires cooperation with Human Resources (HR), Legal, and Compliance and possibly some business units.</p>
<p>Think like an auditor: once access to the data center is documented, reviewed (quarterly) and signed, the auditor(s) will generally pick a terminated IT staff member to audit.</p>
<p>This is where the “culture of compliance” comes in – rather than hoping the process works, it pays to establish an environment where employees take the right actions as a matter of course. In this case, it means they log all entry by contractors, vendors and other guests and validate this list against an electronic record of entrance.</p>
<p>A quick sign of success is when even escorted coworkers are asked to sign a log file for entrance into the Data Center.</p>
<h3>Operations</h3>
<p>Operations are the lifeblood of the organization.</p>
<p>Many organizations have a facilities department separate from IT, which requires cooperation between teams. This is also a reason to have a single person drive the compliance and audit process – to streamline these connections and provide a measure of continuity.</p>
<p>Make sure vendor contracts are in order for the facilities/physical equipment such as fire suppression, heating/cooling and other support systems. When the culture understands the importance of protecting this information, each department will notify others of changes and work together to ensure updates and “coverage.”</p>
<p>Good auditors look to assess if the team has a handle on inventory or manages by incomplete spreadsheets with a hope of accuracy. This is an area where the use of automated discovery tools pays dividends.</p>
<p>There is much ground to be covered here, and it must include the who, what, where and when of job scheduling. Changes to job scheduling are a process, whether for changing frequencies, adding, deleting, or even emergency procedures.</p>
<p>Another area of focus: ensure backup processes are documented, reviewed, and followed.</p>
<p>Think like an auditor: provide logging details, and be ready to explain job failures and how they are handled! If an auditor asks about failures and the response is “we have none,” it triggers (or should) a lot more questions.</p>
<h3>Change Management</h3>
<p>In general, the key to change management/development is authorizations.</p>
<p>This starts from the top with project approval forums all the way down to and including authorization to put code into production. Each phase (QA, testing, and CM) should define requirements, necessary documentation and authorizations. Where appropriate, several levels of approval are required.</p>
<p>Change control is not limited to applications.</p>
<p>Network configuration (port address) changes and changes to OS configurations also need to follow the change control process. Emergency changes often fall through the cracks of standard procedures. Establish a process that allows the flexibility to get the task completed, but make sure you have post-implementation documentation and verbal approvals documented after the fact.</p>
<h3>System Development</h3>
<p>Time to really consider, implement and/or follow SDLC documentation (need a starting point? check out: <a href="http://www.shellmethod.com/refs/SDLC.pdf">http://www.shellmethod.com/refs/SDLC.pdf</a>). Pay close attention to the two primary parties, the end users and the developers, and their responsibilities.</p>
<p>A simple question to start the process: does the current process, what people are actually doing, match what is documented?</p>
<p>In many cases – maybe even most – the answer is either no, or worse, “documentation, we don’t have documentation!” Larger, more mature organizations tend to have a dedicated quality assurance (QA) department that often engages in auditing or assessing the system development process.</p>
<p>In general, workflow applications are great, but avoid the concept of “assumed authorizations”. The workflow had better meet the documented levels of authorization.</p>
<p>Some people may sneer at the concept of a “culture of compliance,” but their personal experiences don’t diminish the importance of engaging people in every aspect of the process – to the point where it is ingrained in the very culture of the organization. The reality is that compliance becomes a process, and the organizations that are focused on engaging their people are able to meet compliance goals without imposing (too many) additional burdens.</p>
<p>Quite simply, this <strong><em>is</em></strong> establishing, nurturing and supporting a culture of compliance.</p>
<p>By considering these five areas, it is possible to provide some structure and ask good, probing questions that lead to conversations that ultimately inform the decisions and actions of others. Change the way people think when developing and making system changes and 85% of your challenges will gradually melt away.</p>
<p>This is simple to test:</p>
<p>1 – Have a manager ask an SE to grant him admin rights, complete with a bit of a story. If the result is a change in access on the fly, there is an immediate opportunity to educate. In my experience, the education might be better as a discussion with questions, as opposed to scolding and “gotcha.” Connecting the person to the consequences of their actions – in their words – goes much further.</p>
<p>2 – Ask the customer if they do post-implementation testing. Does it meet the initial scope of the project? Are “lessons learned” documented and kept on file?</p>
<p>3 – Ask the Data Center manager when the next scheduled fire suppression equipment inspection is due. Not needed instantly, but they should be able to produce a copy of the contract and the last maintenance records.</p>
<p>What do you think?</p>
<p>Share your challenges, successes or questions about how to effectively drive your audit and compliance program in the comments below.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.securitycatalyst.com/2010/01/driving-compliance-what-we-have-versus-what-we-need/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Getting Behind the Wheel: Driving Audit and Compliance</title>
		<link>http://www.securitycatalyst.com/2009/12/getting-behind-the-wheel-driving-audit-and-compliance/</link>
		<comments>http://www.securitycatalyst.com/2009/12/getting-behind-the-wheel-driving-audit-and-compliance/#comments</comments>
		<pubDate>Tue, 15 Dec 2009 11:34:14 +0000</pubDate>
		<dc:creator>Michael Santarcangelo</dc:creator>
				<category><![CDATA[Catalyst Considerations]]></category>
		<category><![CDATA[audit]]></category>
		<category><![CDATA[catalyst]]></category>
		<category><![CDATA[compliance]]></category>
		<category><![CDATA[mcfee]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://www.securitycatalyst.com/?p=2600</guid>
		<description><![CDATA[“Pass on all hills and curves.” ~Author Unknown The concept of the audit, to some, may feel relatively new and immature. However, financial statements have been audited since the 1800s and regulated IT Audits got a footing in the 1970s. The challenge in making sense of audits is in the approach: are you driven by [...]]]></description>
			<content:encoded><![CDATA[<p align="right"><em>“Pass on all hills and curves.” ~Author Unknown</em></p>
<p>The concept of the audit, to some, may feel relatively new and immature. However, financial statements have been audited since the 1800s and regulated IT Audits got a footing in the 1970s. The challenge in making sense of audits is in the approach: are you <strong>driven by</strong> compliance and audits<strong>, or are you driving the audits and compliance?</strong></p>
<p>In my experience, compliance and audits are more journey – and less road trip. The challenge in preparing for this journey is the murky starting point, winding roads and changing conditions that must be successfully navigated. And when finished, the reward is taking another lap.</p>
<h3>Developing a “Culture of Compliance”</h3>
<p>Day in and day out those who work in finance adhere to basic principles that over time have simply become habit. These basic principles are in part derived from the understanding that they will be audited against their actions. We, as IT experts, tend to have much more of a cowboy approach to getting work accomplished. Now that IT is being held accountable we need to instill the same ideology of daily work ethics that is second nature in finance departments.</p>
<p>This concept of cultural development is awkward at best when considered in bits and bytes. While IT staff are experts in their fields, they often have difficulty understanding the purpose of perceived red tape (commonly experienced as additional process to get code into production). For many, it just doesn’t make sense and feels more like an obstacle than a useful control.</p>
<p>Building the culture of compliance takes time, dedication, education, and prompts some interesting debates. Yet the journey is rewarding and the results proof positive of the investment. Over the course of the next year, I’ll share my experiences learned over the last two decades to ease the journey for everyone.</p>
<h3>Sell the concept, reap the benefits</h3>
<p>Management responsibility – wait for it &#8211; “must be driven from the top down.” It’s quoted a lot, and for good reason. And I agree. The outcome of IT assessments, sometimes in combination with finance audits, has a direct impact on the bottom line.</p>
<p>Who would you rather do business with: a company that has process deficiencies and stated exceptions or one that passes the litmus test of <strong><em>standardized</em></strong> IT auditing?</p>
<p>Positive results are an endorsement that the organization is operating efficiently and more importantly securely. This endorsement should be used by your sales and marketing departments at every opportunity.</p>
<h3>Building Support</h3>
<p>Step one: find the right internal sponsor. This sponsor should be the liaison to any audit firm partner. While IT management is needed to explain details of process, systems, and applications, <strong><em>they should not be on point</em></strong>. Often the best bet is a leader in finance. Building on years of experience, savvy finance management can simply save money.</p>
<p>Of course there are exceptions; mature IT organizations can fulfill this role with the understanding that it is critical to update senior finance management throughout any audit.</p>
<h3>Should IT audit and compliance be managed internally?</h3>
<p>This question needs to be asked regardless of the size of the organization. It is common practice to hire external audit firms (opposing) to prepare your organization for an IT audit. Independent assessments can help identify process deficiencies, help with documentation and, more importantly, ensure a smooth audit when it counts.</p>
<p><strong><em>Quite simply, if you need to bring an organization into “compliance” within a predefined time frame, external help may be your only option.</em></strong> If the decision (or only choice) is to manage this internally, then dedicated staff is essential. This team needs the expertise in systems, applications, security and perhaps more importantly the ability to communicate and educate others on why IT auditing is so important. We’ll explore this more in the future (and quite frankly, I’ve seen Michael in action, and he is the master of this &#8212; and he makes it easy for others to do it, too).</p>
<p>One of the best tangible outcomes of this whole process is detailed documentation. Interesting how there is never time to develop or update documentation; now the excuses are kicked and a valid reason exists. These policies, standards, and other documents are the foundation of the IT department, the keys to success.</p>
<h3>What’s in it for me?</h3>
<p>Develop this “Culture of Compliance” within the IT department and witness creative solutions being developed with the base principles of security and with forethought into what auditors really want: Who, What, When, and How!</p>
<h3>Sound off</h3>
<p>How have you developed a culture of compliance in your organization? Or has your compliance car skidded off the road along the path? Engage in the discussion in the comments and we’ll work on getting there together.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.securitycatalyst.com/2009/12/getting-behind-the-wheel-driving-audit-and-compliance/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>FTC Says Bloggers Must Disclose Freebies</title>
		<link>http://www.securitycatalyst.com/2009/11/ftc-says-bloggers-must-disclose-freebies/</link>
		<comments>http://www.securitycatalyst.com/2009/11/ftc-says-bloggers-must-disclose-freebies/#comments</comments>
		<pubDate>Thu, 05 Nov 2009 11:00:11 +0000</pubDate>
		<dc:creator>Guest Blogger</dc:creator>
				<category><![CDATA[Catalyst Considerations]]></category>
		<category><![CDATA[Aaron Titus]]></category>
		<category><![CDATA[communication]]></category>
		<category><![CDATA[compliance]]></category>
		<category><![CDATA[disclaimers]]></category>
		<category><![CDATA[policy]]></category>
		<category><![CDATA[risk]]></category>
		<category><![CDATA[social media]]></category>
		<category><![CDATA[twitter]]></category>

		<guid isPermaLink="false">http://www.securitycatalyst.com/?p=2391</guid>
		<description><![CDATA[by Aaron Titus The FTC recently announced new guidelines requiring bloggers to disclose when they get freebies in exchange for reviews. Adopted by a vote of 4-0, this is the first update of the FTC&#8217;s Guides Concerning the Use of Endorsements and Testimonials in Advertising in 29 years. The rules go into effect on December [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.securitycatalyst.com/wp-content/uploads/2009/10/Money-Magnifying-Glass-300-x-201.jpg"><img class="alignright size-full wp-image-2393" src="http://www.securitycatalyst.com/wp-content/uploads/2009/10/Money-Magnifying-Glass-300-x-201.jpg" alt="A Closer Look at the Money" width="300" height="201" /></a>by Aaron Titus</p>
<p>The FTC recently announced <a href="http://www.ftc.gov/os/2009/10/091005endorsementguidesfnnotice.pdf">new guidelines</a> requiring bloggers to disclose when they get freebies in exchange for reviews.  Adopted by a vote of 4-0, this is the first update of the FTC&#8217;s <a href="http://www.ftc.gov/bcp/guides/endorse.htm"><em>Guides Concerning the Use of Endorsements and Testimonials in Advertising</em></a> in 29 years. The rules go into effect on December 1, 2009.</p>
<p><span id="more-2391"></span>The FTC <a href="http://www.ftc.gov/opa/2009/10/endortest.shtm">press release</a> emphasizes that under the new rules, &#8220;both advertisers and endorsers may be liable for… failure to disclose material connections between [them].&#8221;  Material connections include payments or free products, which must be disclosed in a &#8220;clear and conspicuous&#8221; manner.  Both bloggers and advertisers may face FTC sanctions without proper disclosure, even if the advertiser contracts with an ad agency.</p>
<p>Here&#8217;s the bottom line: <strong>Bloggers</strong> – Clearly disclose whether you received payment or a free product when giving endorsements. <strong>Advertisers</strong> – Make sure social media marketing plans require your ad agencies and paid bloggers to disclose whether an endorsement is paid.</p>
<p>But bloggers shouldn&#8217;t worry too much.  Simply saying something good about a product is not enough to break the new rules.  Instead, there must be a &#8220;material connection&#8221; between the advertiser and endorser.  This is generally understood to mean that the advertiser 1. provides consideration (i.e., payment or free product), 2. in exchange for an endorsement.  When this happens, the editorial independence of the endorser becomes questionable, and the relationship between the advertiser and blogger must be disclosed.</p>
<p>Simply blogging about a free sample will not break the FTC rules.  For example, blogging positively about a free product you received from a coupon or free store sample is OK because the article is completely independent and outside the control of the advertiser.  In contrast, that same blogger who receives a free product in exchange for a product review must clearly state that he or she has been compensated for their opinion.</p>
<p>The FTC has indicated that they plan to enforce the provisions primarily against advertisers, rather than bloggers.  This creates interesting challenges for advertisers, many of whom are already reeling from social media overload.  Purely consumer-generated reviews will not create liability for advertisers.  However, if the advertiser initiated the process that led to consumer endorsements (for example, by providing free products to bloggers or enrolling word-of-mouth marketing programs), then the advertiser might be liable for whatever those consumers say.</p>
<p>In addition, simply using an ad agency doesn&#8217;t break the chain of liability.  Unless advertisers are careful, they may incur liability if their advertising agency gives a free product to a blogger, who then fails to disclose the gift.  Advertisers should remember that <em>paid bloggers can now incur liability on advertisers</em>, and in this sense, they should treat paid bloggers just like any other employee or company agent.</p>
<p>Tips for Advertisers:</p>
<ol>
<li><strong>Tell Your Bloggers</strong>:  Always require bloggers to include standard language such as &#8220;PAID ADVERTISEMENT,&#8221; &#8220;PAID PRODUCT REVIEW,&#8221; or similar conspicuous and unambiguous language in their posts whenever you send them free products.</li>
<li><strong>Watch Your Bloggers</strong>: Advertisers will be liable for misleading statements from paid bloggers.  However, you may mitigate liability if you &#8220;advise [paid bloggers] of their responsibilities and&#8230; monitor their online behavior.&#8221;</li>
<li><strong>Tell Your Advertising Agency</strong>:  In your advertising agency contract, require them to insist that bloggers disclose gifts.</li>
<li><strong>Ask for Indemnity</strong>: Require indemnity from your advertising agency, should they fail to notify the blogger, and treat paid bloggers like employees for liability purposes.</li>
</ol>
<p>Tips for Advertising Agencies (especially Social Media):</p>
<ol>
<li><strong>Market Your Knowledge</strong>: Advertisers will appreciate that you know about this new regulation.  Let advertisers know that your knowledge puts you in a position to decrease their liability.</li>
<li><strong>Tell Your Bloggers</strong>: See above.</li>
<li><strong>Watch Your Bloggers</strong>: See above.</li>
</ol>
<p>Tips for Bloggers:</p>
<ol>
<li><strong>Be Clear</strong>: If you got paid, or if you got a free product, disclose it up front.  There are no magic words. You may use plain English to describe your relationship with the advertiser in your article. If you would rather opt for the legalese-disclaimer approach, try something catchy like &#8220;I shamelessly took a free widget from Acme Co. in exchange for this review,&#8221; or &#8220;I have sold my soul and this review to Acme Co. And all I got in exchange was a free widget.&#8221; The good standby, &#8220;Paid Product Review,&#8221; should work fine (if you have no personality).</li>
<li><strong>Be Conspicuous</strong>: If you choose to take the legalese-disclaimer approach, your disclosure should be somewhere readers can easily see it, such as the top of the page, or before the first sentence of the article.  While all-caps or bold words may not be necessary in every circumstance, they may aid in making the text stand out.</li>
<li><strong>Don&#8217;t Worry Too Much</strong>: First, ethical bloggers already disclose their connections with advertisers. Second, you won&#8217;t incur liability unless you are actually acting on behalf of a company when you write a product review.  As a truly independent blogger, you can still write anything you want about any product you want (within the limits of the law).  Now you just have to disclose whether you got paid for your opinion.</li>
</ol>
<p>It will be interesting to see how Twitter advertisers react to this new regulation. Perhaps a shorthand for &#8220;Paid Product Review&#8221; will develop in the Twittersphere, much like &#8220;RT&#8221; for Retweet.  May I be the first to suggest, &#8220;PPR,&#8221; &#8220;Paid,&#8221; or my favorite, &#8220;:-$&#8221;</p>
<p><em>Note: The author received no free products or services from the FTC (or anyone else, for that matter) in exchange for this blog article.</em></p>
]]></content:encoded>
			<wfw:commentRss>http://www.securitycatalyst.com/2009/11/ftc-says-bloggers-must-disclose-freebies/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Into the Breach &#8211; Audio Book Chapter &#8211; 3 &#8220;Breaking the Security Diet&#8221;</title>
		<link>http://www.securitycatalyst.com/2009/10/into-the-breach-audio-series-chapter-3/</link>
		<comments>http://www.securitycatalyst.com/2009/10/into-the-breach-audio-series-chapter-3/#comments</comments>
		<pubDate>Wed, 07 Oct 2009 02:15:17 +0000</pubDate>
		<dc:creator>Michael Santarcangelo</dc:creator>
				<category><![CDATA[Into the Breach Audio Book]]></category>
		<category><![CDATA[Podcast]]></category>
		<category><![CDATA[assessment]]></category>
		<category><![CDATA[audit]]></category>
		<category><![CDATA[catalyst]]></category>
		<category><![CDATA[compliance]]></category>
		<category><![CDATA[encryption]]></category>
		<category><![CDATA[into the breach]]></category>
		<category><![CDATA[keynote speaker]]></category>
		<category><![CDATA[regulation]]></category>
		<category><![CDATA[santarcangelo]]></category>

		<guid isPermaLink="false">http://www.securitycatalyst.com/?p=2406</guid>
		<description><![CDATA[Welcome to the continuation of the Into the Breach: Protect Your Business by Managing People, Information and Risk audio series. (Click this link) to learn more about how this book solves today&#8217;s challenges and pick up a complete copy. This series, underwritten by Configuresoft, now part of EMC, is the full and unabridged audio [...]]]></description>
			<content:encoded><![CDATA[<h3><span style="font-weight: normal; font-size: 13px;"><a href="http://www.securitycatalyst.com/wp-content/uploads/2009/12/itb-audioseries-150px.png"><img class="alignleft size-full wp-image-2578" title="itb-audioseries-150px" src="http://www.securitycatalyst.com/wp-content/uploads/2009/12/itb-audioseries-150px.png" alt="" width="150" height="150" /></a>Welcome to the continuation of the <a href="http://www.securitycatalyst.com/into-the-breach/"><strong><em>Into the Breach: Protect Your Business by Managing People, Information and Risk</em></strong></a> audio series. <a href="http://www.securitycatalyst.com/into-the-breach/buy-into-the-breach/">(Click this link) to learn more about how this book solves today&#8217;s challenges and pick up a complete copy</a>. This series, underwritten by Configuresoft, now part of EMC, is the full and unabridged audio version of <em>Into the Breach</em>, written by Michael Santarcangelo and read by the author. Join us for a new chapter released on the first Tuesday of each month (there are 13 chapters total).</span></h3>
<h3>In chapter 3 : Breaking the Security Diet</h3>
<p><em>Breaking the security diet</em> is recognition that what happens in organizations today is more akin to a crash diet than a healthy approach to securing information. In this chapter, Michael reveals the high cost of this &#8220;fad diet&#8221; approach and shines a light on the new fad diet: <strong>encryption</strong>. However, there is a solution, and Michael explains how to break the fad diet, improve leadership and engage individuals. A pivotal chapter in the book, designed to create a fundamental change in the way organizations and individuals protect information.</p>
<h3>Put the power of Into the Breach to work for you</h3>
<p>After listening to this segment of <em>Into the Breach</em>, keep the energy going and support the shift in thinking and inspire behavior change by</p>
<ol>
<li>Engage with Michael on twitter (<a href="http://twitter.com/catalyst">http://twitter.com/catalyst</a>)</li>
<li>Subscribe to The Security Catalyst podcast &amp; blog to get more insights; ask a question and get an answer!</li>
</ol>
]]></content:encoded>
			<wfw:commentRss>http://www.securitycatalyst.com/2009/10/into-the-breach-audio-series-chapter-3/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
<enclosure url="http://www.securitycatalyst.com/podcast/ITB-Santarcangelo-CHAPTER-3.mp3" length="11584278" type="audio/mpeg" />
			<itunes:keywords>assessment,audit,catalyst,compliance,encryption,into the breach,keynote speaker,regulation,santarcangelo</itunes:keywords>
		<itunes:subtitle>Welcome to the continuation of the Into the Breach: Protect Your Business by Managing People, Information and Risk audio series. (Click this link) to learn more about how this book solves today&#039;s challenges and pick up a complete copy. This series,</itunes:subtitle>
		<itunes:summary>Welcome to the continuation of the Into the Breach: Protect Your Business by Managing People, Information and Risk audio series. (Click this link) to learn more about how this book solves today&#039;s challenges and pick up a complete copy. This series, underwritten by Configuresoft, now part of EMC, is the full and unabridged audio version of Into the Breach, written by Michael Santarcangelo and read by the author. Join us for a new chapter released on the first Tuesday of each month (there are 13 chapters total).
In chapter 3 : Breaking the Security Diet
Breaking the security diet is recognition that what happens in organizations today is more akin to a crash diet than a healthy approach to securing information. In this chapter, Michael reveals the high cost of this &quot;fad diet&quot; approach and shines a light on the new fad diet: encryption. However, there is a solution, and Michael explains how to break the fad diet, improve leadership and engage individuals. A pivotal chapter in the book, designed to create a fundamental change in the way organizations and individuals protect information.
Put the power of Into the Breach to work for you
After listening to this segment of Into the Breach, keep the energy going and support the shift in thinking and inspire behavior change by

	Engage with Michael on twitter (http://twitter.com/catalyst)
	Subscribe to The Security Catalyst podcast &amp; blog to get more insights; ask a question and get an answer!</itunes:summary>
		<itunes:author>The Security Catalyst</itunes:author>
		<itunes:explicit>no</itunes:explicit>
	</item>
		<item>
		<title>Into the Breach – Audio Series – Chapter 2 (People Just Want to Do Their Jobs)</title>
		<link>http://www.securitycatalyst.com/2009/09/into-the-breach-audio-series-chapter-2/</link>
		<comments>http://www.securitycatalyst.com/2009/09/into-the-breach-audio-series-chapter-2/#comments</comments>
		<pubDate>Tue, 01 Sep 2009 13:34:53 +0000</pubDate>
		<dc:creator>Michael Santarcangelo</dc:creator>
				<category><![CDATA[Podcast]]></category>
		<category><![CDATA[awareness]]></category>
		<category><![CDATA[catalyst]]></category>
		<category><![CDATA[compliance]]></category>
		<category><![CDATA[emc]]></category>
		<category><![CDATA[into the breach]]></category>
		<category><![CDATA[santarcangelo]]></category>

		<guid isPermaLink="false">http://www.securitycatalyst.com/?p=2293</guid>
		<description><![CDATA[Welcome to the audio series of Into the Breach: Protect Your Business by Managing People, Information and Risk (click this link to learn more about this book and pick up a complete copy – to get started on your personal journey). This series, underwritten by Configuresoft, now part of EMC, is the full and unabridged [...]]]></description>
			<content:encoded><![CDATA[
<h3><span style="font-weight: normal; font-size: 13px;"><a href="http://www.securitycatalyst.com/wp-content/uploads/2009/12/itb-audioseries-150px.png"><img class="alignleft size-full wp-image-2578" title="itb-audioseries-150px" src="http://www.securitycatalyst.com/wp-content/uploads/2009/12/itb-audioseries-150px.png" alt="" width="150" height="150" /></a>Welcome to the audio series of <a href="http://www.securitycatalyst.com/into-the-breach/"><strong><em>Into the Breach: Protect Your Business by Managing People, Information and Risk</em></strong></a><strong><em> </em></strong>(<a href="http://www.securitycatalyst.com/into-the-breach/buy-into-the-breach/">click this link to learn more about this book and pick up a complete copy – to get started on your personal journey</a>). This series, underwritten by <a href="http://www.vmware.com/products/configuration-manager/resource.html">Configuresoft, now part of EMC</a>, is the full and unabridged audio version of <em>Into the Breach</em>, written by Michael Santarcangelo and read by the author. Join us for a new chapter released on the first Tuesday of each month (there are 13 chapters total).</span></h3>
<h3>What you’ll find in this episode (Chapter 2: People Just Want to do their Jobs)</h3>
<p>Chapter 2 reframes the challenge with powerful insights about the way people “just want to do their jobs.” Michael introduces what he calls the two principles &#8211; a powerful concept about how people do their jobs, and an eye-opener that leads to improved interactions. The corollary to these principles is also explored, along with guidance on what to do about it. With a focus on individuals, Michael explains, “Compliance is not a video game” and reveals that a common approach of “exclusion” is creating more harm than good. The chapter wraps up with a discussion of “the human response to pain” – with a common example played out in organizations everywhere.</p>
<h3>Put the power of Into the Breach to work for you…</h3>
<p>After listening to this segment of Into the Breach, keep the energy going and support the shift in thinking and inspire behavior change by</p>
<ol>
<li>Engage with Michael on twitter (<a href="http://twitter.com/catalyst">http://twitter.com/catalyst</a>)</li>
<li>Subscribe to The Security Catalyst podcast &amp; blog to get more insights; ask a question and get an answer!</li>
<li>Check out Awareness that Works™ – Michael Santarcangelo’s program to guide smart investment in people, with guaranteed results (this program pays for itself).</li>
</ol>
]]></content:encoded>
			<wfw:commentRss>http://www.securitycatalyst.com/2009/09/into-the-breach-audio-series-chapter-2/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
<enclosure url="http://www.securitycatalyst.com/podcast/ITB-Santarcangelo-CHAPTER-2.mp3" length="13480326" type="audio/mpeg" />
			<itunes:keywords>awareness,catalyst,compliance,emc,into the breach,santarcangelo</itunes:keywords>
		<itunes:subtitle>Welcome to the audio series of Into the Breach: Protect Your Business by Managing People, Information and Risk (click this link to learn more about this book and pick up a complete copy – to get started on your personal journey). This series,</itunes:subtitle>
		<itunes:summary>Welcome to the audio series of Into the Breach: Protect Your Business by Managing People, Information and Risk (click this link to learn more about this book and pick up a complete copy – to get started on your personal journey). This series, underwritten by Configuresoft, now part of EMC, is the full and unabridged audio version of Into the Breach, written by Michael Santarcangelo and read by the author. Join us for a new chapter released on the first Tuesday of each month (there are 13 chapters total).
What you’ll find in this episode (Chapter 2: People Just Want to do their Jobs)
Chapter 2 reframes the challenge with powerful insights about the way people “just want to do their jobs.” Michael introduces what he calls the two principles - a powerful concept about how people do their jobs, and an eye-opener that leads to improved interactions. The corollary to these principles is also explored, along with guidance on what to do about it. With a focus on individuals, Michael explains, “Compliance is not a video game” and reveals that a common approach of “exclusion” is creating more harm than good. The chapter wraps up with a discussion of “the human response to pain” – with a common example played out in organizations everywhere.
Put the power of Into the Breach to work for you…
After listening to this segment of Into the Breach, keep the energy going and support the shift in thinking and inspire behavior change by

	Engage with Michael on twitter (http://twitter.com/catalyst)
	Subscribe to The Security Catalyst podcast &amp; blog to get more insights; ask a question and get an answer!
	Check out Awareness that Works™ – Michael Santarcangelo’s program to guide smart investment in people, with guaranteed results (this program pays for itself).</itunes:summary>
		<itunes:author>The Security Catalyst</itunes:author>
		<itunes:explicit>no</itunes:explicit>
	</item>
		<item>
		<title>You are now Liable for Unintentional Medical Data Breach In NY State</title>
		<link>http://www.securitycatalyst.com/2007/12/you-are-now-liable-for-unintentional-medical-data-breach-in-ny-state/</link>
		<comments>http://www.securitycatalyst.com/2007/12/you-are-now-liable-for-unintentional-medical-data-breach-in-ny-state/#comments</comments>
		<pubDate>Thu, 06 Dec 2007 17:07:17 +0000</pubDate>
		<dc:creator>Michael Santarcangelo</dc:creator>
				<category><![CDATA[Catalyst Considerations]]></category>
		<category><![CDATA[awareness]]></category>
		<category><![CDATA[breach]]></category>
		<category><![CDATA[catalyst]]></category>
		<category><![CDATA[communication]]></category>
		<category><![CDATA[compliance]]></category>
		<category><![CDATA[hipaa]]></category>
		<category><![CDATA[legislation]]></category>
		<category><![CDATA[policy]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://www.securitycatalyst.com/2007/12/06/you-are-now-liable-for-unintentional-medical-data-breach-in-ny-state/</guid>
		<description><![CDATA[A New York State Appellate Court has recently upheld a $365,000 jury award against a health care center that mistakenly disclosed a patient’s medical information....  She gave instructions to Surgi-Center never to call her at home despite providing them with her home telephone number on questionnaire forms.  A day after the procedure, a nurse called the number provided to inquire about her condition and to confirm that she had no subsequent medical complications....  In a 3-2 decision, the Court held that the plaintiff be awarded punitive damages for an unintentional breach of confidential medical information even if there was no malice or malicious behavior by the defendant.  As a result, the 2nd Department of New York has expanded the scope of punitive damages to include unintentional medical disclosure regardless of whether the act was done in good faith....  Even though the medical center’s actions were not malicious, intentional or done in bad faith, disclosing the plaintiff’s medical information was grossly negligent and wanton behavior....  The Court here is clearly concerned with instances of wrongful medical disclosure and shows itself to be in sync with state and federal legislative efforts to protect confidential information.  The opinion does not discuss violations of federal privacy laws such as the Health Insurance Portability and Accountability Act (HIPAA)....  Court cases like this highlight the need for companies to enact strong compliance rules that clearly describe the conditions under which data can be disclosed.]]></description>
			<content:encoded><![CDATA[<p><strong>by Patrick Romero</strong></p>
<p>Health care employers be warned – an unintentional data breach could now cost you much more than you imagined.  A <a href="http://jacquelineklosek.com/2007/11/24/ny-case-upholds-punitive-damages-for-unintential-data-breach" class="broken_link">New York State Appellate Court has recently upheld a $365,000</a> jury award against a health care center that mistakenly disclosed a patient’s medical information.</p>
<p>A young, unmarried woman who lived with her strict Roman Catholic parents decided to terminate her pregnancy at Long Island Surgi-Center.  She gave instructions to Surgi-Center never to call her at home despite providing them with her home telephone number on questionnaire forms.  A day after the procedure, a nurse called the number provided to inquire about her condition and to confirm that she had no subsequent medical complications.  Unfortunately, the nurse spoke with the woman’s mother and revealed sufficient information to allow the mother to conclude that her daughter had an abortion.</p>
<p>In a 3-2 decision, the Court held that the plaintiff be awarded punitive damages for an unintentional breach of confidential medical information even if there was no malice or malicious behavior by the defendant.  As a result, the 2nd Department of New York has expanded the scope of punitive damages to include unintentional medical disclosure regardless of whether the act was done in good faith.</p>
<p>The case is significant due to the implications for organizations handling medical information.  Even though the medical center’s actions were not malicious, intentional or done in bad faith, disclosing the plaintiff’s medical information was grossly negligent and wanton behavior.  Based on this interpretation, it appears that it will now be more difficult for healthcare workers to excuse a disclosure of medical information as a mistake or negligence.</p>
<p><a href="http://www.jacksonlewis.com/legalupdates/article.cfm?aid=1226">The Court also appeared to have affirmed the jury’s award for punitive damages in order to send a message about the importance of protecting medical information</a>.  Punitive damages are seen as a way for the judiciary to espouse a particular public policy and to deter future violations.  The Court here is clearly concerned with instances of wrongful medical disclosure and shows itself to be in sync with state and federal legislative efforts to protect confidential information.  The opinion does not discuss violations of federal privacy laws such as the Health Insurance Portability and Accountability Act (HIPAA).  However, it does mention New York legislation pertaining to the rights of patients in medical facilities like the one visited by the plaintiff.</p>
<p>More and more states are enacting laws regulating the disclosure of private and confidential information.  Court cases like this highlight the need for companies to enact strong compliance rules that clearly describe the conditions under which data can be disclosed.  These rules need to be properly followed and understood by all employees of an organization.  The decision in New York should highlight the fact that even inadvertent medical disclosure can now lead to serious liability issues.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.securitycatalyst.com/2007/12/you-are-now-liable-for-unintentional-medical-data-breach-in-ny-state/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Into the Breach is in the home stretch; I&#8217;m headed to Charlotte to finish it up</title>
		<link>http://www.securitycatalyst.com/2007/11/into-the-breach-is-in-the-home-stretch-im-headed-to-charlotte-to-finish-it-up/</link>
		<comments>http://www.securitycatalyst.com/2007/11/into-the-breach-is-in-the-home-stretch-im-headed-to-charlotte-to-finish-it-up/#comments</comments>
		<pubDate>Fri, 30 Nov 2007 01:40:59 +0000</pubDate>
		<dc:creator>Michael Santarcangelo</dc:creator>
				<category><![CDATA[Catalyst Considerations]]></category>
		<category><![CDATA[catalyst]]></category>
		<category><![CDATA[coaching]]></category>
		<category><![CDATA[compliance]]></category>
		<category><![CDATA[Information Protection]]></category>
		<category><![CDATA[Security Awareness Training]]></category>

		<guid isPermaLink="false">http://www.securitycatalyst.com/2007/11/29/into-the-breach-is-in-the-home-stretch-im-headed-to-charlotte-to-finish-it-up/</guid>
		<description><![CDATA[I've heard other authors exclaim that at the end of the writing process, it felt as if they were ready to give birth -- and couldn't wait for this labor of love to be done....  Now that I'm nearing the home stretch of this book, I'm starting to understand...Into the Breach: Why Companies Fail to Protect Data and What We Need to Do About It has been under development long enough!  I have distilled the problem and presented a careful and easy-to-follow solution that will help companies improve their top line, protect their bottom lines and manage people, risk and information more efficiently.  I am writing a book for business leaders to understand the fundamentals of how to unmask our human problem and take simple steps to reduce the chaos....  Seriously, though, my best friend lives in Charlotte - and he and some other good friends have suggested that we consider moving our base of operations to the Carolinas.  The more they tell me about the region, the more I'm inclined to agree, so I decided it would be a good time to take 10-12 days to head down and check it out, while wrapping up the book. I could use your help: If you live or do business in Charlotte - I would love to speak with you, or even meet with you in the next two weeks.  I'm seriously considering moving our business there -- and I'd like to learn about the business climate, partnership opportunities (or companies looking for a partner), family environment and the like....  I'm happy to share. When you will get the book: I plan to have the galley copies out by the end of the month to my review team....  I promise I'll do what I can to get this information to you and into the hands of decision makers as soon as I can. I also am offering a limited number of my Information Protection Program to companies that want to implement the suggestions in the book to reduce the risk of breach, while reducing the cost of compliance.]]></description>
			<content:encoded><![CDATA[<p>I&#8217;ve heard other authors exclaim that at the end of the writing process, it felt as if they were ready to give birth &#8212; and couldn&#8217;t wait for this labor of love to be done. Well, I&#8217;ve been the husband/father side of pregnancy, and it was smooth sailing for me. Now that I&#8217;m nearing the home stretch of this book, I&#8217;m starting to understand&#8230;</p>
<p><em><a href="http://www.securitycatalyst.com/into-the-breach/">Into the Breach: Why Companies Fail to Protect Data and What We Need to Do About It</a></em> has been under development long enough! I have distilled the problem and presented a careful and easy-to-follow solution that will help companies improve their top line, protect their bottom lines and manage people, risk and information more efficiently. I am writing a book for business leaders to understand the fundamentals of how to unmask our human problem and take simple steps to reduce the chaos.</p>
<p>I&#8217;m ready to get this out there &#8211; and to share what I have learned and help more companies. So&#8230; I have decided to pack up the RV (it&#8217;s cold here in NY) and head down to Charlotte, NC. Why Charlotte? Why not. Seriously, though, my best friend lives in Charlotte &#8211; and he and some other good friends have suggested that we consider moving our base of operations to the Carolinas. The more they tell me about the region, the more I&#8217;m inclined to agree, so I decided it would be a good time to take 10-12 days to head down and check it out, while wrapping up the book.</p>
<p><strong>I could use your help</strong><br />
If you live or do business in Charlotte &#8211; I would love to speak with you, or even meet with you in the next two weeks. I&#8217;m seriously considering moving our business there &#8212; and I&#8217;d like to learn about the business climate, partnership opportunities (or companies looking for a partner), family environment and the like. If you have a friend in Charlotte, perhaps an introduction would be possible?</p>
<p><strong>Do you want a preview of the book?</strong><br />
I&#8217;m going to be hip-deep in finishing up the book. If you live in Charlotte and want to get a free preview &#8211; let me know and we can catch up. I&#8217;ll bring what I&#8217;m up to, and you can help me work through any rough spots while I get the manuscript finished off. I look forward to meeting you and working through the elements. This goes for business, personal&#8230; whatever. In fact&#8230; if you want to schedule some time with me and your team, I can share some of the keynote and strategies for success with you. I&#8217;ve been testing the book for the last year, and I know this works. I&#8217;m happy to share.</p>
<p><strong>When you will get the book</strong><br />
I plan to have the galley copies out by the end of the month to my review team. I plan to have the entire project finished by the end of January and then it&#8217;s off to the printer!</p>
<p><strong>If you can&#8217;t wait (for business or personal reasons)</strong><br />
I will be making a sample chapter available in the next few weeks. It&#8217;s seriously top priority for me. At that time, I&#8217;ll be able to accept pre-orders and take requests for autographed copies, too.</p>
<p>At the same time &#8212; you can book me right now for a dynamic keynote to prepare your organization now. In fact, we&#8217;re lining some up for December so that people can get this information before the new year! I promise I&#8217;ll do what I can to get this information to you and into the hands of decision makers as soon as I can.</p>
<p><em>I also am offering a limited number of my Information Protection Program to companies that want to implement the suggestions in the book to reduce the risk of breach, while reducing the cost of compliance. If you&#8217;re serious about changing the way people protect information, I&#8217;d like to have a conversation with you about how my program can help.</em></p>
]]></content:encoded>
			<wfw:commentRss>http://www.securitycatalyst.com/2007/11/into-the-breach-is-in-the-home-stretch-im-headed-to-charlotte-to-finish-it-up/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Online Advertising: The Start of a Long Debate</title>
		<link>http://www.securitycatalyst.com/2007/11/online-advertising-the-start-of-a-long-debate-2/</link>
		<comments>http://www.securitycatalyst.com/2007/11/online-advertising-the-start-of-a-long-debate-2/#comments</comments>
		<pubDate>Mon, 26 Nov 2007 14:07:41 +0000</pubDate>
		<dc:creator>Michael Santarcangelo</dc:creator>
				<category><![CDATA[Catalyst Considerations]]></category>
		<category><![CDATA[advertising]]></category>
		<category><![CDATA[communication]]></category>
		<category><![CDATA[compliance]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[Security Awareness Training]]></category>

		<guid isPermaLink="false">http://www.securitycatalyst.com/2007/11/26/online-advertising-the-start-of-a-long-debate-2/</guid>
		<description><![CDATA[Yet today, instead of confronting the meat-packing and railroad industries, the FTC is going to have to monitor technology giants in order to protect Americans’ online experience without stifling internet growth....  They argue that data collected through behavioral targeting could be used by government to monitor users without their consent and could potentially lead to racial profiling and discrimination.  Online privacy has become a major concern, especially in light of the news earlier this year that Google was purchasing internet advertising giant DoubleClick....  The potential harm to consumer privacy that might occur out of the DoubleClick-Google purchase appears not to have stopped others from continuing down the path of online advertising.  Social-networking sites are also trying to earn profits by allowing large advertising firms to mine for information on their subscriber pages to determine members’ interests and what specialized advertisements would be delivered to them....  The court ruled against the plaintiffs citing that there was no violation of the Electronic Communications Privacy Act or the Computer Fraud and Abuse Act because DoubleClick only gathers information concerning a user's activities on a DoubleClick affiliated web site....  As a result of these legal and business developments, the FTC has to take a more active role in slowing the pace of behavioral targeting....  Yet while these recommendations are a step in the right direction, the government should not try to develop a one-size-fits-all model that would stifle the economics on which internet innovation relies....  The concerns for consumer privacy should also be taken in tandem with the economic model that continues to fuel new technological advancements. The Google-DoubleClick acquisition has put online privacy at the forefront of government concern.]]></description>
			<content:encoded><![CDATA[<p><strong>By Patrick Romero</strong></p>
<p>One of the principal missions of the Federal Trade Commission is to protect American consumers against activities such as false advertising and unfair business practices.  Yet today, instead of confronting the meat-packing and railroad industries, the FTC is going to have to monitor technology giants in order to protect Americans’ online experience without stifling internet growth.</p>
<p>The <a href="http://www.ftc.gov/bcp/workshops/ehavioral/index.shtml">FTC held a two-day forum earlier this month</a> regarding online advertising and privacy.  The meeting concerned the tactics of behavioral targeting, which is used by online publishers and advertisers to deliver ads based on users’ web-browsing behavior.  Advertisers believe that this information helps them deliver better information to consumers and increases the effectiveness of their campaigns.  Opponents and civil liberty advocates warn against the erosion of privacy and lack of consent by consumers. They argue that data collected through behavioral targeting could be used by government to monitor users without their consent and could potentially lead to racial profiling and discrimination.</p>
<p>Online privacy has become a major concern, especially in light of the news earlier this year that <a href="http://www.google.com/intl/en/press/pressrel/doubleclick.html">Google was purchasing internet advertising giant DoubleClick</a>.  While Google collects the history of its users through its search engine, DoubleClick tracks what websites people visit.  In order to do this, DoubleClick creates profiles for users based on their IP address, domain, browser, local time and date, operating system, and page viewed.  One company having the power to collect data on millions of individuals without any government oversight is disconcerting, to say the least.</p>
<p>The potential harm to consumer privacy that might occur out of the DoubleClick-Google purchase appears not to have stopped others from continuing down the path of online advertising.  Social-networking sites are also trying to earn profits by allowing large advertising firms to mine for information on their subscriber pages to determine members’ interests and what specialized advertisements would be delivered to them.  There has even been <a href="http://bits.blogs.nytimes.com/2007/11/08/are-facebooks-social-ads-illegal/?ex=1352264400&amp;en=c7c1eccfb23fee54&amp;ei=5088&amp;partner=rssnyt&amp;emc=rss">recent controversy as to whether this type of targeted advertising is even legal or not.</a></p>
<p>Past attempts to stop behavioral targeting have been unsuccessful.  In 2001, a <a href="http://cyber.law.harvard.edu/is02/readings/doubleclick.html">class action lawsuit was brought against DoubleClick</a> for keeping cookies stored on internet users’ computers without their consent.  The court ruled against the plaintiffs citing that there was no violation of the Electronic Communications Privacy Act or the Computer Fraud and Abuse Act because DoubleClick only gathers information concerning a user&#8217;s activities on a DoubleClick affiliated web site. The court held that since the user consents to DoubleClick’s access by visiting the website affiliated with the advertisement, there was no law being violated.</p>
<p>As a result of these legal and business developments, the FTC has to take a more active role in slowing the pace of behavioral targeting.  Privacy organizations are calling on the FTC to establish, <a href="http://www.democraticmedia.org/news_room/press_release/FTCSupplementalFiling">among other things</a>, an opt-out policy similar to the one applied to telemarketers.  They would like to see fines for non-compliance and disclosure of all data-collection practices clearly visible on websites that engage in behavioral targeting.</p>
<p>Yet while these recommendations are a step in the right direction, the government should not try to develop a one-size-fits-all model that would stifle the economics on which internet innovation relies.  The most successful internet companies rely heavily on advertising dollars to sustain their growth and need this capital to generate new technologies.  The concerns for consumer privacy should also be taken in tandem with the economic model that continues to fuel new technological advancements.</p>
<p>The Google-DoubleClick acquisition has put online privacy at the forefront of government concern.  Congress and the EU have scheduled hearings on the impact that these two companies will have on consumers’ online experience.  Proposals for government intervention will surely be considered in order to control how information is used and stored.  The debate as to whether there should even be state intervention in this country appears to have begun.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.securitycatalyst.com/2007/11/online-advertising-the-start-of-a-long-debate-2/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>[Focus on Privacy] E-Mail Privacy: A short-lived dream?</title>
		<link>http://www.securitycatalyst.com/2007/11/focus-on-privacy-e-mail-privacy-a-short-lived-dream/</link>
		<comments>http://www.securitycatalyst.com/2007/11/focus-on-privacy-e-mail-privacy-a-short-lived-dream/#comments</comments>
		<pubDate>Tue, 06 Nov 2007 21:42:47 +0000</pubDate>
		<dc:creator>Michael Santarcangelo</dc:creator>
				<category><![CDATA[Catalyst Considerations]]></category>
		<category><![CDATA[catalyst]]></category>
		<category><![CDATA[communication]]></category>
		<category><![CDATA[compliance]]></category>
		<category><![CDATA[disclaimers]]></category>
		<category><![CDATA[email]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://www.securitycatalyst.com/2007/11/06/focus-on-privacy-e-mail-privacy-a-short-lived-dream/</guid>
		<description><![CDATA[Basically, must the government obtain a subpoena before it can require your ISP to provide a copy of your email records, and in the process notify you that it has done so? Think about that for a second....  As a company, what standard must the government meet in order to compel you to provide email records – especially if you are an ISP or other email provider? Based on a landmark ruling this past summer, it appeared the easy answer was “yes.”  In the ruling, the United States Court of Appeals for the 6th Circuit held that computer users had a “reasonable expectation of privacy” in their e-mail communications....  The humble beginning: The decision of the 6th Circuit arose out of the government’s investigation into Steven Warshak and his company, Berkeley Premium Nutraceuticals, Inc. Warshak was being investigated due to allegations of mail and wire fraud, money laundering, and related federal offenses.

...The 6th Circuit disagreed, ruling that “a seizure of e-mails from an ISP, without either a warrant supported by probable cause, notice to the account holder to render the intrusion the functional equivalent of a subpoena, or a showing that the user maintained no expectation of privacy in the e-mail, amounts to a” 4th Amendment violation.  Why is email different? Most Internet users believe that they have a reasonable expectation of privacy in their electronic communications and would be shocked if government agents could snoop around their e-mail box....  As a result, the sender has forfeited any expectation that the ISP would keep the information private and the government should be able to access the content stored by the ISP without a showing of probable cause.  Yet while the government is correct in arguing that e-mail is not akin to the telephone, their argument would eradicate any expectation of privacy for any type of communication which requires an intermediary.  The fact that an ISP must store and copy the message does not mean that people expect their messages to be turned over to the government by their ISP.]]></description>
			<content:encoded><![CDATA[<p><strong>By Patrick Romero and Michael Santarcangelo</strong></p>
<p>Previously, <a href="http://www.securitycatalyst.com/2007/10/tsc-insight-do-email-disclaimers-matter/">we explored whether you should be issuing and relying on email disclaimers</a>. This week, we look deeper into email communication to find out if your emails are considered private communications or not.</p>
<p>When speaking with audiences, this is a topic that generates a lot of questions, opinions and sometimes controversy. While everyone is entitled to his or her opinion on the topic, we wanted to take a look at any legal grounding to form a more complete answer.</p>
<p>In the business world, the answer is pretty clear: if you are using the resources of your company, then you have no expectation of privacy. However, what about when youâ€™re using your personal email account, on non-company resources? Do you have a reasonable expectation of privacy for those messages?</p>
<p>The crux of the argument here is one of the <a href="http://caselaw.lp.findlaw.com/data/constitution/amendment04/">fourth amendment</a>. Basically, does the government need to rise to the level of requiring a subpoena in order to require your ISP to provide them a copy of your email records, and in the process, notify you that they have done so?</p>
<p><em>Think about that for a second.</em><br />
<br />
This has implications for both you personally, and for your organization. What standard is the government required to produce in order to obtain your email records? As a company, what standard is the government required to produce in order to compel you to provide email records – especially if you are an ISP or other email provider?</p>
<p>Based on a <a href="https://www.eff.org/cases/warshak-v-usa">landmark ruling</a> this past summer, it appeared the easy answer was "yes." In the ruling, the United States Court of Appeals for the 6th Circuit held that computer users had a "reasonable expectation of privacy" in their e-mail communications.</p>
<p><strong>Not so fast</strong><br />
Yet what was hailed as a victory for privacy advocates was short-lived. Just days ago, on October 9th, 2007, the <a href="http://volokh.com/files/Warshak_en_banc_petition.pdf">6th Circuit granted a rehearing en banc</a>, thereby vacating their earlier decision. This is significant, as an en banc hearing means that instead of the usual three-judge panel decision, all sixteen active judges of the Court will hear this case.</p>
<p><strong>The humble beginning</strong><br />
The decision of the 6th Circuit arose out of the government's investigation into Steven Warshak and his company, Berkeley Premium Nutraceuticals, Inc. Warshak was being investigated due to allegations of mail and wire fraud, money laundering, and related federal offenses. The government obtained a court order directing the ISPs Yahoo! and NuVox Communications to turn over information pertaining to Warshak's e-mail account. The order was issued under the Stored Communications Act (SCA) of the Electronic Communications Privacy Act. The SCA requires the government to show that there be "reasonable grounds to believe that the contents of a wire or electronic communication…are relevant and material to an ongoing criminal investigation."</p>
<p>The government argued that the court orders issued under the SCA to the ISPs were not searches but rather compelled disclosures, akin to subpoenas. As a result, the higher burden of probable cause required under the 4th Amendment for a search and seizure was inapplicable. The 6th Circuit disagreed, ruling that "a seizure of e-mails from an ISP, without either a warrant supported by probable cause, notice to the account holder to render the intrusion the functional equivalent of a subpoena, or a showing that the user maintained no expectation of privacy in the e-mail, amounts to a" 4th Amendment violation.</p>
<p><strong>Why is email different?</strong><br />
Most Internet users believe that they have a reasonable expectation of privacy in their electronic communications and would be shocked if government agents could snoop around their e-mail box. Americans naively assume that e-mails are private and require that the government seek a warrant supported by probable cause to access them. Whereas telephone calls do have this judicial standard, e-mails today are not afforded the same level of protection due to their technological differences.</p>
<p>The seminal case that enshrined our privacy laws was <a href="http://www.law.cornell.edu/supct/html/historics/USSC_CR_0389_0347_ZO.html">Katz v. United States</a>. The Supreme Court held that the 4th Amendment protects individuals against unreasonable searches and seizures if an individual can justifiably expect that his communications would remain private. Justice Stewart wrote that "no less than an individual in a business office, in a friend&#8217;s apartment, or in a taxicab, a person in a telephone booth may rely upon the protection of the 4th Amendment."</p>
<p>The government argued that e-mails are not analogous to telephone communications because they require an intermediary. E-mail works by breaking the contents into individual packets that are routed to the sender's ISP. The ISP then stores and copies the e-mail on its server before transmitting it to the recipient. The government's theory runs along the lines that since the ISP stores and copies the e-mail, the information was voluntarily turned over. As a result, the sender has forfeited any expectation that the ISP would keep the information private and the government should be able to access the content stored by the ISP without a showing of probable cause.</p>
<p>Yet while the government is correct in arguing that e-mail is not akin to the telephone, their argument would eradicate any expectation of privacy for any type of communication which requires an intermediary. The fact that an ISP must store and copy the message does not mean that people expect their messages to be turned over to the government by their ISP.</p>
<p><strong>Fallout of the Decision</strong><br />
So what does this mean for you and me?  The Court will hear the case again and determine whether the government's actions were in violation of federal law. While it is always difficult to predict the outcome of such a case, the issues raised by Warshak should be of concern to all Americans. The decision of the court will be one of the most important decisions involving fundamental Constitutional protections. Due to the prevalent use of new technologies, Americans are not being adequately protected by federal statutes. Courts like the 6th Circuit critically need to establish clearer guidelines for the government and Americans to prevent confusion and abuse in the digital age.</p>
<p>In the meantime – remember that email works on a store-and-forward system, and if you are not willing to read what you wrote in the newspaper, you may not want to send it.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.securitycatalyst.com/2007/11/focus-on-privacy-e-mail-privacy-a-short-lived-dream/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Do Data-Breach Laws Give You The Power to Hold Corporations Liable?</title>
		<link>http://www.securitycatalyst.com/2007/11/do-data-breach-laws-give-you-the-power-to-hold-corporations-liable-2/</link>
		<comments>http://www.securitycatalyst.com/2007/11/do-data-breach-laws-give-you-the-power-to-hold-corporations-liable-2/#comments</comments>
		<pubDate>Thu, 01 Nov 2007 14:32:55 +0000</pubDate>
		<dc:creator>Michael Santarcangelo</dc:creator>
				<category><![CDATA[Catalyst Considerations]]></category>
		<category><![CDATA[breach]]></category>
		<category><![CDATA[catalyst]]></category>
		<category><![CDATA[communication]]></category>
		<category><![CDATA[compliance]]></category>
		<category><![CDATA[legislation]]></category>
		<category><![CDATA[PCI]]></category>
		<category><![CDATA[policy]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[Security Awareness Training]]></category>
		<category><![CDATA[tjx]]></category>

		<guid isPermaLink="false">http://www.securitycatalyst.com/2007/11/01/do-data-breach-laws-give-you-the-power-to-hold-corporations-liable-2/</guid>
		<description><![CDATA[Recently, state governments have begun to change this by imposing liability on the retail business and others, thereby opening the door for consumers to sue companies that do not adequately protect the personal information that they collect....  In the meantime, we're going to ignite our series of articles exploring these laws and developments by analyzing some recent events. Minnesota PCI Legislation: Effective August 1st 2007, Minnesota became the first state to require that all companies handling credit and debit card data comply with the Payment Card Industry (PCI) data security standard (in a future article or podcast, we'll explore and debate the value of tying the PCI standard to the legislation - Michael). The state's new Plastic Card Security Act would prohibit a company from retaining a credit card's security code data, the PIN verification code number, or the full contents of any track of magnetic stripe data....  In Pisciotta v. Old Nat'l Bancorp, the court held that there was no state statute supporting the compensation of incurred costs because "had the Indiana legislature intended that a cause of action should be available against a database owners for failing to protect adequately personal information, we believe it would have made some more definite statement of that intent."  So for the time being, unless you have an actual showing of harm as a victim of identity theft, potential harm will not suffice. Consequences for the Courts: As more states begin to enact legislation that requires companies to comply with PCI, courts may begin to allow litigants to be compensated as a result of a security breach.  The argument that courts have made in cases like Pisciotta will clearly be much weaker as state legislatures conspicuously demonstrate their intent to punish companies by enacting specific statutes targeting the security of personal information....  
Clearly, there is a way for the legislature of any state to write a statute that can pressure companies to improve their data security standards without crippling small business owners.  While the retail industry will continue to resist such legislation, there is strong support from banks and credit unions, since in the eyes of consumers they are often blamed for such breaches....  Depending on how the case turns out, the burdens and cost of breaches will shift away from consumers, banks, and credit unions but will perhaps be shared by the retailers and others (of course, the consumer pays in the end). Preparing for the change: As a consequence of new state and federal legislation, the landscape of data security will continue to evolve, sometimes in seemingly dramatic fashion....  Industries that have for now been able to get away with having minimum security standards will begin to take notice of their potential liability and hopefully, will improve the way they guard information.]]></description>
			<content:encoded><![CDATA[<p><strong>By Michael Santarcangelo and Patrick Romero</strong></p>
<p>There are roughly 40 states that have some sort of "data-breach" law or bill being considered that forces notification of a company's security breach (or suspected breach) to their consumers. These laws were enacted as a way to force companies to disclose the possibility that individuals' personal information was compromised and that they could potentially become victims of identity theft.</p>
<p>Over the coming months, we'll spend some time exploring how the different states are handling these statutes. When you peel the layers back a bit, and consider them from different angles, we can learn some interesting elements – useful to us from individual and organizational perspectives.</p>
<p>Even with these new laws in effect, it seems that there is little a person can do to hold a company liable for a data breach based on their weak security standards. Recently, state governments have begun to change this by imposing liability on the retail business and others, thereby opening the door for consumers to sue companies that do not adequately protect the personal information that they collect.</p>
<p>This is a serious issue that has implications for everyone involved – and ultimately requires clear definitions, mutual understanding and will take years to sort through. In the meantime, we're going to ignite our series of articles exploring these laws and developments by analyzing some recent events.</p>
<p><strong>Minnesota PCI Legislation</strong><br />
Effective August 1st 2007, <a href="https://www.revisor.mn.gov/bin/getpub.php?pubtype=STAT_CHAP_SEC&amp;year=current&amp;section=325e.61">Minnesota became the first state</a> to require that all companies handling credit and debit card data comply with the Payment Card Industry (PCI) data security standard <em>(in a future article or podcast, we'll explore and debate the value of tying the PCI standard to the legislation &#8211; Michael</em>).</p>
<p>The state's new <strong><em>Plastic Card Security Act</em></strong> would prohibit a company from retaining a credit card's security code data, the PIN verification code number, or the full contents of any track of magnetic stripe data. The new legislation is intended to target retailers who continue to store data in violation of PCI standards. The bill also makes it a violation for retailers to retain a credit card holder's PIN number longer than 48 hours after authorization of their transaction. Similar bills are pending in Texas, Illinois, Connecticut, and Massachusetts.</p>
<p>The significance of this legislation is clear in light of recent rulings by courts that have dismissed class action suits against companies following data breaches. On August 23, 2007, the US Court of Appeals for the 7th Circuit held that identity-theft monitoring costs paid for by the plaintiffs were not compensable damages under Indiana's security breach notification statute. In <em><a href="http://www.scribd.com/doc/260744/pisciotta-v-old-national-bancorp">Pisciotta v. Old Nat'l Bancorp</a></em>, the court held that there was no state statute supporting the compensation of incurred costs because "had the Indiana legislature intended that a cause of action should be available against a database owners for failing to protect adequately personal information, we believe it would have made some more definite statement of that intent."  So for the time being, unless you have an actual showing of harm as a victim of identity theft, potential harm will not suffice.</p>
<p><strong>Consequences for the Courts</strong><br />
As more states begin to enact legislation that requires companies to comply with PCI, courts may begin to allow litigants to be compensated as a result of a security breach. The argument that courts have made in cases like <em>Pisciotta</em> will clearly be much weaker as state legislatures conspicuously demonstrate their intent to punish companies by enacting specific statutes targeting the security of personal information.</p>
<p>Federal and state courts will feel much more comfortable in their decision to expand their legal theories of liability when supported by statutes that explicitly create private actions for security breaches. In this context, it is much more likely that Courts will not follow the ruling in Pisciotta until after states pass legislation similar to Minnesota's. In addition, plaintiffs might also receive some relief if a recent bipartisan bill in the U.S. Senate gets passed. The bill, known as the <strong><em><a href="http://www.govtrack.us/congress/bill.xpd?bill=s110-2168">Identity Theft Enforcement and Restitution Act of 2007</a></em></strong>, was introduced on October 16, 2007 and would give victims the ability to seek restitution for the loss of time and money as a result of identity theft. Such federal legislation could prove to be effective in jurisdictions with no state identity-theft laws.</p>
<p><strong>Consequences for Businesses<br />
</strong>Meanwhile, the retail lobby continues to argue against laws that would hold them liable by arguing that these laws would be too costly and burdensome, especially for small businesses. This apparently was the argument that convinced <a href="http://arstechnica.com/security/news/2007/10/governator-terminates-california-data-protection-law.ars">Governor Schwarzenegger to veto a California law</a> that would have mandated that the retail industry comply with PCI requirements. While this may be true, legislation in Minnesota limits this burden by exempting businesses with fewer than 20,000 transactions from the statute. Clearly, there is a way for the legislature of any state to write a statute that can pressure companies to improve their data security standards without crippling small business owners.</p>
<p>While the retail industry will continue to resist such legislation, there is strong support from banks and credit unions, since in the eyes of consumers they are often blamed for such breaches. <a href="http://www.itbusinessedge.com">TJX is currently being sued by several banks</a> who seek compensation for having to re-issue credit cards and provide credit monitoring to thousands of their customers as a result of a massive security breach earlier this year. Depending on how the case turns out, the burdens and cost of breaches will shift away from consumers, banks, and credit unions but will perhaps be shared by the retailers and others (of course, the consumer pays in the end).</p>
<p><strong>Preparing for the change</strong><br />
As a consequence of new state and federal legislation, the landscape of data security will continue to evolve, sometimes in seemingly dramatic fashion. Individuals and businesses will most likely be able to get their day in court for damages incurred as a result of security breaches by a third party. Industries that have for now been able to get away with having minimum security standards will begin to take notice of their potential liability and hopefully, will improve the way they guard information. While the process is slow, it appears to be inevitable.</p>
<p>This isn&#8217;t doom and gloom.</p>
<p>Many of us have already begun to prepare for these changes by improving and writing security policies that make sense and can be understood, improving the process of protecting information and working to involve users in the solution through training and awareness. Focus on the fundamentals of information protection and you&#8217;ll be less likely to be the test case.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.securitycatalyst.com/2007/11/do-data-breach-laws-give-you-the-power-to-hold-corporations-liable-2/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Do you know why virtual teams fail? Take 5 minutes to help some grad students understand</title>
		<link>http://www.securitycatalyst.com/2007/10/do-you-know-why-virtual-teams-fail-take-5-minutes-to-help-some-grad-students-understand/</link>
		<comments>http://www.securitycatalyst.com/2007/10/do-you-know-why-virtual-teams-fail-take-5-minutes-to-help-some-grad-students-understand/#comments</comments>
		<pubDate>Tue, 30 Oct 2007 21:50:04 +0000</pubDate>
		<dc:creator>Michael Santarcangelo</dc:creator>
				<category><![CDATA[Catalyst Considerations]]></category>
		<category><![CDATA[career]]></category>
		<category><![CDATA[communication]]></category>
		<category><![CDATA[compliance]]></category>
		<category><![CDATA[encryption]]></category>
		<category><![CDATA[remote working]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[virtual teams]]></category>

		<guid isPermaLink="false">http://www.securitycatalyst.com/2007/10/30/do-you-know-why-virtual-teams-fail-take-5-minutes-to-help-some-grad-students-understand/</guid>
		<description><![CDATA[One of the areas I have been interested in is how teams can effectively work in a virtual environment - and in a way that protects information.  I like to work virtually, and it's the only way I can effectively support the growing team of professionals behind the security catalyst (we have nearly 10 people now).  I was recently contacted by a group of grad students from Johns Hopkins studying virtual teams.  They wanted to pick my brain on the topic of what kills virtual teams, talk a bit of security, and then buttered me up to ask if I would produce a podcast of their results by interviewing an expert.

Innovative business school curricula taught by expert faculty and prominent business leaders, based on the Hopkins model of combining theory and practice. The class: Building Teams and Developing Teamwork. This course is designed to teach students to benchmark the qualities, characteristics, and structures that lead to high performance teams.  They examine the similarities and differences among interdisciplinary work teams, multidisciplinary work teams, cross-functional work teams, and virtual teams.  Models of team development and organizational culture are applied to diagnosing, consulting, and facilitating team success. The project: Bring new knowledge to the field of work team behavior. A group of five Hopkins graduate students were charged with bringing new knowledge to the field of teaming.  This group elected to research the world of virtual teaming and in doing so there is a great body of literature on what makes virtual teams successful, but little written about what causes them to fail or at least be sub-optimized.  This brief, six question survey addresses potential problems related to virtual teaming and will be used in conjunction with data gathered by conducting a series of structured interviews with subject matter experts to examine "virtual team killers."]]></description>
			<content:encoded><![CDATA[<p>One of the areas I have been interested in is how teams can effectively work in a virtual environment &#8211; and in a way that protects information. I like to work virtually, and it&#8217;s the only way I can effectively support the growing team of professionals behind the security catalyst (we have nearly 10 people now).</p>
<p>I was recently contacted by a group of grad students from Johns Hopkins studying virtual teams. They wanted to pick my brain on the topic of what kills virtual teams, talk a bit of security, and then buttered me up to ask if I would produce a podcast of their results by interviewing an expert. I agreed.</p>
<p>Part of their approach is to conduct a brief six-question survey (this literally takes 5 minutes): <a href="http://www.surveymonkey.com/s.aspx?sm=Z23UF52G_2bIvUD_2bSzPICoqA_3d_3d">http://www.surveymonkey.com/s.aspx?sm=Z23UF52G_2bIvUD_2bSzPICoqA_3d_3d</a><br />
<br />
By participating, you&#8217;ll be helping some grad students &#8211; and we&#8217;ll all get the results with a podcast! We only need 100 people to help &#8211; please take a few minutes and share your experiences.</p>
<p>Since I&#8217;m conducting the interview of their expert, if you have comments, questions or suggestions, please send them to me before Thursday at <a href="mailto:securitycatalyst@gmail.com">securitycatalyst@gmail.com</a>.</p>
<p><em>Here is some additional background.<br />
</em><br />
<strong>The school: Johns Hopkins University Carey Business School</strong><br />
• A business school situated within one of the greatest research universities in the world.<br />
• Innovative business school curricula taught by expert faculty and prominent business leaders, based on the Hopkins model of combining theory and practice.</p>
<p><strong>The class: Building Teams and Developing Teamwork</strong><br />
This course is designed to teach students to benchmark the qualities, characteristics, and structures that lead to high performance teams. They examine the similarities and differences among interdisciplinary work teams, multidisciplinary work teams, cross-functional work teams, and virtual teams.  Models of team development and organizational culture are applied to diagnosing, consulting, and facilitating team success.</p>
<p><strong>The project: Bring new knowledge to the field of work team behavior</strong><br />
A group of five Hopkins graduate students were charged with bringing new knowledge to the field of teaming. This group elected to research the world of virtual teaming and in doing so found that there is a great body of literature on what makes virtual teams successful, but little written about what causes them to fail or at least be sub-optimized.  This brief, six-question survey addresses potential problems related to virtual teaming and will be used in conjunction with data gathered by conducting a series of structured interviews with subject matter experts to examine "virtual team killers."  The final product of this research will be a podcast sharing the research findings and further exploring the topic.</p>
<p>Please take a few minutes and share your experiences and insights: <a href="http://www.surveymonkey.com/s.aspx?sm=Z23UF52G_2bIvUD_2bSzPICoqA_3d_3d">http://www.surveymonkey.com/s.aspx?sm=Z23UF52G_2bIvUD_2bSzPICoqA_3d_3d</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.securitycatalyst.com/2007/10/do-you-know-why-virtual-teams-fail-take-5-minutes-to-help-some-grad-students-understand/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>TSC Insight: Do Email Disclaimers Matter?</title>
		<link>http://www.securitycatalyst.com/2007/10/tsc-insight-do-email-disclaimers-matter/</link>
		<comments>http://www.securitycatalyst.com/2007/10/tsc-insight-do-email-disclaimers-matter/#comments</comments>
		<pubDate>Wed, 17 Oct 2007 22:00:20 +0000</pubDate>
		<dc:creator>Michael Santarcangelo</dc:creator>
				<category><![CDATA[Catalyst Considerations]]></category>
		<category><![CDATA[catalyst]]></category>
		<category><![CDATA[communication]]></category>
		<category><![CDATA[compliance]]></category>
		<category><![CDATA[disclaimer]]></category>
		<category><![CDATA[disclaimers]]></category>
		<category><![CDATA[email]]></category>
		<category><![CDATA[encryption]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[Security Awareness Training]]></category>

		<guid isPermaLink="false">http://www.securitycatalyst.com/2007/10/17/tsc-insight-do-email-disclaimers-matter/</guid>
		<description><![CDATA[I'd more or less accepted that some used them, while others didn't – but paid little mind to the question – do email disclaimers matter? During a breakfast a few weeks ago, a friend of mine shared a situation in which a business email sent to an individual was later posted to a website (by the recipient)....  With the help of Patrick Romero, this is what we found: Some Background on Disclaimers: Turns out these disclaimers can be used for a whole list of things – from breach of confidentiality to transmission of viruses to employer's liability....  If you are not the intended recipient you are notified that disclosing, copying, distributing or taking any action in reliance on the contents of this information is strictly prohibited. With the prevalence of e-mail communication, statements like these have become more and more ubiquitous among private and public companies – the majority are automatically generated whenever a user sends out any information regardless of the content of the message....  However, ECPA defines "intercept" as "the aural or other acquisition of the contents of any wire, electronic, or oral communication through the use of any electronic, mechanical, or other device."...  Can encryption provide privacy and confidentiality of email? I have spent a lot of time reminding people recently that "solutions follow requirements" – and I'm always hesitant to recommend a solution without understanding the requirements.  However, if you are concerned about the privacy and confidentiality of your email communications, you probably need to investigate the use of encryption. I have always enjoyed learning about and teaching encryption – and while it can be a double-edged sword, it offers the safest means of ensuring privacy of email communications....  
In a properly constructed and managed solution, only the designated recipient has the ability to decrypt and verify the message – ensuring the confidentiality of the transmission (this is an overly simplified explanation – if you're thinking about using email encryption, give me a call and we can talk about specific details). Encryption solutions are available for commercial and personal use....  Think before you press send. One of the best methods for protecting information (note: information protection doesn't always mean encryption) is to establish and effectively communicate expectations for proper use of email (if you need some help learning how to communicate policies more effectively – pick up the phone and call, it's what we do). Every organization should put in place a company policy with regards to sending confidential information through e-mail....  In the end, some do, some don't and you get to choose. Currently, there is little case law or statutory interpretation that discusses the legal rights of senders vis-à-vis e-mail disclaimers.]]></description>
			<content:encoded><![CDATA[<p><strong>By Michael Santarcangelo with Patrick G. Romero</strong></p>
<p>If you're like me, you routinely ignore the email disclaimers that many messages seem to have attached to them these days. For the most part, disclaimers have been added by the company, automatic and out of the hands of the users. Some users include their own, both serious and sometimes to be funny. I'd more or less accepted that some used them, while others didn't – but paid little mind to the question – do email disclaimers matter?</p>
<p>During a breakfast a few weeks ago, a friend of mine shared a situation in which a business email sent to an individual was later posted to a website (by the recipient). In this case, it wasn't really a big deal, but then he asked me if he needed to start using an email disclaimer.</p>
<p>It's been a while since someone asked me if they needed a disclaimer, and my instinct was that it simply wasn't necessary. Rather than give him a wrong answer, I promised that I'd look into it. With the help of Patrick Romero, this is what we found:</p>
<p><strong>Some Background on Disclaimers</strong><br />
Turns out these disclaimers can be used for a whole list of things – from breach of confidentiality to transmission of viruses to employer's liability.  However, the most common type of disclaimer is the one that guarantees the privacy and confidentiality of documents.  They usually look something like this:</p>
<p><em>This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. If you are not the intended recipient you are notified that disclosing, copying, distributing or taking any action in reliance on the contents of this information is strictly prohibited.</em></p>
<p>With the prevalence of e-mail communication, statements like these have become more and more ubiquitous among private and public companies – the majority are automatically generated whenever a user sends out any information regardless of the content of the message.</p>
<p>So now that we have examined the basis for email disclaimers, let's dig deeper and explore if they provide any value or serve any purpose.</p>
<p><strong>Can e-mail disclaimers guarantee the privacy and confidentiality of documents?<br />
</strong></p>
<p>Generally speaking, e-mail disclaimers are not legally enforceable.</p>
<p>The misconception that they are stems from a lack of knowledge that surrounds the interception of electronic communication.  The relevant statute that supports this belief comes from the language of the Electronic Communications Privacy Act of 1986 (ECPA), which criminalizes the interception of electronic communications.  However, ECPA defines "intercept" as "the aural or other acquisition of the contents of any wire, electronic, or oral communication through the use of any electronic, mechanical, or other device." A narrow reading of the statute implies that only information that has been acquired illegally can be found to be intercepted.</p>
<p>One of the many courts that have defined â€œinterceptâ€ this way is the 8th Circuit.  The Court held that electronic communications that have reached their destination are ineligible for interception and, therefore, are outside the protections of the ECPA. As a result, unless an e-mail has been intercepted in transit, the ECPA will not provide legal authority for individuals seeking to prevent disclosure of a misdirected e-mail.</p>
<p><strong>If you are concerned about the privacy and confidentiality of your email, we offer three basic considerations:<br />
</strong>1. Use encryption<br />
2. Use the “envelope within an envelope” approach<br />
3. Write carefully, review and think before pressing send</p>
<p><strong>1. Can encryption provide privacy and confidentiality for email?<br />
</strong>I have spent a lot of time recently reminding people that “solutions follow requirements” – and I’m always hesitant to recommend a solution without understanding the requirements. However, if you are concerned about the privacy and confidentiality of your email communications, you probably need to investigate the use of encryption.</p>
<p>I have always enjoyed learning about and teaching encryption – and while it can be a double-edged sword, it offers the safest means of ensuring the privacy of email communications. In general usage, the message is encrypted (and, in most current applications, signed) before being sent. In a properly constructed and managed solution, only the designated recipient is able to decrypt and verify the message – ensuring the confidentiality of the transmission (this is an overly simplified explanation – if you’re thinking about using email encryption, give me a call and we can talk about specific details).</p>
<p>Encryption solutions are available for commercial and personal use. If you&#8217;re looking at this for corporate use &#8211; please start with your requirements and then select your solution.</p>
<p><strong>2. It’s all about positioning<br />
</strong>If you’re convinced that you need to continue using a disclaimer, consider where you place it. Some have argued that by placing the disclaimer at the bottom of the e-mail, the sender undermines its enforceability.</p>
<p>Think about it &#8211; how can a recipient comply with a disclaimer after having already read the content of the e-mail? As a result, some advocate (annoying as it is for those who rely on email) that the disclaimer appear at the top of the e-mail. This option is known as the “envelope within an envelope” approach: the confidential information is sent as an attachment, and the body of the e-mail contains only the language of the disclaimer.</p>
<p>While this does not guarantee that the recipient will not open the attachment, it could provide greater standing in litigation if disclosure does occur. Such evidence would be relevant in proving that the sender took reasonable measures to ensure the confidentiality of the documents.</p>
<p><strong>3. Stop. Think before you press send.<br />
</strong>One of the best methods for protecting information (note: information protection doesn’t always mean encryption) is to establish and effectively communicate expectations for the proper use of email (if you need help learning how to communicate policies more effectively – pick up the phone and call; it’s what we do).</p>
<p>Every organization should put in place a company policy regarding the sending of confidential information through e-mail. This could range from a “no forwarding” policy to restrictions on what information can and cannot be sent. Clear guidelines within an organization give individuals direction on the proper use of e-mail and decrease the disclosure of sensitive information.</p>
<p><strong>In the end, some do, some don&#8217;t, and you get to choose</strong></p>
<p>Currently, there is little case law or statutory interpretation that discusses the legal rights of senders vis-à-vis e-mail disclaimers. With the prevalence of internet use, it is understandable that individuals would attempt to ensure some level of privacy when sending e-mails. Unfortunately, the law today does not provide protection against the misuse of confidential information sent over the internet, regardless of a written disclaimer. Companies and individuals need to determine, on their own, the risk of disclosure and how best to protect their privacy.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.securitycatalyst.com/2007/10/tsc-insight-do-email-disclaimers-matter/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>