Archive for the ‘Data Security & Privacy’ Category

In a 3-2 vote today, the Federal Communications Commission announced it would begin to regulate the Internet, effectively prohibiting Internet Service Providers (ISPs) from discriminating against any website or online service traffic.  Seeing the futility of politicizing a topic that is so new to legislators, Democrat and Republican lawmakers simply punted for now on the debate.

If the concept of ‘Net Neutrality’ is new to the small business owner, then let me try to explain.  Imagine it is 8 a.m., and you are in a car approaching the Lincoln Tunnel for an 8:30 a.m. meeting.  Once squarely inside the Lincoln Tunnel, all the lanes but one are occupied by massive semi-trucks and trailers.  The only way to get past those vehicles is to get into the “car” lane with every other commuter.  The time it should take you to get through the Lincoln Tunnel to make that 8:30 a.m. meeting is predicated upon a number of factors – many of which you have ZERO control over.  The driving lanes and Lincoln Tunnel represent ISPs, like Comcast and AT&T; the semi-trucks and trailers represent “small” tech firms like Netflix, Etsy, and YouTube; and the car represents your place on the information superhighway.  Net Neutrality would, in effect, create rules by which all occupants of the Lincoln Tunnel would have to play.

Is this such a bad thing?

Entrepreneur Mr. Mark Cuban opines that the FCC is incapable of keeping up with fast-paced technologies, and that the creation of such rules would allow massive ISPs to monopolize the flow of Internet traffic, effectively eliminating competition.  He goes on to state that the fastest growing access to the Internet is mobile, and that two companies, Apple and Google, dominate that market.  Cuban’s rationale is that if Apple, Google, Comcast, and other ISPs are left to duke it out with each other, then the consumer wins.

Or does the consumer?

Congress and President Ronald Reagan deregulated the airline industry back in the 1980s in an effort to end airline monopolies and oligopolies, but such deregulation seemed to produce the opposite effect.  Pan Am Airlines is now merely vintage fashion; Delta merged with Northwest Airlines, American with US Airways, Continental with United, and Southwest with AirTran, to name a few.  Thus, it could be argued that deregulation of the airline industry achieved absolutely nothing.

Similarly, Congress and President Bill Clinton enacted a regulatory scheme to overhaul the telecommunications industry.  The collateral byproduct of the Telecommunications Act of 1996 may have put us in the place we are today in regards to “Net Neutrality.”  The Act was intended to open telecommunication markets, which included the Internet, to promote competition.  Since 1996, what have we seen in regards to competition in the telecommunication space?  Fewer consumer options.  Enron and MCI/WorldCom are corporate governance footnotes; Qwest merged with CenturyLink; Time Warner was bought by Comcast; and as a result, the choices for getting consumers across that analogous river to their Midtown meeting are few.

Alas, we come to the debate over ‘Net Neutrality’.  Looking historically at the results of deregulating industries as a way to “open” up competition in a marketplace, is regulation to keep an industry “open” such a bad idea?  I leave that answer to more capable minds.


Last week, the Seattle Public School District (“SPS”) sent out a notice that a law firm it had retained to handle a complaint on its behalf inadvertently delivered information on about 7,400 special education students. The information contained within the files not only included date of birth, school assignment, and grade, but also student identification numbers, special education assignments, disability categories, and special education transportation information. SPS went on to state that “[r]elease of this information is of great concern” – but is it?

When it comes to data governance, the unauthorized release of mission-critical data, more often than not, involves the conduct of a third party. Organizations like SPS are so concerned about their internal protocols that they forget to examine their external processes. That is usually where the holes in an organization lie, and leaders fail to set a tone at the top on how to deal with third-party vendors. Up until the date of disclosure, did SPS have a proactive process in place for how third-party vendors attested to their own data governance programs? Usually, the vendor will ask what protocols SPS would like them to have in place, but the real question should be what safeguards they already have in place. If they are not willing to share that information, then SPS has the financial muscle to seek out another law firm.


In August 2013, I blogged about an insurance company’s latest product feature that enabled its customers to download all of their insurance verification documents to their cellphone through a software application. The marketing company devised a commercial in which a pig driving a car was pulled over, and the pig subsequently handed his cellphone over to the officer, presumably to show the officer that he had insurance information (I didn’t make this up). At that time, I suggested there would be significant unintended consequences for people who turned over their cellphone to a police agency.

In a unanimous decision Wednesday, the Supreme Court of the United States ruled that police officers need a search warrant to search cellphones of individuals arrested. This decision would likely apply to tablets and laptop computers, as well as potentially searches of homes and businesses and information held by third parties, like phone companies or cloud providers. Chief Justice John G. Roberts stated that cellphones are “such a pervasive and insistent part of daily life that the proverbial visitor from Mars might conclude they were an important feature of human anatomy.” What’s more interesting is that, in writing for the majority of the Court, Chief Justice Roberts acknowledges the fact that cellphones are more than a device that you merely speak into and listen – a truly forward thinking statement for such a traditional body of government.

When looking at this in the context of the insurance company’s phone app product, there still are significant unintended consequences that people need to be made aware of. Namely, while the new ruling prohibits warrantless searches of cellphones, relinquishing a cellphone to a police agency is still not advisable. They can simply confiscate the device, and then go get a warrant to search it at a later date.


The Court of Justice of the European Union issued a ruling on May 13, 2014, whereby, under certain circumstances, search engine providers like Google are required to remove links to Web pages containing information that is returned on the basis of a person’s name and published by a third party. The “Right to be Forgotten” lawsuit is a landmark case for EU member countries, and was derived from a Spaniard’s claim that search results from Google’s website disclosed details about an auction of his repossessed home over unpaid debts that had been resolved many years prior and was presently irrelevant.

In the wake of the EU Court’s ruling, Google has posted a “Remove Information From Google” page for Europeans to request takedowns. Based on reports, it appears the number of takedown requests averages about 10,000 requests per day, and growing. That number may seem high, but EU Justice Commissioner Viviane Reding notes that Google receives and complies with millions of copyright-related takedown requests. EU regulators plan to give search engine companies time to adjust to the ruling, and to define just exactly what compliance with the law should look like.

For application purposes in the United States, the ruling does raise questions as to third-party usage of public information. Query a person’s name in any search engine, and Internet ads for information on birth and arrest records are sure to come up. Many people with similar names are then subjected to potentially unnecessary embarrassment and ridicule. However, the application of the term “privacy” is entirely different in the EU than in the U.S., and that is why it is unlikely that the “Right to be Forgotten” will soon land upon the shores of America.


Several news outlets reported yesterday that the Federal Trade Commission (“FTC”) is urging Congress to demand that data brokers tell consumers more about their trade practices in how they collect and use consumer information. Data brokers are companies that assemble digital profiles on nearly every U.S. consumer by gathering information from credit- and debit-card transactions, public records, online tracking cookies, and smartphones, among other sources.

The FTC, in its report, concluded that there is a “fundamental lack of transparency[,]” in how data brokers go about collecting consumer information. FTC Chairwoman Ms. Edith Ramirez states that data brokers often “know as much – or even more – about us than our family and friends, including our online and in-store purchases, our political and religious affiliations, our income and socioeconomic status, and more.” The report, two years in the making, finds no actual harm to consumers, and only suggests potential misuses that do not occur. It also goes into depth on how data brokers operate.

The report concludes that Congress should require the creation of an Internet website whereby data brokers must disclose the sources of the data they collect about consumers, and give consumers the opportunity to opt out. The reality of anything becoming law in the near future seems highly unlikely at best. Similar legislation introduced in February has gained little traction.


The Wall Street Journal reported yesterday that several antivirus software companies are reinventing their business models after decades of trying to prevent hackers from penetrating their customers’ IT infrastructure.  According to Mr. Brian Dye, Senior Vice President of Information Security at Symantec Corp., antivirus “is dead” from a money-maker perspective.  Rather than try to thwart hackers by keeping them out of a business’s IT network, antivirus software companies now assume hackers can get in (or are already there!), and, for a fee, will sell products and services that provide customers with intelligence briefings that tell them two things: (1) their business is under attack; and (2) why their business is getting attacked.  However, what a customer really wants to know when its IT network is under attack is, how do we make it stop?

While, in and of itself, the new business model shift may create an overall issue of product integrity for the antivirus software industry (e.g. the intended purpose is not capable of being met), there is a silver lining in the message being sent.  Namely, on its face, antivirus software products and services alone will not prevent mission-critical business data from being released in an unauthorized manner.  A holistic, comprehensive corporate data governance model is still the proper risk management step for organizations to employ.  Antivirus detection services from IT security companies like Symantec Corp., Juniper Networks, Inc., FireEye, Inc., and Shape Security, Inc., are important, but should not be solely relied upon by the business organization.


Sales of cyber-insurance policies have spiked sharply this year, mainly due to the increased attention and scrutiny of the massive data breaches at Target and Neiman Marcus over the last holiday season. Also, in what was once an uncommon occurrence, banks are now suing retailers who have been victimized by hackers accessing mission-critical data. These threats against corporate data have finally caused many businesses to seek out risk management practices, such as insurance coverage, to protect against loss.

In general, most cyber-insurance policies cover the cost of a data breach investigation, customer notification and credit-monitoring services, as well as legal expenses and damages resulting from consumer class action litigation. According to The Wall Street Journal today, general liability insurers are expected to adopt language specifically excluding damages arising out of cyber-attacks. The nuances of these policies have still not been perfected, and companies should have an attorney who understands this area of law examine the scope of coverage contained within each policy. Doing this due diligence will help organizational leaders better determine whether the insurance premium benefits the company from a cost-savings standpoint.
