Data Privacy Day a time to end personal security complacency

Data Privacy Day a time to end personal security complacency

Madison, Wis. – On January 28, 2009, the United States, Canada, and 27 European countries will celebrate Data Privacy Day together for the second time. The purpose this annual event is to raise awareness and generate discussion about data privacy practices and rights.
In recognition of Data Privacy Day, I have produced two videos and have written special feature blogs for the week. Yesterday I posted my first video on this blog to demonstrate how easily Social Security numbers can be accessed on the Web-especially on public sector Websites.
Data Privacy Day promotes privacy awareness and education among teens, especially about online privacy. On Wednesday, Data Privacy Day, I will be posting tips about “Teen Privacy Online.”
Data Privacy Day also promotes general awareness education among the public and business community on allied topics such as identity theft, national security, social networking, information security, data destruction and data transfers. On Thursday, I plan to post a video demonstrating why data encryption is such an important security safeguard for laptop users.
Data Privacy Day activities in the United States include corporations, government officials and representatives, academics, and students. Privacy and information security is required of all sectors—private, public and volunteer under numerous state and federal laws.
Consumers expect all sectors to safeguard sensitive information they entrust with them. Local governments desire to create a “privacy-friendly” economic climate, where consumers can live, play and conduct business safely with a minimal risk of identity theft and having their right to privacy violated.
Data Privacy Day serves the important purpose of furthering international collaboration and cooperation around privacy issues. I intend to do my part in recognizing this important day this year and throughout the future, what about you?
Stealing Social Security Numbers on the Web
Your Social Security Number and birth date may be available to anyone on the web or by visiting your local city or county clerk’s office. If they are, it makes it easy for identity thieves to use your information for financial fraud, to commit crimes in your name, to gain employment illegally, to get medical treatment under your name or many other types of identity fraud.
I produced the aforementioned video on Social Security to give one example of a county Website that allows access to sensitive information without much ethical or legal concern about the consequences to taxpayers.
Identity theft has been estimated to a strike 10 million or more Americans each year, and some local governments seem to have little concern. Identity theft can take years to resolve and cost you thousands of dollars. As a taxpayer you should also be concerned because our local government and officials could face expensive lawsuits and penalties, which will be paid with our tax dollars.
Do you accept credit cards? Beware
If your business or organization (non-profit, school, local government) accepts credits cards, you are subject to the Payment Card Industry’s Data Security Standard (PCI-DSS). I write for the small organizations, and from my viewpoint as a security consultant, the PCI-DSS is extremely onerous on small enterprises.
There is a positive aspect of PCI-DSS compliance. First, merchants are exonerated from liability with the credit card companies if they comply. Second, compliance will lower your risks of a data breach and thus help foster consumer trust and confidence.
Most small merchants never heard of PCI-DSS. Sometimes I describe it as a closely guarded secret. If merchants realized the risks and liabilities that they have by accepting credit cards, they would look for third-party alternatives to directly accepting credit cards or they may choose not to accept credit cards at all.
If a merchant is 100 percent e-commerce, it can skirt PCI-DSS by using a payment card solution like PayPal. Once credit cards are accepted in person, by phone or e-mail, excruciating security requirements must be implemented to comply or otherwise be subject to significant risks.
The average cost to merchants is $300 to $600 including fraudulent purchases, fees and legal costs for each compromised credit card according to Forrester Research. The cost to a small merchant with 100 compromised credit card records is $30,000 to $60,000; a thousand will cost $300,000 to $600,000, any of which can drive a small merchant into financial crisis if not out of business.
However, the financial liability is the least of the problems. Customers will be coming after you too.
Inauguration Day marked the announcement of potentially the largest credit card data breach in history. Journalist Brian Krebs runs a Security Blog at the Washington Post. Read the comments on his Security Fix Blog concerning the mega-breach by Heartland Payment Systems to gain a sense on how the public and, more importantly, your customers will react to a security breach announced by your organization.
Some of the descriptive language used by consumer bloggers against Heartland Payment Systems includes: deceptive, cover up, shut down, criminal negligence, idiots, do business elsewhere, bankruptcy, irresponsible, jail, and class action lawsuit. One law firm blogged a promotion to solicit potential victims to join a class action lawsuit against Heartland Payment Systems.
Now close your eyes and imagine that your organization compromised just 10 or 100 accounts. Listen; do you hear 10 customers at your door shouting those same disapprovals?
Are you interested in learning more about PCI-DSS now?
Public surveillance
The public should be concerned about the increased use of government surveillance cameras in public places.
Privacy advocates detest the use of surveillance cameras in public places as an invasion of privacy. Public safety advocates argue that if you aren’t doing anything illegal, what’s the concern. After all, you are in a public place, not a private place.
Surveillance in public places has deterred and aided in solving crime on the streets. The use of surveillance cameras need to follow best practices just as an employer must who uses surveillance cameras in the workplace.
Are cities that use surveillance cameras following best practices? Do they have policies and procedures for their use; do they have a privacy officer who monitors their use and who is responsible for oversight and corrective action?
The city that I live in has surveillance cameras in a popular downtown area. What is their policy for acquiring, storing, maintaining and erasing or destroying acquired photographic information? If a police officer was recorded doing something inappropriate, would the recorded information disappear or would it be retained?
Last spring, a city employee was photographing plantings along the lot-line of my home, which borders city property, with a city-issued camera. I watched the employee take several pictures. When he trespassed on my property to take a certain picture of a no trespassing sign located on my property, I shouted from a distance, “what are you doing?” He turned and took a picture me!
I contacted both the director of the department and the person’s supervisor and requested a copy of all the pictures taken of my property and me by the employee. A few days later, I received an email with an attachment of the digital photos. Should I have been surprised that the last three pictures, including the one taken of me, were missing? When asked about the missing picture, the supervisor claimed that the ones I received were the only pictures taken.
So what is the policy on retention of photographs taken by the City, and who is responsible for complaints and enforcement? From what I learned, there are no policies and procedures on acceptable use, retention, destruction, or corrective action.
Had the photographs revealed that I had done something wrong, the pictures probably would have been there. Because the employee took the pictures while trespassing on private property and violated an existing city policy by taking a picture of me without my permission, the pictures were apparently suppressed or erased.
This is a simple example of what could happen when surveillance cameras are in the hands of the government with limited or no policies and procedures. While no great harm in this situation, you can see what could happen under a set of circumstances that could be criminal or a violation of one’s right to privacy.
What is information security?
If you have been reading my blog you probably know that one of my peeves is that the term “information security” is often misused to mean computer security, information systems security, network security, etc. Misuse causes confusion and increased risks.
Information comes in many forms. Information is recorded on paper, photographically, magnetically, electronically and in our brains —where is can be retrieved and communicated in writing and by the spoken word.
All enterprises have the responsibility to appropriately safeguard sensitive information that their employees, customers, patrons and constituents entrust to them, regardless of the form of the information. Yes, even if the information is on paper or disclosed through the spoken word. That’s information security.
Here are two examples. The FACT Act’s Disposal Rule applies to every enterprise that uses sensitive consumer information for a business purpose. It requires destruction of the information in conjunction with the disposal process regardless of its form-paper, electronic, etc.
HIPAA protects personal health information (PHI) in all forms. A medical professional who inappropriately discloses PHI by word of mouth violates medical privacy and may be subject to HIPAA enforcement or a violation of privacy under common law.
My recent analysis of data breaches conclude that 10 to 20 percent of the reported breaches result from the compromise of information on paper, the mail, and social engineering.
Doesn’t seem like a lot? Here’s my prediction. The majority of data breaches that occur are non-electronic. They go undetected and unreported. With the strong buzz that information security is computer and network related, many businesses are forgetting that information comes in all forms. Out of sight, out of mind, and not considered.
Corrective action required
During a recent radio interview, I referred to two publicized examples of privacy breaches that involved President Obama and Senator McCain. One involved accessed of their passport records by State Department employees, and the other involved the access of then President-elect Obama’s cell phone records by Verizon employees. It is likely that thousands of privacy breaches like this unauthorized access to personal records of citizens and consumers occur daily throughout the U.S.
Each of the two responsible organizations responded with corrective action that included the termination of certain employees, disciplinary action of others, and (very likely) reminders to all employees that any violation of the organization’s privacy policy is a serious offense. My host suggested that these reactions were only the result of the nature of the personalities involved-Obama and McCain. Let’s hope not.
Organizations must evenly enforce violations of an organizational privacy and information security policy whether violations involve the President- elect of the United States, a Senator or Joe the Plumber (any person). If not, such an omission can be used to pierce the armor of safe harbor, a legal defense created through a faithfully implemented privacy and information security best practices program.
In other words, as part of a defense against a claim of tort or violation of regulatory laws an organization may be called to task in court to prove they have done everything a reasonable person would have expected them to do to protect sensitive information. However, if a person harmed by such a privacy breach can demonstrate that the organization does not faithfully follow the best practices program, for example, the organization does not take appropriate corrective action, the safe harbor afforded by having a privacy and information security best practices program can be reduced if not destroyed.
Have a privacy or information security violation in the workplace? Write up the corrective action and at least provide a written warning to the employees involved with a written reminder to those employees who have access to sensitive information that your organization takes your privacy and information security policies and procedures seriously.
Dealing with death and identity theft
This is peeve week, maybe because I’m getting cabin fever after several days of being locked away from the sub-zero Midwest weather. So here’s another peeve.
Do employers sponsor programs on “Death and Illness” or do they sponsor “Health and Fitness” or “Wellness” programs? Do insurance professionals sell “Death,” or do they sell “Life Insurance?” Do businesses focus on “cooking the books” and accounting fraud and errors, or do they focus on following “Generally Acceptable Accounting Practices” (GAAP)?
I view myself as helping organizations with their Privacy and Information Security Best Practices Program – safeguarding sensitive information and preventing its unauthorized dissemination.
A couple of weeks ago I was interviewed on business radio. I struggled to keep the interview focused on privacy and information security, but it kept deviating to identity theft.
Enterprises should care about privacy and information security best practices. A lax security program can result in violations of personal privacy, the compromise of sensitive information that has negative consequences to consumers and to the business itself, for example the compromise of trade secrets. Lousy information security can hurt a business even if it doesn’t result in identity theft.
Identity theft is one of several possible effects of poor privacy and information security practices.
Similarly, illness and death are the effects of poor health and fitness practices.
A risk with focusing on effects, instead of on the cause, is that the discussion can be deflected away from how to take responsibility for avoiding the effect.
Focusing on death and illness can lead to discussions on the various types of cancers, effects and treatments instead of on prevention. Similarly over focus on identity theft can avoid addressing an important preventive factor – business responsibility for safeguarding the information that it is entrusted with.

Joe Campana is a certified identity theft risk management specialist and an identity theft, privacy, and information security consultant with J. Campana & Associates, which tracks data breaches in Wisconsin and beyond.
The opinions expressed herein or statements made in the above column are solely those of the author, and do not necessarily reflect the views of the Wisconsin Technology Network, LLC. (WTN). WTN, LLC accepts no legal liability or responsibility for any claims made or opinions expressed herein.