Up Front
Below is the latest news, trends, and analysis from the January-February 2012 issue of Information Management.
DATA SECURITY
DoD Sued over Stolen Tricare Tapes
Four military families, along with 4.9 million Tricare beneficiaries, have filed a $4.9 billion class action lawsuit against the U.S. Department of Defense (DoD) after learning that their sensitive personal information was contained on tapes that were stolen from a car in San Antonio, Texas.
According to The Army Times, the suit alleges that U.S. government healthcare provider Tricare “intentionally, willfully, and recklessly violated” the privacy rights of the plaintiffs by failing to protect their personal information, including treatment information, diagnoses, and lab results.
In September 2011, backup tapes containing the health records of millions of active and retired military veterans and their families went missing from the car of an employee of the defense contractor responsible for taking them from one federal facility to another where they were supposed to be secured.
The data on the tapes, which were backups for the military electronic health record system, also may have included Social Security numbers, addresses, and phone numbers, Tricare admitted.
The tapes contained information for patients in 10 states who were treated at military facilities in San Antonio from 1992 to Sept. 7, 2011, and those patients who filled prescriptions or had lab tests processed at San Antonio-area military health facilities during the same period, The Army Times reported.
The suit seeks $1,000 in damages for each of the 4.9 million Tricare beneficiaries whose information was stolen. It states that the data can be retrieved easily with knowledge of an individual’s name or an identifying symbol or number, such as a phone number, The Army Times reported.
Both Tricare and Science Applications International Corp. (SAIC), the contractor involved, have said there is not much chance the data will be used for criminal intent because the thief would need an in-depth understanding of SAIC’s hardware and software, as well as knowledge of data interpretation, in order to access the data. There has been no evidence to date that the information on the missing tapes has been used for nefarious purposes.
While it has not said what kind of encryption was used, SAIC has admitted that the stolen tapes were not encrypted in compliance with federal standards. Vernon Guidry, an SAIC spokesman, said in a statement that “some personal information was encrypted prior to being backed up on the tapes.” But “the operating system used by the government facility to perform the backup onto the tape was not capable of encrypting data in a manner that was compliant with the relevant federal standard.”
The Health Information Technology for Economic and Clinical Health Act, part of the 2009 American Recovery and Reinvestment Act, requires healthcare organizations to ensure that patient information in health records is unusable, unreadable, or indecipherable to unauthorized individuals.
In August 2009, the U.S. Department of Health and Human Services published an interim rule requiring either encryption or destruction to ensure the security of health records. The National Institute of Standards and Technology developed that rule and created guidelines requiring federal agencies to encrypt data using the Advanced Encryption Standard, which was adopted as a federal standard in 2002, according to The Army Times.
The suit asks the court to order Tricare to provide free credit monitoring services for class members in addition to the $1,000 in damages, an additional cost that, if a judge rules in favor of the plaintiffs, would be paid by U.S. taxpayers.
Both Tricare and Defense Secretary Leon Panetta are named in the suit; however, SAIC is not named as a defendant.
Consequently, the DoD, the General Services Administration, and the National Aeronautics and Space Administration have called for a regulation that would require all contractors that handle federal records to complete privacy training before they can access federal records, databases, or information systems that contain personally identifiable information.
PRIVACY
FTC to Update Children’s Online Privacy
The Federal Trade Commission (FTC) has proposed changes to outdated regulations covering online privacy for children.
The Children’s Online Privacy Protection Act (COPPA) was enacted more than 10 years ago and does not address social media or smartphones. It requires companies to obtain parental consent before collecting any personal information about a child under age 13.
According to The New York Times, the FTC’s proposed revisions expand the definition of “personal information” to include a child’s location and any personal data collected through the use of cookies for advertising purposes. It also covers facial recognition technology. The revisions also stipulate that websites that collect a child’s information must ensure they can protect it, retain it “for only as long as is reasonably necessary,” and then safely delete it.
The FTC also suggested that parental consent should no longer be obtained through a two-step e-mail and authorization process, but through alternate methods, such as getting scanned versions of signed consent forms and videoconferencing, The Times said.
The FTC said it will finalize the proposals soon. It can enact them without Congressional approval.
It’s unclear whether the changes will affect the way Internet companies do business. Eric Goldman, a law professor at Santa Clara University, told The Times that because of the existing law, many firms avoid dealing with children under age 13 anyway.
“The requirements of complying with COPPA are onerous and expensive, and the payoffs from having under-13 kids on the site are rarely worth the financial investment,” he said. “The revisions do nothing to change the basic economics of complying with the statute.”
The rules are no substitute for parental supervision, either. Research by Consumer Reports has found that 7.5 million American children under age 13 were using Facebook even though the social media service stipulates that no one under age 13 may open an account.
WEB STUDY
Study: Popular Websites Leak User Information
As many as 61% of high-traffic websites routinely share information, such as username or user ID, with other sites, according to a study by Stanford University’s computer security lab.
The survey found that half of the 185 popular websites studied track usernames and IDs and then share them with other sites. Google, Facebook, comScore, and Quantcast were among the top recipients of username and ID information, according to the study.
Study author Jonathan Mayer created accounts for sites and then tracked where the information was sent. He found that Photobucket sent his username to 31 other sites, NBC sent his e-mail to seven other organizations, and his name and e-mail address were sent to 13 different organizations when he viewed a local ad on HomeDepot.com.
The survey has spurred new initiatives for “do-not-track” rules. The Montreal Gazette reported that U.S. Federal Trade Commission Chairman Jon Leibowitz said the study would help the agency’s efforts to protect consumers’ online privacy and suppress what he called the “cyberazzi,” or behavioral advertising and data collection firms that track online users’ behavior.
Leibowitz praised Microsoft, Mozilla, and Apple for adding do-not-track features to their browsers and said he hoped Google would do the same. He added that the FTC does not intend to stop behavioral advertising, but it advocates giving consumers choices about the collection and use of their data.
GOVERNMENT RECORDS
Dutch Senate Adopts iPads
Dutch senators have ditched paper documents for a new Senate app specifically designed for Apple iPads, according to Reuters, making the Dutch Senate the first in Europe to distribute digital documents through a tablet computer.
“We have had enormous piles of paper couriered to our houses every week, thick envelopes with planning and committee meeting documents, but now from 6 p.m. every Friday you just open the Senate app and find all the documents for the next week,” said Secretary General of the Senate Geert Jan Hamilton.
The Senate app can be used to access and manage information, including calendars, legislative bills, parliamentary correspondence, and meeting documents.
Creating the Senate app and buying the iPads cost about €150,000 ($201,053 U.S.) but, according to Hamilton, will save the Senate about €140,000 ($193,231 U.S.) in printing and courier costs during the first year. After that, he said, the annual costs for the upkeep and occasional printing of some documents will be roughly €35,000 ($48,308 U.S.).
There are no security concerns about the information stored on the app, noted Reuters, because the documents handled by the senators are already publicly available.
COMPLIANCE
Internal Watchdog Scolds SEC for Destroying Records
An internal watchdog has scolded the Securities and Exchange Commission (SEC) for a decades-long policy of destroying documents.
Those documents – related to preliminary inquiries into possible Wall Street crimes – should have been preserved as official federal records, the agency’s inspector general said. However, SEC Inspector General David Kotz said he would not refer the matter to the Justice Department because he found no evidence of improper motives behind the policy or that it had hampered any investigations.
The SEC from 1981 to 2010 directed employees to destroy all documents connected to matters under inquiry (MUIs) that didn’t result in full-scale investigations. In his report, Kotz said, “There was a lack of clarity as to the rationale for the policy.”
The National Archives and Records Administration (NARA) had questioned the SEC in 2010 about its policy after a whistleblower, SEC enforcement attorney Darcy Flynn, claimed more than 9,000 files had been destroyed, including inquiries into potential securities law violations at several major Wall Street banks. Flynn also alleged the SEC misled NARA about its documents policy, The Wall Street Journal reported. The SEC halted its document destruction policy soon after NARA’s inquiries.
Kotz, in his report released in November, found Flynn’s allegations to be true. The report also concluded that the SEC should have retained preliminary investigation inquiry materials it had been routinely discarding.
In a letter to Sen. Charles Grassley (R-Iowa) in September, SEC Enforcement Director Robert Khuzami said no current or future investigations have been hampered by its old document policy on MUIs, partly because most are converted into investigations. Khuzami also explained that the agency keeps electronic records of all MUIs for about 20 years, helping investigators make connections to previous conduct even if it didn’t result in a formal investigation.
Whether the SEC violated the law depends on whether the records are subject to retention under a deal the SEC and NARA had in place, according to The Wall Street Journal. Khuzami said the policy through last summer was that the records weren’t subject to that agreement.
While Kotz will not recommend a criminal investigation, the SEC’s worries are not over. A government watchdog group is suing the agency over the destroyed documents. The suit filed by Citizens for Responsibility and Ethics in Washington accuses the SEC of repeatedly violating the Federal Records Act by routinely destroying documents related to preliminary investigations.
COMPLIANCE
Germany, Romania Taken to Task over Data Retention
After years of inaction by Germany and Romania, the European Commission has given the countries a deadline by which they must implement the European Union’s (EU) Data Retention Directive.
According to IDG News, the EU’s chief regulator has ordered the two countries to take action to ensure compliance with the data retention law. However, Germany and Romania’s national constitutional courts have issued rulings blocking national laws enforcing the law.
The directive requires telecom companies to retain data identifying the user, recipient, date, type, location of the equipment, and time and duration of all e-mail, phone, and text communications. The information must be accessible to national police on a case-by-case basis. In 2010, the average European’s traffic and location data was logged in a telecom database once every six minutes, according to European Digital Rights (EDRi).
Despite German and Romanian courts’ judgments that certain aspects of the implementation of the directive are unconstitutional, they did not rule that the Data Retention Directive itself is unconstitutional. And, despite a March 2010 court ruling in Germany and an October 2009 decision in Romania, local ministers and lawmakers in both countries have been trying to turn the directive into national law, IDG News reported.
But the commission seems to have already lost patience with both countries.
“Germany and Romania’s ongoing delay in transposing the directive into national law is likely to have a negative effect on the internal market for electronic communications and on the ability of police and justice authorities to detect, investigate, and prosecute serious crime,” the commission stated.
The commission gave Germany and Romania two months to come up with ways to enact the directive; both must be in compliance by January 2012.
LEGAL
Court to Rule on Arkansas FOIA
The Arkansas Supreme Court soon will decide whether prosecutors can pursue misdemeanor criminal charges for individuals who violate the state’s Freedom of Information Act (FOIA).
A circuit judge recently declared parts of the state’s FOIA unconstitutional. Judge James Cox issued the ruling in a lawsuit brought by Fort Smith lawyer Joey McCutchen against the city of Fort Smith. McCutchen accused the city of violating the FOIA when former City Administrator Dennis Kelly discussed the hiring and firing of department heads with members of the city board of directors in one-on-one conversations in May 2009.
The state’s FOIA requires meetings of government bodies to be open to the public, according to the Arkansas News Bureau. Under current Arkansas law, the city officials could be fined up to $200 and spend up to 30 days in jail if they are found guilty of violating the open government law.
In his ruling, Cox noted that all 50 states have open meetings laws, but only 19 states have criminal sanctions in their laws.
The judge wrote in his decision that the definition of “meeting” and the criminal penalties for violations contained in the law are “unconstitutionally vague.” Therefore, his ruling struck down the law’s criminal penalties.
McCutchen and Attorney General Dustin McDaniel filed separate motions asking the judge to reconsider his ruling. Cox declined, so McDaniel appealed to the Arkansas Supreme Court. Cox has called on the Arkansas Legislature to clarify parts of the law. Republican State Sen. Jake Files told the Arkansas News Bureau that legislators will be watching what happens with the appeal. If the Supreme Court agrees that changes are needed, the legislature likely will take up the law in the 2013 session, he said.
While they await the court’s decision, Arkansas officials and lawmakers have said there is no reason to change the FOIA in the near future.
CONSUMER RECORDS
Agency Leaks Thousands of SSNs Each Year
More than 400,000 Social Security numbers (SSNs) may have been mistakenly published during the past 30 years as a result of errors made by Social Security Administration (SSA) employees, according to a report.
The Scripps Howard News Service reported that the SSA puts thousands of Americans at risk of identity theft each year by accidentally leaking their SSNs, names, and birth dates.
The leaks are caused by keying errors made by SSA employees when they enter data into the agency’s Death Master File, a database that contains the records of 90 million deceased Americans, Scripps Howard said.
Since 1980, when the SSA first started making the file publicly available, more than 400,000 SSNs of living Americans may have been inadvertently published as a result of the errors, according to the report.
In most cases, the victims of the breaches were not informed and only discovered the error after they experienced problems, such as frozen bank accounts, refused job interviews, or declined loan applications, Scripps Howard reported.
For its report, Scripps Howard reviewed three files from the Death Master File and discovered 31,931 living Americans were listed erroneously in them. Dozens of those individuals who were incorrectly listed were later contacted by the news service. Not one said the SSA had informed him or her of the breach.
In the report, Scripps Howard quotes SSA Commissioner Michael Astrue, who said that the SSA takes quick action to correct any errors it discovers. Any breach involving the accidental leakage of SSNs is also promptly reported to the U.S. Computer Emergency Response Team.
Astrue said the SSA has so far found no instances of fraud or misuse as a result of the data exposure.
INFO TECHNOLOGY
Scientists: Table Salt Can Boost Storage Capacity
Scientists in Singapore said they have discovered a process that can expand the data storage capacity of computer hard disks six-fold by using table salt.
Singapore’s national research institute, the Agency for Science, Technology and Research, working with the National University of Singapore and the Data Storage Institute, have “developed a process that can increase the data recording density of hard disks to 3.3 terabits per square inch, six times the recording density of current models,” according to a statement.
Scientists said they were able to boost data storage capacity by packing more bits in neater patterns, as compared to the random configurations used in current hard disk drives.
The method – called bit patterning – had previously not been feasible as scientists were unable to see the outlines of the bits clearly after they had been printed onto a film in a process much like developing photographs, Agence France-Presse (AFP) reported.
However, when scientists added table salt into the solution used for bit imaging, the outlines stood out in sharp relief, allowing them to see fine lines that would normally be blurred.
Joel Yang, the scientist who made the discovery, told the AFP he believes the bit-patterning process will be adopted by the industry by 2016 “when the current techniques run out of fuel and (hard drive manufacturers) need to find alternate methods” of increasing data storage space.
E-DISCOVERY
Study: E-Discovery Not Limited to E-Mail
E-mail is no longer the primary source of records companies produce for an e-discovery request, Symantec’s “2011 Information Retention and E-Discovery Survey” has found.
The survey also reveals that companies with the best records and information management (RIM) practices in place significantly reduce their risk of court sanctions or fines.
The survey, conducted by Applied Research, includes the responses of legal and IT employees at 2,000 companies worldwide about how they are managing their ever-increasing amounts of electronically stored information (ESI) and preparing for the possibility of an e-discovery request.
Respondents said they answered an average of 63 legal, compliance, or regulatory requests for digital information during the previous year, and IT staff spent 66 hours locating the information.
When asked what types of documents are most often part of an e-discovery request, respondents put files and documents (67%) and database or application data (61%) ahead of e-mail (58%). According to the survey, other sources companies must be ready to produce information from include: SharePoint files (51%), instant messages and text messages (44%), and social media (41%).
According to the survey, companies that employ best practices, such as automating legal holds and using an archiving tool instead of relying on backups, fare dramatically better when responding to an e-discovery request.
Companies surveyed with good RIM practices in place were:
- 81% more likely to have a formal retention plan in place
- 63% more likely to automate legal holds
- 50% more likely to use a formal archiving tool
Firms that employ these practices have a 64% faster response time with a 2.3 times higher success rate when responding to an e-discovery request, the survey found. Consequently, these companies are significantly less likely to suffer negative consequences than companies without a formal information retention policy.
Such top-tier companies are:
- 78% less likely to be sanctioned by the courts
- 47% less likely to lead to a compromised legal position
- 20% less likely to be fined
- 45% less likely to disclose too much information
Despite the risks, the survey found nearly half of respondents do not have an information retention plan in place. Why? Respondents cited lack of need (41%); too costly (38%); nobody has that responsibility (27%); no time (26%); and lack of expertise (21%).
Symantec recommends the following steps for improvement:
- Periodically delete information according to the records policy.
- Use backup for recovery. Use archiving for discovery.
- Deploy advanced legal hold processes and risks.
- Conduct litigation readiness exercises to determine exposure and formulate a prioritized remediation plan.
- Know what ESI there is in the organization and where it lives, including text messages, social media, and data in the cloud.
E-ACCESS
The Dead Sea Scrolls Go Digital
The Dead Sea Scrolls are now accessible and searchable to the entire world online.
Written between the third and first centuries BCE, the Dead Sea Scrolls include the oldest known biblical manuscripts in existence. In 68 BCE, they were hidden in 11 caves in the Judean desert on the shores of the Dead Sea to protect them from the approaching Roman armies. They were discovered again in 1947 by a Bedouin shepherd.
Since 1965, the scrolls have been on display at the Shrine of the Book at The Israel Museum in Jerusalem. The scrolls offer critical insights into life and religion in ancient Jerusalem, including the birth of Christianity.
Now, anyone around the world can view, read, and interact with five digitized Dead Sea Scrolls. The high-resolution photographs are up to 1,200 megapixels, almost 200 times more than the average consumer camera, so viewers can see the most minuscule details in the parchment.
Viewers can also click directly on the Hebrew text and get an English translation. The scroll text is also discoverable via web search.
The Israel Museum, Jerusalem, partnered with Google to bring the collection online. The Digital Dead Sea Scrolls can be accessed at http://dss.collections.imj.org.il/.
PRIVACY
Google Lets Wi-Fi Owners Opt Out
Avoiding a likely fight with European privacy regulators, Google said it will allow the owners of Wi-Fi routers worldwide to remove their devices from a registry the search engine uses to locate cellphone users.
European regulators had warned Google that the unauthorized use of data sent by Wi-Fi routers violated European law. According to The New York Times, Google and other organizations use the signals from Wi-Fi routers as navigational beacons to help pinpoint the locations of nearby cellphone users. Google said that the Wi-Fi signals it uses do not identify individuals.
Germany and France, especially, have strongly criticized Google’s data collection practices, and Google has made concessions.
In Germany, Google gave consumers the option of excluding photos of their properties, apartments, and businesses from its StreetView online map service before it launched last fall, The Times said.
In May 2011, the privacy advisory panel to the European Commission said the unauthorized collection of the location data of individual cellphone users violated Europe’s privacy law, which forbids the commercial use of private data without the owner’s consent in advance.
If many owners of Wi-Fi access points decided to opt out of Google’s database, it could make it harder for users of Android phones to get a fix on their locations and thus limit Google’s ability to sell location-based advertising, according to The Times. But the phones can also determine their location using cell towers and satellites.
Interestingly, Google’s decision, meant to appease European privacy laws, means U.S. Wi-Fi owners can opt-out, too.
COURT RECORDS
PACER Fees to Increase by 25%
U.S. courts plan to raise fees for accessing public court records by 25%, from 8 cents per page to 10 cents per page.
PACER, the website containing U.S. judicial records, is quite lucrative for the courts. With the new price hike, the first since 2005, PACER revenues are expected to exceed $100 million annually, according to Ars Technica.
But what the courts are doing with that money may be illegal, according to an open-government expert at Princeton University.
Harlan Yu found that PACER revenue has been diverted for projects unrelated to PACER. He cited the 2002 law authorizing the PACER fees, which states that those fees may be charged “only to the extent necessary” to cover the costs of providing public access, he told Ars.
In one example, PACER fees paid for a courtroom renovation that included a flat screen monitor for every juror and the latest audio technology.
Yu called the PACER fee hike “unreasonable” with private-sector IT costs dropping, Ars said. Instead, he suggested that the courts should “rethink how PACER is built.”
Currently, there are about 200 separate PACER websites, each serving a different judicial district. Consolidating those 200 servers into a single website hosted from a modern data center would improve the user experience and dramatically reduce IT costs, Ars noted.
Yu argued that the very concept of charging for copies of public records is misguided. He suggested that instead of raising fees to fund the development of a more elaborate PACER site, the courts should publish their raw data and allow private parties, such as Google or the Internet Archive, to build websites using that data. END
WEB SECURITY
Researchers Harvest E-Mails from Fortune 500 Firms
By misspelling words, two security researchers were able to harvest a treasure trove of confidential e-mails, including trade secrets, names, and passwords, from Fortune 500 companies.
According to Security News, Peter Kim and Garrett Gee from the information security think tank Godai Group intercepted 20 gigabytes of sensitive data by setting up “doppelganger domains” – web domain names that look the same as those of legitimate organizations except they are misspelled.
This method of spoofing a real website to harness and intercept traffic is called “typosquatting.”
Kim and Gee spent six months on the project, and the results were shocking: They intercepted more than 120,000 individual e-mails from 30 Fortune 500 companies and found that 151 companies are vulnerable to such attacks, Wired reported.
Fake domain names could include a preface, such as “e-mail,” before the actual website name, or involve the change of only a period separating a subdomain name from a primary domain name. An example is seibm.com instead of the actual se.ibm.com domain that IBM uses for its division in Sweden, according to Wired.
Within the 120,000 e-mails drawn to their fake domain names were details, including user names and passwords, for an international organization that manages roadway toll systems, and the “full configuration details for the external Cisco routers for a large IT consulting firm, along with passwords for accessing the devices,” Wired reported. Kim and Gee also accessed invoices, contracts, and credit card information from other organizations.
The variety of Fortune 500 companies found to be open to such attacks was surprising – gas and electric companies, pharmaceutical firms, chemical and computer software companies, and financial firms.
The Godai Group researchers included a chart that shows 15 current doppelganger domains already in use, including “Kscisco.com” for Cisco and “e-mailkohls.com” for Kohls. Some of the spoofed domain names, the researchers discovered, are already registered to IP addresses in China “and to domains associated with malware and phishing.”
Out of the 30 doppelganger domains they set up, Wired said only one organization noticed when the researchers registered the fake domain name, and only two senders out of the entire 120,000 e-mails said they had noticed the mistake.
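A defensive check for the pattern described above, as an added example that is not part of the original article or the Godai Group research: it builds a watchlist of doppelganger domains from an organization's own subdomains and flags outbound mail addressed to them. The inventory, the log format, and every domain name are constructed for illustration; `example.com` stands in for the organization's domain.

```python
import re

# Assumed inventory (constructed): registrable domain -> subdomains that receive mail.
INVENTORY = {"example.com": ["se", "ks", "mail.eu"]}
# "e-mail" is the prefix the article mentions; the other two are assumed variants.
FUSED_PREFIXES = ("e-mail", "email", "mail")

# Constructed outbound-mail log lines in a made-up format.
SAMPLE_LOG = [
    "2012-01-10T09:14:02Z from=<alice@example.com> to=<bob@se.example.com> status=sent",
    "2012-01-10T09:15:40Z from=<alice@example.com> to=<bob@seexample.com> status=sent",
    "2012-01-10T09:17:11Z from=<carol@example.com> to=<noc@KSexample.com.> status=sent",
    "2012-01-10T09:20:05Z from=<dave@example.com> to=<ops@mail.euexample.com> status=sent",
    "2012-01-10T09:21:30Z from=<erin@example.com> to=<help@e-mailexample.com> status=deferred",
    "2012-01-10T09:22:00Z from=<erin@example.com> to=<sales@partner.example.net> status=sent",
]

LINE_RE = re.compile(r"from=<([^>]*)>\s+to=<([^>@\s]+)@([^>\s]+)>")


def build_watchlist(inventory, prefixes=FUSED_PREFIXES):
    """Map each doppelganger registrable domain to the host the sender meant."""
    watch = {}
    for domain, subdomains in inventory.items():
        for sub in subdomains:
            # Omitting the dot in front of the registrable domain fuses the
            # last subdomain label onto it: se.example.com -> seexample.com.
            last_label = sub.rsplit(".", 1)[-1]
            watch[last_label + domain] = f"{sub}.{domain}"
        for prefix in prefixes:
            # A word typed straight onto the name: e-mailexample.com.
            watch.setdefault(prefix + domain, domain)
    return watch


def normalise(domain):
    """Lower-case and drop a trailing root dot so comparisons are exact."""
    return domain.strip().rstrip(".").lower()


def match_watch(domain, watch):
    """Return (watched_domain, intended_host) if domain is, or sits under,
    a watched doppelganger domain; otherwise None."""
    labels = normalise(domain).split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in watch:
            return candidate, watch[candidate]
    return None


def scan_log(lines, watch):
    """Return one finding per log line whose recipient domain is on the watchlist."""
    findings = []
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # not a delivery line in the constructed format
        sender, local_part, rcpt_domain = m.groups()
        hit = match_watch(rcpt_domain, watch)
        if hit:
            findings.append({
                "sender": sender,
                "recipient": f"{local_part}@{normalise(rcpt_domain)}",
                "doppelganger": hit[0],
                "intended": hit[1],
            })
    return findings


if __name__ == "__main__":
    watchlist = build_watchlist(INVENTORY)
    for f in scan_log(SAMPLE_LOG, watchlist):
        print(f"{f['sender']} -> {f['recipient']} (meant {f['intended']})")
```

The same watchlist can drive a rule that holds or rejects such messages at the outbound gateway, and it doubles as the list of names to register defensively.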
GOVERNMENT RECORDS
White House Appeals Ruling on Visitor Logs
The Obama administration is appealing a judge’s ruling that Secret Service records of White House visitors are subject to disclosure under the Freedom of Information Act (FOIA).
U.S. District Judge Beryl A. Howell ruled in August that the administration now must release all records of all visitors or explain why White House visits should be kept secret under law.
The lawsuit stemmed from attempts by conservative group Judicial Watch to view the Workers Visitors Entry System records before September 15, 2009. The White House had decided to voluntarily release the names of most White House visitors after that date, but not before.
The Obama administration had argued that the records are presidential records, not “agency” records, and so are protected from release under FOIA. That is the same position taken by the George W. Bush Justice Department.
However, Howell disagreed. While the judge did not rule that every White House visit had to be disclosed, she did conclude all the data had to be made public unless the government asserted a specific exemption from FOIA, such as provisions protecting national security and privacy, according to Politico.com.
SOCIAL MEDIA
Navy Official: ‘Snapshots’ Not Good Archiving Plan
“Snapshots” of social media content are not sufficient records, according to the director of records at the Department of the Navy, Charley Barth.
Federal agencies that are simply capturing an image of social media content hosted by third parties don’t have a sufficient archiving strategy, said Barth.
Since October 2010, the National Archives and Records Administration (NARA) has stipulated that social media records should be archived, including those hosted by third parties. That means agency content on Twitter, Facebook, or YouTube is a record if the platforms add value beyond what is available on government-hosted communications. That content also requires a records schedule, according to NARA.
According to Fiercegovernment.com, Barth leads the Federal Records Council’s social media subgroup, which submitted a whitepaper recommending the following Gov. 2.0 archiving policies to NARA. The recommendations advised agencies to:
- Copy and paste social media record content into a Microsoft Word document and in a .pdf format and save it to a records management application (RMA)
- Copy and paste social media record content into a Word document and in a .pdf format and save it to a share drive, hard drive, or something other than the RMA
- Use a really simple syndication (RSS) feed to collect information into an RSS aggregator, such as Google Reader
- Use an RSS feed to pull information into an e-mail account and save the record in an RMA
- Use one of several commercial social media archiving tools embedded within the social media site or sold commercially
According to Barth, a social media archiving tool can be embedded into the social media platform if its use is negotiated into the terms of service agreement entered into when opening an account. In addition, Fiercegovernment.com noted that agencies can ask organizations, such as Facebook and Twitter, to accommodate their records management needs rather than just scrolling through fine print and clicking “I accept.”
Embedded archiving tools may also make it easier to capture the full context of communications, Barth noted. In its research, the subgroup found that public-generated content in a government forum can be as important as government-generated content, Fiercegovernment.com said.
According to Barth, some agencies are simply using third-party hosted social media tools to re-post information that is already available elsewhere on the agency’s site. But other agencies are posting original content from high-level officials, according to Fiercegovernment.com.
HEALTH RECORDS
Alabama: Records Sold to Highest Bidder
In Florence, Ala., $1,000 bought the contents of a delinquent storage unit belonging to a defunct medical imaging business. The contents included 20 boxes of personal medical records, complete with Social Security numbers, addresses, insurance information, and driver’s license details.
When Digital Diagnostic Imaging closed its doors, a company official was tasked with securing customer records. However, the bill to store the records at Climate Guard Self Storage went unpaid and so its contents were auctioned.
Bobby Roberts bid $1,000, thinking he would win medical equipment. When he realized what was auctioned, he contacted officials of the former diagnostics business, who said they would pick up the records and secure them.
According to Larry Dixon, executive director of the state board of medical examiners, when a company is closing, patients should have the chance to pick up their records, if they so choose.
STUDY
Data Breaches Ding Reputation, Brand
Organizations that experience a data breach spend a year or more restoring their reputation after the incident, according to a new Ponemon Institute study.
The survey of 843 executives found that an organization’s brand value fell 17% to 31% after a breach depending on the type of information lost. Organizations polled estimated the economic value of their brand to be anywhere from $1 million to greater than $10 billion, with an average of $1.5 billion.
Eighty-two percent of respondents said their organization had experienced a breach involving sensitive or confidential information.
Depending on what type of data is stolen, on average, organizations lost from $184 million to more than $330 million in the value of their brand, according to the survey, sponsored by Experian Data Breach Resolution.
More than 53% of respondents said the exposures had a “moderate” impact on their organization’s reputation and brand image, while 23% called it “significant,” according to the study.
An organization’s reputation and brand image is one of its most valuable assets, the Ponemon Institute said.
Respondents estimated a data breach that involves the loss of more than 100,000 confidential employee records and is widely reported by the media would likely result in a 12% decrease in brand value, on average. Meanwhile, the study found that the loss or theft of a small number of sensitive files containing trade secrets, new product designs, or source code would likely lower brand worth by about 18%.
ARCHIVES
Ex-NARA Official Sold Recordings on eBay
A former National Archives and Records Administration (NARA) official who guarded some of the nation’s most valuable historical records for four decades might have to spend a decade in prison for stealing hundreds of recordings and selling them online.
Leslie Charles Waffen, who had served as a top NARA official, has pleaded guilty to charges he sold stolen sound recordings on eBay. He will be sentenced in March.
According to ABC News, investigators uncovered Waffen’s “eight-year scheme” in September when he sold a 1937 tape of New York Yankees legend Babe Ruth on eBay for $34.74 under the name “hi-fi_gal.” Federal agents, tipped off to the sale, obtained the tape and traced it back to his work at NARA in College Park, Maryland. Over the next few weeks, they caught him selling other items belonging to NARA on eBay.
Agents raided Waffen’s home in October, seizing a moving truck full of boxes that held 6,153 recordings. As part of the plea deal, Waffen has agreed to forfeit at least 955 of the recordings and will reimburse the federal government for the “full amount of the loss,” ABC News reported. NARA has hired appraisers to determine the value of the items Waffen sold.
Until last summer, Waffen had spent five years as chief of NARA’s Motion Picture, Sounds and Video Recording Branch. According to The New York Times, this office holds sound and video recordings of John F. Kennedy’s assassination, including the famed “Zapruder film.”
Theft of historical records is a major problem for NARA, which sends investigators to flea markets and antique sales to recover stolen material. In another recent theft case, Barry Landau and associate Jason Savedoff, “accused of conspiring to steal irreplaceable historic documents to sell them for profit,” are awaiting federal trial in Baltimore, according to The Wall Street Journal.
Interestingly, The Journal noted, in Landau’s apartment, investigators found jackets with extra-deep pockets specifically tailored for stashing documents.
OPEN RECORDS
9/11 Commission Records Still Sealed at the Archives
A decade after al Qaeda’s attacks on the United States, the 9/11 Commission’s records remain sealed at the National Archives and Records Administration (NARA), despite a directive from the commission to make most of the material public in 2009.
Matt Fulgham, assistant director of NARA’s center for legislative affairs, which oversees the commission documents, told Reuters that more than a third of the 575 cubic feet of records have been reviewed for possible release. But many of those documents have been withheld or heavily redacted, and the released material includes documents that have already been made public, such as news articles.
The National Commission on Terrorist Attacks Upon the United States was established by Congress in late 2002 to investigate the events leading up to the 9/11 attacks, the pre-attack effectiveness of intelligence agencies and the Federal Bureau of Investigation, and the government’s emergency response.
According to Reuters, documents still classified include a 30-page summary of an April 2004 interview by all 10 commissioners with President George W. Bush and Vice President Dick Cheney that was conducted in the Oval Office – the only time the two were formally questioned about events surrounding the attacks.
Other sealed records document actions taken by Bush on the day of the attacks, as well as the Clinton White House’s earlier responses to growing threats from al Qaeda. The material also includes vast amounts of information on al Qaeda and U.S. intelligence efforts in the years preceding the attacks, Reuters said.
Shortly before the commission ceased to exist, it turned over all its records to NARA. In a letter dated August 20, 2004, the commission’s chairman and vice chairman instructed NARA to make the material public “to the greatest extent possible” on January 2, 2009, “or as soon thereafter as possible.”
Commission Chairman Thomas Kean told Reuters he saw no justification for withholding most of the unreleased material. The commissioners had agreed on a January 2, 2009, date for release so the material would not come out until after the 2008 elections, he said.
Several former commission staff members said that because there is no comprehensive effort to unseal the remaining material, parts of the records the commission had wanted to be released by now will remain sealed indefinitely.
Fulgham told Reuters that in preparation for the 2009 deadline, NARA assigned additional employees for months to help prepare disclosure of an initial batch of records. But since then, the effort has halted, in part because of a shortage of personnel and the difficulty of dealing with classified material, Reuters reported.
One big problem, he said, is that about two-thirds of the material is still classified by the agencies that gave it to the commission.
In a 2004 letter, the commission had asked NARA to submit all classified material to the agencies that created the documents to review them for declassification. But Fulgham said NARA has not done so.
According to Reuters, commission records held by NARA are exempt from the Freedom of Information Act (FOIA) because the commission was established by Congress and the legislative branch records are exempt from FOIA. Some of the material now public is posted on NARA’s website, but Wilhelm said most of the released material can be viewed only at the archives’ headquarters.
From January - February 2012