News, trends, and analysis from the leading records management and information governance experts, ARMA International.
Organizations Must Manage New Risks
Traditional risk management can’t keep up with the risks of cyberspace, according to the Information Security Forum (ISF), the global authority on information security and information risk management, in its recent report “Threat Horizon 2014: Managing Risks When Threats Collide.”
“To take advantage of technology and cyberspace, organizations must manage new risks beyond those traditionally covered by the information security function, including attacks on reputation and all manner of technology,” the report stated.
The report identified three major categories of threats to today’s organizations:
- External threats, such as cybercrime
- Regulatory threats that result from regulators’ demands for more transparency and protection of data privacy
- Internal threats created by implementing new technologies without a clear understanding of the related security risks
While any of these threats is significant by itself, they pose even greater risk when combined.
Online Bank Theft Moves to Next Level
McAfee and Guardian Analytics uncovered early this year a “highly sophisticated, global financial services fraud campaign” that is believed to have attempted to steal an estimated $78 million to $2 billion. The targeted financial institutions included credit unions, large global banks, and regional banks in the European Union, Latin America, and the United States.
What makes these attacks different is that they don’t require live (manual) intervention. “With no human participation required, each attack moves quickly and scales neatly,” explain McAfee’s Dave Marcus and Guardian Analytics’ Ryan Sherstobitoff, authors of the research report “Dissecting Operation High Roller.”
A bank in Italy was the victim of the first series of attacks. The attackers used Zeus and SpyEye malware to transfer funds to a “personal mule” account or pre-paid credit card, allowing the thief to quickly access and move the funds anonymously. (Zeus and SpyEye are malware that control a computer and its applications. They inject code to alter browser-based forms and collect passwords, logins, and other account information that is then transmitted to the attacker.)
The malware code looked for the victim’s highest value account, looked at the balance, and transferred either a fixed percentage or a relatively small fixed amount to a prepaid debit card or bank account. Within 60 seconds, the funds were transferred out of the mule account.
Once the research team knew what to look for, it found evidence that other banks in Europe, Latin America (Colombia), and, eventually, the United States had been hit. In March 2012, with a clearer picture of the scope of the fraud, the team reported to law enforcement the location of the servers being used by the attackers in the United States.
McAfee and Guardian Analytics advise financial institutions, consumers, and corporations to “reexamine their security controls and assumptions.” They stressed in the report that:
- Many regional banks and credit unions are exposed because they lack anomaly detection software.
- Enterprises must increase their security controls and educate users about social engineering and phishing attacks.
- Although consumers are not the primary targets, they should strengthen and maintain the controls on their end and be alert to unexpected changes when performing online banking transactions.
EHRs Linked to Lower Malpractice
A new study by Harvard researchers suggests that doctors who keep electronic health records (EHRs) have fewer
The scientists’ findings were summarized in a research letter published in the June 25 issue of Archives of Internal Medicine. The findings were based on surveys of 275 physicians in 2005 and 2007. By looking at the physicians’ use of EHRs and the number of malpractice suits filed against them, the study determined that the rate of claims when EHRs were used was about one-sixth the rate when EHRs were not used.
The researchers noted that since EHRs improve documentation, make patient visits more efficient, reduce medication errors, and generally make it easier for healthcare practitioners to track and manage their patients, it’s only logical that this would lead to lower malpractice claims or, at least, make them easier to defend.
Of course, unmeasured factors may also contribute to the reduction in malpractice claims attributed to EHRs. “[P]hysicians who were early adopters of EHRs may exhibit practice patterns that make them less likely to have malpractice claims, independent of EHR adoption,” wrote the researchers.
To encourage investment in EHR systems, the government offered some serious incentives. Eligible professionals can receive up to $44,000 over five years under the Medicare EHR Incentive Program and even more if they provide services in a health professional shortage area. Professionals who participate in the Medicaid EHR Incentive Program (which is voluntarily offered by individual states and territories) can receive up to $63,750 over six years. Hospital payments are based on numerous factors, but they begin with a $2 million base payment.
Hospitals had to begin their 90-day reporting period “to demonstrate meaningful use” of EHR by July 3 for the Medicare program. October 3 is the deadline for eligible professionals.
Canadian Pharmaceutical Legislation Ignites Privacy Fears
Earlier this year, British Columbia’s (BC) Minister of Health Michael de Jong introduced the Pharmaceutical Services Act (Bill 35) intended to lower the price of generic drugs. But, the bill would also allow researchers to access personal health information stored by the provincial government, which has prompted privacy advocates, including BC Privacy Commissioner Elizabeth Denham, to voice their concerns.
“I have concerns about the reduced transparency of government’s decision-making and the infringement of personal privacy that will result from this bill,” said Denham in a letter to de Jong.
Further, according to a May 2 article in The Vancouver Sun, she is concerned about the bill granting the health minister the unrestricted right to disclose personal healthcare information – a concern echoed by Vincent Gogolek, executive director of the B.C. Freedom of Information and Privacy Association. “What were sound protections are now being eroded,” Gogolek asserted in an interview with the newspaper.
The Sun article postulates that it was in anticipation of the bill’s introduction that former health minister and current member of the Legislative Assembly Colin Hansen wrote an opinion piece for the paper in March that advocated the benefits of allowing medical researchers access to the data.
According to the May article, Hansen has cited as an example a recent University of British Columbia research study of almost 1 million school children’s prescription records during an 11-month period. The study revealed that the younger students in a class are much more likely than the older ones to be diagnosed with attention deficit and hyperactivity disorders, suggesting that doctors are, according to the article, “medicalizing a normal range of childhood behavior.”
Hansen contends there are sufficient safeguards in place to ensure anonymity of the records and prevent their wider release. Gogolek advocates giving individuals the right to specify that their records not be released, even anonymously.
Snooping on Staff Social Media Use on Rise
Gartner’s recently published “Business Gets Social” report projects that by 2015, 60% of organizations will be watching their workers’ social media use for security breaches – compared to less than 10% who do so today.
New technologies and services have made it easier for organizations to monitor this activity, but there’s increasing concern about the ethics of doing so and the potential for it to infringe on employee privacy.
As Gartner acknowledged in its report, “There are … times when accessing the information can generate serious liabilities, such as a manager reviewing an employee’s Facebook profile to determine the employee’s religion or sexual orientation, in violation of equal employment opportunity and privacy regulations. The problem lies in the ability of surveillance tools and methods to produce large volumes of irrelevant information.”
BYOD Security Risks on the Rise
The jury is still out on whether bring your own device (BYOD) is a blessing or a curse for organizations today.
A survey of 600 IT and business leaders sponsored by Cisco earlier this year found that 95% of the organizations allow employees to use their own personal devices on the corporate network. One of the biggest challenges to organizations is supporting those devices. Thirty-six percent of the organizations surveyed support all BYOD devices, and 48% support some devices. The remaining 11% don’t offer IT support for personal devices.
Many organizations feel that BYOD is a positive because employees are happier and tend to be more productive when working with their own devices. Ensuring they remain productive is the reason so many IT organizations are supporting personal devices.
Another large challenge for organizations with a BYOD policy is dealing with the associated security risks. According to the Cisco survey results, 69% of BYOD users were using unapproved applications on their devices, which is difficult to detect. The recent staggering increase in Android malware magnifies this problem.
Trend Micro’s TrendLabs reported 5,000 new malicious Android apps were found in the first quarter of 2012; that doubled to 10,000 new apps detected in just one month during the second quarter. The most common type of malicious application is disguised as a highly popular legitimate app. For example, Trend Micro reported, Google’s application market, Google Play, was breached with 17 malicious applications, which were downloaded 700,000 times before Google discovered and removed them.
“The growth in Android malware demonstrates sustained and focused criminal interest in the mobile platform and particularly in the Android operating system,” said Rik Ferguson, director of security research and communications at Trend Micro.
“Criminals have always followed user behavior and they continue to do so. As we move steadily to the mobile web, mobile devices offer new avenues for criminal revenue generation alongside the continuation of the old. Consumers need to use care when downloading and installing apps and should be considering installing antimalware on their mobile devices.”
These challenges are going to continue to plague users and IT organizations, especially when there are expected to be 19 billion network-connected devices – including smart phones, notebooks, tablets, and other gadgets – by 2016, according to Cisco Systems’ annual “Visual Networking Index Forecast” released in June.
‘Internet of Things’ Sparks Privacy Concerns
There are more “things” connected to the Internet today than there are people. According to an April European Commission (EC) press release, the average person has at least two objects connected to the Internet, and by 2015, that number is expected to grow to seven for a total of 25 billion wirelessly connected devices globally. This has some experts contending that the world is entering the age of the “Internet of Things.”
This means that protecting data is no longer an issue associated only with computers; according to the press release, it extends to “everyday objects, such as phones, cars, household appliances, clothes, and even food” that are “connected to the Internet through smart chips, and can collect and share data.”
That concern was made clear in the early results of a public consultation recently undertaken by the EC that is due to be completed this summer. The consultation could be the first step toward regulation.
According to Ryan Heath, spokesperson for the commission’s Digital Agenda, in an interview with German International broadcaster DW.de, it could take up to three years for a legislative proposal to emerge from dialogue between the European Parliament and European Union member states. The trick is to protect privacy without strangling innovation from the bottom up, added Martin Spindler, a strategy consultant based in Berlin.
In the United States, the U.S. Senate passed this spring S. 1813: MAP-21, a bill that would require yet another “thing” to capture data; it mandates all vehicles to have an event data recorder, or “black box,” installed as of 2015. The House is considering similar legislation, HR 14: MAP-21.
The black box would record a standard set of data, such as direction of acceleration and time of airbag deployment, in a standardized format. What data is to be captured, what it can be used for, who owns the data, and who can legally access it are all still in need of answers and are being heatedly debated in Congress, according to a May 15 article on Edmunds insideline.com. The fear expressed by many is that the data could be accessed by the government, making it easier to monitor its people in a “Big Brother” scenario.
The Edmunds article says the Senate version specifies that the data is owned and can be accessed only by the vehicle owner, except by court order and by emergency medical personnel responding to a crash.
European Commission Refers Hungary to Top EU Court
The European Commission (EC) took issue with some of the reforms recently made by Hungary’s president. One of the legislative changes of particular concern would give the government the ability to fire the head of the country’s data protection agency at any time and effective immediately.
The EC questioned whether this was a violation of European Union (EU) law and referred it to the EU’s highest court in a dispute over government reforms. According to an article by German International broadcaster DW.de, the EC says the laws infringe on the independence of the judiciary and data protection agency. If the court agrees, the EC will require Hungary to change the law accordingly.
FTC Sues Wyndham Hotels for Data Security Failures
Over the course of two years, hotel operator Wyndham Worldwide experienced three network data breaches, which ultimately led to $10.6 million in fraudulent credit card charges on consumers’ accounts and the export of 600,000 account records to a domain registered in Russia.
Three occurrences in two years was a clear indication to the U.S. Federal Trade Commission (FTC) that Wyndham Worldwide and three of its subsidiaries had failed to employ appropriate information security practices. In June, the FTC filed a lawsuit against Wyndham alleging the hotel chain failed to “maintain reasonable and appropriate data security for consumers’ sensitive personal information.”
In the filing, the FTC’s allegations included that Wyndham:
- Failed to use readily available security measures to limit access to the network
- Allowed software at the hotels to be configured so as to store payment card information unencrypted
- Failed to ensure all hotels implemented adequate information security policies and procedures
- Failed to remedy known security vulnerabilities on network servers
- Failed to employ adequate password requirements and protection
- Failed to follow proper incident response procedures
How an organization responds to a breach is critical, said Mike Reagan, chief marketing officer at LogRhythm, in a CIO Today interview. Reagan said the key question for executives is, “When a breach does happen, and know it will, how prepared are we to detect it and respond rapidly to minimize the damage?
“It’s unfortunate that the stick of the FTC is required to force the change in mindset and action for some organizations,” continued Reagan. “But for others, they’re recognizing the importance of this strategic imperative and are taking the right steps to increase their visibility and response capabilities to minimize loss and protect their customers and businesses.”
Security Spending on the Increase
Small and medium-sized businesses (SMBs) globally are forecasted to increase their spending on security products and services 10% annually through 2016. Spending is currently more than $19 billion a year. Cloud security services, which account for 17% of that spending, are projected to increase to 24% by 2016.
These findings, from the recent study by Access Markets International (AMI) Partners Inc. and published in the 2012 Global SMB Security Market Assessment, seem to prove that security is a growing concern for all organizations with fewer than 1,000 employees.
The key drivers behind this intensifying concern and for the adoption of cloud-based security services in particular, according to AMI-Partners, are:
- Proliferation of mobile devices, including personal devices used for business in a “bring your own device” (BYOD) scenario, which significantly heightens security risk exposure and is becoming unmanageable
- Use of devices by employees to access and disseminate organization data in the same way they do in their private lives – through a variety of social media
- Keeping tabs on security for all these devices, which is a major challenge for information and communications technology (ICT) management teams
- Weak prevailing economic conditions and capital expenditure restraints that mean the cloud payment model offers a better way of procuring sophisticated ICT solutions and keeping them up-to-date
Those best positioned to take advantage of the cloud-related growth, according to AMI Partners, are hosters.
In fact, according to the AMI study, nearly a third of SMBs said they would quickly switch their cloud service provider if desired service levels are not met.
Hosters are especially well positioned in the fast-growing U.S. cloud services market, noted AMI’s report. Investments in cloud services (e.g., software-as-a-service, web hosting, and remotely managed IT services) in the United States are expected to hit $34 billion in 2012, of which 46% will flow through hosters.
Worst Data Breaches of 2012
As of July 3, the Identity Theft Resource Center (ITRC) reported it had tracked 213 U.S. data breaches in 2012, exposing about 8.5 million records. The key targets among the exposed records were payment cards and data related to customers, university students, and patients.
Among the top 15 breaches this year:
- The New York State Electric & Gas Co. located in Rochester, N.Y., suffered a breach that exposed 1.8 million files that contained customer Social Security numbers, dates of birth, and bank account numbers. The breach was caused by a contractor’s unauthorized access.
- Utah Department of Technology Services located in Salt Lake City, Utah, exposed 780,000 patient files related to Medicaid claims when the information was stolen from a server by hackers operating out of Europe.
- Emory Healthcare located in Georgia had 315,000 patient records exposed after the information stored on 10 computer disks went missing from a storage facility. A class action lawsuit could cost the hospital $200 million.
- South Carolina Department of Health and Human Services experienced a breach when a former employee was arrested for transferring medical information via e-mail, exposing 228,435 records.
In the absence of national requirements for breach reporting, the situation is getting worse, the ITRC said. On a positive note, the ITRC noted that:
- 96 breaches (45.1%) reported in the first half of 2012 included the exposure of Social Security Numbers, which is a significant drop from the 64.5% of the breaches that included that information during the first half of 2011.
- 41 breaches (19.2%) involved credit or debit cards, dropping considerably from the 34.6% of the breaches involving credit or debit cards in the same time period during 2011.
Australia Launches E-Health Records
Despite the recommendation to delay from the National E-Health Transition Authority (NEHTA), Australia launched its Personally Controlled Electronic Health Record Project platform on July 1. The NEHTA warned that the system, which includes a consumer portal where people can compile their own medical information, was unstable with 60 high-severity and critical bugs, according to a July 24 article in The Australian.
Indeed, according to The Australian, the system was offline and unavailable for consumers for three days in its first week of public operation. While a spokesperson said the system was taken down intentionally to test its performance, other sources said the system had crashed.
Enrollment in the system has been slow – just 320 had registered in the first five days of operation, according to a July 9 article in The Sydney Morning Herald. While several of that article’s readers commented on the difficulty of registering, others have expressed concerns about the privacy of their personal information. During its development, the system was hacked, and the breach was not detected for several months, according to The Australian.
The system will be regulated against future privacy breaches by the privacy commissioner and the Office of the Australian Information Commissioner (OAIC), according to a July 2 article from Computerworld. Both the OAIC and the privacy commissioner have recommended amending the country’s privacy act to allow the OAIC to consider civil penalty provisions.
Compliance Departments’ Role Expanding
More regulation means more demand for compliance and on the compliance department. According to speakers at the Compliance Week 2012 conference in June, organizations are finally realizing the value of their data. Consequently protecting that data properly is becoming a significant element of their business strategy.
To whom will the chief executive officer (CEO) and board of directors turn to ensure this is happening? Not surprisingly, the compliance officer.
According to PricewaterhouseCoopers LLP (PWC) and Compliance Week’s “State of Compliance 2012” report, the “role of the compliance department is evolving into something akin to a primary care doctor: the physician who sets broad goals of health, monitors overall vital signs, and – most importantly – coordinates more specific medical needs with the specialists. Likewise, the chief compliance officer steers the corporation’s efforts to manage compliance and other organizational risks, while ultimate responsibility for those tasks still resides (or at least, should reside) with the business units that have the resources and expertise to respond.”
The obstacles to compliance becoming a proactive, fully integrated function are fragmented IT systems, tight budgets, shifting and growing regulatory requirements, and the challenge of proving the compliance program’s effectiveness, according to the PWC report.
One purpose of the annual survey, which was conducted in early 2012 and directed to senior-level compliance officers at U.S. corporations with annual revenue of $1 billion or more, is to learn what types of issues are dominating the compliance department’s time. This year the survey found the compliance department is now involved to some degree in “virtually every risk or regulatory issue – anti-trust, anti-corruption, ethics, import-export, supply chain, social media, codes of conduct, and many more.” Hence the primary physician metaphor: the compliance officer is working with IT, legal, internal audit, finance, and other specialists to provide guidance on risk and regulatory issues.
As a result, compliance departments also reported increased budgets and staff. Last year, 31% of respondents had budgets of less than $1 million; this year it dropped to 20%. The percentage with budgets of $3 million to $10 million increased from 14% to 21% this year. More than half (57%) of respondents said their department grew at least modestly in the last year. Only one-third reported no change in staffing levels.
This year’s report also found that reporting relationships “are moving toward the ideal of an independent chief compliance officer who answers to the board.” About one-third (32%) report formally to the audit committee; about the same percentage (33%) report formally to the general counsel; 20% report to the CEO.
“This falls in line with the U.S. Sentencing Guidelines’ revisions from 2010, which favor an independent compliance function that preferably reports to the audit committee and board,” noted the researchers. “In addition, corporate integrity agreements or other enforcement orders often stipulate that the CCO [chief compliance officer] must report to the board or the CEO.”
Dead Heads Rejoice
The University of California-Santa Cruz opened the Grateful Dead Archive to the public in June. The scholarly archive comprises the band’s collection, which was donated to the university four years ago.
An article in SFGate reported that the Dead collection consisted of “600 linear feet of office papers and the conference table the musicians sat at while shuffling those papers.” The collection has continued to grow.
Nicholas Meriwether, the counterculture historian hired specifically for this collection, told SFGate he doesn’t know how many items are in the collection and probably won’t know for years. Thousands of items have been cataloged; Meriwether chose 250 of those items, including concert posters, photos, and a letter from Jerry Garcia, for the exhibit.
Information Leaks When Employees Leave Organizations
What happens to your information assets when an employee leaves your organization? Is there a chance that the data could be leaving the organization along with the employee?
A 2012 study by Vontu Inc. and Ponemon Institute found that nearly 60% of employees steal organization information when they leave or are fired. Of those, 67% admit to taking the information to a new employer. Even more startling is the reported statistic that only 15% of the employers in the study performed any sort of review of digital or paper documents that the employees were taking.
“Organizations must become more aware of the source of information loss, and then they can adopt best practices to address the issue,” said Joseph Ansanelli, chief executive officer of Vontu. “We believe that companies need to focus on not only preventing customer information loss, but also on the loss of other confidential information such as source code, intellectual property, merger and acquisition information, design documents, network diagrams, and marketing documents.”
The survey reports that of the top data security breaches:
- 39% involved confidential business information
- 27% involved personal information about customers
- 14% involved intellectual property, including software source code
- 10% involved personal information about employees
Information protection takes many forms – some directed toward ensuring that only authorized employees have access to particular types of information; others toward the protection of physical assets and storage locations, such as server rooms; and others toward preventing the leakage of information.
In addition to information being pilfered by departing employees, it can be leaked through e-mail transmissions or even through employees’ “sharing” on social networking sites.
Information governance professionals can take a number of steps to address any of these situations. Some actions are self-evident, such as restricting access to physical file server rooms and databases and establishing security authorizations so only authorized individuals can access sensitive information.
According to the Generally Accepted Recordkeeping Principles® (www.arma.org) published by ARMA International, organizations also should:
- Establish clear-cut policies regarding the acceptable use of organization information. These policies should establish corporate expectations for how employees use social networking sites and, generally, how company assets are managed.
- Establish procedures for appropriate information sharing outside the organization. Sometimes, it is appropriate for corporate information to be shared with external parties, such as regulators, a judicial court or party to a lawsuit, a citizen exercising freedom of information rights, a third-party storage vendor, or potential business partners. In any of these cases, a procedure should be established to outline the parameters of acceptable use to protect the organization’s ownership of the intellectual capital.
- Use technology to protect information whenever possible. Put into place data loss protection controls to prevent sensitive information from being e-mailed externally or to alert IT if a significant volume of information is being transmitted outside the organization. Use controls to limit unwarranted access to company information, even by current employees. Use passwords, file encryption, and specialized software that can remotely control mobile devices if they fall into the wrong hands.
- Establish and implement an employee exit process that addresses use of information. Terminate access to the organization’s network immediately. Change passwords on organization assets and with any third-party vendors that the employee may have access to. Retrieve organization-issued devices prior to the employee’s departure. If the situation is very serious, a forensics expert can be called in to investigate.
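The third recommendation above calls for a control that alerts IT when a significant volume of information leaves the organization, and the fourth singles out departing employees. The following is an added example (not part of the Generally Accepted Recordkeeping Principles or any ARMA material) that implements that alert over a mail-gateway log: it sums the bytes each sender mails to external domains within a sliding one-hour window and raises one alert per sender when the total crosses a threshold, with a lower threshold for employees on an exit list. The log format, the internal domain, the sample log lines, and the thresholds are constructed assumptions, not a real gateway’s output.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumption: the organization's own mail domain(s); any other domain is "outside".
INTERNAL_DOMAINS = {"example.com"}

# Assumed (constructed) gateway log format: one delivered message per line.
LOG_RE = re.compile(r"^(?P<ts>\S+) from=(?P<sender>\S+) to=(?P<rcpt>\S+) bytes=(?P<size>\d+)$")

MB = 1024 * 1024

# Constructed sample log, not a real capture.
SAMPLE_LOG = """\
2012-06-14T09:00:00 from=alice@example.com to=pat@example.com bytes=524288
2012-06-14T09:05:00 from=alice@example.com to=vendor@partner.test bytes=2097152
2012-06-14T09:10:00 from=bob@example.com to=bob.home@webmail.test bytes=6291456
2012-06-14T09:12:00 from=bob@example.com to=bob.home@webmail.test bytes=6291456
2012-06-14T09:15:00 from=bob@example.com to=bob.home@webmail.test bytes=6291456
2012-06-14T09:20:00 from=carol@example.com to=press@news.test bytes=15728640
2012-06-14T11:40:00 from=carol@example.com to=press@news.test bytes=15728640
2012-06-14T13:00:00 from=dave@example.com to=d.smith@webmail.test bytes=8388608
2012-06-14T13:05:00 from=dave@example.com to=d.smith@webmail.test bytes=8388608
2012-06-14T13:10:00 from=dave@example.com to=d.smith@webmail.test bytes=8388608
2012-06-14T13:15:00 from=dave@example.com to=d.smith@webmail.test bytes=8388608
"""


def parse_log(text):
    """Parse log lines into sorted event dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "sender": m["sender"].lower(),
            "rcpt": m["rcpt"].lower(),
            "size": int(m["size"]),
        })
    events.sort(key=lambda e: e["ts"])
    return events


def is_external(address):
    return address.rsplit("@", 1)[-1] not in INTERNAL_DOMAINS


def outbound_alerts(events, window=timedelta(hours=1), threshold=25 * MB,
                    departing=frozenset(), departing_threshold=5 * MB):
    """Return one alert per sender whose external volume inside `window` first exceeds its limit."""
    recent = defaultdict(deque)  # sender -> (timestamp, size) pairs still inside the window
    totals = defaultdict(int)    # sender -> bytes currently inside the window
    alerts, alerted = [], set()
    for e in events:
        if not is_external(e["rcpt"]):
            continue                      # internal mail does not count as leaving the organization
        s = e["sender"]
        q = recent[s]
        q.append((e["ts"], e["size"]))
        totals[s] += e["size"]
        while q and e["ts"] - q[0][0] > window:
            totals[s] -= q.popleft()[1]   # drop messages that fell out of the window
        limit = departing_threshold if s in departing else threshold
        if s not in alerted and totals[s] > limit:
            alerted.add(s)
            alerts.append({"sender": s, "at": e["ts"], "bytes": totals[s],
                           "reason": "departing-employee threshold" if s in departing
                           else "volume threshold"})
    return alerts


if __name__ == "__main__":
    for a in outbound_alerts(parse_log(SAMPLE_LOG), departing={"bob@example.com"}):
        print(f"ALERT {a['at'].isoformat()} {a['sender']} {a['bytes'] // MB} MB ({a['reason']})")
```

In the constructed log, carol sends two large messages more than an hour apart and never trips the window, dave trips the general threshold on his fourth message, and bob, who is on the exit list, is flagged on his first message to a webmail address. A volume rule alone says nothing about content; it is the trigger for a human review, and a DLP control that inspects attachments complements it rather than replacing it.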
Smithsonian Embraces Social Media in a Big Way
If you think you have social media challenges, consider the challenges for the Smithsonian Institution, which has:
- 500 social media, social networking, and other Web 2.0 accounts
- 143 Facebook accounts
- 100 Twitter accounts
- 74 blogs
- 66 Flickr accounts
- 60 YouTube accounts
Each of these accounts, says the institute, focuses on a different audience and specializes in a unique topic. And each is considered to have historical value. So, of course, the Smithsonian preserves them.
“Preservation of any type of digital record is more complicated than paper preservation and requires more resources over time,” wrote Jennifer Wright, Smithsonian archivist and records manager, on “The Bigger Picture,” one of the organization’s 74 blogs. “Keeping this in mind, we closely look at the records to determine if we need to preserve them in their entirety. Our goal is to preserve enough data to satisfy the needs of future researchers while minimizing the amount of duplicate, extraneous, and less historically valuable data.”
Privacy is a major concern when appraising social media for preservation. “Personal information is everywhere in social media applications and we do our best to minimize the amount of that information that we capture and preserve,” Wright wrote. She added that the institute avoids capturing content outside the Smithsonian-administered account, but will include a name, profile photo, and other publicly displayed information for someone, say, who posts a comment to one of the Smithsonian sites.
“By capturing and preserving the Smithsonian’s social media presence, we are continuing to document the evolution of the Institution’s methods of sharing information and engaging new audiences,” Wright explained.
Europe Establishes Cybercrime Fighting Unit
Robert Mueller, director of the Federal Bureau of Investigation (FBI), predicts that cyber threat will eventually be the number one threat to the United States. The European Union (EU) may not consider it the number one threat right now, but it does see it as a major challenge.
A recent item on DW.de, the German International broadcaster, stated that Interpol, the international crime police organization, said cybercrime cases caused about €750 billion ($929 billion U.S.) damage in Europe every year. The EU estimates that 1 million of its citizens are victims of cybercrime every day. Not only is it taking a major financial toll, but it’s also taking a social one as citizens become leery of conducting business and socializing online.
Cybercrime has increased annually since the EU adopted its first guidelines on “attacks against information systems” in 2005. Disappointed by this trend, the EU Commission has decided to create a European Cybercrime Centre in The Hague.
The center, which will open in early 2013, will reportedly employ 55 investigators drawn from the commission and the member states and will be part of Europol, the EU’s criminal intelligence unit. It will provide EU-wide coordination; previously, cybercrime was fought by individual member states with widely varying levels of funding and personnel.
While the center is a step in the right direction, some individuals believe it is not enough. Internet expert and European Parliament Representative Jan Philipp Albrecht told DW.de, “Primarily we need training at police stations in the member states of the European Union. And personnel – not just centralized at The Hague, but everywhere in Europe.”
The European Network and Information Security Agency is reportedly working on a new Internet strategy for the EU Commission and routinely conducts Internet security drills in Europe in a joint effort with American authorities.
New Guidelines Issued for Using Cloud Services
In July, the European Union (EU) Article 29 Data Protection Working Party published guidance on the use of cloud computing throughout the EU.
The opinion, “Opinion 05/2012 on Cloud Computing,” acknowledges the economic and societal benefits of cloud computing, as well as the data protection risks it raises when deployed on a wide scale. Some of the key concerns raised by the Working Party include:
- Lack of transparency of an outsourcing chain consisting of multiple players
- Unavailability of a common global data portability framework
- Lack of transparency in terms of the information that can be provided to data subjects about how their personal data is processed
First and foremost, the Working Party advised in a July 1 press release, organizations that plan to use cloud computing should conduct a comprehensive and thorough risk analysis before doing so.
“All cloud providers offering services in the EEA [European Economic Area] should provide the cloud client with all the information necessary to rightly assess the pros and cons of adopting such a service,” the release stated. “Security, transparency and legal certainty for the clients should be key drivers behind the offer of cloud computing services.”
The guidance also addresses the data protection risks of cloud computing and the necessary legal framework.
About the same time the Article 29 Working Party published its opinion, Ireland’s Data Protection Commissioner, Billy Hawkes, introduced similar guidance. On the Data Protection Commissioner’s website, Hawkes stressed that organizations using cloud computing services need to ensure that their providers comply with data protection laws.
Ireland’s guidance focuses on two key data protection issues: the security of the data and its location. It requires a written contract with the cloud provider, and with any sub-processors, that addresses both issues. The contract must specify that the provider will process the data only on the instructions of the organization responsible for it, and it must give detailed assurances about security measures, including those needed to guarantee the security of personal data processed outside the EEA.
China Seeks More Control over Internet
Censorship, not cybersecurity, has prompted China to propose changes to its Internet law that would broaden the definition of “internet information service providers” to include online forums, blogs, and microblogs.
According to an article in the Morning Whistle.com, the “Methods for Governance of Internet Information’s Services” draft released by the Chinese government in June calls for microblog operators to cooperate with the government or face criminal punishment and lose their business licenses. The draft also calls for organizations that provide Internet information services to keep logs for 12 months and to provide technical assistance to the police and national security agencies.
Reuters reported that the document requires Internet information service providers who allow people to post to the Internet to ensure users are registered with their real identities. This would make it easier for the government to identify posters, thereby reducing anonymity. The draft was open for public comment until July 6, but no information was available at press time as to its outcome.
Africa Steps up Fight Against Cybercrime
African governments are becoming more aggressive in their efforts to improve cybersecurity. South Africa recently adopted a national cybersecurity policy framework that includes measures to review, update, and align related substantive and procedural laws.
Communications Deputy Minister Stella Ndabeni discussed the framework in a speech at the ITWeb Security Summit 2012 in June. Security agencies will be responsible for applying the framework under the provisions of the country’s Criminal Procedures Act.
According to SabinetLaw, Ndabeni said the solutions to the challenges facing the IT security industry include:
- Developing national best practices and guidelines
- Developing national partnership programs involving all stakeholders
- Establishing “trusted forums” for information sharing
- Developing a “cybersecurity curriculum”
- Raising cybersecurity awareness
- Encouraging the IT security industry to increase research and development of local security products
Meanwhile, Central Africa announced that it is tracking Internet hackers on a daily basis. At the recent Internet Governance Forum in Central Africa, the director general of the National Agency for Information and Communication Technology said the agency had assigned a team to monitor cyberspace every day in search of hackers.
The challenge, of course, is that the Internet has no boundaries, but governments do. Other countries in the Central African region must share the concern and the commitment to address the issue seriously.
E-crime consultant Albert Antwi-Bosiako recently told Voice of America that cybercrime – especially in the banking industry – is seriously harming West African states.
“There are merchants in Europe, retailers online and e-commerce platforms that are not accepting credit card payments from Ghana and Nigeria,” he said. “And that won’t change until they see major improvements from West Africa, the responsibility for which rests with the governments in the sub-region. They need to adopt measures (e.g., cybersecurity policing and other policies) that promote a strong digital environment that would allow businesses to thrive,” Antwi-Bosiako said.
“People here tend to act only when problems have occurred,” he explained. “It’s a big cultural setback. At the organizational level and government level, we tend not to give much importance to these things unless we are personally affected.”
Chicago Museum Mystery Solved
Imagine the shock when a Chicago antique dealer realized he had stumbled on artifacts stolen from Chicago’s Polish Museum decades earlier.
According to an article in the Chicago Tribune, an antiques shop in Chicago was approached about purchasing some old documents filled with Polish surnames and bearing the signatures of George Washington and Thomas Jefferson. The sellers asked for $2,000, but the store paid them $4,000. The owner then started doing some research, which prompted him to contact the Polish Museum, whose president, in turn, contacted the Federal Bureau of Investigation (FBI). Eventually, the items were recovered.
The museum’s president reportedly said she had heard about valuable documents that had once been part of the collection but had been missing for decades. It was never clear exactly what was missing or when it disappeared (the FBI surmises sometime in the 1980s). The recovered artifacts were valued at $5 million.
A news release from the FBI said the items were found in a house owned by the mother of a former curator of the Polish Museum.
From September - October 2012