Up Front

Below is the latest news, trends, and analysis from the May-June 2010 issue of Information Management. At the end of each item is an "END" mark, just in case you need to step away and pick up where you left off.

E-DISCOVERY

Rosenthal Rules on Rimkus

Legal experts have called U.S. District Court Judge Lee H. Rosenthal’s decision in Rimkus Consulting Group Inc. v. Cammarata (S.D.Tex. Feb. 19, 2010) one of the most important e-discovery decisions of the year, equally or perhaps even more significant than U.S. District Court Judge Shira Scheindlin’s recent ruling in Pension Committee of the University of Montreal Pension Plan, et al. v. Banc of America Securities, et al. (S.D.N.Y. Jan. 15, 2010).

In Rimkus, a group of employees left to start a competing business and sued its former employer, Rimkus Consulting, to release its members from their non-compete agreements. In a countersuit, Rimkus accused the former employees of violating those agreements and stealing trade secrets and proprietary data for use in their new business.

The defendants in Rimkus had previously been plaintiffs in a “preemptive” action they brought against Rimkus in another jurisdiction. Rosenthal’s U.S. District Court for the Southern District of Texas determined that the duty to preserve records arose when the defendants decided to sue Rimkus, no later than November 11, 2006. Instead of preserving electronically stored information (ESI) at that point, however, the defendants continued to routinely destroy documents, court records show. The defendants said they had to delete e-mails on a regular basis due to storage space limitations, but Rosenthal flatly rejected that argument.

Rosenthal found that at least some of the deleted evidence would have been relevant and favorable to Rimkus’s case. Therefore, Rosenthal found that the e-mail deletion on the employees’ part was intentional.

Yet, Rosenthal said there was no clear evidence of “bad faith” on the plaintiffs’ part. Because of this, and because some of the deleted materials were recovered from other sources, some of the deleted materials were favorable to defendants, and the plaintiffs had extensive evidence even without the deleted materials, the judge said the most severe sanctions were not justified.

While acknowledging that the plaintiff had suffered some prejudice, Rosenthal said it was far from irreparable, and the issuance of a terminating sanction, such as a dismissal or default judgment, is appropriate only if the spoliation of evidence results in “‘irreparable prejudice’ and no lesser sanction would suffice.”

Interestingly, Rosenthal decided not to tell the jury that the defendants intentionally deleted e-mails, leaving it to the jury to decide whether defendants’ actions constituted “bad faith.” Unless there is clear evidence of bad faith coupled with prejudice, Rosenthal made it clear that she does not believe severe sanctions are appropriate.

According to the “Legal Holds and Trigger Events” blog, this is at odds with Scheindlin’s Pension Committee opinion that sanctioned the parties for gross negligence in preserving ESI by failing to properly implement a written litigation hold. END

STUDY

Data Multiplies as Storage Costs Fall

According to The International Data Corporation (IDC), the amount of data in the world doubles every 18 months and is expected to hit 18,000 exabytes (1 million terabytes) by 2011. A single exabyte is roughly equal to the information contained in 12 stacks of books extending from the Earth to the sun, IDC said.

The cost of everyday data storage has fallen dramatically in recent years. Today’s 2,000 GB drive is the same size, weight, and cost of an 18 GB drive in 1998, IDC said. Also, a single megabyte, which was worth $10,000 in 1956 and fell to around $300 in 1983, sells for just $0.0005 today, while a 250 GB drive retails for around $125. END

FOIA

It's Not Easy Being Transparent

Federal agencies are not being as transparent as President Barack Obama would like them to be. In fact, a study of how they handle the Freedom of Information Act (FOIA) reveals that some of them are having trouble with Obama’s “new era of open government” mandate.

According to the National Security Archive, a private group that publishes declassified government information and uses the FOIA and lawsuits to gain access to official records, 90 agencies were studied on how they have responded to Obama’s directives to open more records, the Associated Press (AP) said. The group discovered that some agencies have improved their transparency, while others didn’t appear to get Obama’s memo.

When he became president, Obama rescinded George W. Bush’s policy of withholding information first and foremost. Obama ordered agencies to release all information unless the disclosure was prohibited by law or would cause harm.

According to the report, the Obama administration “has clearly stated a new policy direction for open government but has not conquered the challenge of communicating and enforcing that message throughout the executive branch.”

The report found several troubling issues, including:

  • Old requests still linger, and 33 of the 90 agencies now have an older unfulfilled request than they did on September 30, 2008.
  • Five agencies reported releasing less and withholding more information during the 2009 budget year, which includes the first nine months of the Obama administration, than they did the previous year.
  • Of the agencies polled, 35 out of 90 said they had no records of implementing Obama’s new FOIA policies.
  • The departments of State, Transportation, and the Treasury, along with NASA and the National Reconnaissance Office, granted full or partial releases to fewer requests and completely denied more requests than the year before.

The good news is the audit found that 20 of the 90 agencies had improved the date of their oldest open request from 2008 by more than one month, the AP reported. The CIA improved its oldest request by nearly a year and a half.

Four agencies – the departments of Justice and Agriculture, the Office of Management and Budget, and the Small Business Administration – had increased the number of requests that were fulfilled completely or partially and decreased the number that were denied, compared with 2008.

The auditors found 13 of the 90 agencies could document concrete changes to their FOIA practices as a result of Obama’s policy, and another 14 said they had enhanced their training about Obama’s presumption of disclosure. END

ARCHIVES

Visiting the Rotunda? Leave Camera at Home

If you want a picture of yourself standing next to the original Declaration of Independence, you are out of luck. To protect several valuable historical documents displayed, The National Archives has banned all photography in the Rotunda in Washington, D.C., where the original copies of the Declaration, the U.S. Constitution, and the Bill of Rights are on display.

Over many decades, flash photography has taken its toll on the old, fragile records. Kitty Nicholson, the Archive’s senior conservator, estimates the documents had been exposed to more than 50,000 bright flashes each year before the ban.

In an interview with National Public Radio, she said it was actually the public that expressed concern for the documents. The ink on the parchment of the Declaration is so faded that only the big print can be read. Two centuries of heat, humidity, and bright light have turned the signatures on the document into unreadable smudges, Nicholson said.

Visitors can download a copy of the documents for free from the Archives’ website. END

COMPLIANCE

Texas Metro Transit Authority Broke Records Law

Texas’ Metropolitan Transit Authority (Metro) has been breaking the state records and documents preservation law for nearly 20 years, according to Texas officials.

The law requires local government agencies to establish a records management program and file records detailing how long they will retain certain public records before destroying them, but officials at the Texas State Library and Archives Commission said the Metro has failed to do so since 1991.

And that’s not the Metro’s only records management mistake. The agency also has been accused of shredding public records that may have revealed alleged misappropriation of public money.

A simple request for Metro records brought the problems to light. Attorney Lloyd Kelley requested certain records related to Parsons Transportation, the company building the Metro’s light rail lines. Kelley told the Houston Chronicle the documents he received appeared to have been “sanitized” and “incomplete.” Metro President Frank Wilson admitted to Houston television station KHOU that some documents were destroyed, but he said nothing related to Kelley’s request was shredded.

The agency now faces a lawsuit, a criminal investigation into the destruction of public records, and judicial oversight to make sure nothing else disappears.

In March, a civil court order was issued instructing the Metro not to destroy any documents. District Judge Al Bennett said this includes all physical documents, paper and electronic, but not voicemails.

According to KHOU, Metro officials called the state in October 2009 to clarify the state’s records-related requirements. The state said it e-mailed the requested information to three Metro officials in response.

KHOU said it also discovered an internal training video dated July 29, 2009, produced by the Metro, that features a former Metro staff attorney explaining a new policy of destroying documents on a regular basis to avoid time-consuming public records requests.

In the video, former Metro attorney Jakki Hansen said, “The public information requests require a lot of digging … and if we have a consistent destruction policy, if we’re getting rid of documents as we should, then our response can truthfully, honestly, and legally be, that we don’t have certain documents.”

Hansen also says in the video that deleted e-mails will be destroyed on a daily basis under the new policy.

But John Beckworth, an attorney for the Metro, told a court that there is no policy in place calling for employees to destroy documents, saying, “As of this date, we do not know of any wrongful document destruction.”

Wilson told the Chronicle that except for a brief time in 2008, the Metro’s practice has been to retain every document. END

OPEN GOVERNMENT

CIO Council Wins Dubious Award

The CIO Council, which handles the federal government’s IT needs, has been given the Rosemary Award for doing a horrible job preserving e-mails for federal offices.

The award is given out annually by the National Security Archive (NSA) at George Washington University to the federal agency with the worst open-government practices. The Rosemary Award is named in honor of President Richard Nixon’s secretary, Rose Mary Woods, who tried to defend Nixon’s erasing of 18.5 minutes of a key Watergate tape by saying she did it accidentally while stretching.

The NSA said the CIO Council had failed to install a secure backup of all federal e-mails, even after it was discovered that former Bush administration officials were able to destroy critical e-mails related to the authorized use of torture against detainees. END

DATA SECURITY

FTC: Data Leaked to P2P Networks

Employees at more than 100 U.S. companies and agencies are regularly leaking vast amounts of private customer and employee data via peer-to-peer (P2P), file-sharing networks, according to the Federal Trade Commission (FTC).

While the FTC did not release names of the organizations or the P2P networks, FTC Chairman Jon Leibowitz said, “Companies and institutions of all sizes are vulnerable to serious P2P-related breaches, placing consumers’ sensitive information at risk.” He said the FTC found health-related information, financial records, and drivers’ license and Social Security numbers, which is the kind of information that could lead to identity theft.

The FTC sent the notice letters to public and private businesses, schools, and other government agencies, urging them to review their security practices and, if appropriate, the practices of contractors and vendors, to ensure they are reasonable, appropriate, and in compliance with the law. The letters state, “It is your responsibility to protect such information from unauthorized access, including taking steps to control the use of P2P software on your own networks and those of your service providers.”

The FTC also recommended that the entities identify affected customers and employees and consider whether to notify them that their information is available on P2P networks. Many businesses may be required by state or federal law to notify breach victims.

“Companies should take a hard look at their systems to ensure that there are no unauthorized P2P file-sharing programs and that authorized programs are properly configured and secure,” Leibowitz said. “Just as important, companies that distribute P2P programs, for their part, should ensure that their software design does not contribute to inadvertent file sharing.”

The FTC has opened non-public investigations of other companies whose customer or employee information has been exposed on P2P networks.

P2P technology can be used in many ways, such as to play games, make online telephone calls, and, through P2P file-sharing software, share music, videos, and documents. But when P2P file-sharing software is not configured properly, files not meant to be shared may be accessible to anyone on the P2P network. For example, if employees take company files home and load them onto their personal computer, and that computer is also used to download free music from a P2P network, the work files can be exposed to all users of the network. This occurrence has become so common that there have been dozens of studies and even congressional hearings into the issue. Law enforcement agencies around the world have evidence of cyber crime gangs who specifically stalk P2P sites looking for sensitive work documents.

Still, many people are not yet aware of the problem. To help spread the word, the FTC has released new education materials to help companies manage the risks. “Peer-to-Peer File Sharing: A Guide for Business” explains how to safeguard sensitive information and provides other security recommendations and is available at www.ftc.gov/bcp/edu/pubs/business/idtheft/bus46.shtm. END

CLOUD COMPUTING

UK Embraces Cloud Computing

The United Kingdom Cabinet Office announced a plan to develop a cloud computing system that could save up to £3.2 billion (more than $4.8 billion U.S.) a year from an annual bill of more than £16 billion (more than $24 billion U.S.).

Cabinet Office Minister Angela Smith said the UK’s governmental computing power will be concentrated “into a series of about a dozen highly secure data centers, each costing up to £250 million [more than $377 million U.S.] to build, which will replace more than 500 presently used by central government, police forces, and local authorities,” The Guardian reported.

According to the same source, the Cabinet Office “will also push for open source software to be used more widely among central and local government’s 4 million desktop computers.” Further, “estimates suggest the cloud system could save £900 million [more than $1.4 billion U.S.] in the first five years, and £300 million [more than $452 million U.S.] annually after that compared to the present structure.” END

LEGISLATION

Mass. Data Security Law Is Nation’s Toughest

The toughest law regulating the use of personally identifiable information in the United States went into effect March 1, 2010, in Massachusetts.

The Massachusetts Data Breach Law, passed in 2007, requires personal information in networked systems to be protected by strong encryption, firewalls, antivirus, access controls, and a formal security plan.

The law is a response to the TJX Companies data breach in 2007 in which more than 45 million credit card accounts were breached by a hacker.

The regulation defines “personal information” as name plus a Social Security number, driver’s license or other government-issued number, or bank or credit card account number, The National Law Journal reported.

According to Government Computer News (GCN), the law is designed to ensure “the security and confidentiality of customer information,” based on current industry standards, focusing on threats that can or should be anticipated. The regulations consider the size of a business, the amount of resources available to it, the amount of personal data held, and the sensitivity of that data. It requires that paper and electronic records be protected by physical and IT security.

GCN reported that, while the law’s IT security regulations are largely technology-neutral, they do require “reasonably up-to-date” firewall protection, operating system security patches, antivirus tools, and signatures. The law also mandates user authentication with passwords or other factors of appropriate strength and least privilege access policies, along with systems monitoring for unauthorized access. Encryption is also required for personal data transmitted via public or wireless networks and stored on portable devices, such as laptops. The law defines encryption as using at least 128-bit keys, GCN said.

Organizations doing business with Massachusetts residents are also required to develop, implement, and maintain comprehensive written information security plans. They must cover physical and IT security, a designated security manager, and include everything from system monitoring to employee training, GCN reported. END

SOCIAL MEDIA

More Using Social Media at Work

A new AIIM survey reveals the social networks of choice for what it calls “social media activists” in the information management industry.

LinkedIn is king in terms of the preferred social network for business purposes. AIIM found that more than 30% of individuals in organizations that use IM technologies use LinkedIn at least once a day. Among those individuals from supplier and consulting organizations, the percentage is even higher – 48% and 54%, respectively.

Twitter ranks second behind LinkedIn. Overall, almost 30% of the sample use Twitter at least once a day for business purposes.

Facebook use for business purposes is much less but still significant. Overall, about 12% of survey participants use Facebook at least once a day for business purposes. END

LEGISLATION

PATRIOT Act Provisions Renewed

President Barack Obama has signed a one-year extension of the USA PATRIOT Act without any new limits on government surveillance powers, despite privacy advocates’ calls for changes.

As a result, three key sections that were set to expire will stay in force for another year, including those that:

  • Authorize court-approved roving wiretaps that allow authorities to monitor multiple communication devices
  • Permit court-approved seizure of records and property in anti-terrorism operations without the suspect’s knowledge
  • Allow surveillance against a so-called lone wolf, a non-U.S. citizen engaged in terrorism who may not have ties to a recognized terrorist group

The American Civil Liberties Union (ACLU) had called for the act’s section 215, which gives the government easier access to a suspect’s records, to be amended. Michelle Richardson, ACLU legislative counsel, told the Christian Science Monitor that “this very powerful tool” should be limited to “suspected terrorists only.” Currently, it gives the government overly broad power to seize records in investigations not connected to terrorism, she added.

Senate Democrats had proposed privacy protections, including restrictions and greater scrutiny on the government’s authority to spy on Americans and seize their records, but they lacked the votes to pass them.

As a senator, Obama said the law, which was passed after 9/11, should be dialed back. However, recent events during his young presidency, including a Christmas-day bombing attempt on an American airliner and a domestic attack on Fort Hood, may have changed his perspective. END

CYBER CRIME

Hackers Seeking Trade Secrets

Hackers still try to steal customer credit card information, but they are increasingly interested in corporate trade secrets and other more lucrative data, according to security software maker Symantec Corp.

The company said the theft of trade secrets and customer information cost companies an average of $2 million each last year. In a survey of 2,100 technology executives worldwide, 75% said they experienced cyber attacks last year. Most were attempts to steal a company’s intellectual property, such as product designs, according to Symantec.

“We can expect to see companies going out of business because their intellectual property is stolen,” said Maureen Kelly, senior director of product marketing, in an interview. “For some, this is a matter of life or death.”

Experts say hackers have become more sophisticated. They often use one person to break in, another to retrieve data, a third to install software to steal information, and a fourth to encrypt it and distribute it, Symantec said. END

PRIVACY

German Court Overturns Data Retention Law

Germany’s highest court has ruled that the country’s law enforcement agencies cannot collect and retain phone and e-mail records sent and received by German citizens.

The Federal Constitutional Court determined the law violated every German citizen’s inalienable constitutional right to engage in “private correspondence” without fear of state surveillance. The court also concluded the law represented a “grave intrusion” into individuals’ privacy rights.

The ruling effectively reverses a law that allowed the government to collect and retain records of citizens’ communications. The court called the law unbalanced and partial because it failed to balance privacy rights with national security responsibilities.

The court also ruled that data retention itself is neither wrong nor unconstitutional, but that the existing law was badly written in that it permitted state agencies to go too far. The court said, “The disputed instructions neither provided a sufficient level of data security, nor sufficiently limited the possible uses of the data, and such retention represents an especially grave intrusion to individual liberty.”

It ordered that access to subscriber data can now be obtained only by court order and then only if there is evidence of “concrete and imminent danger.” In addition, the court ruled that all subscriber information must be held by a private civilian company that will be subject to rigorous legal oversight and control. The data must not be kept in one place; therefore, it must be distributed across many servers and sites. In addition, the court ordered the immediate deletion of all data already collected and stored by the government.

The German law was passed in response to the 2006 European Union Data Retention Directive requiring telecom providers to collect, retain, and make available to authorities the call, e-mail, and Internet-use records of subscribers as part of its anti-terrorism efforts. German law called for the records to be retained for only six months.

Privacy advocates have credited the German citizenry for the victory. According to media reports, more than 35,000 Germans submitted statements to the court demanding the law be scrapped, perhaps as soon as 2011. END

INFO SECURITY

Citibank Exposes 600,000 SSNs

In late January, Citibank mailed year-end tax statements to 600,000 Citi customers. The problem was, the customers’ Social Security numbers (SSNs) were printed on the outside of the envelopes.

Citi called the mistake a “processing error.” The SSN appeared at the lower edge of the envelope along with other numbers and letters that together resembled a mail routing number.

According to the Chicago Tribune, Executive Vice President and Director of Citibank Client Services Norman White sent notification letters to every affected Citi customer during the week of February 15, 2010, apologizing for the error. The letter offered Citi customers the option to enroll in a free, 180-day credit monitoring service arranged by Citibank, but White also encouraged customers to regularly review activity on their accounts.

Citibank said in a statement they believe the error produced little to no risk to its customers and that it has been corrected for all Citibank’s future mailings.

“Although there is little or no risk to our customers, we decided to be completely transparent to our customers by notifying them of the error,” the statement said. “It is an important part of our commitment to our customers to be fully transparent and to give them the peace of mind that comes from banking with people they trust.” END

STUDY

Breaches Cost $204 per Record

A recent study from the Ponemon Institute reveals that the cost of a data breach continues to increase. The fifth annual “U.S. Cost of a Data Breach Study” found that data breaches cost U.S. firms $204 per compromised record in 2009, up from $202 in 2008. According to Network World, when the Ponemon Institute began its study five years ago, the cost per compromised record was $138.

While the number of reported breaches actually fell (498 in 2009 vs. 657 in 2008, according to the Identity Theft Resource Center), the average total per-incident cost increased from $6.65 million in 2008 to $6.75 million in 2009, according to the study.

Sponsored by PGP Corp., the study tracked several cost factors related to a breach, including the cost of detection, escalation, notification, and response, along with legal, investigative, and administrative fees, customer losses, opportunity loss, reputation management, and costs associated with customer support, such as information hotlines and credit monitoring subscriptions. The survey reviewed breaches that involved between 5,000 and 101,000 records from 15 different industry sectors. Estimates were based on data from 45 companies that publicly acknowledged a breach of sensitive customer data last year.

The study also found that:

  • Data breaches resulting from malicious attacks and botnets were more costly and severe.
  • Negligent insider breaches have decreased in number and cost, likely because training and awareness programs have heightened employees’ awareness about protecting personal information. The study found that 58% of firms surveyed have expanded their use of encryption, up from 44% in 2009.
  • Organizations are spending more on legal defense costs due to increasing fears of successful class actions resulting from customer, consumer, or employee data loss.
  • Third-party organizations accounted for 42% of all breach cases, dropping from 44% of all cases in 2008. These are still the most expensive form of data breaches due to additional investigation and consulting fees.
  • The most costly data breach event included in the 2009 study cost a company nearly $31 million to resolve. The least expensive cost of data breach for a company was $750,000. According to the study, the more records lost, the more the breach will cost to resolve.

Interestingly, the survey found that a chief information security officer (CISO), or an individual in an equivalent position, apparently helps reduce the cost of a data breach. The average per capita cost of an incident was $157 per record for companies with a CISO, versus $236 for companies without one, the study revealed. END

DATA SECURITY

Tips for Protecting Business Data

According to the Federal Trade Commission, approximately 9 million Americans become victims of identity theft each year. Cintas Corp. offers the following tips for safeguarding customer and business information:

  1. Implement a document management program.
  2. Implement a document retention schedule.
  3. Regularly shred sensitive documents.
  4. Keep documents securely offsite.
  5. Limit acquisition of confidential customer data.
  6. Protect sensitive data with passwords.
  7. Install and update virus protection software.
  8. Wipe data on the hard drive before disposing of old computers.
  9. Review company credit card statements for unauthorized charges.
  10. Restrict the use of file-sharing programs. If they must be used, protect your system with a strong firewall and virus protection software. END

E-MAIL

French Court: Employers Can Read Employee E-Mail

A recent decision from the French high labor court (the Cour de Cassation Chambre Sociale) may allow a party in France to review a French employee’s e-mails and electronically stored information (ESI) to determine whether the data is relevant to U.S. litigation, without the employee’s knowledge.

European Union (EU) policies protecting personal privacy often conflict with U.S. policies, which grant litigants full and complete discovery of documents and ESI in U.S. court actions.

In France, a French corporation that cooperates in U.S. litigation may break the French Blocking Statute, data processing laws, and the EU Directive 95/46 on Personal Data, among others. French authorities, in fact, have prosecuted French citizens who attempted to comply with U.S. court orders for producing records.

French and EU law actually prevent a litigant engaged in the U.S. litigation discovery process from collecting employees’ e-mails for litigation purposes, as well as viewing those e-mails to determine whether they contain relevant data.

Legal experts say Bruno B. vs. Giraud et Migot (Cour de Cassation, Chambre Sociale, Paris, 15 Dec. 2009, No. 07-44264) may be a watershed case. In the case, an audit discovered files on Bruno’s work computer addressed to government regulators. In the files, he criticized the firm for alleged tax fraud, as well as poor working conditions.

The firm fired Bruno, and he sued for damages, arguing the firm violated his rights under EU privacy conventions, as well as several provisions of the French labor code, claiming the documents were his personal data.

On appeal, the court ruled against Bruno, finding that because he had not marked the documents as “private,” the firm was justified in assuming the documents were work-related when they accessed them.

Legal experts say the Bruno case means that employees have no right to privacy when it comes to their ESI, unless they specifically designate the information as private. END

GOVERNMENT RECORDS

Britain Doesn’t Want UFO Reports

The British Ministry of Defense announced it will destroy all future unidentified flying object (UFO) reports it receives to avoid having to make them public, according to a secret memo dated November 11, 2009.

Britain’s official UFO investigation unit and hotline were closed in December. Since then, reports of UFOs have been kept for 30 days before being discarded, the document shows. That means defense officials do not have to publish the information in response to freedom of information requests or provide it to the National Archives.

The memo noted that the number of reports the department received skyrocketed last year, consuming extra resources and diverting staff from more important activities. The department recorded 634 UFO sightings in 2009, compared to only about 150 reports a year over the past decade. END

SOCIAL MEDIA

DoD Allows Flash Drive, Social Media Use

The Department of Defense (DoD) has lifted a ban on portable storage devices, but users must follow the agency’s strict rules.

Changes to DoD computer systems have made the devices safer to use, according to Vice Administrator Carl Mauney, deputy commander of the U.S. Strategic Command.

“After extensive testing of mitigation measures, DOD decided to make this technology available again on a strictly controlled basis on DOD computers,” said Mauney in a Government Computer News (GCN) e-mail. “Since the order restricting use of removable media, DOD developed capabilities and processes that allow safe use of these devices. Removable media use will be limited to missionessential operations, and only after strict compliance requirements are met.”

One of those requirements is that staff can use only government-procured and government-owned devices. Personally owned devices are still barred from all DoD networks and computers.

Flash media can be used only as a last resort to transfer data from one location to another, and only when other authorized network resources are not available, GCN said. Individual services and agencies will determine whether flash media may be used in their individual organizations, Mauney said. For example, Army officials plan to maintain their ban on flash drives, according to the Army News Service. The new policy states that the department will occasionally audit randomly selected users and drives.

The DoD ban on the devices was issued in November 2008 after a virus spread through military networks by copying itself from one removable drive to another, GCN reported. The ban covered all forms of USB flash media, such as thumb drives, memory sticks, memory cards, and camera memory cards, as well as other removable media.

The department has also lifted a three-year ban on social media networks (e.g., Facebook and Twitter). The ban was implemented in part because those sites consume a lot of bandwidth but, after a six-month review, officials found the ban did little to reduce the bandwidth demand, the Marine Corps Times reported.

Local commanders will monitor and temporarily limit usage if bandwidth demands or viral infections become a problem. They will also check “for compliance with security requirements and for fraudulent or objectionable use,” said Bryan Whitman, Pentagon spokesman.

The DoD has more than 15,000 networks and operates some 7 million devices ranging from desktop computers to handheld devices, Air Force Lt. Col. Eric Butterbaugh, a Pentagon spokesman, told the Marine Corps Times. Its networks are “probed” millions of times and are attacked thousands of times each day. END

ARCHIVES

Saving Haiti’s Past

Thousands of historical documents are believed to be trapped inside two libraries in downtown Port-au-Prince, buried in rubble caused by the 7.0-magnitude earthquake that struck Haiti January 12, 2010.

UNESCO, the United Nations’ cultural agency, has launched a campaign to protect Haiti’s heritage. It has called for a ban on the “trade or transfer of Haitian cultural property” to prevent looting from art galleries, museums, and historical sites, according to media reports.

Haiti’s La Bibliothèque Haitienne des Pères du Saint-Esprit housed a collection of letters, manuscripts, newspapers, and books spanning the 18th, 19th, and 20th centuries, according to The National Post. Included in the archives are one-of-a-kind documents from the 13-year Haitian revolution from 1791 to 1804, which resulted in Haiti becoming the first independent Western nation ruled by people of African descent and the first to abolish slavery.

Another downtown library, at the seminary Les Freres de l’Instruction Chretienne, contains letters penned by revolutionary leaders Toussaint Louverture and Jean-Jacques Dessalines, books from French missionaries, and documents by statesmen and ex-presidents who still influence Haitian politics, according to historians.

While many documents about Haiti’s colonial history are kept in other countries, such as France, most from the revolution remain in Haiti, said David Geggus, a professor in colonial Haitian history at the University of Florida. END

PRIVACY

Constabulary to Monitor Employees

In Britain, the Lancashire Constabulary is deploying software to monitor its employees to prevent information being leaked from its intelligence database.

The move was spurred by new regulations from the Association of Chief Police Officers (ACPO) that call for all United Kingdom police forces to be audited to ensure the proper protocols are in place to safeguard the integrity of confidential and private information stored in police databases. According to an article by Computing, “Statistics recently released by police show that over 400 police officers and civilian staff were disciplined for misusing computers at work in the last five years.”

According to Detective Superintendent Martyn Leveridge, the operations manager for the Lancashire Constabulary’s professional standards department, “The sole purpose is to counter corruption on a national basis, disclosure of information, inappropriate association with criminals, and misuse of force systems.”

A recent case highlights the need for such surveillance within the constabularies. Authorities say Robert Campbell allegedly used the Hampshire Constabulary’s electronic records management system to collect information about three women between July 2006 and April 2009. The British News reported the unauthorized searches were an attempt by Campbell to establish relationships with the women. Campbell, who is still employed as a police officer on a reduced basis, has denied four counts of misconduct. END

LEGAL

Sweden’s Data Retention Delays Must End

Sweden is the last holdout in implementing a 2006 measure requiring telecom providers to retain customer phone and e-mail records, and the European Court of Justice is not happy.

In April 2009, the European Commission (EC) filed suit against Sweden in the European Court of Justice, and the court determined that Sweden must implement the European Union (EU) Data Retention Directive. The court also ordered Sweden to pay all court costs.

The directive, approved by Brussels in March 2006, requires member states to pass laws mandating telecoms to collect and retain data about their customers’ Internet and phone use.

Four years after the law was passed, Sweden has not implemented it. The Swedish government assured the court that the EU directive would become law in Sweden on April 1, 2010. However, after that statement was made, Justice Minister Beatrice Ask told news agency TT that the government would not be preparing a legislative proposal on the issue before Sweden’s general election in the fall.

“The extent to which private companies should be forced to store information about the activities of individuals is an important matter of principle,” Ask told TT. She added that the government will wait until the completion of an investigation into police methods; the findings are expected to be released in early summer. END

COMPLIANCE

Truckers Sue DOT Over Recordkeeping

The trucking industry wants to know exactly what records it must retain to prove that its employees are complying with federal limits on truckers’ driving time – and it is suing the Department of Transportation (DOT) to get the answer.

In 2008, the Bush administration issued new regulations for truck drivers’ hours on the road. The DOT’s Federal Motor Carrier Safety Administration (FMCSA) is revising those, and it could result in a shorter workday for truckers or even higher costs for carriers and shippers.

According to the Journal of Commerce Online, in November 2009 the FMCSA said it would release a proposed hours-of-service (HOS) rule this year and a final rule by August 2011.

In the meantime, the department released informal guidelines that broadly define supporting documents that are required, identifying 34 categories of records, and ruling that any document “could” possibly be used to verify HOS records, including everything from driver log books to fuel and toll receipts, or more. The American Trucking Association (ATA) took issue with that, arguing that carriers cannot possibly save everything and they cannot comply if they don’t know what the rules are.

In a lawsuit filed January 19, 2010, the association asked the U.S. District Court for the District of Columbia to order DOT to issue a notice of proposed rule-making within 60 days on the supporting HOS documents carriers must keep and how long they must be retained.

“ATA has been seeking a fair and cost-effective regulation, consistent with federal law, for more than 15 years,” said Dave Osiecki, ATA senior vice president of policy and regulatory affairs. “The requirements have never been established by regulation.”

DOT has revised the HOS rules three times in the past decade, according to the Journal of Commerce Online. The department is also working on a rule that could require electronic onboard recorders on trucks.

“We have a tremendous amount of respect for the Department of Transportation and the work they do, but we had to show the department just how important the supporting documents issue is to our industry,” said ATA President and CEO Bill Graves.

“We hope this lawsuit prompts a greater focus on the issue and that the department will be willing to work with us to get the regulation out within a reasonable time frame,” Graves added. END

PRIVACY

City Hands Over Residents’ E-Mails

A Cary, N.C., resident filed a public records request for thousands of e-mail addresses stored in the town’s database, and officials handed them over, as state law requires. But other residents are shocked and angry that their personal information was handed out.

The town alerted thousands of residents whose e-mails were given to John Beimler, the resident who made the request. Beimler received 19,000 e-mail addresses from the town’s database, according to Cary spokesperson Susan Moran.

Also alarming is that there are no legal restrictions on what Beimler can do with those addresses now that he has them. He could even sell them. But Beimler told Cary’s ABC News affiliate that he doesn’t have nefarious plans for the e-mail addresses. In fact, he said he requested them to prove a point – that state law should be changed so cities cannot simply turn over thousands of e-mail addresses to anyone who asks.

Moran said Cary cannot give out private information (e.g., Social Security numbers and bank account numbers) because public records laws don’t apply to those sorts of items. She also said this wasn’t the first time Cary has given out e-mail addresses. Last summer, she said e-mails were released to several political campaigns. And since Beimler’s request, three other people have asked for the very same list. END

Download the PDF version here. (12 pages total)