DV > DR = Success, where D = Data, V = value, and R = risk. An interesting formula. One of the nation's most respected privacy professionals, and fortunately for me a friend, is now using this as a part of her blog signature. It's a great way to remind us all that it is our job as privacy professionals to strive to lower the risk of data misuse while at the same time using technological channels for their intended purpose, communication.
I have added another factor to the formula called the mitigating Factor (mF) and reworked the formula as below:
mF/DR < DV = success
While we never want to actually devalue the data, I think it is imperative to lower the resale value in order to reduce the risk. The mitigating factor is the N value, or unknown. I'm working on that one.
In my opinion it has been demonstrated time and again that we cannot prevent data theft as long as there is a resale value. No amount of technological roadblocks in the form of red flag (mismatch) protocols, encryption algorithms, or any other plug-in solution can prevent the clever thief from accessing data if the value is high enough. So we need to think in terms of removing the financial motive from thieves.
John
mF/DR < DV = success
Thursday, July 31, 2008
Friday, July 25, 2008
Pardon me
I'd like to get off subject for a bit. This is a column about identity theft but I would like to think that it is also a column about common sense. When we are confronted with a new situation or a new set of problems what is the most productive way to solve it? Well, the most common way to look at new problems is through the lens of history. A response like "history tells us" or "conventional wisdom is" and so forth is pretty common. That means comparing new situations to previous ones. Quite impossible to do. A healthier way to tackle a new problem is to consider the results you want and think "What if history doesn't repeat itself?"
In the turmoil of our current economic crisis we seem to be applying old remedies to new problems. Look at the lending institutions as an example. Not every bank is going to fail. The institutions that will most likely fail are the ones that did not concern themselves with the probabilities that the lending economy might not be able to sustain itself without some dramatic changes. There are plenty of organizations, both small and global, that saw this likelihood however. JP Morgan, for example, divested from loans to the government bond market. As the mortgage crisis grew they found themselves, as predicted, doing better rather than worse. What does this tell us about conventional thinking? In the simplest terms it means that we need to look at the worst case scenario and weigh that against the likelihood of it occurring. One will mitigate the other every time. The worst case is always possible and the likelihood will raise or lower the possibility, but the possibility always exists. This means one thing must be done. Get cheap insurance. Always hedge your liability with a tool. History will not repeat itself. If you don't count on the past to predict the future but instead guard against the worst case you cannot fail.
As most of you know I represent Pre-Paid Legal Service plans for small businesses and families. I speak with HR managers who due to the economy are increasingly concerned that their constituents can't afford or most likely won't want to participate in a Pre-Paid Legal plan for their families due to the cost. I understand the concerns they have. The real cost is obvious. So is the investment value, and it is that value I feel we must stress.
What do you think would have happened if the majority of the homeowners with an ARM who are faced with foreclosure had used an attorney to look over their loan documents before they signed? Do you think that at least some of them might have listened to counsel and not signed on to something they could not afford? That is just one example that in times such as these using an attorney is even more critical than ever. This amounts to cheap insurance. History will not repeat itself. Every situation we encounter is new and requires a new solution. Contrary to conventional belief there is no longer a correlation between a person's assets and using lawyers. The risk of making mistakes is the same, and the downside is relative. Scale is merely that, a scale. There is no difference between JP Morgan and operating a family of four living on a tight budget except scale. When Morgan saw the coming crisis they sought the counsel of experts and made a prudent decision. That one decision effectively separated them from Bear Stearns, which Morgan eventually bought at a few cents on the dollar. When a family seeks counsel before making a major decision they are doing exactly the same thing. We ought to be preparing for the future, not relying on the past. Now more than ever a good understanding of the law and individual rights and options is crucial. Over the last few years my family has saved several thousands simply by utilizing the counsel and help of our attorneys, not to chase lawsuits but to seek counsel and be aware of our rights and exercise them when it became necessary.
This also relates to identity theft. In case you haven't noticed, you have no privacy. Everything there is to know about a person is readily available for a price. From the day we were born to the present, most everything we have done is in a database somewhere. Those databases have proved over the years to be sieves, leaking their contents to anyone who wants them. Do you know anyone foolish enough to try to plug up a sieve? We cannot apply old solutions to new issues.
Thursday, July 24, 2008
Before I go on
I know in my last post I said I would talk about the value of our data to thieves but I wanted to weigh in on one other subject first.
When it comes to a company initiating a policy regarding sensitive information and employee responsibilities I repeatedly run into the issue of corporate or management participation.
It is absolutely essential for management, whether a board of directors, company president, or owner, to totally commit to the implementation of the policy. The policy must be a part of the business' commitment to excellence and be an integral part of daily procedure. The policy needs to be understood by everyone in the company in order for the "culture of security" to work.
I like to rant on about training but there is a reason. When it comes to data security the human factor is the most critical link. Staff needs to understand both the what and the why of the procedures they are supposed to follow. Management will set the tone by their participation. If management is ambivalent then the employees will take the same attitude. If management is engaged then so will the employees. Fortunately more executives are seeing the benefit of a non-public information policy and training. It will greatly enhance the business' confidence that everything that can be done is being done to avoid data loss and theft.
With all of the national press about identity theft the public is very wary of business losing important information. The savvy business owner can actually benefit in the marketplace by showing the attention they are giving to this issue in ads and press releases.
Tuesday, July 22, 2008
and now for my next trick
Fiduciary trust. Rather than Web 2.0 I think we could name the new paradigm in data sharing "What everyone agrees to do and actually does with all my stuff." Everything about Web 2.0 is inherently reliant on all file sharing being done for all the right reasons. All the big companies are on record swearing to be vigilant. Since all that delicious information is packeted in encrypted bits, where could it go wrong? Google, Microsoft, ChoicePoint, all the players have a gun to each other's head, promising to be good, or else.
Well, I guess with the biggies and all the software solutions in place we can put data loss behind us as a real issue. All that softsaber rattling sure is impressive. The "solutions" are so sophisticated and the marketing language is so fraught with inside gibberish no one really knows what is going on, but it sure is impressive so it must work, right? Hold on just a minute! Even the word solutions conjures an image intended to make us think that if we plug in a piece of software our data security problems are solved. A hundred years ago that was called snake oil. The guy would come into town, put on a little show, and sell you a bottle of alcohol and cocaine laced mint water for a buck and cure all your ills. With all that alcohol you simply forgot you had a problem, and maybe what you thought was your problem wasn't the problem after all. What's the difference with today's solutions hucksters?
In the final analysis there is only one way to solve the problem of data theft and misuse. I hate being right early but alas, someone has to. Are you ready for the solution? Here it is:
Take the value out of the data. Now, wasn't that easy? No one ever steals anything that is worthless, I guarantee it. Wait a minute, you say you can't take the value out of the data? Then, I posit, you can't solve the problem either. I'm afraid all those solutions are just commerce in the guise of an elixir. As long as the data has value there are just as many clever people working day and night to crack the vault as there are folks dedicated to locking it. That's just free enterprise. There is one way to take the value out of the data however. In my next column I promise to show you the only foolproof way to short-circuit the problem of data theft. I will indeed show you how to take the value from the goldmine. Until then...
Monday, July 21, 2008
Your Privacy
Some would rather die than change. That is a frightening thing to consider. Imagine being so entrenched in your habits or thinking that it becomes easier to trade your life than to make some adjustments in your life. We are all confronted with that decision every day and I'm sad to say most of us make the wrong choice. We eat the wrong foods, ignore health warnings our bodies scream at us every day. Someone once said we dig our graves with our teeth. Will today's greasy hamburger take you down? Probably not, but eat three or four of them every week and you will soon understand the effect of compounded errors in judgement.
So it is with the trade off between our individual privacy and the convenience of databased information. As a people we seem to be quite willing to trade one for the other. And this is most assuredly a trade off. That's a societal right. Societies have to determine for themselves what is tolerable and what isn't. It is impossible to maintain individual privacy in our databased world, that is the fact of the matter. And so long as our individual pieces of data have value there will be a trade market in that value. In fact there will be two markets, the first where companies sell your information, and the second where people steal it. Again, that is reality. So long as we take into account what we risk when we consciously opt for convenience then we must accept the reality of identity misuse and theft.
Thursday, July 3, 2008
Independence Day
You bet we're gonna do some grilling this weekend! As a matter of fact my wife and I will be pouring beer at the Lions' Club booth at our county fair. Families, fireworks, and a liberal dose of fun is the agenda for us this 4th of July weekend. Our county fair takes place in a grassy park in the shadow of the county offices and court building. Now what, do you ask, does this have to do with identity theft? Well, normally nothing but fate and an ironic turn of events brings me to the story.
We were in the courthouse recently as a part of an ongoing program aimed at helping adolescents. As such we routinely get notices about the program. My wife (and business partner) happened to turn one sheet over and discovered to her surprise that on the other side was a photocopy of a check that had been entered into evidence in the courts over a year ago. On the check was the person's name, address, phone number, federal tax ID number, driver's license number, and of course the bank account and routing info. The first thing we thought was how many other copies of this were in circulation? And how many other such recycled sheets of paper containing PII on county residents were floating around? Is this kind of recycling a county policy?
We were glad that this one landed in our laps and not in the wrong hands, so we took it back to the courthouse and gave it to the judge who runs the court. I mentioned that the person should be contacted just to be on the safe side. The judge was somewhat indignant and counselled me that as this was a piece of evidence it was a matter of public record. Not understanding that public records need to be protected from data thieves the same as non-public records, the judge dismissed the matter as insignificant.
I don't think that the person whose information was passed around with no regard to his privacy would share that sentiment.
Since items and information are entered into evidence by the attorneys in a case, in my opinion those attorneys need to redact the information available to public scrutiny as a matter of county policy. Under the FCRA private business has to adhere to very specific disposal practices. I doubt seriously if the personal information printed on the check was relevant to the case. Even if it were, shredding and disposal procedures should be in place to prevent this sort of thing from happening.
There oughta be a law! Wait a minute, there is!
The worst thing about this incident for me however was the judge's casual dismissal of the whole thing. This lack of understanding of the risks of identity theft on the part of a well respected judge leads me to be concerned about the procedures practiced by the clerks and administrative staff throughout the county offices every day.
What difference would it make with a policy in place and guidelines for all of the county employees to handle the data they move around in a safe and responsible manner? How about some identity theft education for the employees? What effect might that have?
Why do people treat identity theft and the fallout from lost or stolen information with such a casual air? It hasn't happened to them... yet, is my guess. It is remarkable what happens when someone becomes a victim: attitudes change. Following the simple but effective guidelines already published by the FTC alone can dramatically reduce incidents like this, and even the more egregious breaches we see in the news almost daily.
As I wrote in a previous post: "It's our information at stake, not someone else's." I live in this county and I am not impressed by the attitude of prominent officials who treat my personal information as though it was of no consequence if it just "got lost".
Now I feel better, time to crank up the grill and take a coupla days off.
Happy Fourth of July!!
Friday, June 27, 2008
Red Flag Rule Controversy
Lately I have seen a flurry of words attempting to define just what business entity is, and what business entity isn't, affected by the Red Flag Rule (FACTA section 114). The focus has been on what is a "covered account", and seems to try to define this in extremely narrow terms. Too narrow in my opinion. The tendency seems to be to look at terms like affected entity and covered account as though it was a bad thing to be a covered business. The image of costly and expansive compliance programs raises its ugly head. That isn't the intention at all.
I think it is high time to back up a bit and take a fresh view. The Red Flag Rule, like all other consumer protection legislation is intended to help rather than to penalize. To be sure there are penalties to business owners for not doing the right thing by taking the responsibility to act. Depending on the type of business experiencing a breach the federal government via the FTC or the banking authorities can impose substantial fines and mandate risk assessment audits, even call for the removal of officers and criminal charges under certain circumstances.
All of this is very preventable and easy to avoid. If every business and local government agency were to adopt the steps recommended by federal and state authorities, we could reduce the incidents of data loss and breaches from business databases to a great degree. Identity theft could become a smaller problem rather than a growing one. By how much? Only by adopting an educational and proactive program across the board will we find out. Education is a powerful tool.
This does require the "buy in" from management however. A commitment to address identity theft from the top down is essential.
I ran across the following from the Institute of Fraud Risk Management that sums it up pretty well.
"From a practical risk management standpoint, every business (and government entity) should take appropriate risk management actions and seek to meet the requirements and standards of consumer privacy and data security laws, whether or not it has a statutory obligation to do so. Similarly, businesses and government entities should also not take "the easy way out" and seek to only protect that information which is specifically identified as protected under the strictest interpretations of the law. There is a moral and ethical obligation that attaches to the use and possession of another's information. Many forward-thinking companies have recognized that information security and careful protection of confidential consumer information is not only an investment well worth making, but it can even provide a significant competitive advantage.
Compliance is a choice, and in the Information Age, where confidential information is the currency of thieves, it is a choice that every entity should make - large or small, public or private."
Michael Barnett, CITRMS
CEO The Institute of Fraud Risk Management, Inc.
Copyright 2008 by The Institute of Fraud Risk Management, Inc. All rights reserved.
Now is not the time to mince the language into superfine bits and haggle over the definition of "is". That cannot lead to anything productive. This is the time to do the right thing and provide education and procedures for everyone to follow to ensure that each business is doing what it can to safely handle the personal information it keeps, and to prevent it from falling into the wrong hands.
It is all our information that is at stake, yours and mine, not someone else's.