It doesn’t have the panic-fostering ability of a massive worm or the intrigue of online espionage, but data loss is a very real and significant risk for any business organization. And if a data loss incident is serious and far-reaching enough, it can certainly grab and hold on to headlines. However, for many organizations, data loss prevention has typically been a “we’ll-get-around-to-it” item, at least beyond protecting any data that relates to a compliance measure, such as PCI DSS or HIPAA.

But after watching other well-known companies suffer embarrassing (and preventable) breaches that have affected millions of customers and damaged brand reputations, more organizations are beginning to understand the importance of proactively protecting their data.

The thought of insiders making mischief, particularly during the recent financial crisis, has many executives feeling nervous. They wonder what intellectual property and other sensitive data have slipped away with former employees because no one removed access rights or paid attention to whether employees had been collaborating via unsecure, online applications.

And what about mobile devices, like smartphones and laptops? Are employees using equipment supported or allowed by the enterprise strictly for business purposes? (The answer: probably not.)

Add the cloud to this list and consider that large portions of critical data are being sent outside of the organization—and out of its control.

As businesses make data loss prevention a higher priority, they quickly realize how complicated the process can be, and how securing data is only the tip of the iceberg. There’s the challenge of  figuring out what needs to be protected, then the various “silos” must be convinced to coordinate and communicate, finally organizations must determine who (or what functional group) will be responsible for managing the effort. Not to mention, determining what technology solutions are available for protecting data and enforcing policy.

Protecting sensitive information is a complicated undertaking requiring dedicated resources, the active involvement of many stakeholders, and the support of technology. But it is a necessary process, and in the long term, could save your organization from brand damage, loss of business, and legal and financial repercussions brought on by a security breach committed by just one insider or hacker.

Excerpt from Cisco 2009 Annual Security Report: Highlighting global security threats and trends. Copyright © 2009 Cisco Systems, Inc. Download the complete report online.

This article Electronic Medical Records: The Good, Bad, And Ugly was a trigger to this post.

If you lose your medical record along with 10 or 1000 others will it make any difference to you? I think it will be more traumatic if you are amongst few as the redress modes will be different.

What about losing credit card details?

Imagine now even malware can have QA and botnet is an industry they even run help desk. Added to this (probably) unethical practices like this and sophisticated attacks like this the chances of losing confidential information is increasing.

What are the odds does an average citizen have against these? Maybe high in places like USA & Europe but in a developing country they are pretty low.

Stop Making Excuses About Offsite Backup

I’ve been in this line of work for awhile and I’ve got to say, I’ve heard every excuse in the book for not performing proper offsite computer backups. Honestly, I hear them so much I even wrote an article about it a few years back. Take a gander and let me know what you think ( Top 9 Worst Excuses For Not Performing Daily Offsite Computer Backup ).

Now.. here we are.. you’ve read the article (hopefully). Are you going to be one of those people that call me wanting my help after they have lost all of their data due to a business halting event or scenario? I hope not.

You may think that I’m throwing this out there to use a little fear tactics so that you use my service. I’m not. You don’t have to use my service at all. There are plenty of ways for you to backup your data properly. They all have risks involved with them. For instance, if you use tape they are prone to be influenced and damaged by dust, heat, humidity and electromagnetic fields etc., but if you transport and store them in a proper environment you mitigate the amount of risk you are exposed too. I have another article about all of that stuff I’ll post in the future. So, STOP making excuses and really take a look at what you’re doing with your data. Honestly, your business could depend on it. If you choose to just pass this post by, ignore it and something happens…

Sorry 'Bout Ya Bad Luck

If you hadn’t guessed this happened today to a business colleague so it’s been on my mind. If you have questions, want more direction, need a little help don’t hesitate to post a comment and I’ll point you in the right direction.

S

In my last post I talked about the huge benefits and competitive advantage to be had for business by using cloud computing services. However, like everything else in life, all is not sweetness and light; there are some downsides to using these services. The good news is that these issues are not insurmountable; you can do something about it.

In fact the risks you face are the same as the risks that you face with any computing application that is running in house. The difference here is that someone else will be mitigating these risks for you.

But first let’s look at what the risks are.

Loss of control of your data – this includes the risk of data theft, data destruction,  corruption and disclosure – How the data is backed up – You are putting your business data into someone else’s computers so you need to be sure they are going to take good care of that data.

Disruption of service – if the cloud service you are using is business critical and the provider’s service goes down then you will have a major problem; the loss of any service is going to cause problems and inconvenience at the least. To avoid this you will need to think about how you, or the provider, will deal with this situation.

You also are placing extra reliance on your own communications links so will need to see they are resilient.

Compliance and regulation – one aspect of this is the compliance requirements of your organisation. You will need to ensure that the cloud provider is meeting all the requirements that you are subject to for the information it is handling on your behalf. This is critical for your business as the responsibility and liability remains with you even though someone else is implementing the compliance requirements.

Another aspect to consider is the location of the cloud provider’s systems that are hosting your services and information. You will need to check whether that location means that your business falls within a different jurisdiction that imposes different or additional compliance requirements on you.

Security is one of the biggest risks facing you as you move to cloud computing services. It is seen by some commentators as the stumbling block to the take up of cloud computing services. There is the security of communication between you and the provider as you are conducting your business over communication links to remote computer systems, and there is the security of your business information as it is stored, processed and moved on the provider’s IT systems.

Despite these risks we are seeing more and more take up of cloud computing services, so businesses are either find ways to mitigate these risks, or are finding the business benefits so large that they are willing to take the risk. More worryingly, there are some who are ignoring or are unaware of the risks and are potentially putting their businesses, which might be holding your personal data, in danger.

In a future posting I will look at the steps that can be taken to mitigate some of these risks.

by J. Kirk
Sr. Product Solutions Manager
Axway

For those companies responsible for data loss, a spate of punishments is coming down the pike. But as Dan Raywood of scmagazineuk.com notes in his article this week, “Proposals to unveil harsher punishments for data loss will lessen the problem but not be a silver bullet.”

He may be right. But is that a temporary or permanent condition?

Let’s take a look at some legislation already out there (or, at least, soon to be out there).

On July 1, 2003, the personal privacy law known as California Senate Bill 1386 was enacted, and to this day, it affects anyone who has personal information within the state of California. It states that if there’s any personal information that’s breached—whether it’s somehow lost in transit or in storage (e.g., stolen laptops, misplaced thumb drives, etc.)—the company responsible for the breach must notify all individuals involved and make a public announcement.

This certainly bruises the company’s reputation, but it’s not really a punishment. To be certain, it’s a bad thing for the company, but it’s an intangibly bad thing for the company, and teaches the company about as much as a five-minute detention teaches a misbehaved child.

Whenever you get a letter from a company apologizing for losing your data and offering you a free credit report, you experience the consequences of toothless, unintimidating legislation like this.

But things are changing. In October 2008, in Nevada, a statute called NRS-597.970 went into effect. It states:

A business in this State shall not transfer any personal information of a customer through an electronic transmission other than a facsimile to a person outside of the secure system of the business unless the business uses encryption to ensure the security of electronic transmission.

While no penalties are identified in NRS-597.970, the statute’s specificity exposes companies to virtually unlimited liability should they not abide.

Finally, in January 2010, just weeks from now, in Massachusetts, a law known as 201 CMR 17.00 goes into effect.

Under this law, if there is a data breach at a non-compliant business—e.g., lost driver’s license information, social security numbers, credit card information, or any combination associated with personal contact information—the Attorney General of Massachusetts can assess a maximum of $5,000 per violation. Plus, anyone affected by the breach can also recover legal and investigation costs, and that’s to say nothing about what kind of lawsuit the Attorney General may file, or what degree of punitive damages the courts will order.

Now that regulation’s got teeth.

So Dan Raywood is right: harsher punishments will not be a silver bullet in the short term. But in the long term, you can count on this: once a few firms are impacted—and in the matter of data breaches, any company who ignores the law will be impacted—society will recognize just how devastating this legislation can be. On that day, the bullet of harsher punishments will take on a decidedly more silver sheen.

How important is your data?  Imagine walking into your office one morning to discover that your network is down due to server failure.  All your data is gone, e.g. your payroll, your accounts receivable, your prospects lists, invoices, everything.  Those tape backups turn out to be meaningless.  The tape wasn’t installed.

Where do you turn?  How do you recover?  Can you afford to lose a month, a week, or even a day?  Protecting your data is vital and everyone needs a backup strategy.  Traditional onsite backups are time consuming and in some cases complicated.  If multiple external hard drives are involved someone has to keep track of which hard drive is in use.  Someone also has to make sure to switch the hard drives.  If the strategy involves sending the data home with a staff member for off-site protection that person must remember to handle the storage unit with care.  More importantly, they must remember to bring the unit back at the correct time in the rotation.  These solutions waste valuable time; time that could be spent on revenue generating activity.

Enter the Versa R2000 Backup and Recovery System – a data backup and recovery system designed to be a stand alone system that includes 5 integral parts in managing data backup, protection, and imaging.  With the R2000 you’ll get complete nightly backup of your data at blazing gigabit speeds.  This enterprise level solution also provides for continuous real time data protection and easy file restoration.  When ever data changes on the network it is replicated to the R2000.  Point in time images of your network servers and workstations for immediate disaster recovery with bare metal restore.  Recovery of an entire system is easy and fast.  The R2000 Vault will backup critical data to secure off-site location, i.e. your data can be secured on the Cloud.  The R2000 replicator allows a primary R2000 to replicate secondary unit off-site at a Data-Center or remote office.

Your data is critical to every aspect of your business.  Gain piece of mind and access to an enterprise level data protection solution.

A little bit on life …

Hello, comrades.

It’s been quite a while since I posted and I apologize if anyone’s been checking up on the site.

Life has been dandy lately. I’m still trying to recover from the loss of ALL data on my laptop. After talking to the IT expert at work, he thinks my hard drive exploded (figuratively, of course). This really came at a bad time because finals are in less than two weeks. I guess this should be an incentive to study harder!

I finally took my first, full practice LSAT. I’ve been trying to study in “busy” areas so I can learn how to take tests without letting anything distract me. This would come in handy if the proctor had a terrible, persistent cough on testing day. After studying in “busy” areas, a cough shouldn’t distract me from doing the best on the test (hey, that rhymed! I love it when that happens).

Anyway, I didn’t get the score I wanted on the test. Despite this, I think it’s a good thing. I say that because it means I can only improve from here. Thank goodness I started studying early.

I’ve been looking more into specific “traits” of specific law schools. I found a renewed sense of hope when I looked at The University of Akron Law School (based in Akron, Ohio). Most law schools accept students on a rolling admission basis starting in November. However, Akron starts admissions in March. This is wonderful news.

Many of the schools I’m looking into offer dual/joint degree programs. I might end up getting a JD and Master’s degree in Public Administration or Political Science. Then again, this all depends on where I end up.

Publicity has started for The KlezMormons

Next week, The KlezMormons will be performing on home turf in the Wilkinson Center at BYU. It will be an informal event with food, dancing, and music (of course).  We will also be having a reporter from the Mormon Times. It’s probably a good idea to have some “bases” in the publicity realm before having an article done about us, so I unleashed The KlezMormons on Twitter (follow us at twitter.com/klezmormons) and Facebook (click here for the link). Similarly, we can also be contacted through e-mail at klezmormons@gmail.com. We’re still eager to perform at any place we can get.

Recently in the Kansas City Business Journal there was an article about data theft and the insurance options out there. It is nice to see someone finally bringing this issue to light and I hope this will make people realize that the threat is real. Over the past few months, I’ve spent a considerable amount of time trying to educate my clients and prospects on the need for this type of coverage but many business owners still think they are immune to a data theft.

To read the entire article, click here.

 Doctors sometimes have a hard time being the patient. After they have the experience they usually have more compassion toward their patients.

I had recently upgraded my main work computer to a custom built machine to run all the programs I need to run (all at once). I Love my new machine. My machine has suffered an anomaly and is not functional at this time.

I PREACH to my clients, friends and family:: BACK UP YOUR DATA!!! I now have a new message. If you, for your business run any sort of industry specific software that has specific requirements of your hardware, and you can’t function without that software, then get a secondary machine that is capable of running that software. I have my data backed up. And I can do the day to day things, but I have several applications that are on hold.

 So about that compassion. I am also the last one to get tech help. I extend the knowledge base and service of my team out to my customers to ensure that their networks are running, that new systems we are setting up are on schedule. At the end of the day, whatever time is left… has been dedicated to the diagnosis and repair of my machine.

To my customers who have lost data, and whose work and life was on hold while data recovery was executed…

To my customers who have lost hardware, and whose work and life was on hold while we waited for parts to come…

To my customers who have lost network components, and whose work and life was on hold while we waited for outside vendors…

To anyone who has suffered because of a loss of technology that had become a additction…

I feel your pain…I understand.. I have a greater compassion for you.

Fuente:  IDG COMMUNICATIONS   – Autor: Marta Cabanillas -Fecha: 26/10/2009 

El gigante del sector seguros Zurich ha perdido una cinta de backup que contenía información sensible y personal sobre las cuentas de 641.000 clientes. 

La compañía ha admitido haber extraviado la cinta de backup hace alrededor de un año en Sudáfrica. El hecho ocurrió en agosto de 2008, durante el traslado físico de la cinta a una unidad de almacenamiento seguro. Pero Zurich asegura que hasta ahora no había detectado el incidente y que, inmediatamente, tras conocerlo, ha abierto una investigación con el fin de aclarar los detalles del suceso. 

La cinta contenía datos de la totalidad de la base de clientes de la compañía en Sudáfrica, cifra que asciende a 550.000, así como información de 51.000 y 40.000 de sus clientes en Reino Unido y en la República de Botsuana. En algunos casos, los datos comprometidos incluyen nombres y detalles de contacto, así como información bancaria utilizada para la realización de pagos a los clientes. 

Zurich se ha disculpado por el incidente, y ha informado al respecto a la autoridad británica Financial Services Authority. Además, la compañía ha contratado a la firma KPMG para investigar el caso. 

Annette Court, máxima responsable de garantías generales de Zurich Financial Services en Europa, ha calificado la pérdida de “inaceptable” y ha insistido en que la firma se toma la protección de su información “muy seriamente”. 

“Estamos destinando una gran inversión a reforzar nuestros procesos internos para garantizar que incidentes como éste no puedan volver a producirse en el futuro”, ha declarado Court.

From The Times  October 23, 2009 Miles Costello  

Zurich Insurance, the UK arm of the Swiss insurer, admitted yesterday that it had lost a tape containing the confidential personal details of 51,000 of its British customers.Zurich, which apologised for the mishap, revealed that the tape had been lost more than a year ago while it was in transit in South Africa and is still missing.

The company said that a recent routine check had revealed that the tape was not in a storage centre where it should be kept and its whereabouts remain unknown.

Annette Court, chief executive of general insurance for Europe at Zurich Financial Services, said that regulators, including the Financial Services Authority (FSA), had been told. 

She said that the tape, which was being taken from a Zurich office to a secure storage centre, also contained policy details of all its 550,000 customers in South Africa and 40,000 in Botswana. She said that Zurich had called in consultants at KPMG to investigate.

Ms Court admitted that Zurich’s security procedures had failed, but she said that the insurer would tighten its internal controls.

Zurich has written to every customer who may have been affected, but Ms Court said that the company had not yet discovered any examples of customers’ accounts being tampered with or any of their personal details being cloned.

In some cases, the lost data included bank sort codes and personal contact information, including addresses and telephone numbers.

Ms Court said that data covering both individual customers and small businesses were included on the tape. She described the affair as “unacceptable both for us and our customers”.

She added: “A data tape was lost in August last year during a routine transfer. It only came to light in the UK very recently that this was the case. We apologise unreservedly to all our customers, although we have no evidence that any of their details have been compromised.”

The lapse at Zurich is the latest to involve confidential customer data stored electronically.

In February 2007, Nationwide, the building society, was fined £1 million by the FSA after a laptop containing confidential customer details was stolen from an employee’s house.

Nationwide’s control procedures were criticised by the regulator, as was its three-week delay in beginning an investigation.

Also in 2007, Paul Gray, the chairman of HM Revenue & Customs, resigned after two CDs containing the personal and bank details of 25 million people, including almost every child benefit claimant in the country, were lost in the post.

Ms Court emphasised that only general insurance customers, of which Zurich has a total of 4 million in the UK, were potentially affected. She said life policy customers did not need to be concerned.

Nevertheless, the insurer is advising customers to contact their banks to ensure that their account details remain safe.

During the six months to the end of June, 267 complaints were registered against Zurich Insurance, according to figures released last month as part of a new “name and shame” policy by the Financial Ombudsman Service (FOS). Of those, 263 were complaints about general insurance policies.

As far as Zurich’s larger rivals are concerned, Aviva Insurance UK generated 669 complaints about general insurance in the same period, while 513 complaints were lodged against Axa Insurance UK, also during the same period, according to the FOS.

The Ombudsman noted that larger insurers would inevitably receive a greater number of complaints.

Zurich is offering to pick up the cost of any ID protection cover that any affected customers might need to take out.

The company has set up a UK helpline for policyholders who may have concerns. The number is 0800 0152183. Customers outside Britain may call +44 1709 764401.

The website zurich.co.uk/id contains further information.

COMPUTER WEEKLY.com Karl Flinders Friday 23 October 2009 12:33 

Swiss insurance giant Zurich Insurance has lost the personal details of 51,000 British customers in South Africa. 

The personal details of hundreds of thousands of African customers also went missing. 

A computer tape containing the customer information went missing over a year ago when it was being transferred to a storage centre in South Africa, the company disclosed. 

Zurich Insurance, which called in KPMG to investigate, said there is no evidence that customer details had been used to commit fraud. 

Annette Court, CEO Europe general insurance of Zurich Financial Services Group, said the company is investing money to improve its data security. 

“Protecting our customers’ interest is at the top of our agenda. We are putting a great deal of investment into strengthening our internal processes to ensure that incidents of this nature do not happen again in the future.” 

But Jamie Cowper, marketing director EMEA at data encryption firm PGP Corporation, said there are often dangers when customer data is held overseas. 

“Zurich UK’s customers might be surprised to hear that their data is being kept in South Africa, a country which is yet to pass the Protection of Personal Information Bill, its equivalent of the Data Protection Act,” he added. ” However, global trends around data outsourcing mean that confidential customer data could be held absolutely anywhere.”

 From The Registrer (London) October 23, 2009 By John Oates 

Zurich Insurance has admitted losing the personal account details for more than half a million people more than a year ago. 

51, 000 British customers’ details were on the tape, along with hundreds of thousands of details from people in South Africa and Botswana. They should have received letters warning them of the loss in recent days.

 The data was backed up on tape and was on its way to a South African storage centre when it was lost in August 2008. It included account details for 51, 000 British customers, 550, 000 South African customers and about 40, 000 accounts from Botswana. The insurer said it had seen no evidence that the information was being used for ID fraud or otherwise exploited.

Customers at risk are those with Zurich general insurance, not life insurance.

Zurich has hired KPMG to sort out its data protection policies and has also kept the Financial Services Authority and the Information Commissioner’s Office informed.

A spokeswoman for Zurich told the Register: “People have been calling the phonelines for reassurance and generally the response has not been bad. We’ve hired KPMG to find out why it has taken so long for this loss to come to light.”

Annette Court, chief exec of Zurich UK, apologised for the loss and said the firm was improving internal procedures to “ensure that incidents of this nature do not happen again.”.

There is a dedicated phoneline number included in customers’ letters or you can call 08000 152 183 from the UK or +44 1709 764 401 from outside the UK. There is also information at http://www.zurich.co.uk/home/aboutus/id.htm

People often concentrate rather too much on abuses by the state of personal data. But private sector organisations are certainly no better. One key example was made public this week, when the new UK Information Commissioner, Christopher Graham, announced that he would be prosecuting a major mobile phone company (he is not saying which one yet*) for selling personal information which it held on customers. The trade in personal information is a very difficult thing to regulate: telecoms companies will deny up front that they ever do anything like this, but yet we know it happens frequently in every jurisdiction, in both management-sanctioned and illicit forms; and practically, of course, once the information is ‘out there’, it cannot be recalled. So, no-one should feel safe just because they have ticked (or unticked) that little box under all that often indeciferable text about what a company might do with your data. I hope that whatever firm this is, it gets hits where it will hurt most, on its bottom line.

*Update: T-Mobile have now confirmed that they are the company responsible.

It is a black, black, BLACK day my friends.

1860's Civil War Mourning Dress, from http://19thcenturyartofmourning.com

If I had it laying about, this is the outfit I’d be wearing this week.  Those of you on Facebook already know — I knocked my godforsaken external hard drive off a shelf, it fell about a foot, the reader head ground the disc as it was spinning and that’s it — at least a solid year of work, but much worse, ALL the photographs (family, travels, everything) just went up in smoke.  And no, it wasn’t backed up because I am catastrophically dopey.

Sent the drive off to a data recovery place (everyone I talked to said it needed to be opened in a “clean room” with little guys in white booties running around in a dust and static free zone), and they just called and said “There is nothing recoverable on here.”  Which just BLEW MY MIND.  Nothing?  This is the place people send laptops that fall out of helicopters over burning oil fields in Kuwait!  They can recover stuff from a drive that’s been sitting in the belly of an alligator in swamp sludge for a month!  In my worst nightmares I thought “I bet I lost all the Halloween party photos, dammit!”  Or maybe, if I really let my thoughts go down a dark path — “What if I lost the entire summer and fall???”  It literally never occurred to me that all of it might be toasted.

Absolutely had to get out of the house or I was going to stick my head in the oven, so Nico and I went for a little creek hike.  At one point he almost fell in when he jumped onto a big boulder than wasn’t as rock solid as it looked.  He scraped his hand a bit, and I said “Hey, better than being in the creek!” (because it’s my job to provide annoying perspective at times like this) and he said “Yeah, or being in the creek with the boulder on top of you and both your eyes poked out!”  (Clearly it’s his job to provide really bracing, gorey perspective to any situation.)

So yeah, lost a year or more of photos, but at least I’m not laying in a creek bed with a boulder on my chest and my eyes poked out.  I think that’s a real “glass half full” situation right there.  And as I keep trying to tell myself:  I didn’t lose the people in the photographs, we’re all still here, and my hard drive didn’t get wiped — I still have the memories of all those trips and events.  But fuck, I am really, really sad.

If anybody out there has any photos of me and mine from 2009, I’d love to see ‘em.  If you were at Comic-con, my opening at the Shooting Gallery, NY in Sept., ANYWHERE that any of us were this year, I’d love to try to re-build that chunk of our history with your help.  Send any historical scraps to:  isamaras@mac.com

And the second you’re done with that — go back everything up.  And then back it up again!  Think about offsite storage so when California tumbles into the sea you can swim to shore and download your data from some storage facility in a missile silo in the midwest.

Seriously, go back up all your stuff right now.