Tag Archive for Data

Banks & Bosses Use Social Media to Assess Risk

Updated 10-22-10 – GigaOm has a post about Rapleaf here.

If you’re among the 67% of the global online population that, according to Nielsen Online, uses social media networks to stay in touch with friends, grow a business, or just have fun, then your information is for sale to banks, insurance companies, employers, and the government. Some banks are turning to social media analytics firms to enhance their credit-check procedures.

Banks are now looking at an applicant’s social media profile, behavior, and associations on sites like Facebook (FB), Twitter, and MySpace according to a recent article on the banking industry site CreditCards.com. The banker’s theory is that people run with folks who share their values and behavior. If your Facebook friends are deadbeats, the banks theorize you are a deadbeat also. These assumptions may make it harder to get a credit card or mortgage, according to CreditCards.com.

Many banks are now outsourcing their social network data mining operations to firms such as Rapleaf, a San Francisco, CA-based company that specializes in social media monitoring. According to CreditCards.com, Rapleaf compiles everything you and your network do, including status updates, “tweets,” joining online clubs, linking to a Web site, or posting a comment on a blog or news Web site. These firms turn the conversations into consumer profiles called social graphs. Social graphs give companies insight into behavior patterns: what you like and dislike, want and don’t want, do well and do poorly.

In the article, Rapleaf characterizes its social network data mining operations as “a unique way to improve customer experience by whitelisting customers based on their social circles and friend relationships.” Since the firm uses data to “whitelist” people, it may just as easily be used to “blacklist” people and deny them a credit card or a job. “Who you hang around with has empirical implications with how you behave,” Joel Jewitt, Rapleaf’s vice president of business development, told FastCompany.

“It’s a marketing trend as opposed to a credit score trend,” says Jewitt. Despite his assurances, Rapleaf’s Web site suggests that clients “use friend networks to enhance … credit scoring,” according to FastCompany. Jesse Torres, president and CEO of Pan American Bank in Los Angeles, told CreditCards.com that online information aggregators fill a need within the banking community. “They’re able to scour the social media universe. They are constantly listening and reporting back.”

The bankers are protecting their bottom line: “credit card companies have been stung very hard during this downturn, and they’re going to work that much harder to avoid extending credit…,” Ken Clark, author of The Complete Idiot’s Guide to Boosting Your Financial IQ, told CreditCards.com. Rob Garcia, senior director of product strategy at The Lending Club, a peer-to-peer lender, says his firm uses multiple sources of “social information collateral” for its decision-making processes. “It’s a wealth of information about a person,” says Garcia.

Not everyone in the industry is data mining social networks. “It’s difficult to make a judgment about an individual’s credit based on the people around them,” says Gregory Meyer, community relations manager for Meriwest Credit Union in San José, CA. Meriwest only assesses credit reports and application data to make lending decisions. “[Social media] is a great way to keep up with what my 10-year-old nephew is up to, but it doesn’t have a place in the credit process.”

What you divulge can have an unintended impact. “We’ve seen this with applicants not getting jobs and employees getting fired for their Facebook and Twitter-based escapades,” financial personality Clark told CreditCards.com, “so we shouldn’t imagine this to be any different.” There are steps to take to guard your privacy. “I think it is crucial that everyone visit the privacy notices for the sites they use, read them, and change their settings to limit who can see their information,” says Clark. “For example, on Facebook, you can change your privacy settings so that only your acknowledged friends can see the majority of your information.” You can also enable “private filtering” on your browser. Do so and your activity will be entirely out of the Web profiling system.

Scott Stevenson, president and CEO of EliminateIDTheft.com, told CreditCards.com that people should:

  1. Don’t accept invitations until you check the profile out first.
  2. Be acutely aware of what you write. Don’t make public anything you don’t want public.
  3. Take an annual inventory of all your social networking sites and delete people and information that can potentially damage you in the eyes of a creditor or employer.

Rapleaf offers a service to discover your online footprint and see what others might see on your social graph. Google (GOOG) offers a similar tool, the Google Privacy Dashboard, which presents an overview of the accounts and information you are connected with through Google. Take advantage of tools like these to check your own online reputation. What you don’t know can hurt you. Rapleaf’s Jewitt reminds users that “The custodian of the information is you.”

rb-

There is nothing illegal about the social network data mining that banks and firms like Rapleaf do. Facebook and the other social networks are legal commercial enterprises that openly broker user data for exactly these kinds of purposes. People freely put information on Facebook with the full knowledge that it will become a permanent part of the public Internet record. Users need to know about this kind of data mining for two reasons. First, the stakes are high. It’s about getting access to credit that might be necessary for your family or business, or even getting your next job.

Second, data mining gives the lenders insights into relationships that are unknown to, and often completely out of the control of, the applicant. Maybe being a Facebook fan of NASCAR says something, in aggregate, about your socioeconomic status and your creditworthiness or employability, according to some second-order derivative analysis of millions of data records.

The asymmetry in the relationship between data-driven marketers and consumers is structural and permanent. Institutions like banks (and, potentially, insurance companies, employers, and the government) will use it to gain an advantage, because that’s what they do.


Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedIn, Facebook, and Twitter. Email the Bach Seat here.

Privacy Day 2010

Data Privacy Day is January 28, 2010. Data Privacy Day is an international celebration of the dignity of the individual expressed through personal information, according to its sponsors. In this networked world, in which we are thoroughly digitized, with our identities, locations, actions, purchases, associations, movements, and histories stored as so many bits and bytes, we have to ask: who is collecting all of this, what are they doing with it, and with whom are they sharing it?

For its part, Google (GOOG) has released a video highlighting the ways it uses some of that personal data it collects about you to make your life easier and then explains that you can opt-out of some of Google’s data collection policies.

Microsoft (MSFT) has released the results of a study on data privacy. According to the Microsoft survey, the results illustrate how we, as a society, are still grappling with the intersection of privacy and online life. For example, 63 percent of consumers surveyed are concerned that online reputation might affect their personal and/or professional life, yet less than half even consider their reputations when they post online content.

Finally, fewer than 15% of consumers in any of the countries surveyed believe that information found online would have an impact on their getting a job. The Microsoft study found that 70% of surveyed HR professionals in the U.S. have rejected a candidate based on online reputation information. Reputation can also have a positive effect: in the United States, 86% of HR professionals stated that a positive online reputation influences the candidate’s application to some extent; almost half stated that it does so to a great extent.

For its part, the Electronic Frontier Foundation (EFF) has published “The E-Book Buyer’s Guide to Privacy,” which outlines six elements of e-book readers’ privacy policies.

The EFF surveyed the policies and found that Google Books and Amazon Kindle will monitor what you’re reading. The EFF also found that all the e-book readers will keep track of book searches and book purchases. The Kindle, Nook, and Reader share the information collected on your book selections, searches, and purchases outside the company without your consent. The good news is that the free, open-source FBReader (for Windows/Linux) does not collect data on your book selections or searches.

These privacy issues are important for citizens and businesses. Firms have to consider whether they are complying with laws and regulations requiring consumer privacy protections. They know that customers have to trust their technologies and services before they will use and pay for them.


Paper Based Data Breaches Growing

Brian Krebs at the Washington Post’s Security Fix points out that paper-based data breaches are on the rise. Krebs cites statistics from the Identity Theft Resource Center, a San Diego-based nonprofit, which says at least 27 percent of the data breaches disclosed publicly in 2009 stemmed from collections of sensitive consumer information printed on paper that was lost, stolen, inadvertently distributed, or improperly disposed of.

The ITRC logged 125 paper breaches among the 463 incidents it recorded in 2009. These breaches were spread across all sectors, with businesses having the most, followed by the government sector.

“Computers were supposed to take us to a paperless society, yet computers probably create more paper than before we had them because now we want a hard copy as well as what’s on the computer,” ITRC co-founder Linda Foley told Security Fix. “It’s a double danger of course because paper – especially when it’s just tossed in a dumpster somewhere – is not like data on a hard drive. It’s ready to use, it often contains the consumer’s handwriting and signatures, which can be very useful when you’re talking about forging credit card and mortgage applications.”

Stuart Ingis, a partner with the law firm Venable LLP in Washington, told Security Fix that many clients he deals with strictly speaking do not have a legal obligation to report paper-based breaches, but that most of his clients err on the side of caution.

Experts say that paper data breach incidents come to light in large part due to a proliferation of state data breach notification laws. Some 45 states and the District of Columbia have enacted laws requiring companies that lose control over sensitive consumer data such as Social Security or bank account numbers to alert affected consumers and in some cases state authorities. Concerned about the mounting costs of complying with so many state breach regulations, businesses often find it easier and cheaper to adhere to the strictest state laws. The current federal data breach notification proposals will preempt state measures and will allow paper-based breaches to go unreported because they would require notification only when data stored electronically is lost or stolen and are largely silent on paper breaches. Only Massachusetts and North Carolina currently require notification whether the data breach is in electronic or paper form.

rb-
When we talk to clients about information security, and not just information technology security, we ask them to consider whether lost paper documents are just as damaging to a company’s reputation, should they get into the wrong hands, as electronic data stored in an Excel spreadsheet or on a database server. Data on paper is just another form of data that needs to be protected by information security policies.

Related articles
  • Identity theft and data breaches increased in 2010 (lexingtonlaw.com)


Data Destruction Policy Suggestions

Humans have created more digital information than we have the ability to store, according to EMC‘s digital universe survey. ComputerWorld recently published an excellent article with a lawyer’s point of view about data destruction. Attorney Mark Grossman, a tech lawyer and the founder of the Grossman Law Group, and Tate Stickles, a partner in the Grossman Law Group, offer some insight for creating an effective data destruction policy.

Highlights of a data destruction policy

  1. Data destruction is intended to be permanent.
  2. Policies must be consistently enforced.
  3. The goal is to identify and classify what data the firm has and create effective policies for disposing of it.
  4. Legal and proper data destruction may prevent extensive fishing expeditions by your opponents.
  5. A regular business process addressing data destruction should provide some “safe harbor” protections under the Federal Rules of Evidence relating to electronic evidence.
  6. Have a data retention policy – A data destruction policy is the second part of your data retention policy which will help decide where data is stored and make it easier to delete old data.

General rules

  1. The general rule for the disposal of any data is that simple deletion and overwriting of data is not enough.
    • When reusing media, wipe the old data, confirm that the data is gone, and then document the process before the media is reused.
    • Media that leaves the control of the firm, whether it is destroyed or resold to another party, needs additional processes, up to and including the physical destruction of the media.
  2. Obligations to take certain data destruction steps depend on the laws, rules, or regulations that regulate the firm:
    • Sarbanes-Oxley,
    • Gramm-Leach-Bliley,
    • The Fair and Accurate Credit Transactions Act,
    • HIPAA,
    • Check with your tech attorney who can provide guidance on what laws, rules, and regulations may apply to your company’s situation.
  3. Firms that are not heavily regulated can look to other destruction standards:
    • U.S. Department of Defense standards and methods (DoD 5220.22-M),
    • National Institute of Standards and Technology’s Guidelines for Media Sanitization (NIST SP 800-88),
    • International, national, state, and local laws, rules, and regulations.
  4. The policy should address how to classify and handle each type of data residing on the media.
  5. The policy needs a process for the review and categorization of the types of data your company has and which kinds can be removed.
  6. The classifications and contents of the data will play a role in how it is destroyed.
  7. Data and media containing confidential information, trade secrets, and the private information of customers require the strictest controls and destruction methods.
  8. Data and media containing little to no risk to the firm may have relaxed levels of control and destruction.
  9. Review contracts with other companies to ensure proper handling of data destruction within the terms of those contracts. For example, non-disclosure agreements can contain data destruction terms that must be complied with.
  10. When reselling or recycling media, take samples to make sure that the proper levels of data destruction are maintained.
  11. In-house data destruction requires verification that the data sanitation and destruction tools and equipment are functioning properly and maintained appropriately.
  12. Document the entire policy so the firm will know what media is sanitized and destroyed. The documentation should allow easy answers to who, what, where, when, why, and how questions.

The last step of an effective policy is to have a process in place so the firm can follow up with regularly scheduled testing of the process and the media to ensure the effectiveness of the policy.
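The “wipe, confirm, document” sequence above (rules 1, 10, 11 and 12) is easy to state and easy to get wrong in practice: a wipe tool that silently skips sectors leaves data behind, and a record that does not say who did what to which media, when and how, is useless in an audit. The script below is an added example, not code from the article or from the Grossman Law Group. It works on a constructed in-memory “disk image” rather than a real device, plants two labelled marker records in it, overwrites it, verifies the result by sampling sectors (or by a full scan), and emits a sanitization record answering the who/what/where/when/why/how questions. The `faulty_overwrite` function is a deliberately broken tool, included only to show that verification catches it; all function and field names are this example’s own.

```python
"""Added example: verify a media overwrite by sampling sectors, then
record the result. The 'media' is a constructed byte string, not a
real device, and the marker records are made-up sample values."""
import hashlib
import json
import random
from datetime import datetime, timezone

SECTOR_SIZE = 512

# Constructed records planted in the image so a failed wipe is detectable.
MARKERS = [b"CONSTRUCTED-SSN=000-00-0000", b"CONSTRUCTED-ACCT=1234567890"]


def make_sample_media(n_sectors=256, seed=7):
    """Build a constructed disk image: random filler plus the marker records
    in sectors 10 and 47."""
    rng = random.Random(seed)
    image = bytearray(rng.getrandbits(8) for _ in range(n_sectors * SECTOR_SIZE))
    for i, marker in enumerate(MARKERS):
        off = (10 + 37 * i) * SECTOR_SIZE
        image[off:off + len(marker)] = marker
    return bytes(image)


def overwrite_media(image, fill=0x00):
    """Single-pass overwrite of every byte with a fixed value (the 'wipe')."""
    return bytes([fill]) * len(image)


def faulty_overwrite(image, fill=0x00, skip_every=47):
    """A deliberately broken wipe tool that leaves every Nth sector untouched.
    It exists only to demonstrate that verification catches a bad tool."""
    out = bytearray(overwrite_media(image, fill))
    for s in range(0, len(image) // SECTOR_SIZE, skip_every):
        out[s * SECTOR_SIZE:(s + 1) * SECTOR_SIZE] = image[s * SECTOR_SIZE:(s + 1) * SECTOR_SIZE]
    return bytes(out)


def verify_overwrite(image, fill=0x00, sample_fraction=0.25, seed=None, full_scan=False):
    """Confirm the data is gone: every checked sector must consist solely of the
    fill byte and must not contain any planted marker. Returns (ok, report).
    Sampling (rule 10) is cheap but probabilistic; a full scan is definitive."""
    n = len(image) // SECTOR_SIZE
    if full_scan:
        sectors = range(n)
    else:
        rng = random.Random(seed)
        sectors = sorted(rng.sample(range(n), max(1, int(n * sample_fraction))))
    expected = bytes([fill]) * SECTOR_SIZE
    failed = []
    for s in sectors:
        chunk = image[s * SECTOR_SIZE:(s + 1) * SECTOR_SIZE]
        if chunk != expected or any(m in chunk for m in MARKERS):
            failed.append(s)
    return len(failed) == 0, {"sectors_checked": len(sectors), "failed_sectors": failed}


def sanitization_record(media_id, operator, location, reason, method, image, verification):
    """Rule 12: the who/what/where/when/why/how record, plus a digest of the
    post-wipe image so a later audit can re-check the media against it."""
    ok, report = verification
    return {
        "who": operator,
        "what": media_id,
        "where": location,
        "when": datetime.now(timezone.utc).isoformat(),
        "why": reason,
        "how": method,
        "verified": ok,
        "verification": report,
        "post_wipe_sha256": hashlib.sha256(image).hexdigest(),
    }


if __name__ == "__main__":
    media = make_sample_media()
    wiped = overwrite_media(media)
    rec = sanitization_record("DISK-0001 (constructed)", "j.doe", "lab-2",
                              "decommissioned laptop", "single-pass 0x00 overwrite",
                              wiped, verify_overwrite(wiped, seed=1))
    print(json.dumps(rec, indent=2))
    # The broken tool passes a sampled check only by luck; a full scan exposes it.
    print(verify_overwrite(faulty_overwrite(media), full_scan=True))
```

The design point is the last line: with 256 sectors and six skipped ones, a 25% random sample misses all six about one time in six, which is why rule 10’s sampling is a check on a process believed to be working, not a substitute for verifying the tool itself (rule 11) on small media where a full scan costs nothing.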


Costs of Data Breach is Increasing

The annual Cost of Data Breach survey, conducted by the Traverse City, MI-based Ponemon Institute and funded by encryption vendor PGP Corp., found that the total average costs associated with data breaches rose slightly since 2007.

The fourth annual U.S. Cost of a Data Breach Study (registration required) surveyed 43 firms that experienced a data breach and asked them to give estimates for their expenses. The total average costs of a data breach grew to $202 per record compromised, an increase of 2.3% since 2007 ($197 per record) and 11% compared to 2006 ($182 per record).

Depending on the size of the breach, costs could become astronomical, said Dr. Larry Ponemon, chair and founder of The Ponemon Institute. Some in the privacy community hold the view that people will, over time, become indifferent to data breach notifications. But the Ponemon study found that the costs associated with lost business continue to climb. Lost business now accounts for 69% of data breach costs, up from 65% in 2007.

“Our model suggests that people haven’t reached the point of indifference yet,” Ponemon said. “When people reach that point the cost of churn should decline, but our findings show the costs continue to creep up year by year.”

The survey also found that many firms have trouble preventing data breaches. Of the firms surveyed, 84% said they experienced more than one breach, though the costs are higher for companies experiencing a breach for the first time. The per-victim cost for a first-time data breach is $243 versus $192 for experienced companies.

“It’s impossible to create an environment where you cannot have a data breach,” Ponemon said. “Data breaches will probably continue even for the best of companies, but it’s how you detect it, how you respond to it, and how you manage the risk that matters most.”

Companies are fearful of malicious insiders getting access to sensitive data. The rising tide of layoffs as a result of the poor economy has put a focus on the insider threat. But insider negligence continued to play a major role in causing a data breach. More than 88% of all cases involved incidents of insiders mishandling data. Far fewer breaches were from malicious insiders. The Ponemon study found that the per victim cost for data breaches involving negligence cost $199 per record versus malicious acts costing $225 per record.

Fewer firms are investing in additional technologies. Encryption was the first technology implemented after a breach. Of the technology options, 44% of companies have expanded their use of encryption, the Ponemon survey found.

“One of the mistakes people make with encryption is they’ll go and encrypt a laptop and forget about thumb drives, email or FTP servers,” he said. “People are addressing some issues but not addressing the entire problem.”

Some companies turn to the use of third-party services to handle personal information such as payment transactions and customer loyalty programs. But the Ponemon survey found that those services may increase the risk of data leakage and increase the cost of a breach. Breaches by outsourcers, contractors, consultants and business partners were reported by 44% of respondents, up from 40% in 2007. Third-party vendors often take more time to investigate and conduct forensic analysis. Services sometimes lose information due to poor processes or inadequate data protection technologies, Ponemon said.
