Tag Archive for Privacy

SCOTUS Look At Texting and Sexting

The U.S. Supreme Court recently heard oral arguments in the sexting case City of Ontario, Ontario Police Department, and Lloyd Scharf v. Jeff Quon, et al. According to the Workplace Privacy Data Management & Security Report by the legal firm of Jackson|Lewis, this case highlights the effects new technologies continue to have on workplace privacy issues.

Sexting messages

One issue the Court will consider is whether a California police department violated the privacy of one of its officers when it read the personal “sexting” messages on his department-issued pager. The U.S. Court of Appeals for the Ninth Circuit sided with the police officer and ruled that users of text messaging services “have a reasonable expectation of privacy” regarding messages stored on the service provider’s network.

Police Sgt. Jeff Quon, his wife, his girlfriend, and another police sergeant filed the original suit. The suit started after one of Quon’s superiors audited his messages and found that many of them were personal and sexually explicit “sexting.” Among the defendants were the City of Ontario, the Ontario Police Department, and Arch Wireless Operating Co. Inc. Plaintiffs sought damages for alleged violation of their privacy rights.

Arch Wireless contracted with the employer, the City of Ontario, California, to provide text-messaging services using pagers. The City distributed the pagers to various employees. The employees signed an “Employee Acknowledgment” of the City’s general “Computer Usage, Internet, and E-mail Policy.”

The policy stated that the City reserved the right to “monitor and log all network activity including e-mail and Internet use, with or without notice.” The policy also stated that “[u]sers should have no expectation of privacy or confidentiality when using these resources.” Quon also attended a meeting during which a police Lieutenant stated that pager messages “were considered e-mail and that those messages would fall under the City’s policy as public information and eligible for auditing.”

A certain number of characters were allocated to each pager per month, and Quon exceeded his allotment on several occasions. The Lieutenant attempted to determine whether the overages were business-related and obtained transcripts of text messages for the employees with overages. After the transcripts provided by Arch Wireless were audited, the matter was referred to the City’s Internal Affairs agency, where it was determined that Quon exceeded his monthly character allotment and that many of his messages were personal and not business-related.

Court rulings

The case went to trial and the jury ruled in favor of the employer. The plaintiffs appealed the ruling. The Court of Appeals ruled that the plaintiff had a reasonable expectation of privacy in the text messages. The Court held that he had a reasonable expectation of privacy because the City:

  • Had a practice of not reviewing the messages if employees paid the overage charges.
  • Did not review Quon’s messages even though he exceeded the character allotment several times.

Significantly, the author points out, the court held that the City’s practice trumped its own written policy, its employees’ acknowledgments that they had no privacy interest in electronic communications and its statements in staff meetings that it viewed text messages as e-mail.

Among the issues the Supreme Court will look at in this case, according to the blog, is whether the Department’s official “no-privacy” policy conflicts with its informal policy of allowing some personal use of pagers. The blog says that this area of the law remains unsettled.

They recommend a well-drafted policy to lower an employee’s expectation of privacy when using employer-owned equipment. The law firm cites estimates that 100 million people will use text messages in 2010 and recommends that employers be ready with comprehensive computer and electronic equipment usage policies. Further, the firm says it is critical that:

  • Practices and policies are consistent.
  • Policies reflect current technologies.
  • Employees acknowledge receiving and reviewing policies and procedures, particularly when introducing new technologies.

While this case involves a public sector entity, its outcome is likely to affect electronic communications policies and practices across the country, whether by public or private employers.

rb-

While I’m no lawyer, the biggest message out of this case and one out of New Jersey, which I noted earlier, is that policies need to be clear and consistent to be enforceable. In the New Jersey case, the court found the company’s policy on email use to be vague, noting it allows “occasional personal use.” The issue in the CA case seems to be the conflict between official policy and informal policy.

Some of the policy suggestions we make to clients include:

  • Have senior management and legal counsel make policy
  • Update the policy often
  • Reduce expectation of privacy
  • Distribute the policy to employees at regular intervals
  • Specify who can change policy in the policy
  • Train managers about the policy
  • Specify that company equipment be used only for business communications
  • Do not allow third-party emails.

Of course, don’t forget the example of Kwame Kilpatrick.


Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedIn, Facebook, and Twitter. Email the Bach Seat here.

Privacy Day 2010

Data Privacy Day is January 28, 2010. Data Privacy Day is an international celebration of the dignity of the individual expressed through personal information, according to its sponsors. In this networked world, in which we are thoroughly digitized, with our identities, locations, actions, purchases, associations, movements, and histories stored as so many bits and bytes, we have to ask: who is collecting all of this, what are they doing with it, and with whom are they sharing it?

For its part, Google (GOOG) has released a video highlighting the ways it uses some of that personal data it collects about you to make your life easier and then explains that you can opt-out of some of Google’s data collection policies.

Microsoft (MSFT) has released the results of a study on data privacy. According to the Microsoft survey, the results illustrate how we, as a society, are still grappling with the intersection of privacy and online life. For example, 63 percent of consumers surveyed are concerned that online reputation might affect their personal and/or professional life, yet less than half even consider their reputations when they post online content.

Finally, fewer than 15% of consumers in any of the countries surveyed believe that information found online would have an impact on their getting a job. The Microsoft study found 70% of surveyed HR professionals in the U.S. have rejected a candidate based on online reputation information. Reputation can also have a positive effect: in the United States, 86% of HR professionals stated that a positive online reputation influences the candidate’s application to some extent; almost half stated that it does so to a great extent.

For its part, the Electronic Frontier Foundation (EFF) has published “The E-Book Buyer’s Guide to Privacy,” which outlines six elements of Ebook readers’ privacy policies:

The EFF surveyed the policies and found that Google Books and Amazon Kindle will monitor what you’re reading. The EFF also found that all the E-book readers will keep track of book searches and book purchases. With the Kindle, Nook, and Reader, information collected on your book selections, searches, and purchases is shared outside the company without your consent. The good news is that the free, open-source FBReader (for Windows/Linux) does not collect data on your book selections or searches.

These privacy issues are important for citizens and businesses. Firms have to consider whether they are complying with laws and regulations requiring consumer privacy protections. They know that customers have to trust their technologies and services before they will use and pay for them.

 


Paper Based Data Breaches Growing

Brian Krebs at the Washington Post’s Security Fix points out that paper-based data breaches are on the rise. Krebs cites statistics from the Identity Theft Resource Center, a San Diego-based nonprofit, which says at least 27 percent of the data breaches disclosed publicly in 2009 stemmed from collections of sensitive consumer information printed on paper that was lost, stolen, inadvertently distributed, or improperly disposed of.

The ITRC has logged 125 paper breaches of the 463 incidents they recorded in 2009. These breaches were across all sectors, with businesses having the most followed by the government sector.

“Computers were supposed to take us to a paperless society, yet computers probably create more paper than before we had them because now we want a hard copy as well as what’s on the computer,” ITRC co-founder Linda Foley told Security Fix. “It’s a double danger of course because paper – especially when it’s just tossed in a dumpster somewhere – is not like data on a hard drive. It’s ready to use, it often contains the consumer’s handwriting and signatures, which can be very useful when you’re talking about forging credit card and mortgage applications.”

Stuart Ingis, a partner with the law firm Venable LLP in Washington, told Security Fix that many clients he deals with do not, strictly speaking, have a legal obligation to report paper-based breaches, but that most of his clients err on the side of caution.

Experts say that paper data breach incidents come to light in large part due to a proliferation of state data breach notification laws. Some 45 states and the District of Columbia have enacted laws requiring companies that lose control over sensitive consumer data such as Social Security or bank account numbers to alert affected consumers and in some cases state authorities. Concerned about the mounting costs of complying with so many state breach regulations, businesses often find it easier and cheaper to adhere to the strictest state laws. The current federal data breach notification proposals will preempt state measures and will allow paper-based breaches to go unreported because they would require notification only when data stored electronically is lost or stolen and are largely silent on paper breaches. Only Massachusetts and North Carolina currently require notification whether the data breach is in electronic or paper form.

rb-
When we talk to clients about information security and not just information technology security, we ask them to consider that lost paper documents are just as damaging to a company’s reputation, should they get into the wrong hands, as electronic data stored in an Excel spreadsheet or database server. But data on paper is just another form of data that needs to be protected by information security policies.


Feds Still Want to Federalize Internet

Senator Jay Rockefeller (D-WV) has released a revised version of his bill that would federalize the Internet (I covered this topic earlier here). The current draft would allow the president to “declare a cybersecurity emergency” on “non-governmental” computer networks and do what’s necessary to respond to the threat.

Section 3 (2) (B) defines “Cyber” as any matter relating to, or involving the use of, computers or computer networks. Section 201 (2) (B) permits the president to “direct the national response to the cyber threat” if necessary for “the national defense and security.”

“I think the redraft, while improved, remains troubling due to its vagueness,” Larry Clinton told CNET. “It is unclear what authority Sen. Rockefeller thinks is necessary over the private sector. Unless this is clarified, we cannot properly analyze, let alone support the bill,” said Clinton, president of the Internet Security Alliance, which counts representatives of Verizon, Verisign, Nortel, and Carnegie Mellon University on its board.

A Senate source familiar with the bill told CNET that the president’s power to take control of portions of the Internet is comparable to what President Bush did when grounding all aircraft on Sept. 11, 2001. The source said that one primary concern was the electrical grid, and what would happen if it were attacked from a broadband connection.

Section 201 (5) of the bill requires the White House to engage in “periodic mapping” of private networks deemed to be critical, and those companies “shall share” requested information with the federal government. The privacy implications of sweeping changes implemented before the legal review is finished worry Lee Tien, a senior staff attorney with the Electronic Frontier Foundation in San Francisco, he told CNET. “As soon as you’re saying that the federal government is going to be exercising this kind of power over private networks, it’s going to be a really big issue,” he says.

“The language has changed but it doesn’t contain any real additional limits,” EFF’s Tien says. “It simply switches the more direct and obvious language they had originally to the more ambiguous (version)…The designation of what is a critical infrastructure system or network as far as I can tell has no specific process. There’s no provision for any administrative process or review. That’s where the problems seem to start. And then you have the amorphous powers that go along with it.”

Rb-

If your network is determined to be “critical” by the Feds, there is likely a new set of regulations coming from the same people who are giving themselves failing grades for their own cyber-security.

These new rules could impact staffing decisions and disclosure policies, and open the door to a government takeover of your IT systems. This bill requires watching by anybody that uses or manages computers, a private network, or the Internet. It is likely they will sweep it in as pork on another unrelated bill, to limit public discussion.

Contact your representatives in DC.

 


What Is Your Digital Shadow?

IDC recently released a study, “The Diverse and Exploding Digital Universe: An Updated Forecast of Worldwide Information Growth Through 2011”, sponsored by storage vendor EMC. The report updates a similar study conducted in 2007. The report forecasts your digital shadow. Your digital shadow is the amounts and types of digital information in the world. The new IDC 2008 research shows the digital universe is bigger and growing more rapidly than 2007 estimates.

This growth is in part a result of:

  • Growing Internet access in emerging countries,
  • Social networks made up of digital content created by many millions of users,
  • Growth in worldwide shipments of digital cameras, digital surveillance cameras, and digital televisions.

According to the study, the digital universe in 2007 was equal to almost 45 gigabytes (GB) of digital information for every person on Earth.

IDC’s research also examines how society and the digital universe interact with each other and how individuals actively contribute to the digital universe, leaving a digital footprint as Internet and social network users and through email, cell phones, digital cameras, and credit card transactions. “… we discovered that only about half of your digital footprint is related to your individual actions – taking pictures, sending emails, or making digital voice calls,” said John Gantz, Chief Research Officer and Senior Vice President, IDC.

Enterprise IT organizations that gather the information which makes up digital shadows have a tremendous responsibility – in many cases mandated by law – for the security, privacy protection, reliability and legal compliance of this information, according to Joe Tucci, EMC Chairman, President and CEO. “As people’s digital footprints continue growing, so too will the responsibility of organizations for the privacy, protection, availability and reliability of that information. The burden is on IT departments within organizations to address the risks and compliance rules around information misuse, data leakage and safeguarding against security breaches.”

The responsibility for governance of digital information remains primarily on the enterprise. Approximately 70% of the digital universe is created by individuals, yet enterprises are responsible for the security, privacy, reliability, and compliance of 85% of the digital universe.

Additional IDC findings

  • At 281 billion gigabytes (281 exabytes), the digital universe in 2007 was 10% bigger than originally estimated,
  • With a compound annual growth rate of almost 60%, the digital universe is projected to be nearly 1.8 zettabytes (1,800 exabytes) in 2011, a 10-fold increase over the next five years,
  • The information explosion, in raw gigabytes, is predominately visual: images, camcorder clips, digital TV signals, and surveillance streams.

Digital Diversity – Because of the growth of VoIP, sensors, and RFID, the number of electronic information “containers” – files, images, packets, tag contents – is growing 50% faster than the number of gigabytes. The information created in 2011 will be contained in more than 20 quadrillion – 20 million billion – of such containers, a tremendous management challenge for both businesses and consumers.

  • Digital Cameras – In 2007 fewer than 10% of all still images were captured on film.
  • Digital Surveillance – Shipments of networked digital surveillance cameras are doubling every year.
  • A single email with a 1Mb attachment can create over 50 Mb of digital footprint.

EMC also provides a tool to calculate the size of your own digital footprint: download a copy of the Personal Digital Footprint Calculator.

 
