Data Security: Out To Lunch, Er, Dinner::Brought to you by TechWeb

Mar 28, 2006 (09:03 AM EST)

Data Security: Out To Lunch, Er, Dinner

Read the Original Article at InformationWeek

Listen to a podcast version of this newsletter

In This Issue:
1. Editor's Note: Data Security: Out To Lunch, Er, Dinner
2. Today's Top Story: Microsoft
    - Microsoft Preps IE Flaw Fix; Sites Exploiting Bug Multiply
    Related Story:
    - Microsoft Launches IE7 Bug Database
3. Breaking News
    - Internal E-Mails Detail More Questionable Behavior At Morgan Stanley
    - Brief: Yahoo Updates Toolbar With Tabbed Browsing For IE
    - BMC Acquires Identify Software For $150 Million
    - Report: Vista Delay Won't Impact PC Sales Much
    - Lycos Enters VoIP Market Bundled With Goodies
    - Microsoft And Eclipse: A Showdown For Ajax Leadership
    - Azul Plans 48-Core Processor For 2007
    - Next-Generation Vehicles: Drivers Optional
    - U.S. Railroads Rolling Out High-Tech Logistics
    - State And Local Governments Want To Keep The Jobs, But Still Outsource The IT
    - Spyware And Adware Continue To Plague PCs
4. Grab Bag: Skype And iPods
    - Skype Sued Over Peer-To-Peer Technology (CNNMoney.com)
    - Denmark Considers Separating iTunes Store From iPod (PC Pro)
5. In Depth: Mobile Commerce
    - Mobile Commerce Gets Renewed Push
    - Visa Expands Contactless Card Efforts
    - Need An Easier Way To Spend Money? PayPal's Trying
6. Voice Of Authority
    - Down To Business: The Economics Of Metro Wi-Fi
7. White Papers
    - Bridging The Divide: Integrating PLM And ERP
8. Get More Out Of InformationWeek
9. Manage Your Newsletter Subscription

Quote of the day:
"Incompetents invariably make trouble for people other than themselves." -- Larry McMurtry in "Lonesome Dove"

1. Editor's Note: Data Security: Out To Lunch, Er, Dinner

It was just last week that InformationWeek published the latest exhaustive analysis of what's emerging as the IT story of the first decade of this century: complete corporate and government ineptitude when it comes to managing sensitive personal data.

It didn't take long for another company--Fidelity Investments--to get a black eye for mishandling a laptop containing personal information on 196,000 current and former employees of Hewlett-Packard. Lest you think some poor unsuspecting Fidelity employee was robbed of the laptop at gunpoint, or had their home forcibly broken into and the laptop stolen, think again.

The employee in question left the laptop in a rental car while having a three-hour dinner with colleagues, according to a story in the Wall Street Journal" [subscription required] that included details from a police report. At some point in the evening, the vehicle's keys were given to a colleague to retrieve an item from the vehicle ("Here, take my keys, don't worry about the 200,000 customer names sitting unprotected in the car..."). The colleague, it seems, left the vehicle unlocked, and the laptop went missing. It was just one of 65 laptops reported stolen from restaurant parking lots in Palo Alto, Calif., in the last 15 months.

A Fidelity spokesperson said the company takes information security "very seriously" (can't you tell?) and that company policy wasn't followed. Such mealy mouthed excuses grow increasingly tired with each of the 130-plus data breaches since early 2005. Because companies can't seem to institute policies or adequate technical safeguards, here's a few suggestions for ensuring your company doesn't let incompetent third parties or its own employees mishandle its data:

* Oftentimes, it's an outside data handler that's the cause of the problem. In this case, the data handler forced HP to deal with any and all issues affecting the 196,000 current and former employees. One can only imagine the potential for lost productivity at HP as employees figure out if their identity has been stolen. That alone is enough to fire Fidelity, just as any company that's the victim in such a case should consider doing if a third party loses their data. While you're at it, fire knuckleheaded employees that traipse around with reams of data about their customers. If corporate policy doesn't explicitly forbid such behavior, fire the corporate policy department.

* Companies should demand documented policies, procedures, and safeguards from any vendor handling sensitive data on their behalf. Ongoing audits should be used to verify compliance. Failure to maintain compliance should result in stiff financial penalties up to and including termination of a business relationship.

* Do away, once and for all, with the practice of storing sensitive or private data on laptop computers, which by their very definition are intended to be transported and are therefore vulnerable to theft. There may be a completely valid reason that one person needs to have personal data on 196,000 customers on their laptop, but I doubt it.

HP was just one of three incidents last week (see the comprehensive list since 2005 here and more gory details here), and more may be in the offing.

Our friends in the federal government--not exactly a bastion of personal data protection--are at it again.

The Government Accountability Office says the IRS' IT security weaknesses "increase the risk that sensitive financial and taxpayer data will be inadequately protected against disclosure, modification, or loss, possibly without detection." Oh boy.

I've shared my recommendations on what companies need to do, mostly by putting the screws to their vendors, to protect themselves and their employee and customer data. What do you think needs to happen next? Please weigh in at my blog entry.

Tom Smith
tsmith@cmp.com
www.informationweek.com

2. Today's Top Story: Microsoft

Microsoft Preps IE Flaw Fix; Sites Exploiting Bug Multiply
The software company is working on a fix for a flaw in Internet Explorer that security experts said is being used by a growing number of Web sites to install spyware on users' computers.

Related Story:

Microsoft Launches IE7 Bug Database
Testers will need a Passport account to access the Internet Explorer Feedback site.

3. Breaking News

Internal E-Mails Detail More Questionable Behavior At Morgan Stanley
New E-mails filed as evidence in a wrongful dismissal suit apparently show IT executives receiving hard-to-find sports tickets and other favors from vendors, trying to use IT spending to lure customers for Morgan Stanley's banking business, and trying to electronically wall off top executives from being contacted by whistle-blowers. Morgan Stanley says the allegations are rubbish.

Brief: Yahoo Updates Toolbar With Tabbed Browsing For IE
A similar feature helped boost the popularity of Mozilla Corp.'s Firefox browser.

BMC Acquires Identify Software For $150 Million
BMC Software said Monday that it will acquire Israel-based Identify Software Ltd. for about $150 million in cash in a move to beef up its transaction management solutions.

Report: Vista Delay Won't Impact PC Sales Much
PC shipments are still expected to grow at slightly more than 10% a year over the next several years, an IDC report said Monday.

Lycos Enters VoIP Market Bundled With Goodies
The VoIP marketplace is getting another major player in the form of Lycos Phone, which is offering a bundle of free features and services.

Microsoft And Eclipse: A Showdown For Ajax Leadership
Dueling Ajax efforts could determine who controls the user interface for interactive Web applications.

Azul Plans 48-Core Processor For 2007
The new processor will let Azul design a server platform that can scale up to a 768-way multiprocessing system with up to 768 gigabytes of memory.

Next-Generation Vehicles: Drivers Optional
The self-driving car that won DARPA's 2005 autonomous-vehicle race will be on an interstate near you by 2008.

U.S. Railroads Rolling Out High-Tech Logistics
Railroad executives are trying to introduce systems that pinpoint bottlenecks and predict traffic. The four top U.S. railroads have said they will spend about 17% more this year than in 2005 upgrading and maintaining their networks.

State And Local Governments Want To Keep The Jobs, But Still Outsource The IT
They want to have it both ways. However, the latest deals show they still have a lot to prove.

Spyware And Adware Continue To Plague PCs
More businesses deploy anti-spyware apps, while efforts to control the parasitic code are widening as watchdog groups employ new tactics and law enforcement cracks down on suspects.

All Our Latest News

----- The latest research, polls, and tools -----

New From InformationWeek: Get Your News In A Flash--Literally
InformationWeek.com's latest service is automated E-mail news flashes. You pick the topic and the frequency (real time, daily, or weekly), and we'll do the rest. Sign up by following the link below and be one of the first to take advantage of this latest service.

Do You Access Our Content From A BlackBerry Or Treo?
Many of our readers do, and we want to ensure that you get the best experience in using our content. So we've created a PDA-friendly version of our news content, with similarly streamlined content pages, to make your PDA experience a good one. Check out our latest enhancement.

-----------------------------------------

4. Grab Bag: Skype And iPods

Skype Sued Over Peer-To-Peer Technology (CNNMoney.com)
StreamCast Networks claims Skype is using its peer-to-peer technology. Plus: Satellite photos show an iPod-like structure in western Australia. Could it be an Apple ad?

Denmark Considers Separating iTunes Store From iPod (PC Pro)
According to reports, the Danish government is being petitioned by native companies to follow France and force Apple to break its tight integration of iTunes and the iPod and make its music store DRM-interoperable.

5. In Depth: Mobile Commerce

Mobile Commerce Gets Renewed Push
Still, technology, logistics, and the right relationships have to be in place--and there's far from universal agreement that all the pieces are ready.

Visa Expands Contactless Card Efforts
Visa pushes contactless radio-frequency devices as a more convenient and possibly safer alternative to debit cards.

Need An Easier Way To Spend Money? PayPal's Trying
Cell phones are getting so smart, why not let them pay the bills? That's PayPal's reasoning behind an upcoming service that will let its customers use text messaging on their phones to make payments.

6. Voice Of Authority

Down To Business: The Economics Of Metro Wi-Fi
Forget the political and social squabbles. City wireless networks will thrive or falter based on how efficiently they scale and perform.

7. White Papers

Bridging The Divide: Integrating PLM And ERP
The benefits of IBM WebSphere are available to companies of all sizes. This brochure provides an overview of the value of using SMARTEAM and WebSphere Business Integration Server to integrate a company's PLM and ERP systems.

8. Get More Out Of InformationWeek

Try InformationWeek's RSS Feed

Discover all InformationWeek's sites and newsletters

Recommend This Newsletter To A Friend
Do you have friends or colleagues who might enjoy this newsletter? Please forward it to them and point out the subscription page.

9. Manage Your Newsletter Subscription

To unsubscribe from, subscribe to, or change your E-mail address for this newsletter, please visit the InformationWeek Subscription Center.

Note: To change your E-mail address, please subscribe your new address and unsubscribe your old one.

Keep Getting This Newsletter
Don't let future editions of InformationWeek Daily go missing. Take a moment to add the newsletter's address to your anti-spam white list:
InfoWeek@update.informationweek.com

If you're not sure how to do that, ask your administrator or ISP. Or check your anti-spam utility's documentation. Thanks.

We take your privacy very seriously. Please review our Privacy Policy.

InformationWeek Daily Newsletter
A free service of InformationWeek and the TechWeb Network.
Copyright (c) 2006 CMP Media LLC
600 Community Drive
Manhasset, N.Y. 11030