Thank you for visiting the Euclid Managers, LLC Weblog. For the past 5 years, our blog has been primarily dedicated to providing professional liability insurance coverage news and analysis for the internet, tech and media industries.
Entries in Security (43)
Technology Exposures and Procuring Privacy/Security Protection
Network World recently published an article outlining several areas of exposure for Information Technology professionals and essentially any company using technology to run its business. The article highlights the importance of licensing software and points out that the IT professional could have personal liability, as the individual who makes the illegal copy is technically the infringer. The article also mentions a case we previously discussed involving whether or not employee text messages are private. In this case, the Supreme Court did decide that the employee does not have an expectation of privacy for text messages, even personal ones, sent via the pager issued by the employer.
Update: Worst Courtrooms, Data Breach Costs, Cloud Computing
It’s been a few years since we have reviewed the Judicial Hellholes report from the American Tort Reform Foundation. The 2009/2010 report ranks the top three as follows: #1 South Florida, #2 West Virginia and #3 Cook County, IL. In the 2008 report, the top three were the same, although South Florida was #2 and West Virginia was #1. For the full report, visit the American Tort Reform website.
Also, released earlier this year was the 2009 study of data breach costs to U.S. companies by Ponemon Institute. As reported by Network World, the average per-record cost was $204 in 2009. This amount is $2 more than what Ponemon reported in the previous year’s study. Ponemon’s 2005 study cited the average per-record cost at $138. So, the growth in this cost appears to have slowed. See our previous entries on data breach costs for more information.
We’ve briefly discussed Cloud Computing before, but a recent article from ZDNet UK offers an interesting description of risk management issues. The author suggests that the “outside-in” approach, where companies focus security measures on keeping dangerous outsiders from breaking into their systems, needs to be revamped to also consider the “inside-out” point of view. Read the article.
Security Threat Predictions for 2010
As the new year begins, it’s typically time for lists, including lists of top security threats. BitDefender suggests netbooks, mobile operating systems and social networks are among the vulnerable. ZDNet proposes that Macs and iPhones are facing increased vulnerability because of their growing popularity. McAfee includes cybercriminal activity targeted at Adobe Reader and Flash in its list of security threats. For an overview of security threats, Network World has a review of many of the 2010 predictions from multiple sources. Overall, social networking appears to be one of the most frequently mentioned security exposures for 2010. But social networking isn’t necessarily a new threat, as it was also listed as one of the top security exposures in 2008.
New Virus Is Reminder of Security Issues
There’s a new virus infecting iPhones in Australia that replaces the phone owner’s own wallpaper choice with a pic of Rick Astley. The photo features a message: “ikee is never gonna give you up.” Interestingly, the virus only affects an iPhone if it has had its built-in security system altered, which Apple disallows in its developer program licensing agreement. The virus works by exploiting users who have not changed the phone’s default password. While this virus appears more irritating (amusing?) than harmful, it is a reminder of the importance of quality passwords, or at least a reminder not to use the default one that comes with the phone or any other software or system. Further, for third party security insurance coverages, it’s a reminder that security threats can impact more than an office computer or network. So, looking for security coverage that contemplates mobile devices is prudent. Sometimes, the policy language covering the failure to prevent introduction of malicious code or a virus will be limited to computer systems or networks, and an expansion to include other media containing content is necessary. For a refresher on additional security issues, read LJ’s lists of what to watch out for.
Two Surveys: A Look at Personal Data Protection
A survey of about 500 companies conducted by Imperva and Ponemon Institute studied the level of compliance with the Payment Card Industry’s Data Security Standard (PCI DSS). The results show that 71 percent of the companies surveyed do not view data security as “a strategic initiative across the enterprise.” Further, about half of the companies surveyed indicated that they are not “proactive in managing privacy and data protection risks.” Twenty-five percent of the respondents said they are not currently compliant with PCI DSS requirements. The other 75 percent had varying levels of compliance.
New HIPAA Data Breach Regulation and Comparison of State Breach Laws
Entities covered by HIPAA (Health Insurance Portability and Accountability Act) are facing new regulations governing data breach notification requirements. Part of the regulation allows the HIPAA entity to be exempt from the notification requirement if the lost health information was encrypted according to the guidance set by the FTC and U.S. Department of Health and Human Services. This exemption for encrypted personal data is not uncommon, with the majority of state data breach notification laws including a provision for it.
Not All Data Breaches are Electronic
In June, The Identity Theft Resource Center (ITRC) reported that more than 25% of data breaches it has tracked year to date are paper breaches. While we frequently discuss the cost of security breaches and the legislation regarding protecting private data, the ITRC raises an important issue: not all breaches involve electronic data. Sometimes, identity theft arises from plain old paper.
