The Password is ‘P-R-I-S-O-N’

This is my 200th post.  Thanks to all the readers out there who've kept this thing going!

This is the bizarre story of a San Francisco network engineer, working for the Department of Technology, who faces two to five years in prison for withholding passwords from the City.  I don't consider this a California story, though; this could happen anywhere.  Follow the link for details; I'm not posting this to debate his actions or motives (which are somewhat suspect), but to pose a question for the IT people out there: could you envision a legitimate situation where a superior demands a password and you're not sure whether you should surrender it?  How about if there's litigation underway and an e-discovery attorney like myself requests access?

The reason I bring this up is, I was faced with this very scenario once, and although it may seem like the answer is easy, let me assure you, it isn't.

I was the head email consultant in Los Angeles for a world-wide conglomerate, but I reported directly to the domestic CIO, not the world-wide CIO, who was based in New York.  Our CEO & CIO were called to New York for a meeting with the world-wide group.  I received a call from my CIO's subordinate, an Executive Vice President, who informed me that our CEO was being fired, that I was not to ask any questions nor seek confirmation from anyone else, and that I was to immediately disable my CEO's password and supply it to him.

So, I'm being asked by an executive two levels below the CEO to disable the CEO's password, on his word alone; nothing in writing.  And if it so happens there are political games going on – which occurred frequently at the company – this would result in my firing, at minimum.  "Trust me," he said.

Would you?  I made my decision purely on the good faith of what I was being told, then hoped I hadn't made the wrong choice.  Luckily, I hadn't.

Unfortunately, the relief didn't last long.  The former CEO sued the company for $66 million shortly thereafter.  Yes, crazy things like this do happen…this is why E&O insurance exists.

The Boston (I)T Party

InformationWeek just came out with an excellent treatise on a new data protection law in Massachusetts (note – the link is an excerpt, but you may access the entire article if you're willing to register). In my opinion, this is a must-read.  Here's an excerpt of the preamble:

"The new Massachusetts data security law, 201 CMR 17.00, is a prime example of the increasingly aggressive role states are taking to protect their citizens. More than 40 states have data breach notification laws already on the books–a trend that started with California's SB 1386 but certainly didn't end there. Much like those other laws, Massachusetts' has impact beyond the state's borders and could spur similar legislation in other states.

Federal action is also a distinct possibility."

If that doesn't whet your appetite to continue reading, I don't know what will…

e-Discovery 101: More on Security & Passwords

We covered the sad state of affairs of passwords back in January.  But this blog post from Symantec goes deeper into the issue.  I realize it's a fairly small sample and also is likely weighted toward more experienced users, but that should actually prompt you to think about what the general population is doing.

No matter where you fit, be it end-user, employee, IT, attorney, etc., seeing how your peers approach passwords should give you an idea of the true level of security of your data; within and without the enterprise.

How do you measure up?

Spam Available at Walmart

Too bad it's this kind of spam, not this kind.

It's 'Security Awareness Friday' here on e-Discovery Insights.  I'm not picking on Walmart; I'm simply using them to illustrate that this may happen to anyone.  Microsoft's IE 8 has security problems as well.

Here's a news flash: IT and Security departments aren't in sync about how they're dealing with these issues.

What's my mission statement for this blog?  Facilitating the relationship between legal and technology professionals.  Maybe I should add 'facilitating the relationship between technology and technology professionals'…

They Know, Whether You Tell Them or Not

Bear with me this week, folks.  My home network is completely down and it looks like it won't be up again until next Tuesday.  In the meantime, I'm a nomad in search of wireless networks…

If you want to take a look into the way information – and evidence – will be compiled in the future, this New York Times article spells it out in chilling detail.  Using a combination of data mining and modeling, individuals – who are a lot smarter than I am, by the way – have proven their ability to profile us by accumulating information from several sources.

I'd read about the Netflix issue before and considered posting about it, but the one that really scares me is the report from two Carnegie Mellon researchers who claimed they "could accurately predict the full, nine-digit Social Security numbers for 8.5 percent of the people born in the United States between 1989 and 2003 — nearly five million individuals."

Keep this in mind as you reveal more and more about yourselves online…

Take a Picture…It’ll Last Longer…

Privacy is taking another hit to the chops.  A Swedish firm named The Astonishing Tribe has created an application called Recognizr which allows you to snap a picture of a total stranger, then it crawls the web to find information about that person.

Stalker's dream, anyone? 

Well, if you believe the sensationalist media, yes, but in reality, not quite.  It's an opt-in service, so what we're really talking about is people who don't understand the implications voluntarily opting in (e.g. singles who think it would be a fun way to meet people), unscrupulous entities that opt you in without your consent, or perhaps an employer demanding that their staff opt in.  You think not?  I saw an ad seeking an employee for Best Buy that required the candidate to have a Twitter account and at least 250 followers.

Based on what we see with social networking, plenty of people don't seem to be too concerned about their privacy so there'll potentially be plenty of 'volunteers' from the 1st group.  My guess is that the 2nd group would quickly be discovered, lambasted from one end of the Web to the other and quickly shut down (Google Buzz, anyone?).  As for the 3rd?  That's a question for the future.

As a lawyer, I certainly can envision practical uses for the application.  I've been to trials where there's a person who sits at the back of the courtroom every day, I know they have an interest in the case (e.g. insurance carrier's attorney) but they won't tell me who they are or why they're there.  Wouldn't I love a tool that would tell me for them…

Don’t Blow Sunshine Up My (Ad)Dress!

I've kvetched about cloud computing, as you well know, but underlying it all is my concern about maintaining security and privacy.  You lawyers out there are particularly vulnerable to client privacy issues.

I was reading this really interesting article about alleged misuse of people's address books by a site called Reunion.com and the hubbub that ensued (no, really, they even say "hubbub" in the article…).  You've seen these solicitations, haven't you?  You sign up for a free email account and they tell you the great news; if you would be so kind as to upload your address book, they're only too happy to manage it for you, find your contacts on the web and generally make life easy for you.

What is my response?  No.  Every single time, no – even when it might benefit me considerably.  For example, I use Earthlink services, and if I upload my address book to them, I can use their tools to control incoming spam with a lot more efficiency.

Do I do so?  No.

Here's an idea.  Why don't you just leave your PDA on a restaurant counter somewhere?  What's the difference?  You're trusting your most prized possession to strangers and it's only as safe as the stranger's attention to security.

My PDA is password-protected.  It's an incredible pain.  I hate it.  It makes things cumbersome.  For all I know, it isn't even that effective.  But you know what?  At least I'm doing everything within my power to protect my client information.  At the very least, it will slow down a hacker while I call up my service provider and get them to send a signal that wipes out the data (yes, they can do that).

I think my clients deserve nothing less.  How about yours?