Living in the Cloud(s)

February 16th, 2012

I wrote about cloud computing in an earlier post and discussed some of the general pros and cons involved with the idea.  For attorneys, doctors and other professionals that are regulated, cloud computing creates some new wrinkles.  For attorneys, protecting the confidences of clients is an ethical obligation.  The unauthorized disclosure of client secrets can lead an attorney to disciplinary action and disbarment.  For physicians and other health care providers, federal laws on the privacy of patient information put providers at risk for substantial fines for inappropriately disclosing patient health information (or otherwise not complying with HIPAA’s privacy and security rules).  Using the cloud for applications that might have such confidential information adds a layer of uncertainty for the practitioner.

On the other hand, cloud computing is coming to a practice near you whether you like it or not.  For example, an increasing number of attorney practice management systems are cloud-based, such as Clio.  Legal research tools like FastCase, LexisNexis, Westlaw and Google Scholar are all cloud-based systems (in the sense that the information being searched is not stored on your local network but in internet-based database repositories that you access through your web browser).  And a growing number of email providers, including Google Apps for Business, Mailstreet.com, and others have been providing cloud-based email solutions for custom domain names.

State bar ethics groups and the ABA have been working on ethics opinions about these cloud-based systems.  North Carolina’s Bar had initially proposed a restrictive rule on the use of cloud computing systems by attorneys in the state.  The NC Bar had suggested that the use of web-based systems like directlaw.com (which allows clients to complete a questionnaire online for specific legal documents which are reviewed by an attorney before becoming final) represented a violation of the state’s ethics rules.  However, the NC Bar later revised its opinion and indicated that cloud computing solutions can be acceptable, so long as the attorney takes reasonable steps to minimize the inadvertent disclosure of confidential information.  “Reasonable,” a favorite word of attorneys for generations, has the virtue and vice of being subject to interpretation.  However, given the pace of change of technology, a bright line rule that favors one system over another faces prompt obsolescence.

In the context of the NC Bar 2011 Formal Opinion 6, for software as a service providers, ethics considerations include: (a) what’s in the contract between the vendor and the lawyer as to confidentiality, (b) how the attorney will be able to retrieve data from the provider should it go out of business or the parties terminate the SAAS contract, (c) an understanding of the security policy and practices of the vendor, (d) the steps the vendor takes to protect its network, such as firewalls, antivirus software, encryption and intrusion detection, and (e) the SAAS vendor’s backup and recovery plan.

Can you penetrate past the marketing of a vendor to truly understand its security practices?  For example, Google does not even disclose the total number of physical servers it uses to provide you those instant search results (though you can learn where its data centers are – there is even one in Finland as of the writing of this article – here).  And, in spite of Google’s security vigilance, Google and the applications it provides have periodic outages and hack attacks, such as the Aurora attack on gmail that became known in 2010.  Other data centers and service providers may be less transparent concerning these security issues.  In some cases, the opacity is a security strategy.  Just as the garrison of a castle wouldn’t advertise its weak spots, cloud providers aren’t likely to admit to security problems until either after the breach is plugged, or the breach is irreparable.

What’s your alternative?  For you Luddites, perhaps paper and pencil can’t be hacked, but good luck if you have a fire, or a disgruntled employee dumps your files in a local dumpster for all to see one weekend.  For those of you that want computer systems in your practice, can you maintain these systems in-house in a cost-effective manner?  Do you have the resources to keep up with the software and hardware upgrades, service contracts, backup & recovery tests, and security features to reasonably protect your data?  How does that stack with professional-grade data centers?  Are you SAS-70 or SAS-16 compliant?  Do you know how data you access is encrypted?  In functional terms, do you really exercise more effective control over your security risks if you have IT people as employees rather than a data center under a reasonable commercial contract?

There are a lot of considerations.  And the best part?  They keep changing!


Spam Spam Spam Spam Spam Spam Baked Beans and Spam

December 13th, 2011

“18” year old virgins have recently found online resellers of non-prescription viagra for Magic Jack users that want cheap ski vacations that need health insurance, iPads and Dyson vacuum cleaners at rock bottom, knock off prices!  And all of these thousands of emails have been sent to my account online so that I can help a gentleman from Nigeria move $55 million in money from an African bank account into the U.S. and I can charge a humble $5 million fee to help.  I just need to send my social security number, credit card numbers, street address, and a sample of my signature to a person I’ve never met by email, deposit the bogus cashier’s check in my trust account, and then immediately write a check off the account the next day, well before the bogus check is returned by the collecting bank.

I feel as though I have ended up in the 21st century Monty Python skit about the restaurant that only seems to have “spam” on the menu.  I hear this problem continues, with more than 70% of all email amounting to spam, according to a 2011 article from Symantec (though there was a time that more than 90% of email was spam, so there has been some improvement since those dark days in 2009).  Progress has been made with some service providers that have waged a counter war against spam.  Gmail, for example, group-sources and marks messages as spam based on all messages identified by users as spam across the gmail platform.  This is a surprisingly effective strategy.  My experience has been that there are few false positives.

Previously, email systems were implemented that would check if a message was sent from a known, blacklisted IP address based on a series of independently maintained blacklist databases on the internet.  There have also been other improvements in the background, including the use of special DNS entries, and email gateways that pre-filter messages before reaching the mail server (Symantec had a product it had acquired from Brightmail; Google Apps includes a single-domain license for Postini, which is also generally effective at cutting down spam).  Spam messages often include phishing links, virus-laden email attachments, and other nefarious attacks on users.  Reducing spam makes sense for service providers that are paying, ultimately, for the bandwidth and storage space to process and deliver this junk to users.  We clearly have a way to go to reduce this problem for users.  Until then, if you need male enhancement medicine, are missing out on a $1,000 transfer to your bank account, want to help a political refugee move his family fortune to the U.S., need a usurious student loan, or want to work from home – I’m your guy!
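
The blacklist check described above is usually done as a DNS lookup (a DNSBL, specified in RFC 5782). The sketch below is an added example, not code from this post or from any vendor named in it; the zone names, the sample records and the `sample_resolver` function are constructed for illustration, and it also shows why a mail server should sanity-check a list before trusting it.

```python
import ipaddress
import socket

# RFC 5782: a DNSBL signals "listed" with an A record inside 127.0.0.0/8.
LISTED_NET = ipaddress.ip_network("127.0.0.0/8")


def dnsbl_query_name(ip, zone):
    """Build the DNS name a mail server looks up to test `ip` against `zone`."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = reversed(str(addr).split("."))            # octets, reversed
    else:
        labels = reversed(addr.exploded.replace(":", ""))  # 32 hex nibbles, reversed
    return ".".join(labels) + "." + zone.strip(".")


def system_resolver(name):
    """A records for `name` from the OS resolver; [] when the lookup fails."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except (socket.gaierror, socket.herror):
        return []


def check_ip(ip, zone, resolve=system_resolver):
    """Look up one address in one list and separate valid codes from junk."""
    answers = resolve(dnsbl_query_name(ip, zone))
    # Only answers in 127.0.0.0/8 count; anything else (for example a parked
    # domain's web server address) is ignored rather than treated as a listing.
    codes = [a for a in answers if ipaddress.ip_address(a) in LISTED_NET]
    ignored = [a for a in answers if a not in codes]
    return {"listed": bool(codes), "codes": codes, "ignored": ignored}


def zone_is_sane(zone, resolve=system_resolver):
    """RFC 5782 health check: 127.0.0.2 must be listed, 127.0.0.1 must not be.

    A shut-down list that answers every query fails the second half, so it
    cannot cause all incoming mail to be rejected.
    """
    return (check_ip("127.0.0.2", zone, resolve)["listed"]
            and not check_ip("127.0.0.1", zone, resolve)["listed"])


def classify_sender(ip, zones, resolve=system_resolver):
    """Return {zone: codes} for every healthy list that lists `ip`."""
    hits = {}
    for zone in zones:
        if not zone_is_sane(zone, resolve):
            continue  # skip broken or defunct lists instead of trusting them
        result = check_ip(ip, zone, resolve)
        if result["listed"]:
            hits[zone] = result["codes"]
    return hits


# Constructed sample data (not real blacklist contents), so the example runs
# offline. Addresses come from the documentation ranges.
SAMPLE_RECORDS = {
    "2.0.0.127.dnsbl.example": ["127.0.0.2"],   # mandatory test entry
    "10.2.0.192.dnsbl.example": ["127.0.0.4"],  # a listed sender
}


def sample_resolver(name):
    if name.endswith(".wildcard.example"):  # defunct list answering every query
        return ["127.0.0.2"]
    if name.endswith(".parked.example"):    # expired domain, now a parking page
        return ["198.51.100.7"]
    return SAMPLE_RECORDS.get(name, [])


ZONES = ["dnsbl.example", "wildcard.example", "parked.example"]

if __name__ == "__main__":
    for sender in ("192.0.2.10", "203.0.113.5"):
        print(sender, classify_sender(sender, ZONES, sample_resolver))
```
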


Estate Planning in the Digital Age

December 7th, 2011

One event remains certain for all of us, our inevitable end.  Planning for this eventuality is generally a good idea because you can help ensure that the people that survive you will be able to keep on keeping on.  This is why people have, for generations, written wills, powers of attorney, health care agent appointments, living wills or advance directives, and other legal documents.  All of these documents help to explain who is supposed to get what, and how your affairs should be closed out after your death.  The 21st century, however, has created a new set of problems with the rise of technology and the information age.  What happens to your online life when you die?  And how will your heirs access all of these things?

First off, computer security people have drilled into all of us to not share our passwords with others.  Besides having to change these passwords all of the time, users of most commercial information systems are used to having a password personal to them, which sometimes acts as a digital signature authorizing the commercial vendor to do certain things (for example, to trade stocks, post information, or to pay bills from a bank account).  In addition, security experts have also drilled that we should not write down our passwords, or attach them as post-it notes underneath our keyboards.  Furthermore, we have been taught to have different passwords for different services (so that, in the event of a password loss, the damage that might result would be limited to one or a few systems).  As a result, we probably keep a lot of passwords to a substantial number of systems, but we usually don’t tell anyone what these passwords are.  So what happens when we die?

For myself, I am just thinking about the computer passwords that I use on a regular basis: (a) one for my laptop, (b) one each for online banking at several different banks, (c) a passcode for my iPhone, (d) a passcode for my iPad, (e) passwords for blogs that I maintain online, (f) passwords for my web server, (g) passwords for online web sites that I use like amazon.com, ebay.com, iTunes.  I mean, I even had to create an account in order to update the software that programs my remote control for the T.V. at home!  I’m sure that if I sat down and thought about it, I would be able to write an even longer list.  Without help, I doubt my wife or any of my relatives would be able to access much, if any, of this.  Moreover, if I simply wrote out the whole list, I would have to periodically update my passwords for those systems that require that I regularly update (a growing percentage of my online accounts).

There do appear to be some subscription-based services available online today to help address this conundrum.  Dead Man’s Switch is one such service.  Another is called Death Switch.  There may be other services available.  Obviously, you would want to give some thought to what you are providing to the service, and what security is employed by the service that you sign up to use, given that you may end up leaving with it sensitive information to forward to people that you have designated.  I have not used either of these services.  If you are a user, please feel free to post comments to this post on your experience to date.


Stolen Personal Information

April 27th, 2011

Hackers continue to steal data from companies the world over, with a recent victim in Sony.  In that case, Sony apparently delayed reporting the loss to the 77 million users whose data was compromised, including dates of birth and possibly credit card numbers.

In late March, Epsilon reported that hackers had stolen the names and email addresses of individuals who receive business newsletters from Epsilon’s clients, which include a number of well known companies such as Best Buy and Robert Half International.  Considering that Epsilon delivers over 40 billion emails a year for its clients, the chances have gone up of improved, targeted phishing attacks as a result of this breach, particularly for banking customers of banks that have used Epsilon for email marketing.

There should be no surprise that the regulatory penalties for data breaches continue to escalate.  Security breach notification procedures were codified into the 2009 ARRA legislation for health care providers.  ARRA Health Tech Initiatives Section 13402 of the ARRA legislation (on page 17 of the linked pdf file) puts the responsibility on a covered entity to notify its customers of a data breach where unauthorized access is gained to “unsecured” protected health information.  In layman’s terms, “unsecured” PHI is data that is not encrypted.  So, for example, a typical relational database stores its data in physical files on a computer hard drive or array.  Some database systems encrypt these files so that you could not just open up the file in notepad and read its contents.  If a hacker were to gain physical access to the server where these files were located, he or she might not be able to read them without further access (for example, with an administrator-level username and password to directly query the database).  Notification to patients would not likely be required in this circumstance if you could show the hacker gained physical access but not database-level access.

Does your database encrypt its stored data files?  Not all database software, and not all versions of specific database software, provide for native encryption.  For example, the data files of your Microsoft Access database are not likely to be encrypted.  For performance reasons, data files for MS SQL Server databases may also not be encrypted.  But, even if your database file is encrypted, if the administrator password to the database itself is blank or easy to guess (like “admin”), you may still have trouble brewing back at the server room.

Here is a list published by HHS of data breaches reported to it under ARRA’s notification requirements.  Do you see your physician on this list?  If things continue, you may sooner rather than later!


Disaster Recovery and the Japanese Tsunami

March 29th, 2011

The art of disaster recovery is to plan for what may be the unthinkable while balancing mitigations that are both feasible and reasonable for your organization’s resources and circumstances.  On March 11, Japan was struck by a massive earthquake and tsunami that caused enormous destruction, estimated at a total loss of $310 billion.  Over the last several weeks, one of the major failures has been at the nuclear power complex in Fukushima, home to six nuclear power plants.  This disaster continues, as of the writing of this post, as at least two of the plants continue to be in a critical state because of a failure of the complex’s power and backup power systems that helped to control the temperature of the nuclear fuel rods used to generate power at the plants.

As an unfortunate consequence, many people have been exposed to more radiation than normal, food grown in the area of the plant has shown higher levels of radioactive materials than normal, radioactive isotopes in higher-than-normal concentrations have been detected in the ocean near the plants, and numerous nuclear technicians have been exposed to significant radiation, resulting in injuries and hospitalizations.  As far as disasters go, the loss of life and resources has been severe.  And like other major environmental and natural disasters, the effects of the earthquake and tsunami will be felt for years by many people.

Natural disasters like this one cannot be prevented.  We lack the technology today to effectively predict or control for these kinds of events.  And while these larger scale disasters are relatively rare, planners still need to assess the relative likelihood of such events, and develop reasonable mitigation plans to help an entity recover should such a disaster occur.  Computerized health records present an opportunity to permit recovery in that the data housed by these systems can be cost-effectively backed up and retained at other secure locations, permitting system recovery and the ability to continue operations.  In contrast to digital files, paper records are far less likely to be recovered were a tsunami or other similar natural disaster to occur and wash the records away.

Even the best recovery plan, however, will be severely tested should a major disaster be realized.  Japan was hardly unprepared for a major earthquake, and still is struggling to bring its nuclear facilities under control nearly three weeks later.  However, having a plan and testing it regularly will increase the odds of recovery.  My thoughts are with the Japanese during these difficult times.


Great Firewall Maybe Not So Great

December 15th, 2009

Australia has announced plans to implement mandatory content filtering by its internet service providers for certain kinds of web content, essentially attempting to block all Australian internet users from these categories of sites.  (See Yahoo article here)  China had attempted this sort of thing earlier in 2009, but placed its plans on hold.  These plans had apparently included requiring computer makers that sold computers in China to install filtering software on the computer that would limit user access to certain “objectionable” web sites.

I suspect that one day, the older internet users among us will look back with nostalgia at the days when we could freely look at bestiality, hardcore violence, and sites on freeing Tibet from Chinese rule.  Sadly, today’s debate in Australia seems to be framed as a conflict between the mainstream, ordinary folk against the scum of the earth that produce child porn and other nastiness.  And why would anybody want child porn sites to be available to anyone?  The problem is always in how we define the things to be filtered.  In Australia’s plan, the non-government entity responsible for doing the filtering would receive complaints from the public about a site, and then the entity would filter the site for all.  So, I could claim that yahoo.com is actually a child pornography site and file a complaint.  Hopefully, the entity that reviews these complaints would have a reasonable process to filter the wheat from the chaff, and not automatically add whatever site is complained of to the filter list.

I would also hope there would be some process to be unlisted from the filter with some due process protections if you get an adverse decision by the filtering entity.  But, as you can imagine, this only increases the overall cost of the filtering system, which is passed on to Australian taxpayers, who could probably avoid going to such dirty sites by not clicking on them in the first place, hence saving all a significant amount of time and cost to civil liberties.

I’m not a fatalist in saying, from the start, that this plan is doomed to failure.  Enough talented people put into a room can come up with a workable and effective solution to this problem.  Instead, I think this internet filter concept was created by a group of people with a solution looking for a problem to solve that, so far, does not exist but in the minds of some easily offended by the internet.  In my opinion, public monies would be better spent stopping phishing attacks and similar malicious web sites, and enforcing the existing laws that criminalize the wholesale theft of identity and credit card information that occurs today on the internet.


Seeing Red

October 23rd, 2009

The Federal Trade Commission (FTC) promulgated regulations to help reduce consumer identity theft back in 2007, with implementation of these rules for “creditors” and national banks to begin in 2008 (and then 2009, now November 1, 2009 for certain kinds of creditors).  (See the Red Flags Rule here)

Identity theft is a real problem for people of all sorts (approximately 10 million people fall victim to this kind of fraud at a loss of around $50 billion each year).  As a result, the FTC has interpreted the term “creditor” more broadly than the kinds of businesses we tend to think of, like credit card companies.  (See FTC FAQ)  According to the FTC, a creditor includes anyone that provides a service now and accepts payment later.  Lawyers routinely do that, as do health care providers, department stores with lay-away plans, and other service professionals (except maybe your mechanic who won’t give you your car until you pay for the service).  Because of the broad application of the rule by the FTC, the lawyers decided to sue the FTC to force an interpretation of the Red Flags Rule to exclude, you guessed it, lawyers.  (See the ABA Release here)

As a practical matter, federal courts generally will defer to administrative agency interpretations of their own regulations under the Chevron doctrine.  Every so often, courts will overturn an administrative agency’s interpretation, but the odds are low.  (See Massachusetts v. E.P.A., 549 U.S. 497 (2007)).  The ABA’s odds of getting a decision in their favor are probably about average, but in any case, won’t help other kinds of professionals that accept payments from customers over time.  And for lawyers, as no decision is expected before the latest compliance deadline of November 1, 2009, we find ourselves all in the same boat of needing to comply with the Rules.

Section 681.2 requires that covered organizations (a) identify accounts periodically that may be covered accounts within the rules, (b) develop a program for identifying accounts that “is designed to detect, prevent, and mitigate identity theft,” and (c) administer the program by seeking Board approval of the policy, training staff, and monitoring the program over time to ensure that it is overseen properly.  16 C.F.R. § 681.2(c)-(e).  The program must be in writing, and must be reasonable in relation to the size of the organization implementing it.

The Appendix to section 681 provides some guidelines for covered organizations in formulating their Red Flags Program.

The Red Flag Rules also require that creditors establish a written policy that outlines how the organization will comply with the rules.  For health care providers looking for a sample policy for compliance, the AMA has published one on its web site here.  The FTC has also published a document for creditors who are probably at low risk for identity theft here, which may likely include many solo and small law firms.

Once you have appropriately assessed your risks and written a plan, the plan must be approved by the ownership of your organization.  For solo and small firm attorneys who are already chief cook and bottle washer, that means you.  Larger corporations that have a board of directors will need to take board action to approve and be involved in the organization’s compliance with its program.

The guidelines emphasize that a creditor should exercise reasonable care to protect its covered consumer accounts from theft or unauthorized access.  Implicitly, this means that a covered organization should have appropriate data security systems in place that protect the organization’s data from loss, unauthorized access, or theft.  Health care providers should already be compliant as they have been required to comply with the HIPAA security regulations since 2003.  These regulations require regular technical risk assessments, mitigation plans, access control mechanisms, and data backup plans (among other requirements in the rules – See 45 C.F.R. § 164 et seq.).

Lawyers, however, may not have had the pleasure of complying with these rules (unless of course you are a business associate to a covered entity and are now, under the ARRA, required to fully comply with the HIPAA security regulations next year that already apply to covered entities).  For example, if an attorney accepts payments for services through a web site, the attorney should evaluate the risk of identity theft from the site and take appropriate steps to mitigate those risks, such as ensuring she is using a current SSL certificate to encrypt communications with the client, not storing credit card numbers in a database that can be accessed from the internet, and appropriately maintaining the server that houses the web site to ensure it is patched for known security risks and has appropriate anti-virus software.

From there, staff will need to be trained on identifying that a consumer’s identity has been stolen, and to take appropriate actions to protect the consumer from further loss.  The FTC form also indicates that outside agencies such as a billing agency may also need to be trained (or you need to verify that that organization has its own acceptable policy for complying with the rules).  After that, the program requires an internal annual report on activities, and updating the program to address evolving threats to consumer identities.  Now that wasn’t so bad, was it?


Facebook and Twitter: Implications for Your Business?

October 21st, 2009

Technology presents us with new opportunities and challenges on a regular basis.  Social networks and other “web 2.0” applications are starting to make inroads into the mainstream of the internet (ask how many of your iPhone-using friends have apps for one or both of these to measure the reality of the hype).  As a result, staff at your business are bringing their internet usage habits into the workplace.  Prospective customers are looking for you through these tools.  And business owners may want to consider the implications for their organizations.

IT departments at most organizations have struggled with having an effective internet usage policy for staff with internet access.  The difficulty has been in balancing the security of the network from viruses and other security threats against the need of users to access internet resources for business purposes.  The rise of google as a synonym for searching the web has increased the overall utilization of the internet as a business research tool.  Trying to keep inappropriate content from appearing in search results poses a real challenge for IT departments.

In addition, with the advent of more sophisticated attacks from web sites, IT departments have struggled to block phishing and other infectious sites and patch their organization’s computers to be resistant to attacks from the internet.  Facebook and twitter have both been used by malicious users to launch attacks on users of these sites (either by writing malicious applications and publishing them on facebook, or by posting malicious links in twitter postings).  The unfortunate knee-jerk reaction of most IT departments is to simply block these sites at the corporate firewall, preventing staff from having any access to these internet resources.

The typical rationale has been that these are not work-related sites, and staff are just wasting time using them on the clock, therefore, shutting down access to them at work is perfectly reasonable.  But, that rationale may no longer work as the web 2.0 world begins to take shape.  For one thing, more businesses are establishing fan pages on facebook in order to advertise their services and provide information to their customers.  Innovative businesses also may develop applications for facebook that are both popular and help to advertise the services offered by the organization.  Businesses also use twitter to keep customers in the loop on activities and events of the company, or monitor twitter to evaluate how its own advertising campaign may be progressing in reaching certain demographics.

Web 2.0 technologies are becoming more pervasive on the internet, which also increases the minimum skill sets of staff working for organizations that use web technologies to reach customers.  Blocking these technologies from the corporate network may result in a less-skilled workforce.  And, ultimately, according to Gartner, such efforts are futile and bound to fail because of the pervasive nature of these technologies.  (See CNET article)

It would seem that liberalization of internet use policies at companies, then, is an inevitable result.  And with that increased access comes new responsibilities for staff and businesses.   A landlord sued a former tenant for defamation earlier this year as a result of some tweets by the tenant about mold in her apartment.  (See article here)  Twitter itself is a rather informal medium for posting information online – similar to having an instant message chat in the chat rooms of yesteryear (which seem so quaint today).  And because it streams posts real time, you may say something that you later regret.  Imagine, for example, that your business allows access to twitter, and one of your employees angrily posts a series of defamatory tweets about a competitor or vendor.  Your organization may be slapped with a lawsuit if that competitor is monitoring twitter for tweets mentioning it by name.

Facebook represents similar challenges for organizations, especially where employees may blur the line between their social lives and work lives by forming, for example, groups on facebook of other employees.  Suppose a group of employees creates a group for only certain kinds of employees from your organization, and intentionally excludes others (perhaps on the basis of gender or age).  Is your organization discriminating against the excluded group?  Does your organization have liability for the acts of your employees in forming the exclusive group?

The web can also present a trade secret leak for those of you that have proprietary information or processes that are used by your business to generate revenue.  Social media also present challenges for protecting intellectual property, and avoiding infringement claims by others (tarnishment of famous marks on twitter – I’m sure a case is brewing as I type this story).

These questions are unanswered.  And I don’t offer these hypotheticals to scare your organization into shutting down the internet connection at the office.  My point is to encourage your organization to think about your policies related to internet usage and what constitutes acceptable use of the internet during normal work hours.  Establishing an effective policy, and consistently enforcing that policy with your staff goes a long way to managing your exposure to a lawsuit.  Controlling the internet at the organization’s firewall is unlikely to be a sufficient risk management tool.

There are a number of good starting points for a good internet usage policy for organizations.  Here are some principles to consider when drafting yours:

  1. Empower staff to be responsible for their internet usage.
  2. Disrespectful communication is not acceptable, whatever the medium of communication.
  3. Do not download and install software from the internet that is not approved by your IT staff.
  4. Use the internet for professional reasons.
  5. Be mindful that staff representations online reflect on the reputation of their employer.
  6. There are real-world consequences for staff that abuse access to the internet.

If your organization uses Facebook or Twitter today to market itself, reinforce with your staff that organizational posts should be approved prior to posting on the web.  The immediacy of these services should be resisted by staff in order to ensure a consistent and accurate message is communicated to the outside world.


Lost Data in the Cloud: How Sad

October 11th, 2009

The headlines are ablaze because somebody over at the company, Danger, upgraded a storage array without making a backup, and voila – bye bye T-Mobile contact data.  (See the article on The Washington Post here)  Nik Cubrilovic’s point in his article is that data has a natural lifecycle, and you should be able to survive without your contacts on your phone.  But he also makes the point that all sysadmins have memories of not being able to recover some data at some point, and sweating out bullets as a result.  His commentary is: this stuff is hardly as reliable as we expect it to be.  “Cloud” computers are no different, except that they are generally managed by professionals that increase the odds of successful recovery as compared to the basement enthusiasts.

Having a backup plan is important.  Testing your backups periodically is important.  But generally, the rule is that the most important data gets the most attention.  If you have to make a choice between backing up your T-Mobile contacts and your patient’s health records, the latter probably will get more attention.  That’s in part because there are laws that require more attention to the latter.  But it is also because you probably won’t die if you can’t call your aunt Susan without first emailing your mom for her number.  You can die if your doctor unknowingly prescribes you a medication that interacts with something not in your chart because of data loss.

But the bottom line with this: data loss is inevitable.  There is a tremendous amount of data being stored today by individuals and businesses.  Even the very largest and most sophisticated technology businesses on Earth have had recent data losses that made the headlines.  But the odds of data loss by doing nothing about backups are still higher than if you use a cloud service.  Oh, and if you use an iPhone with MobileMe, it syncs your contacts between your iPhone and your computer and Apple’s www.me.com, so you actually have three copies of your contacts floating around, not just a copy on the “cloud.”  Maybe you T-Mobile people aren’t better off by “sticking together.”


Big Dilemmas for Web Security

October 11th, 2009

The federal government is getting into the fray over internet security in a national crisis.  (See Yahoo Article here)  A Senate committee considered and then promptly dropped language in a cybercrime bill that would have authorized the President to shut down internet traffic to compromised web sites.  This comes in the larger context of trying to set policy on technical security for the nation, in light of our increasing dependency on the framework created by the internet.  Assuming that the shutdown of a web site was technically feasible, a war-time President would likely have the authority to do so, whether Congress passed a law about it or not.  See U.S. Const. Art. II Sect. 2 cl. 1.  As a practical matter, if the President could allow for the rounding up of U.S. citizens during World War II solely because of their race, I think the President can safely assume that shutting down a web site would be constitutional.  See Korematsu.

The difficulty today, however, is that following 9/11, President Bush asserted that we are constantly at war with terrorists.  Unlike a more traditional notion of war which has a relatively clear start and end, defining war in this manner means that the President is constantly acting within his war powers.  I don’t think the founders of our nation intended for us to have a king, or contemplated that we would be in a constant state of war.  And the danger is that the President would exercise the power to shut down certain web sites deemed a security risk, without much recourse for the web site owner.  So sites that might have an infection could be shut down, but so could those that disagreed with Presidential policies.

The risk to our internet infrastructure is real.  The authors of computer viruses today have come a long way from the kids of the 1990s that were trying to annoy you.  Major web sites like yahoo.com, and ads served through Google’s AdWords, have been infected with viruses that would then attack users of those web sites, potentially infecting many millions of computers.  Our ability to effectively respond to such problems is directly related to how well we prepare for their realization.  Perhaps instead of delegating such broad authority to the President, we should instead work on delegating power to act under more specific circumstances which would better balance the free speech rights of web site operators against the technical security needs of the nation.
