Tag Archives: Privacy

Securing your SharePoint Content & Infrastructure

A few weeks ago, we participated in a webinar with Axceler on securing content and infrastructure within SharePoint. I thought I’d point out some of the pertinent points raised during the presentation.

What is a Privacy Policy and Why Do You Need One?

A privacy policy is a statement that discloses the various ways your organization gathers, uses, discloses, and manages client data. This data, also known as Personally Identifiable Information (PII), covers anything that can be used to identify someone as an individual, including his or her name, contact information, financial and medical records, credit report, and many other things.

Michael Rasmussen on the “Big Data” Compliance Challenge

This is a topic many businesses are wrestling with, without fully understanding how “big data” is affecting compliance.

Is your SharePoint Platform Content-Aware?

We know Microsoft SharePoint makes it easy to create and collaborate on content. We also know that this results in an explosion of unstructured content, ranging from email to documents to blogs, all with the intention of having a collaborative conversation. SharePoint has also become core to operations, with businesses increasingly making it their enterprise content management (ECM) system of choice.

FTC Privacy Judgments: Are you doing enough to protect consumers?

Over the last few years, we’ve seen FTC privacy judgments against the ‘Big Three’ web companies: Google, Facebook and Twitter. In all these cases, the ‘Big Three’ were not protecting the interests of the American consumer.

How to Prevent SharePoint Mistakes

Reading Mathew J. Schwartz’s article in Information Week, ‘10 SharePoint Security Mistakes You Probably Make,’ I found a few items of particular interest.

  1. The first was the discovery that, in the case of Bradley Manning leaking 250,000 U.S. State Department cables, the forensic expert “discovered Wget scripts on Manning’s computer that pointed to a Microsoft SharePoint server holding the Gitmo documents. He ran the scripts to download the documents, then downloaded the ones that WikiLeaks had published and found they were the same, Shaver testified.” (Source: Wired, Forensic Expert: Manning’s Computer Had 10K Cables, Downloading Scripts)

Massachusetts Data Security Regulations: 1 Month to Deadline

The final phase of the Massachusetts data security regulation, officially entitled 201 CMR 17.00, comes into effect on 1 March 2011. With a month to go, businesses need to have procedures in place if they or their third-party contractors handle any Massachusetts residents’ data, whether or not the company is located in the state.

Essentially, if any contractor, supplier, technology provider or other third party holds data on Massachusetts residents, a contract needs to be signed stating that they comply with the new regulation. While the company doesn’t need to audit the third party, the signed contract should reserve the right to audit these companies.

So what does this mean for data captured or stored online by a third party? First, let’s identify a few examples of the third parties this could include:

  • A marketing company with a database of Massachusetts residents that will send materials on behalf of a company
  • A contractor with addresses of customers they need to supply services to, on behalf of a company
  • A web developer that hosts a company’s website and requires login details
  • A third party that hosts health records or financial information on behalf of a hospital

All of these instances will need appropriate measures in place to protect Massachusetts residents’ information, even if they hold only a few MA residents within their data. These third parties need to assure companies that they are protecting data, or face losing their client or customer.

The regulation’s purpose is stated as:

This regulation establishes minimum standards to be met in connection with the safeguarding of personal information contained in both paper and electronic records. The objectives of this regulation are to insure the security and confidentiality of customer information in a manner fully consistent with industry standards; protect against anticipated threats or hazards to the security or integrity of such information; and protect against unauthorized access to or use of such information that may result in substantial harm or inconvenience to any consumer.

As an MA resident, I think the regulation has the right purpose. As part of the online privacy community, I also think it’s a good reminder of the importance of protecting a business. The benefits of protecting customers’ privacy are far greater to a business than the alternative. Privacy helps to:

  • Protect your organization’s reputation internally and externally by assuring that your website properties are trustworthy and safe
  • Immediately identify issues for correction before problems can arise
  • Monitor for content or programming issues that could affect privacy requirements during website development
  • Ensure that information collected from site visitors can be audited for compliance
  • Create custom reports for internal website compliance management
  • Earn customer confidence by providing a trusted environment of Internet confidentiality

For any company using the web to store private MA residents’ information, remember that this applies both internally and externally. You need automated privacy tools in place, not just to enforce the policy but to monitor for breaches. This will only improve your data protection and help differentiate you from other businesses, since you can show specific reporting examples, on demand, to your corporate customers or clients.

Olympic Security Dossier Left on Train: Could SharePoint have prevented it?

The Sun reported earlier this week that a secret dossier detailing plans for policing this summer’s London Olympics was left on a train. Included in the dossier were the names and mobile phone numbers of constables, sergeants and inspectors, as well as details of pre-Olympics rehearsals, emergency “lock-down” procedures and plans to avoid traffic congestion.

The Guardian wrote an interesting post criticizing the Sun for its dramatic claim that the file “contained details that would have helped al-Qaida terrorists mount a devastating attack on the Games in London this summer.” Before I get too involved in The Sun versus The Guardian, my point is that we should ensure there is never a chance of an al-Qaida operative being on the same train, at the same time, as a police officer leaving a security dossier behind.

On this note, I couldn’t help wondering whether SharePoint could have prevented this situation in the first place. Lost documents are nothing new, so why does it still happen? Secure documents do not need to be left in places, because they shouldn’t be printed in the first instance. It makes more sense for organizations to use SharePoint with a specific automated rules engine to define the parameters under which people can access information.

In this instance, if the document was available to the constables, sergeants and inspectors mentioned in the dossier, they should only have been able to access it from a computer using a secure SharePoint connection. Then, they should only have been able to read it on screen or comment on it in a secure Team Site on the platform. No printing of the material should ever have been allowed. Not only would this mean no loss of documents, but it would also help the Met monitor who was reviewing the information and how the readers felt about the plan (using the Team Site), to make improvements such as the radio comments that appeared in the dossier. Lastly, the Met could see whether anyone wanted to print the materials or access them inappropriately.

SharePoint could lend itself to being a useful collaboration tool for the Met. Used with appropriate automated compliance and security solutions, SharePoint could ensure that incidents like this would be a thing of the past.

To help discover the range of issues driving organizations toward stronger content security and policy enforcement, and learn how the most forward-thinking organizations are managing content compliance, download a privacy whitepaper.

Is this what the ICO is expecting we do?

I recently visited the Information Commissioner’s Office (ICO) website to read some relevant news and was interested to see how the Office has started handling the cookie directive. First, upon visiting any webpage at www.ico.gov.uk you’ll see the notice below:

What’s interesting here is that you can only opt to accept cookies from this site; there is no option to decline cookies. However, if you click on the privacy notice, you’ll get more details on how the ICO uses cookies.

Within the privacy notice, the ICO has also published a grid of cookies on the website and how each one is used. This is very clearly explained to the visitor.

Of particular interest, one cookie, the Content Management System cookie, has the following statement:

This is a problem many organisations are going to face. Many organisations likely know some of the cookies on their website, but it is also highly likely that many are unaware of all of the cookies on their website.

If this is how the ICO expects all organisations in the UK to handle the cookie directive, then this clear grid will need to be easily produced, updated and maintained, which may be a challenging feat for many. At a minimum, a cookie audit is the first step in meeting the directive’s requirements.

This week I attended the IAPP Europe Data Protection Congress in Paris. Many of the 300 attendees were from law firms seeking more information on how to handle privacy regulations, and particularly the cookie directive. I’ve highlighted on this blog previously that it is very unclear what organisations need to do to adhere to the directive, but once again it’s important to reinforce that pleading ignorance is not an option. You’ll be on the hook for any cookies, known or unknown, on your website.

The ICO is expected to publish a report before Christmas to help UK organisations with compliance. However, it is highly likely that the way www.ico.gov.uk currently handles cookies will be the way forward for UK organisations. So, as a starting point, audit your website for cookies. For more information on how to do this, please get in touch via the comments below or through our Twitter feed @HiSoftware_EU.

On the rumour mill, I’ve also heard that the ICO website has lost a lot of traffic, something that is of grave concern to many marketers. Services like Google Analytics will need to find another way of monitoring traffic, particularly if sites, like the ICO’s, include the details below:

This cookie directive means we face a sea change in how the web serves its users and consumers. Convincing people to opt in is a major challenge, along with all the back-end issues and the geographical rules. Where does the cookie directive start and end? If a US company has a website hosted in the States that also serves the EMEA market, what jurisdiction will this fall under?

The questions are currently endless. At least we have a starting point – audit your cookies.
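To make the cookie audit recommended above concrete, here is an added example (not code from the original post, HiSoftware or the ICO). It parses the Set-Cookie headers a site emits into an inventory grid of the kind the ICO published (name, domain, path, session or persistent, lifetime, Secure, HttpOnly, SameSite) and then compares that grid with the cookies the organisation has already declared, so the “unknown” cookies the post warns about stand out. The host name, headers and declared list are constructed for the example; a real audit would feed in headers captured from crawling the site.

```python
"""Cookie audit helper: build an inventory grid from Set-Cookie headers
and flag cookies missing from a site's declared cookie list.
Added example; the sample data below is constructed, not captured from any site."""
from dataclasses import dataclass
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from typing import Dict, Iterable, List, Optional


@dataclass
class CookieRecord:
    name: str
    domain: str
    path: str
    persistent: bool                  # True when Max-Age or Expires was set
    lifetime_seconds: Optional[int]   # None for session cookies
    secure: bool
    http_only: bool
    samesite: str


def parse_set_cookie(header: str, host: str, now: datetime) -> CookieRecord:
    """Parse one Set-Cookie header value (RFC 6265 attribute syntax)."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, _value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    flags = set()
    for part in parts[1:]:
        key, has_value, val = part.partition("=")
        key = key.strip().lower()
        if has_value:
            attrs[key] = val.strip()
        else:
            flags.add(key)
    lifetime = None
    if "max-age" in attrs:            # Max-Age takes precedence over Expires
        lifetime = int(attrs["max-age"])
    elif "expires" in attrs:
        expires = parsedate_to_datetime(attrs["expires"])
        if expires.tzinfo is None:    # treat a bare timestamp as UTC
            expires = expires.replace(tzinfo=timezone.utc)
        lifetime = int((expires - now).total_seconds())
    return CookieRecord(
        name=name.strip(),
        domain=attrs.get("domain", host).lower().lstrip("."),
        path=attrs.get("path", "/"),
        persistent=lifetime is not None,
        lifetime_seconds=lifetime,
        secure="secure" in flags,
        http_only="httponly" in flags,
        samesite=attrs.get("samesite", "unspecified").capitalize(),
    )


def audit(set_cookie_headers: Iterable[str], host: str, now: datetime) -> List[CookieRecord]:
    """One record per Set-Cookie header observed for the host."""
    return [parse_set_cookie(h, host, now) for h in set_cookie_headers]


def undeclared(records: Iterable[CookieRecord], declared_names: Iterable[str]) -> List[str]:
    """Cookies the site actually sets but the published cookie grid does not mention."""
    declared = set(declared_names)
    return sorted({r.name for r in records if r.name not in declared})


def render_grid(records: Iterable[CookieRecord]) -> str:
    """Plain-text version of the cookie grid, one row per cookie."""
    rows = ["name | domain | path | type | lifetime(s) | Secure | HttpOnly | SameSite"]
    for r in records:
        rows.append(" | ".join([
            r.name, r.domain, r.path,
            "persistent" if r.persistent else "session",
            "-" if r.lifetime_seconds is None else str(r.lifetime_seconds),
            "yes" if r.secure else "no",
            "yes" if r.http_only else "no",
            r.samesite,
        ]))
    return "\n".join(rows)


# Constructed sample: what a crawler might collect from one site's responses.
SAMPLE_HOST = "www.example.gov.uk"
SAMPLE_SET_COOKIE = [
    "ASP.NET_SessionId=abc123; path=/; HttpOnly",
    "__utma=1.2.3.4; expires=Wed, 21 Oct 2015 07:28:00 GMT; path=/; domain=.example.gov.uk",
    "cookie_consent=yes; Max-Age=31536000; Path=/; Secure; SameSite=Lax",
]
SAMPLE_NOW = datetime(2013, 10, 21, 7, 28, 0, tzinfo=timezone.utc)
DECLARED_IN_GRID = ["ASP.NET_SessionId", "cookie_consent"]   # the grid the site publishes

if __name__ == "__main__":
    found = audit(SAMPLE_SET_COOKIE, SAMPLE_HOST, SAMPLE_NOW)
    print(render_grid(found))
    print("undeclared:", undeclared(found, DECLARED_IN_GRID))
```

With the constructed data the analytics cookie `__utma` is the one the published grid omits, which is exactly the gap between the cookies an organisation knows about and the ones its site really sets. Lifetime is computed relative to the audit time so that a persistent cookie’s remaining life is visible in the grid.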

North Somerset Council and Worcestershire County Council fined by ICO

Two councils have been fined by the Information Commissioner’s Office (ICO) after staff at both authorities sent highly sensitive personal information to the wrong recipients.

The ICO has served a monetary penalty of £80,000 to Worcestershire County Council for an incident in March 2011 where a member of staff emailed highly sensitive personal information about a large number of vulnerable people to 23 unintended recipients. The error occurred when the employee clicked on an additional contact list before sending the email, which had only been intended for internal use.

Enquiries by the ICO found that Worcestershire County Council had failed to take appropriate measures to guard against the unauthorised processing of personal data, such as providing employees with appropriate training and clearly distinguishing between internal and external email distribution lists. The council had also failed to properly consider an alternative means of handling the information, such as holding it in a secure system that could only be accessed by members of staff who needed to see it. Fortunately, on this occasion all of the unintended recipients worked for registered organisations used to operating within the council’s protocols about handling sensitive data. Worcestershire County Council has explained to the ICO that as soon as the breach occurred the council employee immediately realised their error and attempted to contact all of the unintended recipients to ensure that the information was deleted.
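The two controls the ICO says were missing, keeping internal and external distribution lists clearly distinguished and restricting the data to staff who need it, can be partly enforced at the moment of sending. The following is an added example, not code from the post, the ICO or either council: it expands distribution lists to individual addresses, checks a naming convention that makes any list containing outside addresses visibly different, and blocks a message marked as carrying sensitive personal data when any expanded recipient is outside the organisation’s own domain. The domain, list names, addresses and the `ext-` prefix convention are all constructed assumptions for the example.

```python
"""Outbound-mail recipient check (added example, constructed data).
Enforces two controls: external distribution lists must be visibly
named as such, and sensitive personal data may not leave the domain."""
from typing import Dict, Iterable, List, Set

# Assumed for the example: the council's own mail domain.
INTERNAL_DOMAINS = {"council.example.gov.uk"}

# Constructed distribution lists. Convention assumed here: any list holding
# an address outside INTERNAL_DOMAINS must carry an "ext-" prefix so the
# sender can tell internal from external at a glance.
DISTRIBUTION_LISTS: Dict[str, List[str]] = {
    "adult-social-care": ["a.smith@council.example.gov.uk",
                          "b.jones@council.example.gov.uk"],
    "ext-partner-agencies": ["duty@charity.example.org",
                             "referrals@nhs-trust.example.net"],
    # Mis-named on purpose: mixes an outside address into an internal-looking list.
    "housing": ["c.brown@council.example.gov.uk",
                "liaison@housing-assoc.example.org"],
}


def is_internal(address: str) -> bool:
    """True when the address belongs to one of the organisation's own domains."""
    domain = address.rsplit("@", 1)[-1].lower()
    return domain in INTERNAL_DOMAINS


def expand(recipients: Iterable[str], lists: Dict[str, List[str]]) -> Set[str]:
    """Replace list names with their members; plain addresses pass through."""
    out: Set[str] = set()
    for r in recipients:
        if r in lists:
            out.update(lists[r])
        else:
            out.add(r)
    return out


def misnamed_lists(lists: Dict[str, List[str]]) -> List[str]:
    """Lists whose name does not match their membership under the ext- convention."""
    bad = []
    for name, members in lists.items():
        has_external = any(not is_internal(m) for m in members)
        if has_external != name.startswith("ext-"):
            bad.append(name)
    return sorted(bad)


def check_outbound(recipients: Iterable[str], sensitive: bool,
                   lists: Dict[str, List[str]] = DISTRIBUTION_LISTS) -> dict:
    """Decide whether a message may be sent.

    Returns the external recipients in every case so a client can warn
    the sender even when the message is not blocked."""
    addresses = expand(recipients, lists)
    external = sorted(a for a in addresses if not is_internal(a))
    if sensitive and external:
        return {"allowed": False, "external": external,
                "reason": "sensitive personal data addressed to external recipients"}
    return {"allowed": True, "external": external, "reason": ""}


if __name__ == "__main__":
    print("mis-named lists:", misnamed_lists(DISTRIBUTION_LISTS))
    # The scenario from the post: an internal list plus an extra external list.
    print(check_outbound(["adult-social-care", "ext-partner-agencies"], sensitive=True))
```

The second control in the post, holding the information in a secure system limited to staff who need it, is the better fix; this check is the safety net at the mail gateway for the case where someone attaches the data anyway.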
