government records audit faults sec’s records … · android apps may leak personal data ......

News, Trends & Analysis

In a public July 2012 letter toSen. Charles E. Grassley (R-Iowa) on behalf of a former

long-time Securities and ExchangeCommission (SEC) official, theSEC said it had violated federallaw by destroying financial recordsrelated to investigations of variousfinancial institutions from 1993 to2010. The 9,000 records in questionpertained to the initial investiga-

GOVERNMENT RECORDS

Audit Faults SEC’s Records Management Practices

6 JANUARY/FEBRUARY 2013 INFORMATIONMANAGEMENT

con-flictedwith fed-eral law re-quiring suchdocuments to be retained for 25years.

SEC spokesperson John Nestertold The Washington Post that theagency changed the policy in 2011,requiring employees to follow theagency’s records management pol-icy. He also pointed out the reten-tion requirements “pertain todocuments that meet the definitionof a record, not every documentthat comes into an agency’s posses-sion in the course of its work.”

Former SEC enforcementlawyer Darci Flynn contacted theNational Archives and Records Ad-ministration (NARA) last year.NARA responded with an audit ofthe agency’s records managementpractices.

NARA released its findings inan audit report dated September30, 2012. According to GovernmentExecutive.com, the report faultedthe SEC for unclear records man-agement policies and inadequateemployee training. The audit find-ings reportedly included 12 recom-mendations, including more visitsto offices by records managementspecialists, better internal docu-ment controls, and policy trainingin records retention. An imple-mentation plan was due before theend of 2012.

tion of institutions that reportedlyincluded Goldman Sachs, Bank ofAmerica, Morgan Stanley, andWells Fargo.

The documents were shreddedin compliance with an SEC policyin effect during that time periodthat stated that documents relatedto an inquiry that didn’t become anofficial investigation should be de-stroyed. Unfortunately, that policy

DATA SECURITY

Android Apps May Leak Personal Data

German security researchers recently determined that some An-droid applications may pose certain serious security risks.

Researchers at the Leibniz University of Hanover in Ger-many studied the potential security threats posed by some Android ap-plications that use Secure Sockets Layer and Transport Layer Security(SSL/TLS) protocols to protect data transmissions. According to thestudy report that was released in October 2012, “Why Eve and MalloryLove Android: An Analysis of Android SSL (In)Security,” researchersspecifically looked at 13,500 popular free apps in Google’s Play Marketbecause “the lack of visual security indicators for SSL/TLS usage andthe inadequate use of SSL/TLS can be exploited to launch man-in-the-middle (MITM) attacks.”

Using MalloDroid, a tool researchers built to detect po-tential vulnerability against MITM attacks, theydetermined that 8% of the apps contain code thatcould be vulnerable. No actual attacks have beenreported; however, the researchers concludedthe potential is definitely there.

According to the researchers’ report, thereare a variety of ways to minimize the prob-lem of unencrypted traffic or SSL misuse.

They can be categorized into three groups: (1)solutions integrated into the Android operating

system, (2) solutions into app markets, and (3) standalonesolutions.

The MalloDroid web app is an example of a standalonesolution that the researchers intend to make available to Androidusers.

©2013 ARMA International • www.arma.org

JANUARY/FEBRUARY 2013 INFORMATIONMANAGEMENT 7

DATA SECURITY

India to EU:Declare Us Secure

India has asked the EuropeanUnion (EU) to formally recog-nize India as a data-secure

country. The Times of India re-ported the issue came up fordiscussion in a recent meeting be-tween Commerce and IndustryMinister Anand Sharma and Algir-das Semeta, the European Com-missioner for Taxation andCustoms Union, Audit and Anti-Fraud.

The issue is an important pointof contention in the proposed Bilat-eral Investment and ProtectionAgreement (BITA), a free tradeagreement between India and theEU that has been in negotiationsince 2007.

Sharma pointed out that India’saccess to the EU market dependson it being declared data secure.The lack of such recognition pre-vents the flow of sensitive data, in-cluding patient information fortelemedicine, to India under cur-rent EU data protection laws.

“It is our clear analysis that ourexisting law does meet the requiredEU standards. We would urge thatthis issue is sorted out quickly andnecessary comfort in declaringIndia data secure in overall senseneeds to be given as almost all themajor Fortune 500 companies havetrusted India with their criticaldata,” Sharma said in an official

statement.The EU is reportedly undertak-

ing a study to determine whetherIndia’s laws do indeed meet theEU’s directive.

According to The India TimesOctober 18, 2012, article, lifting thedata flow restrictions on Indiawould significantly increase India’s$100 billion IT business processesoutsourcing industry; 30% of the in-dustry’s exports are to the Euro-pean market.

CLOUD COMPUTING

The State ofCloud Computingin Canada

The 2012 CloudLaunch con-ference held in mid-October2012 in Ottawa was gener-

ally regarded as a frank and, at

times, divisive discussion of what itwill take to advance the adoption ofcloud computing in Canada.

Andrew Fisher, executive vicepresident at Wesley Clover, wasquoted in an October 16, 2012, blogposting by expertIP editor ShaneSchick as saying the biggest barrierto adoption is a lack of interest fromorganizations, including the gov-ernment, to stimulate the purchaseof cloud computing services.

According to the blog post,Misha Nossik, chief technology offi-cer of Afore Solutions and founderof the Ottawa Cloud Council, sug-gested that government chiefinformation officers (CIO) are moreconcerned with protecting theirbudgets than embracing the cost-savings cloud computing can offer.Some feel, however, that cloud com-puting will never take off in the pri-vate sector until the governmentembraces it.

Schick contended that “adop-tion in Canada won’t get much far-ther unless CIOs and vendors canforge a new kind of trusted part-nership, one that looks a lot differ-ent in a world of ongoing servicesthan it did in the previous one ofon-premise sales.”

This will be a serious test tothose vendor relationships, Schickadded. A test they can’t afford tofail.



Agood defense isn’t enough when it comes to ensuring an organi-zation’s data security, Gartner analysts told participants at the firm’s Symposium/ITxpo 2012 held in October in Orlando. With

the speed at which technology is changing and the agility of hackers isincreasing, threats to security are growing faster than the means todefend against them. The time has come to stop just reacting and begintaking proactive measures, said Gartner analysts.

According to InformationWeek.com, Gartner Research Vice Presi-dent Greg Young stressed the need for enterprises to focus on threemain areas: protection of infrastructure (keeping the bad guys out);managing identity and access (letting the good guys in); and businesscontinuity, compliance, and risk management (policies that keep thewheels on).

Young cited several factors that have made protecting infrastruc-ture increasingly difficult, including emerging trends around software-defined networking, virtualization, cloud computing, and mobile smartdevices. Strategic infrastructure planning, he concluded, doesn’t try toaddress all threats, butrather requires aligning se-curity mechanisms with aneffective, carefully considereduser-access policy.

Gartner Vice PresidentEarl Perkins addressed theidentity and access manage-ment issue. He suggestedthat enterprises could takeadvantage of social network-ing processes to improve useraccess management. Enter-prises already manage access through permissions and entitlements;however, Perkins speculated that social media profiles could eventuallybe used in enterprise security mechanisms. This may be a decadeaway, said Perkins, but the integration of social media for effectiveuser management has already begun.

Gartner Vice President Paul Proctor echoed Young’s point that theprocesses should not try to protect against everything. The key lies inbehavior changes. Enterprises need to increase their focus on employeetraining, he said. This is especially critical with the bring-your-own-device trend.

Keeping score by reporting security incidents is another area inneed of a behavioral shift, contended Proctor. Instead of focusing onthe number of incidents, enterprises should focus on identifying pro-tection levels applicable to their needs. These needs will vary from in-dustry to industry. Some organizations (e.g., manufacturing) possessintellectual property and little personal data, while others (e.g., fi-nancial institutions) have personal data and relatively little intellec-tual property to protect. The latter are going to be more likely targetsfor hackers.

RISK MANAGEMENT

Gartner: A Good Offense Is Best Defense

FOIA

NARA, OtherFederal AgenciesLaunch FOIAOnline System

The U.S. National Archivesand Records Administra-tion (NARA), the U.S. En-

vironmental Protection Agency(EPA), and the U.S. Departmentof Commerce have developed anonline system to expand publicaccess to information requestedunder the Freedom of Informa-tion Act (FOIA).

According to NARA, FOIAonline(https://foiaonline.regulations.gov)offers the public one place to submitFOIA requests, track their pro-gress, communicate with the pro-cessing agency, search otherrequests, access previously releasedresponsive documents, and file ap-peals with participating agencies.

For federal agencies, FOIA-online provides a secure website toreceive and store requests, assignand process requests, post re-sponses, generate metrics, managerecords electronically, create man-agement reports, and electronicallygenerate the annual report theFOIA requires from each agency.

The new system leverages theinfrastructure developed for theEPA’s Regulations.gov, the federalrulemaking portal that allows peo-ple to comment on federal regula-tions and other agency regulatoryactions. This helped FOIAonlineavoid many startup costs and is ex-pected to save the government $200million over the next five years ifbroadly adopted.


GOING GREEN

Paper Still Rulesin Many U.S.Federal Agencies

The U.S. government’s digitaltransformation is wellunder way. However, a

study by Open Text and the Gov-ernment Business Council thatwas published in October revealedthat only 22% of the 150 federalmanagers surveyed gave their in-formation management systemsan “A” or “B” grade. The averagegrade given was a “C” largely be-cause of the agencies’ reliance onpaper records and even oldermedia (e.g., microfiche and micro-film).

Fortunately, 82% of the re-spondents recognize that elec-tronic information management(EIM) plays an essential or impor-tant role in agency operations. Al-most half (48%) of the respondentssee EIM as essential to operations.Unfortunately, only 28% considertheir agency’s EIM as being “ade-quate.” The majority (58%) labeledit “inefficient,” “confusing,” or “out-dated,” primarily because of theamount of redundancy and thecontinued prevalence of paperrecords, despite available tech-nologies. Nearly one-quarter (24%)said their agencies still manage

microfiche or microfilm.Even though paper still

seems to rule, 54% of theagencies reported that be-tween 34% and 80% oftheir information is cur-rently available in adigital format.

Fifty-seven percentof the managers agreedthat EIM can reducetime spent looking forrecords – time that canbe reinvested in othertasks that serve theneeds of citizens. Andin many cases, EIM canimprove the bottom line:30% of federal managers sayEIM can reduce operating costs.

Predictably, the biggest road-block to fully implementing anEIM system is the lack of re-sources, followed by the lack of aclear information managementstrategy or policy.

When asked what they neededto fully implement EIM in theiragency, two-thirds of the managersanswered “agency-wide approachto information management,” 57%cited a change in agency culture,and 56% said increased funding.

Read the full research report atwww.opentext.com/EIMreport.(Registration required.)

DATA SECURITY

SingaporePasses DataProtection Act

Singapore’s data privacyact was to take effectJanuary 1, 2013. En-

forcement, however, is notscheduled to begin until mid-2014 to give businesses enoughtime to adjust.

The new law gives individ-uals more control over theirpersonal data, requiring or-

ganizations to apprise their con-stituents of the purpose for collect-ing, using, or disclosing theirpersonal information.

The law also gives individualsthe right to seek compensation fordamages suffered directly as a re-sult of a breach of the data protec-tion rules. Organizations foundguilty of violating the rule may befined up to S$10,000 ($8,181 U.S.)per customer complaint.

A national do-not-call registryis established by the new law, as isa Personal Data Protection Com-mission (PDPC), which will be thecountry’s primary authority onmatters relating to personal dataprotection and enforcement of thenew rule. PDPC could impose apenalty of up to S$1 million($818,150 U.S.) if an organizationdoesn’t comply.

The new law applies only to or-ganizations in the private sector.The government already had itsown data protection rules in place.

An element missing from thelaw is the requirement that organ-izations notify individuals when abreach occurs. Mandatory notifica-tion is standard in European andAmerican data protection laws andwill undoubtedly be added to Sin-gapore’s in time.




CYBERCRIME

Firm Lists TopTricks Used bySpear Phishers

Early on, cybercriminals dis-covered that e-mail is agreat avenue for spam and

mass-distributed malware. It stillis, according to a recent report fromFireEye, a provider of threat pro-tection for web and e-mail.

FireEye’s “Advance Threat Re-port 1H 2012” recorded a 56% in-crease in malicious e-mails gettingpast organizations’ security de-fenses between the first and secondquarters of 2012.

nificantly higher. For example, thetop draw in the first half of 2012(“dhl”) was included in the name ofnearly 23% of attachments, whilethe most common word in the sec-ond half of 2011 (“label”) was in-cluded in the name of just 15% ofattachments.

FireEye found additional trendsbetween the second half of 2011and the first half of 2012. For ex-ample, the percentage of file namescontaining words related to ship-ping (e.g., “postal”) grew from 19%to 26%. The number of words asso-ciated with urgency grew evenmore dramatically from nearly 2%to almost 11%.

On a somewhat more positivenote, using the .EXE file extension

was much less successful in2012. Unfortunately, today’s cy-bercriminals are using .ZIP and.PDF file extensions more suc-cessfully.

To guard against thesethreats, FireEye stressed thatenterprises need to better edu-cate users on how to recognizemalware threats and employmore advanced technologies todetect and stop the advanced

threats.

CLOUD COMPUTING

EU Looks to theCloud forEconomic Relief

The European Union (EU) ishoping that cloud computingwill help its economy recover

from its four-year debt crisis andrecession. Specifically, CNBC re-ported the EU is looking to cloudcomputing to help boost the econ-omy by creating 2.5 millionnew jobs and increasing theEU’s gross domestic prod-uct by €583 billion ($760 billionU.S.) between 2015 and 2020.

International Data Corp., which

helped the EU develop its cloud com-puting strategy, is even more opti-mistic, predicting that the newpolicy could develop close to 3.8 mil-lion new jobs.

Katherine Thompson, an ana-lyst at Edison Investment Re-search, told CNBC she’s not asoptimistic. “I’m not sure I strictlyagree that it will give such a boostto the economy,” she said, “as themove to the cloud is often a shiftfrom one form of expenditure to an-other, as opposed to incrementalspend, and in many cases will bedeflationary.”

She added that she does agreewith the EU’s thinking that cloudcomputing will help create newtypes of companies and businessmodels, which she said is alreadyhappening.

“The EU wants to focus on fourkey aims to help cloud computingrealize its full potential,” reportedCNBC.com’s Matt Clinch. “Theywant users to be able to easily moveproviders, a certification for trust-worthy companies, contracts thatwould simplify regulations, andclear communication betweenproviders and the public sector sowork doesn’t drift overseas to theU.S.”

Of course, security remains aserious concern, regardless of howmany jobs are created and wherethe data centers are located. It’scritical that data security can beensured.

Cybercriminals use certain com-mon words in file names that tricklarge number of unsuspecting recip-ients to download or install files con-taining malware to their localdrives. According to FireEye’s “TopWords Used in Spear Phishing At-tacks to Successfully CompromiseEnterprise Networks and StealData,” the top five draws in the firsthalf of 2012 were “dhl,” “notifica-tion,” “delivery,” “express,” and“2012.”

Interestingly, with only a coupleof exceptions, the first half of 2012’slist of the top 20 words is completelydifferent from those deemed suc-cessful in the second half of 2011.

The percentage of attachmentscontaining those words is also sig-


filed with the court, the scam-mers sought to avoid detection

by consumers and law en-forcers by using virtual of-

fices that were, in fact,mail-forwarding fa-

cilities. The scam-mers allegedly

used 80 dif-ferent domain

names and 130 dif-ferent phone numbers.The commission has

publicly acknowledged theassistance it received from the

Australian Communications andMedia Authority, CanadianRadio-Television and Telecommu-nications Commission, and theUK’s Serious Organised Crimeagency, as well as from Microsoftand other computer companies.

The FTC cases targeted 14corporate defendants and 17 indi-


vidual defendants in the six legalfilings.

Liebowitz announced the fil-ing of the international scam casethe day after the FTC won a finaljudgment in a $163 million caseagainst an operation that usedcomputer “scareware” to trick con-sumers into thinking their sys-tems were infected with malware.

In this particular case, whichwas filed in 2008, the FTCcharged the defendants withscamming more than 1 millionconsumers using elaborate andtechnologically sophisticated In-ternet advertisements. The adsdisplayed a bogus “system scan”that detected several malicious orotherwise dangerous files on theconsumers’ computers and urgedconsumers to buy the defendants’software for $40-$60 to fix theircomputer.

CYBERCRIME

FTC TargetsComputerSupport Scams

In Octo-ber 2012,the Federal

Trade Commission(FTC) announced that ithad launched “a major in-ternational crackdown ontech support scams.” The com-mission took aim at telemarketersmasquerading as being associatedwith major tech companies to scamconsumers into believing their com-puters “are riddled with viruses,spyware, and other malware” andthen charging hundreds of dollarsto remotely access, fix, and monitorthe consumers’ computers.

A U.S. District Court judge or-dered a halt to six alleged tech sup-port scams and froze thedefendants’ assets. In announcingthe judgment, FTC Chairman JohnLiebowitz stated that the defen-dants had “taken scareware to awhole other level of virtual may-hem.”

The six operations, most ofwhich were based in India, tar-geted English-speaking consumersin the United States, Canada, Aus-tralia, Ireland, New Zealand, andthe United Kingdom (UK). Theycontacted the consumers by tele-phone and reportedly claimed theywere affiliated with legitimate com-panies, such as Microsoft, Dell,McAfee, and Norton, and told theconsumers that they had detectedmalware that posed an imminentthreat to their computers. They di-rected consumers to a utility areaof their computer and falselyclaimed it demonstrated the com-puter was infected.

According to papers the FTC

TECH TRENDS

Mobile Devices Top Gartner’s2013 Strategic Tech Trends List

Gartner’s 2013 top-10 IT trends is an evolution of items from pre-vious years, Gartner Fellow David Cearley told PCweek.com’sMichael Miller. Many of these issues have moved slower than

expected, Cearley observed, but they still have the highest potentialfor significantly affecting enterprises over the next three years.

Mobile devices, mobile apps and HTML5, cloud computing, Inter-net of Things, and big data top the list for 2013. Their placement on thelist may have changed from last year, but the only new trend is per-sonal cloud computing.

Top 10 Strategic Technology Trends for 20131. Mobile Devices Battles2. Mobile Applications and HTML53. Personal Cloud4. Internet of Things5. Hybrid IT & Cloud Computing6. Strategic Big Data7. Actionable Analytics8. Mainstream In-Memory Computing9. Integrated Ecosystems

10. Enterprise App StoresSource: Gartner



change with a hospital or clinicianthat uses a different EHR vendor.The goal is to advance interoper-ability across vendor systems.

Stage 2 also contains stan-dards and certification criteriathat were either weak or nonexist-ent in Stage 1. “Stage 2 standardsand certification criteria are morerobust, requiring certified EHRtechnology to receive, display, andtransmit considerably more typesof data – using standards,” ex-plained the BPC in a companionreport, “Accelerating Electronic In-formation Sharing to ImproveQuality and Reduce Costs inHealth Care.”

The 2014 Standards, Imple-mentation Specifications, and Cer-tification Criteria require certifiedEHR support for data-transportmethods and standards that pushdata. This is in line with clini-cians’ preferences. According tothe clinician survey, the major-ity of clinicians prefer to re-ceive information they consider“essential” to be pushed tothem; the rest they want to beable to access through a query.

BPC added that “the devel-opment, coordination, evaluationof, and effective communicationand dissemination of implementa-tion guides and specifications thatwill support the actual use of stan-dards in practice … is crucial.”

It offered several recommenda-tions:• Develop a national strategy and

long-term plans for standardsand inoperability to support abroad set of healthcare priorities.

• Provide sub-regulatory and ex-planatory guidance from the fed-eral government to supportquery access to priority informa-tion and transmission of imag-ing test results.

• Explore principles, policies, stan-

The final rules for stage 2 ofthe Medicare and MedicaidElectronic Health Record

(EHR) Incentive Programs (alsoknown as the Meaningful Use Pro-gram) go into effect in October2013 for hospitals and January 14,2014, for practitioners. Stage 2 con-tains requirements intended to fa-cilitate electronic sharing of healthinformation to support transitionsin care.

An October 2012 report on asurvey conducted by the Biparti-san Policy Center (BPC) and ana-lyzed by Doctors Helping DoctorsTransform Health Care, more than80% of clinicians surveyed “believethat the electronic exchange ofhealth information across care set-tings will have a positive impact onimproving the quality of patientcare, as well as the ability to coor-dinate care, meet the demands ofnew care models, and participatein third-party reporting and incen-tive programs.”

The report, “Clinician Perspec-tives on Electronic Health Infor-mation Sharing for Transitions ofCare,” also shows that more thanhalf (57%) of the respondents be-lieve the electronic exchange of in-formation will actually reducehealthcare costs.

There are some serious obsta-cles, however, that must first beovercome. Most of the physicians(71%) surveyed consider the lack ofinteroperability and an exchangeinfrastructure – and the cost asso-ciated with implementing andmaintaining that infrastructure –a major barrier to electronic infor-mation sharing.

Stage 2 of Meaningful Use at-tempts to address these concernsby including requirements for theelectronic transmission of a sum-mary of care record 10% of the timeand at least one successful ex-

dards, and strategies for im-proving the accuracy of match-ing using consumer-facilitatedapproaches.

• Issue comprehensive and clearguidance from the U.S. Depart-ment of Health and HumanServices on compliance withfederal privacy and securitylaws.

The clinician study and the re-sulting reports on electronic infor-mation sharing in the healthcaresector is part of BPC’s Health ITInitiative. Its goal is to identify“real-world examples and bestpractices that facilitate coordi-nated, accountable, patient-cen-tered care,” and to ensure “that

health IT efforts support deliv-ery system and payment

reforms shown to im-prove quality and reduce

costs in health care.”

HEALTH RECORDS

U.S. Doctors High on Electronic Information Sharing



PRIVACY

Data Retention vs. Privacy

Australia’s proposed data retention laws may conflict with the in-tent of the national privacy principles, according to internationallawyers James Halliday and Sylvia Li from Baker and McKenzie,

who raised the concern in an article on ITnews.com. They explained that“the data retention laws will make it mandatory for all Australian tel-

cos [telecommunications com-panies] and ISPs [Internetservice providers] to store thenon-content usage records of allindividuals for up to two yearswithout the consent of the indi-viduals involved.”

The Privacy Amendment(Enhancing Privacy Protection)Bill 2012, on the other hand,will “prohibit the use of all per-sonal information for directmarketing, unless exemptionsapply.”

Halliday and Li contend that the data retention laws do not meet thebasic community expectation of privacy provided for in the PrivacyAmendment.

WEB

FTC Still on the Google Case

The Federal Trade Commission (FTC) has moved forward inits antitrust investigation into Google, which it began in2011. This isn’t the first antitrust inquiry Google has been

involved in, but it does look like it’s one that will have a signifi-cant impact.

The FTC staff has beeninvestigating whetherGoogle unfairly ranks itssearch results to favor itsown businesses and whetherit restrains competition byengaging in exclusive agree-ments to provide searchservices to online publishers and other websites. Google has also beenaccused of charging higher advertising rates to its competitors, mak-ing it difficult for other advertisers to compete with Google and itsvarious businesses.

The European Union is looking into these allegations based oncomplaints it has received from smaller companiesThe Washington Post reported the FTC is also looking into whether

Google is using its influence in the Android market to discouragesmartphone and device makers from using rivals’ applications.



The Information GovernanceReference Model (IGRM) hasbeen updated to include pri-

vacy and security as primary func-tions and stakeholders in theeffective governance of information.

The Electronic Discovery Ref-erence Model (EDRM), which pub-lished the IGRM, announced thechange in the third quarter of 2012,stating the release of IGRM ver-sion 3.0 “reflects broad industrysupport and collaboration acrossthe expert communities of ARMAInternational and CGOC (Compli-ance, Governance and OversightCouncil).”

The IGRM provides a common,practical framework enabling or-ganizations to establish informa-tion governance programs thatmore effectively deal with the risingvolume and diversity of informationand the risks, costs, and complica-tions this presents. The model helpsfacilitate dialogue and coalesce dis-parate information stakeholdersand perspectives across legal,

records management,IT, and business or-ganizations.

“The Model helpsorganizations more ef-fectively associate theduties and value of in-formation to informa-tion assets throughpolicy integration andprocess transparencyso they can maximizeinformation of value,meet their legal obli-gations, efficientlymanage informationand defensibly disposeof it at the right time,”explained the EDRM.

Incorporating pri-vacy and security askey stakeholders re-flects the increasingimportance of privacy and securityduties and the efficiencies organi-zations can achieve when theseefforts are more holistically inte-grated with other essential gover-

nance practices and programs. As the volume and variety of

data (e.g., social media, geo-locationdata, and website tracking data)grow, so do the risks and costs asso-ciated with amassing it. Data typi-cally loses its value steadily, yet thecosts and risks of managing it in-crease over time, which inverselymeans that data without valueoften costs companies more thandata with value.

When information and data areno longer required for business,legal, or regulatory purposes, itmust be defensibly disposed. Pri-vacy regulations often requiretimely disposal of information, andprivacy-related litigation is spot-lighting weak privacy managementprocess.

“Chief privacy offers must col-laborate with their IT, business,records management, and legalcounterparts,” summarizes theEDRM. The IGRM provides an in-tegrated process and policy frame-work for that collaboration.

DATA SECURITY

New Zealand Investigates Alleged Breach

Freelance journalist Keith Ngannounced on his blog on October15, 2012, that he had accessed thousands of files on the New

Zealand Ministry of Social Development’s national accounting server.Some of the invoices stored on the server included private information.

The ministry closed down kiosks at the office through which thejournalist was able to access the files, then it engaged an independentsecurity expert to investigate the breach.

The journalist accessed four other servers, but he was not able togain private information from them. The journalist has cooperatedwith the ministry rather than release the information.

The ministy’s chief executive said the ministry does not know ifother breaches had occurred, but he confirmed that no client files wereaccessed. Once it is certain what information was accessed, the min-istry will decide accordingly whether any clients needed to be advised.

GOVERNANCE

New IGRM Version Recognizes Value of Privacy, Security



CLOUD COMPUTING

Cloud Use Can Complicate E-Discovery

As is true in most cases, peo-ple tend to get what theypay for in cloud computing.

And, those using free, consumer-grade cloud services for their cor-porate data may discover thatwhat they are paying nothing for islikely to make e-discovery muchmore difficult.

In an October 1, 2012, article,zdnet.com published the result ofits interviews with various ana-lysts and industry veterans abouthow the unchecked use of cloudcomputing is complicating e-dis-covery efforts. The focus was onthe “unruly use and management”of cloud services, exemplified byorganizations choosing cloud serv-ice providers (CSPs) that have nounderstanding of compliance re-quirements and no real plans forbackup and orderly retrieval.

Organizations that use con-sumer-grade cloud services fortheir corporate data are especiallyvulnerable to legal complications.

Additionally, when employeesstore data on these con-

sumer-grade sitesand there areno records thattrack the action,the data may be

undiscoverable if that em-ployee leaves the organization.

Analyst Barry Murphy ofthe E-Discovery Journal Groupagrees with the idea of due dili-

gence, specifying that or-ganizations must work

closely with CSPs on thee-discovery details andon defining the require-ments for defensiblecollection and preserva-

tion. ARMA International

has published a number ofresources to guide the deci-

sion-making and implemen-

tation of cloud computing into anorganization’s technology infra-structure.

For example, OutsourcingRecords Storage to the Cloud high-lights a number of factors thatshould be considered when movingrecords storage to the cloud, includ-ing suggestions for how to mitigatelegal risk. Here are a few of the keypoints excerpted from the book(which is available for purchase atwww.arma.org/bookstore):• Establish clear rules for employee

use of corporate information sys-tems that include use of systemsoutsourced to the cloud, includ-ing access to the employees’ per-sonal accounts.

• Establish ownership of data andinclude language in any cloudprovider’s service contracts thataddresses the organization’sownership.

• Establish the allocation of liabil-ity for loss or wrongful disclosureof data, preferably as part of thecontract.

• Establish a mechanism with thecloud provider for communicat-ing and implementing legalholds. Make it clear in the servicecontract what the cloudprovider’s obligation is for imple-menting and, possibly, managinglegal holds.These factors must be ad-

dressed in the service level agree-ment with the cloud provider, theguideline stresses.

The fall 2012 issue of ARMA In-ternational’s Hot Topic, “The Shiftin Information Control: E-Discov-ery of Information in the Cloudand on Mobile Devices,” specificallyaddresses the records and informa-tion management, legal, and tech-nology issues surrounding thistopic. It is available as a free PDFdownload from www.arma.org/publications/hottopic.



DATA SECURITY

Big Data Working Group Tackles Privacy and Security

Just over two months afterits launch, the Cloud Secu-rity Alliance’s (CSA) Big

Data Working Group publishedin November 2012 its initial listof the “Top Ten Big Data Secu-rity and Privacy Challenges.”After interviewing CSA mem-bers and security practitioner-oriented trade journals, theworking group determined thatthese challenges are:1. Secure computations in dis-

tributed programming frame-works

2. Security best practices for non-relational data stores

3. Secure data storage and trans-actions logs

4. End-point input validation/fil-tering

5. Real-time security/compliancemonitoring

6. Scalable and composable pri-vacy-preserving data mining

and analytics7. Cryptographically enforced ac-

cess control and secure com-munication

8. Granular access control9. Granular audits

10. Data provenanceThe working group’s report,

which is available at cloudsecurityalliance.org/research/big-data/,describes these challenges andnarrates use cases for each.

Formed in August 2012, CSA’s

Big Data Working Group is taskedwith providing specific actionableinformation and creating stan-dards for big data security and pri-vacy.

According to a Fujitsu press re-lease, the working group will focuson six themes: • Big data-scale crypto• Cloud infrastructure• Data analytics for security• Framework and taxonomy• Policy and governance• Privacy

“Everyday 2.5 quintillion bytesof data are being created resultingin a myriad number of data secu-rity and cloud-computing securityconcerns,” said Sre-eranga Rajan,director of Software Systems Inno-vation at Fujitsu Laboratories ofAmerica and a co-chair of theworking group. “By collaboratingas a global community of thoughtleaders and researchers, we arenot only looking to help the indus-try overcome these challenges butalso to leverage new opportunitiesfor the monitoring and detection ofsecurity threats enabled by bigdata.”

Along with Rajan, Neel Sun-daresan of eBay and Wilco VanGrinkel of Verizon co-chair theworking group.

Those interested in learningmore about the group’s activities orin joining the group should visitcloudsecurityalliance.org/re-search/big-data/.

LEGAL

Courts Broaden Liability for Data Theft

U.S. federal courts are widening theirdefinition of the damages caused bydata breaches, according to an October

29 article on csoonline.com. Whereas courts previously dismissedthese lawsuits unless the victims could show specific damages, judgesincreasing are now awarding them class-action status – a trend thatputs organizations at greater risk of huge payouts.

These payouts can be significant. A study conducted by the Tem-ple University Beasley School of Law and published in early 2012,“Empirical Analysis of Data Breach Litigation,” found that althoughthe mean value of settlements awarded per plaintiff was just $2,500,the mean amount paid for attorney fees was $1.2 million.

To mitigate damages, law firm Pepper Hamilton suggests thatorganizations fortify their technical and physical security, which willnot only help prevent breaches, but will demonstrate a “best prac-tices” approach that can influence the courts positively. The law firmalso advises organizations not to link information to individuals andto have an effective notification policy in place.



PRIVACY

Google’s Regulatory Woes Continue in EU, U.S.

Google has been under fire inEurope regarding privacyissues for quite some time.

In mid-October, France’s privacyrights regulator ruled thatGoogle’s new privacy policy vio-lates the European Union’s (EU)data protection rules. According toBusinessWeek.com, the problemwas that Google did not set a “limitconcerning the scope of the collec-tion and the potential uses of thepersonal data” or give users ade-quate means to opt out. The searchgiant was given three to four

sor of communications and privacyexpert at Kent State University,told eweek.com that any changesGoogle and Microsoft have tomake to meet EU requirementscould eventually be felt in theUnited States.

In the meantime, Frenchmedia petitioned the governmentto require Google and other searchengines to pay for their content.Agence France-Presse (AFP), aFrench news agency, reportedthat Google sent a letter to severalFrench ministerial officers warn-

with threats,” she said.Media association IPG criti-

cized Google’s attitude, contendingthat “the objective of discussionsshould be finding an acceptablecompromise that would recognizethe value [the media] bring tosearch engines and would help thefurther development of [the mediaand search engines],” AFP re-ported.

None of this plays well at atime when Google is under the mi-croscope in the United States andEurope for alleged anti-trust vio-lations. Privacy issues don’t typi-cally play a role in antitrustenforcement, but in Google’s casethey do.

“The issue of privacy is ab-solutely connected to antitrust andcompetition,” Nick Pickles, alawyer and director of Big BrotherWatch, a British advocacy groupfor civil liberties and privacy pro-tections, told BusinesWeek.com.He said that Google’s ability to col-lect data from multiple servicesgives it an unfair advantage incompeting for advertisers.

Microsoft apparently learnedfrom the Google experience whenit introduced its new privacy pol-icy complete with an opt-out. In-stead, the EU was scrutinizingMicrosoft for allegedly violating a2009 commitment to allow Euro-pean Windows users to have achoice of web browsers. The agree-ment struck in 2009 required thatMicrosoft offer a screen of browserchoices to European Windowsusers through 2014. Europeanregulators weren’t pleased whenMicrosoft failed to live up to itsend of the bargain. Microsoft hassince admitted that it had “acci-dentally violated” the earlieragreement and would make cor-rections. END

months to change the policy or befined.

Google maintained that it wasconfident its privacy notices “re-spect European law.”

Although this action was takenby France alone, other countriesare expected to follow suit. EU au-thorities asked the French regula-tor, CNIL, to conduct the review.BusinessWeek.com reported thatEuropean national regulators anddata protection authorities in Aus-tralia, Canada, and several Asiancountries reviewed CNIL’s find-ings before they were presented tothe EU.

Jeffrey Child, associate profes-

ing that such a move could force itto exclude French media sites fromits search results. Google addedthat requiring search media to payfor displaying links to contentwould threaten Google’s existenceand be harmful to the Internet.

Google said it “redirects fourbillion ‘clicks’ per month to Frenchmedia sites.” The media arguethat readers aren’t paying for sub-scriptions because they can get somuch content free on the Internet.

French Culture Minister Au-relie Filippetti told AFP she wassurprised by the tone of Google’sletter. “You don’t deal with a dem-ocratically elected government


government records audit faults sec’s records … · android apps may leak personal data ......

Documents