Monday, November 21, 2011
Identity Theft: Stolen Laptop Response
Encrypt, secure, prohibit or pay the price!
That's what Congress and state legislators should tell Ernst & Young, Veterans Affairs and other companies and agencies that play fast and loose with our personal data.
In the last several days, major news networks and countless online news sources reported two more incidents of lost or stolen laptops containing personal data of millions of individuals. The first theft involved a laptop stolen from a Veterans Affairs employee. Follow-up reports on that theft go from bad to worse, indicating 2.2 million active-duty personnel are now at risk for identity theft [http://www.cnn.com/2006/US/06/07/vets.data.ap/index.html]. The lost data in this case includes Social Security numbers.
The second incident involved a laptop stolen from an Ernst & Young employee. That laptop contained the personal data, including credit card information, of approximately 243,000 customers of Hotels.Com who had booked rooms between 2002 and 2004. In a way, this second incident is more egregious because losing laptops is reportedly commonplace for Ernst & Young.
Nokia staff jacked by Ernst & Young laptop loss (30 March 2006)
40,000 BP workers exposed in Ernst & Young laptop loss (23 March 2006)
Lost Ernst & Young laptop exposes IBM staff (15 March 2006)
Readers amazed by Ernst & Young's laptop giveaway (4 March 2006)
Ernst & Young loses four more laptops (26 February 2006)
Ernst & Young fails to disclose high-profile data loss (25 February 2006)
According to The Register, a British technology news site, password protection was the only security available on some of the laptops lost by Ernst & Young during a prior incident, and any avid computer user knows password protection can be easily compromised. What about the laptops more recently lost by Ernst & Young employees? Was the data contained in those laptops encrypted? Are there any company policies limiting the extent of personal data that may leave the office, where presumably network security standards and firewall protection are in place? Are there any company rules prohibiting employees from leaving laptops unattended (though you would think common sense would be enough)? Or better still, are there rules prohibiting the transfer of personal data to employee laptops? I expect there aren't. If any such measures were in place, Ernst & Young's public relations people would have plastered that all over the media to reassure clients and the public in an attempt to save the firm's corporate derriere.
Ernst & Young and the VA are not the only entities that have lost laptops with personal data, and most of these entities have developed a typical response straight from the Corporate Playbook. Ernst & Young has agreed to offer Hotels.Com customers a year's free credit monitoring. That's no compensation for someone who will have to spend potentially years clearing up a resulting bad credit history. Anyone who's been in the tenuous position of having to prove they do not owe a debt they do not owe will tell you that. If Ernst & Young created a task force to help consumers clear identity theft issues, then maybe that could be considered compensatory. If they offered to pay legal fees for anyone having to clear resulting bad credit histories, or pay state fines for prosecution of identity thieves, that might be considered compensatory. If they committed to and implemented a program to encrypt and secure the data and, in particular, prohibited downloading of personal data to portable computers in the first place, that would be considered the best move of all.
Employees of the auditing companies don't seem to care what happens to your personal data. The Register reported that, in one case, employees left laptops in an unattended conference room while they went off to lunch. You can just see how that might happen. They're in Miami at yet another conference. The conference is at a downtown hotel they've been to a couple of times. They're familiar with the hotel and the area, so already they feel some false sense of security. Someone's been talking for hours about converting more sales, pushing certain investments, or their company's new data recovery center that will help clients feel more secure. Anyway, the speaker stops to take a breath and everyone realizes it's a good time to break for lunch. They're coming back to the room so, hey, why lug around those heavy laptops? Aren't they coming back to the room for the second half of the conference? Do they even ask if the conference room will be locked during lunch? Of course not. They're company laptops. What's a few lost laptops to a big corporation like Ernst & Young?
Maybe these irresponsible employees need a little incentive to show better judgment. Suspending reality for just a moment, wouldn't it be interesting if, any time one of these employees acted that irresponsibly, his or her Social Security number were posted on StupidIrresponsibleJerks.Com? That way they could sweat it out with the rest of us who have personal data floating out there and possibly in the wrong hands. While we're at it, let's also expose the personal data of policymakers at these auditing companies who are too shortsighted to better secure your data and the company's reputation. Let them sweat it out too. At a minimum, how about if these employees immediately lost their jobs, were required to be individually named in negligence lawsuits filed by victims of identity theft, or at a minimum SIMPLY HAD TO PAY FOR THE LOST LAPTOPS? I bet we'd see a decrease in stolen laptops then. Seriously people, some of these employees were so careless you can almost imagine them extending their arms and presenting the laptop to Joe Thief. "Here, take it. I'd give you my Windows password too, but you won't need it. I didn't bother to log off before going to lunch. Check out my Paris Hilton screen saver."
Most of these companies that have lost laptops with sensitive data try to pacify the public by saying the thieves are just after the hardware. Sure. That's like telling a home burglary victim the burglar just wants your jewelry box. He's not really interested in the ,000 tear-drop diamond earrings you had inside. Bull. When a thief steals, every part of the stolen item has value. Everything. Even a computer-illiterate thief knows there will be programs on a laptop and, if he knows what's loaded, he can better evaluate the asking price when he fences it.
Ernst & Young's web site praises the company's network security measures in their section titled "Security and Technology Solutions." These measures may well be admirable. However, too often individuals, companies, and the public in general are so focused on stuff going over the Internet that they forget about stuff sitting in hard drives. A truly secure network focuses on the data stream (information being transferred) and on data storage (information waiting to be used). In my dreams, my personal data is properly stored in a secure location, in a building with armed guards, vicious dogs, and an unfriendly receptionist. Well, I can hope. I can also hope that some of that data might also be encrypted. I realize my personal data with one institution may be stored in more than one location; for example, Building A (their main offices) and Building B (a branch office or, better still, a data recovery center). But not in my wildest imagining would I expect that any business storing my personal data would allow it to be downloaded and stored on a laptop that an employee can take home where he does his online shopping. I know I also don't expect that the laptop with my personal data is being left unattended in a hotel conference room, on a bar counter or in someone's car. I don't care how many financial or online banking agreements I sign. I'm never consenting to anyone downloading my personal information to a laptop. No one consents to the mishandling of their personal data.
I have yet to read any banking or credit agreement that expressly states the information will be downloaded to a laptop or in any way made available to anyone outside the secured network of the financial institution. There is a vague all-encompassing comment about information sharing, but the appearance given by these institutions is that the information will be handled and shared in a secure method over an encrypted Internet connection. Everything they say about their security has to do with their firewalled and encrypted data streams. To me that means that anyone working from home and needing access to my personal data is doing that using one of the many encrypted remote access programs that are out there: for example, Windows Remote Desktop or GoToMyPC or some other Citrix product. These programs are by no means impenetrable, but they are simply a better option, utterly available and far more secure. That's just not the case with data downloaded to laptops without encryption or adequate password protection (though passwords are simply not enough). Over the years, I have used a number of remote access programs to log into my office and work on client files. I've even used a laptop to work downstairs on files stored on my main computer in an upstairs bedroom. The remote desktop creates a window that shows me the programs and data files on the main workstation or network server that is hosting my connection and contains what I need to see. I am NEVER required to download any data to the laptop to work remotely on it. That's the whole point of the remote access software.
By compelling employees to log in, do the work and immediately exit the remote access program, Ernst & Young, the VA and any other entity that stores personal data minimize the window of opportunity for your personal data to fall into the wrong hands, while the data remains behind an encrypted and presumably firewalled connection during the entire time that it may need to be accessed. During remote access sessions, the company retains control of your information and there is oversight of the employee's use of your information. Best of all, if your personal data is not needed during that particular remote access session, it never even becomes part of the encrypted data stream traveling over the Internet. This would expose even fewer people to the threat of identity theft. Think about it. Can any Ernst & Young employee work on the data of 243,000 Hotels.Com customers during one remote access session? Can one VA employee work on the accounts of 2.2 million active-duty personnel during one online remote access session? And yet, both these individuals collectively had the personal data of nearly 2.5 million people stored on their laptops and immediately available to anyone using their laptops. Why?
There ought to be a law, right? Oh, absolutely. Congress should immediately implement its own measures, including possibly levying fines against any entity that acts irresponsibly with your personal data, and should impose broader guidelines regarding access to your personal data. In 1996 Congress enacted the Health Insurance Portability and Accountability Act (HIPAA) regulating the use of and access to personal health information and related identifying personal data, like medical record numbers and Social Security numbers contained in patient medical records. Though HIPAA caused a lot of headaches in the medical and legal communities, it validated concerns over privacy. HIPAA was still a step in the right direction even if, like most legislation, it needs to evolve to better reflect the legislative intent. Similar legislation needs to be considered with respect to the personal data maintained by businesses and financial institutions. A person shouldn't have to get sick to protect his or her personal data, though the apparent lack of security is sure to make you sick.
Although HIPAA addressed privacy concerns, the issue of protecting personal data isn't a question of privacy; it's a question of security. Protecting personal data could easily fall within the purview of Homeland Security. Personal data needs to remain secure because the casual criminal is not the only one making use of it. Whether it's to raise fear or awareness, our government consistently tells us about the manner in which terrorists make use of other people's personal data to create phony IDs, buy cell phones, or book plane tickets. It's not a leap of logic to suggest that protecting personal data thwarts terrorist activity. A bold politician might even say failure to do so is a breach of national security. But that's going a bit too far, don't you think? Certainly, though, it's conceivable that personal data has the potential of falling into the hands of someone desiring more than just an overpriced pair of shoes, hair extensions or HDTV.
Other measures offer consumers far more protection than we've been seeing. There are currently legislative initiatives in certain states that would allow their residents to place a security freeze on their credit files, prohibiting any new credit or loan application from going through without the consumer's authorized PIN number. The freeze would allow consumers to lock their credit and temporarily unlock it when they know they will be applying for a loan or need to make some other type of major purchase. For more on security freezes, read the June 8, 2006, Home Watch article on WomensWebWatch.Com. A link to that site is provided in the author's bio below.
Ernst & Young is not a small operation. It is a successful business with, I imagine, an exceptional track record and the ability to provide solid services or it would not be retained by so many reputable businesses. However, the best company can show poor judgment and in this case it has. To be fair, I surmise that, like all companies, Ernst & Young has careless employees and most certainly careful ones. The company as a whole may be undeserving of the resulting bad reputation it's getting. On the other hand, it has not shown it's done enough to curb the loss of personal data. Frankly, even the most careful employee can be overwhelmed during a crime, or overly fatigued, and become dispossessed of his or her laptop. There is little compelling reason for those laptops to contain personal data. Every entity that handles personal data needs to implement a zero-download policy and issue essentially dumb terminals to their employees (laptops just for remote access).
Too many times, these institutions forgo implementing some security measures because, they argue, no measure is 100% foolproof. They claim it would not be cost-effective for them to implement measures that can be breached. Well, every one of them has already implemented security measures which are not impenetrable. Most of these places already use encrypted Internet security connections for their data streams because failure to do so in this day and age is unthinkable, right? I've even heard that some of these places lock their doors at night so someone can't walk in and steal the CEO's favorite coffee cup. Adopting a company policy prohibiting the download of personal data to laptops is as expensive as sending around a memo about the upcoming company picnic. There is no need to download the data. Workers can still remotely access the encrypted data using adequate alphanumeric passwords through a secure Internet connection behind firewalls on both sides, on the host computer and remote desktop. No, it's not 100% foolproof. That's true. My front door can be broken down, but I still lock it at night. Allowing downloads of sensitive data to laptops is the same as leaving the front door wide open.