Six breach reports in the UK: the floodgates are open

In Dissent’s weekly roundup of breaches, there were six breaches reported for the UK, versus nine in the US. It seems that the duty of care approach is really taking off.

Newly reported incidents in the U.K. and Ireland:

  • In Ireland, the Driver and Vehicle Licensing Agency has lost the personal details of 6,000 people. The unencrypted data were on two discs that went missing after being sent to the agency’s headquarters in Swansea. This was the second incident involving the DVLA in a month.
  • The Leeds Building Society has warned its staff of 1,000 to be vigilant after admitting to losing their personal details including bank and salary details when the company’s human resources department was moved during a refurbishment of its head office.
  • In the UK: government officials mistakenly sent confidential personal details consisting of names, dates of birth and criminal histories of dozens of inmates set to be released; the data were sent to a private business. The personal details also reveal the addresses the prisoners will move to after leaving jail.
  • Hundreds of people have had personal pension details sent to the wrong addresses after an error by a Herts County Council contractor, Serco. Serco sent 1,400 statements for staff, former staff and councillors to the wrong destinations because of an “administrative error”. The statements included the person’s name, date of birth, national insurance number, and pensionable pay. So far, only 400 of the statements have been returned to the county council leaving 1,000 still missing.
  • A laptop with the names, addresses, phone numbers and dates of birth of 950 diabetes patients of NHS patients was stolen from the St Julian’s GP surgery. Data on the stolen laptop also include a link to a picture of patients’ retinas — already they have a problem with the security of biometric data before they have implemented any ID system, it seems — Dissent.
  • Sefton Primary Care Trust has accidentally sent about 1800 of its staff’s records to four organisations it is refusing to name. Staff details including dates of birth, national insurance numbers, pensions and salary details. The four companies were bidding for work with the trust. The Trust is reportedly not revealing the names of the four companies because of “commercial confidentiality”. They seem to take “commercial confidentiality” more seriously than employee confidentiality — Dissent.

In related news, BoingBoing covered a petition for mandatory disclosure in the UK. It’s for British citizens and residents only. If you’re in the UK, or a citizen, in an overseas territory or Crown dependency, you may and should sign.

Transparency lessons from the NFL

I think the NFL’s handling of spying by the New England Patriots is poor. Of course, I expect retrograde, authoritarian, clumsy behavior from the NFL, and I haven’t been disappointed in the few decades I’ve been paying attention.
The New York Times covered this issue (the spying, not the decades). In their December 16 article, they quoted crisis management experts. Thinking about some of the big information exposure incidents we’ve seen, consider how applicable these observations might be.

The strategy is profoundly bad, I don’t know why they would destroy [taped evidence]. That’s astounding. There’s no criminality here, but it sure doesn’t pass the smell test.

Al Tortorella, managing director of crisis management, Ogilvy Public Relations Worldwide

They’re rolling the dice that the whole thing is just going to go away. And here’s the thing — a lot of this could be avoided.

Greg Wilson, crisis counselor and senior vice president, Levick Strategic Communications

Wilson sees a crisis that requires managing, a “clear-cut case of all the parties needing to rip off the Band-Aid as soon as possible.” The goal of managing any crisis, he said, is to acknowledge the black eye and compress the time it lasts.
Wilson says the American public generally wants to hear what he calls the Big Three of crisis management: I am sorry. I take responsibility. And I will fix it.

NYT, 12/16/2007

The Words of our (Founding) Fathers

There’s an article in the Washington Post, “In the Course of Human Events, Still Unpublished.” It’s about how the papers of the founding fathers of the United States are still not available except in physical form, and the scholarly practice that keeps them there.

Many of the founding fathers’ letters have been transcribed and made available over the years, and the original documents can increasingly be found online. But it is the painstaking annotation of these thousands of documents — their detailed explanation — that takes so long. Scholars check and double-check each reference and then try to explain each one and put it in context. A page of the massive annotated tomes can contain a snippet of a document and then a long footnote of explanation.

It seems to me that, while useful, footnotes and explanations inevitably reflect the time in which they’re written. The writings of those brilliant men usually speak for themselves. There’s certainly context and explanation that adds to it, but for heaven’s sake, get the originals out there. They’re far more important than the footnotes.

Deloitte & Touche, Ponemon Study on Breaches

According to Dark Reading, “Study: Breaches of Personal Data Now Prevalent in Enterprises:”

According to a study released yesterday by the Ponemon Institute and Deloitte & Touche, 85 percent of the security or privacy executive surveyed — some 800 individuals — claimed at least one reportable security incident in the past 12 months.

Sixty-three percent said they have experienced between six and 20 breaches affecting personally identifiable information (PII) in the past year.

Most of the reporting is on that 85% number. I think the second number is far more interesting — 63% have experiences more than 5 breaches–that shocks me. I’m way behind on Ponemon Institute research, and I hope to say more shortly.

[Update: see the comments for some excellent analysis.]

Clark Kent Ervin on TSA Security

Normally, it’s not news when someone takes aim at TSA policies like this:

If you are someone who suspects that what is billed as “aviation security” is often more show than substance, you are not alone. In fact, you are part of what Nixon aides used to call the “silent majority.” The security bureaucracy seems to think that as long as it is seen as doing something, and so long as another terror attack does not occur, the public will at least feel secure enough not to insist that it do whatever needs to be done actually to make us secure.

It’s a bit more unusual when that someone is the former inspector general of the Department of Homeland Security. Go read what Ervin has to say in “Screening Dreams.” is not asking "Will Privacy Sell"

There’s a bunch of press around’s marketing of their new privacy service. I applaud them for thinking about this, and for drawing attention to the issue of search privacy. The New York Times had a story, “ Puts a Bet on Privacy” and now Slashdot jumps in with “Will Privacy Sell?” This is the wrong question to ask, and is going to lead to bad thinking for a long time, because what is selling is not privacy, and it’s not a complete product. I’ll explain what it is, why it’s not privacy, and why it’s not going to sell.

The idea is that if you use AskEraser, Ask will not log what you’re doing. Sounds good, right? No AOL embarrassing disclosures! What could possibly go wrong?

the information typed by users of AskEraser into will not disappear completely. relies on Google to deliver many of the ads that appear next to its search results. Under an agreement between the two companies, will continue to pass query information on to Google. Mr. Leeds acknowledged that AskEraser cannot promise complete anonymity, but said it would greatly increase privacy protections for users who want them, as Google is contractually constrained in what it can do with that information.

So the user doesn’t really get privacy. They get privacy with regards to, but not with respect to Google. That’s not compelling. So I agree with Larry Ponemon, this isn’t going to be competitive advantage, but he’s wrong when he says “Privacy only becomes important to the average consumer when something blows up.” Privacy is important to people, and they pay for it on a very regular basis, under two conditions:

  • First, they understand the threat.
  • Second, they understand the product being sold, and how it will protect them.

If you meet both of those conditions, and have an otherwise good product, you’re golden. Ask fails on both. Curtains, mailboxes, and single family detached houses are all sold on the basis of privacy. People understand others looking in their windows, and they understand curtains protect them. People don’t deeply get search engine record retention, and if they do, those who dig into AskEraser discover that Google can still keep its records.

So, what is doing is offering a half-baked product. So if the question is “will half-baked products sell,” then I think we all know they won’t.

It’s too bad that this is going to be seen as a nail in privacy’s coffin. Nice move, Slashdot.

(This post draws heavily on my talk at the 2nd
Annual Workshop on Economics and Information Security
, where I presented
on Paying for Privacy: Consumers and
(or PDF or PPT) in
which I look at consumer’s willingness to pay for privacy.)

Image: Google Street View looks through a window.

So when's the Chicago gig, gents?

'Good Times Bad Times'
'Ramble On'
'Black Dog'
'In My Time Of Dying' (full version)
'For Your Life'
'Trampled Under Foot'
'Nobody's Fault But Mine'
'No Quarter'
'Since I've Been Loving You'
'Dazed And Confused'
'Stairway To Heaven'
'The Song Remains The Same'
'Misty Mountain Hop'
'Whole Lotta Love'
'Rock And Roll'

Playlist via:

Apparently, it was a righteous show…
Updated: Links to video added.