Overly on Security
Sun 2009-10-11 18:03:55

The recent outage and potential irretrievable data loss in Microsoft’s Sidekick services highlights one of the fundamental flaws in much of what today is known as cloud computing. That is, not only is there the possibility of one’s data being inaccessible due to a service outage, but there is the very real possibility that data may be lost forever because the service provider failed to adequately back up its systems. Ordinarily, these types of risks are mitigated by including strict protections in your contract with the service provider ensuring data will be available when needed and backed up to protect against catastrophic failures. Bear in mind that a contractual commitment allocates the risk but does not by itself recover lost data, so it is worth pairing it with the right to verify the provider’s backups or with an independent copy of the data that you control.

Sun 2009-08-16 19:35:36

California recently joined approximately thirty other states in deciding to amend its Code of Civil Procedure to more directly address electronic evidence.

Wed 2009-07-29 12:05:12

Following up on my last posting regarding the new identity theft Red Flag Rules, the FTC announced today that enforcement will be delayed until November 1. The announcement can be found at: http://www.ftc.gov/opa/2009/07/redflag.shtm. This gives businesses a few more months to bring their operations into compliance.

Fri 2009-07-24 16:52:42

August marks the month for businesses to implement identity theft programs to comply with the Fair & Accurate Credit Transactions Act of 2003. Specifically, Title 16 of the Code of Federal Regulations (CFR) Part 681 requires all financial institutions and creditors to establish a written program to detect, prevent and mitigate identity theft. “Identity theft” is defined as a fraud committed or attempted using the identifying information of another person without authority (see 16 CFR 603.2(a)). The FTC has advised that high risk entities should have more elaborate programs, while low risk entities could have streamlined and less complex programs. In creating their programs, all entities are encouraged to give due regard to specific guidelines provided in an appendix to Part 681.

Tue 2009-06-30 17:54:01

Most businesses that handle highly sensitive information are now sensitized to ensure their vendor and business partner agreements have appropriate protections for confidentiality and security. In particular, given the lax privacy, security, and other laws in many jurisdictions abroad, businesses generally include contractual prohibitions on sending their most sensitive data outside the United States without their prior written authorization. This ensures they know where their data is at all times and, if appropriate, can conduct additional due diligence regarding the facilities and countries to which the data may be sent.

Thu 2009-06-04 12:09:12

In these tough economic times, more and more businesses are turning to layoffs and temporary workers to improve their bottom lines. The transition of workers both out of and into the workplace raises a number of security risks that should not be overlooked. One means of mitigating those risks is to create ingress and egress checklists: checklists of the specific steps that must be completed when transitioning an employee out of the business and when transitioning a temporary or new employee into it. While most companies have these steps identified in various forms in various places, taking the time to bring them together into one omnibus checklist is well worth the effort. Doing so will greatly reduce the possibility of overlooking a key step.

Thu 2009-05-21 11:26:39

If the latest statistics are correct, the use of pirated software remains high. This is of particular concern to businesses, which likely have employees installing illegal software on their systems. The most obvious problem is the high potential for viruses and other harmful code to be propagated from pirated software to the business’ systems. Just recently, pirated copies of the next version of Microsoft Office, due for release later this year, have been circulating on the Internet, and there are reports that some of those copies contain malicious code.

Sun 2009-05-03 18:14:15

If you are in the business of securing Protected Health Information (“PHI”) for a healthcare provider, you have no doubt read in detail the Health Information Technology for Economic and Clinical Health Act (HITECH Act) within the American Recovery and Reinvestment Act of 2009 (the “Act”). As part of the Act, the Department of Health and Human Services (“HHS”) was tasked with defining the term “unsecured PHI” within 60 days of enactment of the HITECH Act. As a result, on April 17, HHS issued the Guidance Specifying the Technologies and Methodologies that Render PHI Unusable, Unreadable, or Indecipherable to Unauthorized Individuals (the “Guidance”).

Tue 2009-04-07 19:11:37

The April issue of Technology Review magazine ran a fascinating story about the work of Marc Stevens, a PhD student in the Netherlands. Using nothing more than a laptop and his PlayStation 3, Marc was able to produce two unrelated files with the same MD5 (Message-Digest algorithm 5) digital fingerprint. Strictly speaking this is a “chosen-prefix collision”: starting from two files of his choosing, he computed a suffix for each, not random junk but carefully calculated blocks, such that the two extended files hash to the same value. That is not the same as matching the fingerprint of an existing file the attacker cannot touch (a second-preimage attack, which remains out of reach), but it is enough to produce two documents, or two certificates, that are interchangeable as far as an MD5-based signature is concerned. Collisions exist for every hash function in theory, since inputs are unbounded and the output is a fixed length, but the ability to force one intentionally by such modest computing means is disturbing. Other flaws have been identified since MD5 was first designed by Ron Rivest in 1991, and in December 2008 the same collision technique was used to create a rogue certificate authority certificate that browsers would have accepted as valid. This points out the continuing (and expected) trend that as our knowledge of cryptanalysis increases and computing power becomes less expensive, previously secure algorithms and technologies are being compromised at an ever more rapid rate.
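To make the collision concrete, the following example, added here and not part of the original post or of Stevens’ work, uses the two 128-byte colliding inputs published by Wang, Feng, Lai and Yu in 2004 (the identical-prefix MD5 collision that preceded the chosen-prefix technique). It checks that they really collide, shows that any common suffix appended to both preserves the collision (a property of MD5’s block-chained construction, which is how a collision in a pair of blocks becomes a collision in a pair of full documents), shows that a different common prefix destroys it (which is why chosen-prefix collisions were the harder and more dangerous step), and shows that SHA-256 tells the two inputs apart. The contract text used as a suffix is constructed for the example.

```python
"""Added example: a published MD5 collision pair and what can be built on it."""
import hashlib

# Colliding 128-byte inputs published by Wang, Feng, Lai and Yu (2004).
# They differ in only six bytes (one bit in each) yet share an MD5 digest.
_COLLIDING_1 = (
    "d131dd02c5e6eec4693d9a0698aff95c2fcab58712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e488832571415a085125e8f7cdc99fd91dbdf280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e2b487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080a80d1ec69821bcb6a8839396f9652b6ff72a70"
)
_COLLIDING_2 = (
    "d131dd02c5e6eec4693d9a0698aff95c2fcab50712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e4888325f1415a085125e8f7cdc99fd91dbd7280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e23487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080280d1ec69821bcb6a8839396f965ab6ff72a70"
)
MSG_A = bytes.fromhex(_COLLIDING_1)
MSG_B = bytes.fromhex(_COLLIDING_2)


def digest(algo: str, data: bytes) -> str:
    """Hex digest of data under the named hashlib algorithm."""
    return hashlib.new(algo, data).hexdigest()


def collides(algo: str, a: bytes, b: bytes) -> bool:
    """True only when a and b are different inputs with the same digest."""
    return a != b and digest(algo, a) == digest(algo, b)


def differing_offsets(a: bytes, b: bytes) -> list:
    """Byte offsets at which two equal-length inputs differ."""
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]


def demo() -> dict:
    # Constructed payload: the kind of text that would follow the collision
    # blocks in a pair of otherwise identical documents.
    suffix = b"\nThis is the agreed text of the contract.\n"
    prefix = b"some-other-header:"
    return {
        # The pair collides under MD5 as published.
        "md5_collision": collides("md5", MSG_A, MSG_B),
        # Merkle-Damgard chaining: same suffix on both keeps the collision,
        # so either "document" can be swapped for the other under an MD5 signature.
        "md5_survives_common_suffix": collides("md5", MSG_A + suffix, MSG_B + suffix),
        # A different prefix changes the chaining state the blocks start from,
        # so this identical-prefix collision no longer holds.
        "md5_survives_different_prefix": collides("md5", prefix + MSG_A, prefix + MSG_B),
        # A hash without the known weakness separates the two inputs.
        "sha256_collision": collides("sha256", MSG_A, MSG_B),
        "differing_bytes": len(differing_offsets(MSG_A, MSG_B)),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The practical lesson is the second line of the output: once an attacker holds one colliding pair, everything appended after it rides along for free, which is why MD5 (and any hash with a known collision attack) should not be relied on anywhere a signature or fingerprint is meant to bind a party to a document.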
