Your business is an international company selling products to U.S. consumers. In the last few years, you may have heard a lot about high-profile information privacy and security cases brought by the U.S. government. Should you be concerned? Most definitely.

On Feb. 23, 2016, the FTC announced that Taiwan-based computer hardware maker ASUSTeK Computers, Inc. (“ASUS”) agreed to a 20-year consent order, resolving claims that it engaged in unfair and deceptive practices in connection with routers it sold to U.S. consumers. According to the FTC’s complaint, ASUS failed to take reasonable steps to secure the software for its routers, which it offered to consumers specifically for protecting their local networks and accessing their sensitive personal information. The FTC alleged that ASUS’s router firmware and admin console were susceptible to a number of “well-known and reasonably foreseeable vulnerabilities”; that its cloud applications included multiple vulnerabilities that would allow cyber attackers to gain easy, unauthorized access to consumers’ files and router login credentials; and that the application encouraged consumers to choose weak login credentials. By failing to take reasonable actions to remedy these issues, ASUS subjected its customers to a significant risk that their sensitive personal information and local networks would be subject to unauthorized access.
Continue Reading FTC v. ASUS – In the Internet age, being a foreign-based company is no defense

All encryption tools are not created equal. Just ask the folks at Microsoft, who have recently demonstrated that encrypted Electronic Medical Record databases can leak information. Turns out that CryptDB, a SQL database add-on developed at MIT that allows searching of encrypted data, allows search queries to be combined with information in the public domain to hack the database. More on this in a minute. In the meantime, let’s consider the assumption that encryption is inviolate/ infrangible/ impervious to hacks. As I mentioned in an earlier post, encryption algorithms are too complex for most laypersons to understand, but we should at least wrap our heads around the concept that encryption is not a “set it and forget it” technology, nor is it foolproof.
Continue Reading Why encryption is less secure than you think

For those who observe it, the Christmas season (secular version 2.0) is definitely here. As a child, I cherished the thought of a man with a red suit accessing our house through the chimney. For those of us concerned about computer system security, we worry about a person with a black hat accessing our data through phishing, hacking, and malware. I hate to mention, well, you know who, but someone out there loves the thought of taking your Whoville roast beast.

Enjoy the next few days with your family and friends, but remember, it’s also time to consider your data security for 2016. Knowing you, once you’ve opened all the presents, eaten dinner, and just settled down for a moment of quiet sanity, your thoughts will inevitably turn to the new year. So, here are six holiday-themed recommendations for your consideration. If you don’t recognize the quotes below, that means you didn’t spend your childhood binge-watching classic holiday programs. Not a worry – simply unwrap the answer key at the bottom.
Continue Reading I’m making a list, securing it twice…

 will be missed, but his wisdom will endure. Who else could have observed “No one goes there nowadays. It’s too crowded”? The information governance equivalent is “No one has information anymore. There’s too much of it.” In the last decade we have witnessed the systemic utilitization of computing power. Data used to be housed predominantly within a company’s own systems, but now, through remote storage, SaaS, PaaS, and other cloud solutions, more and more information is hosted by third-party providers. Also, as marketplace forces compel organizations to leverage or outsource functions that used to reside internally, operational service providers increasingly create, receive, maintain, and process information on the organization’s behalf.

It follows that information governance (the organization’s approach to satisfying information compliance and controlling information risk while maximizing information value) can no longer simply be an internally-focused exercise. IG “has come to a fork in the road, and must take it.” Service provider selection, contracting, and oversight are now primary vehicles of information governance – because when it comes to governing your organization’s information, “the future ain’t what it used to be.”
Continue Reading 90% of information governance is half contracting

Last Friday, when Amazon’s market cap pushed past Walmart’s, the headlines almost wrote themselves – “Internet Retailer Amazon Topples Traditional Retailer Walmart,” or the like. The lead angle? Amazon’s information-based business model had surpassed Walmart’s old-school, bricks and mortar business concept. Just one problem – totally wrong lead, with the totally wrong point.
Continue Reading We’re ALL in the information business

Old-school company intranets are like soooo boring. Why not juice things up? Sure, we’ll keep the one-directional content (employee policies, company announcements, etc.), but let’s add a dynamic platform for employee interactive training modules, capturing employee responses and quiz results. Why stop there – how about a message board for employees, to turn dull company communications into an energized conversation? And in today’s mobile world, shouldn’t we enable remote access from anywhere our employees happen to be, 24/7? What could possibly go wrong?

Well … a whole lot will go wrong, unless the company first applies an information governance perspective. So let’s ask a few questions to explore what information risks and compliance issues are at play.
Continue Reading IG perspective: adding social media to workplace websites

I met this grumpy fellow in Sabi Sands, South Africa, and took this picture with my phone (nope, no zoom… wish he’d been further away). The experience reminded me of the fable about the Blind Men and the Elephant, a classic allegory for how we often do not perceive the big picture, but instead only the part we directly encounter. This fable has become a useful metaphor for Information Governance. In so many organizations, individual departments and functions have their own, limited perspectives on information, seeing only the issues and objectives with which they are directly familiar. Limited perspective yields limited perception – not a good thing for identifying, understanding, and controlling organizational risk. Information Governance is the means through which organizations can bridge across such silos and perceive the big picture of information compliance, risk, and value.

Actually, I prefer a different version, restyled as the Blind Elephants and the Man.
Continue Reading Information governance in perspective

Some old problems never seem to go away. Email retention remains an obstinate dilemma for far too many organizations. Volumes continue to mount, with business email totaling 109 billion messages every day, and forecasted growth of 7 percent each year. Email archives and cloud email solutions address the symptom of overburdened servers, but these strategies do nothing to tackle the core problem, which is too much email, kept too long. And the cost of email retention outstrips the cost of email storage, in large part due to e-discovery expense in future litigation.

The cold, hard truth is that the persistent problem of email volume will not be solved with technology alone. What’s needed, and frankly overdue, is a bit more organizational discipline and direction on email retention. 
Continue Reading How long must we keep our email?