tag:blogger.com,1999:blog-26072530045581429332024-02-08T02:46:38.946+00:00The 3BView PointThis blog talks about 3BView the company, the technology, what's going on in our markets of metadata removal, data leak prevention and document transformation.Cathy Brodehttp://www.blogger.com/profile/06597687600616242842noreply@blogger.comBlogger52125tag:blogger.com,1999:blog-2607253004558142933.post-50746628589558561422010-04-21T10:06:00.005+01:002010-04-21T13:27:20.573+01:00Minnesota Ethics - Opinion 22 adoptedAt the meeting of the Minnesota Lawyers Professional Responsibility Board at the end of last month <a href="http://www.mncourts.gov/lprb/Opinion22.pdf">Opinion No 22</a> was adopted.<br /><br />This Opinion, originally drafted in January this year, addresses lawyers' ethical obligations regarding document metadata.<br /><br />Minnesota joins many other Professional responsibility committees at several bar associations in other states in the US in adopting such an opinion. A summary table of most of the Ethics Opinions in place can be found at the <a href="http://www.abanet.org/tech/ltrc/fyidocs/metadatachart.html">ABA Technology Legal Resource Centre</a>. Taking the ABA's table headings, the summary of the Minnesota Ethics opinion is:<br /><br /><br /><span style="font-weight: bold;">What is the Sender's Duty When Transmitting Metadata?</span><br />"...a lawyer is ethically required to act competently to avoid improper disclosure of confidential and privileged information in metadata in electronic documents."<br /><span style="font-weight: bold;">May the Recipient Review or "Mine" Metadata</span>?<br />"Opinion 22 is not meant to suggest there is an ethical obligation on a receiving lawyer to look or not to look for metadata in an electronic document. 
Whether and when a lawyer may be advised to look or not to look for such metadata is a fact specific question beyond the scope of this Opinion."<br /><span style="font-weight: bold;">Must the Recipient Notify Sender if Metadata is Found?</span><br />Yes - "If a lawyer receives a document which the lawyer knows or reasonably should know inadvertently contains confidential or privileged metadata, the lawyer shall promptly notify the document’s sender as required by Rule 4.4(b), MRPC."<br /><br />The full Minnesota opinion can be found at <a href="http://www.mncourts.gov/lprb/Opinion22.pdf">www.mncourts.gov/lprb/Opinion22.pdf</a><br /><br />Cathy Brodehttp://www.blogger.com/profile/06597687600616242842noreply@blogger.com0tag:blogger.com,1999:blog-2607253004558142933.post-62298479967661417522010-02-26T18:02:00.001+00:002010-02-26T18:01:40.968+00:00Opinions on document metadata in 2009Finishing off a presentation for a screen-cast next week and wanted to check I had a date right (well it is Friday) and found the post below in draft. 
So, despite it being the end of the second month of 2010, a couple of ethics opinions released in 2009 and some links to resources on other ethics opinions:<br /><br />In June 2009 West Virginia Lawyer Disciplinary Board released its <a href="http://www.scribd.com/doc/16476421/What-is-Metadata-and-Why-Should-Lawyers-be-Cautious-WVa-Legal-Ethics-Opinion-200901">ethics opinion on document metadata</a> finding that there is a burden on an attorney to take reasonable steps to protect metadata in transmitted documents.<br /><br />As <a href="http://www.legalethics.com/?p=467">reported </a>in October 2009, this was followed by the Vermont Bar Association issuing an opinion on metadata.<br /><br />The ABA has a <a href="http://www.abanet.org/tech/ltrc/fyidocs/metadatachart.html">table </a>of the opinions that it maintains (last updated Sept 2009 at the time of writing). The <a href="http://www.legalethics.com/?cat=2">LegalEthics website</a> is another good source.Cathy Brodehttp://www.blogger.com/profile/06597687600616242842noreply@blogger.com0tag:blogger.com,1999:blog-2607253004558142933.post-6807511153621903062010-02-11T11:15:00.008+00:002010-02-12T17:05:19.858+00:00Peer-to-Peer articles: access to documents from iPhoneThere was a great response to the survey we ran in October with 236 legal professionals providing us with information on what mobile devices they and their firms use and the functions/applications they use the mobile device for, with particular focus on documents and email.<br /><br />What with my analysis of these responses, writing the <a href="http://3bview.com/download/3BView%20Survey%20Results%202009.pdf">report</a> on the results of the survey, in parallel writing an article on the ‘The Often Overlooked Mobile Security Gap’ for ILTA’s December edition of <a href="http://www.mygazines.com/issue/4983">Peer-to-Peer</a> (it is the lead article – see page 8 or <a href="http://3bview.com/download/ILTA%20Mobile%20Security%20Gap.pdf">download a copy</a>), 
followed by a white paper <a href="http://3bview.com/download/Mobile%20Security%20Gap%20White%20paper.pdf">‘Document Metadata: The Mobile Security Gap’</a> that comments in more depth on the results of the survey, pulling in results of other surveys around mobile usage that were undertaken in the latter part of 2009, not to mention a week's vacation with the family, the Christmas holidays, a week in Chicago followed by a week in New York for LegalTech, it's been a while since I last posted a blog entry!<br /><br />There are numerous items worthy of comment from the intervening months. The reprint by <a href="http://www.technolawyer.com/technofeature.asp">TechnoLawyer</a> this week of one of the other articles in December’s Peer-to-Peer magazine provides me with a good starting point. The article is by Christopher Lewis of Sonnenschein Nath & Rosenthal LLP and looks at the iPhone as a business tool and how it enhances the productivity of the attorneys at Sonnenschein when they are mobile.<br /><br />One of the items that caught my eye when I re-read the article in TechnoLawyer was the success story quoted where a Sonnenschein attorney was onsite with a client who didn’t have the documents needed. The attorney accessed the Sonnenschein content and collaboration portal using his iPhone, downloaded the documents and forwarded them to the client.<br /><br />56% of the respondents to the 3BView survey said that they had access to centrally stored documents from their mobile device, i.e. they have the same capability as the Sonnenschein attorneys.<br /><br />I hope (and suspect) that this figure will increase within 2010. Why? Take a couple of other statistics from the 3BView survey alone:<br /><ul><li>39% of respondents store business documents on their mobile device. With my past experience in document management and also in DLP systems, this makes alarm bells ring. 
I am sure the same bells are ringing for risk/security managers within law firms or for those with responsibility for corporate legal departments; </li></ul><ul><li>The majority of those who have access to centrally stored documents reported that they attach a document to an email they send from their mobile device at least once a month. A quarter of all respondents do so at least weekly.</li></ul><br />The last thing on the attorney's mind in a situation such as the one that the Sonnenschein attorney found themselves in will be the fact that they are bypassing any desktop-based tools, including any that scrub document metadata. <br /><br />As I’ve been stating in articles/papers to date, and will keep on saying throughout this year and beyond, increasing productivity of the legal professional even when they are mobile makes sound business sense. However, the management, control and security measures in place for in-office equipment must be extended to mobile devices. This includes document security aspects such as scrubbing metadata.Cathy Brodehttp://www.blogger.com/profile/06597687600616242842noreply@blogger.com0tag:blogger.com,1999:blog-2607253004558142933.post-18750899993193020942009-10-29T19:53:00.004+00:002009-10-29T20:08:10.644+00:00SWISS red-faced over metadata information left in press release Whatever your view on where we are on the economic road to recovery (or not), no business can afford any tarnish to its external image. As reported in the <a href="http://www.guardian.co.uk/business/andrew-clark-on-america/2009/oct/27/swiss-air-canada-press-release">Guardian</a> this week, Swiss International Air Lines Ltd has a red face and a tarnish to its image, in Canada at least, due to an inadvertent leak of metadata.
<br />
<br />SWISS, as they refer to themselves in the press release, included review comments in the document that they sent out. Although the press release might be 'boring,' as reported by the <a href="http://www.guardian.co.uk/business/andrew-clark-on-america/2009/oct/27/swiss-air-canada-press-release">Guardian</a>, it provides a salutary lesson on how features that are useful in the review stage of a document can be a danger if they are not managed correctly when completing the final version that will be sent out.
<br />
<br />The file, comments and all, can be found on the <a href="http://image.guardian.co.uk/sys-files/Business/pdf/2009/10/27/Swiss.pdf">Guardian website</a>.
<br />
<br />Companies need to remember that converting a document to PDF alone does not protect them from leakage of confidential or embarrassing information via metadata. Although I was not personally sent the press release, and it is not obvious from the posting on the Guardian site, I would say that the release was sent in PDF. Take a look at the other metadata in the PDF file and see what you think (PDF Producer: produced on a Mac, author: initials in this instance, and so on).
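A pre-send check for the kind of residue described above, as an added example (not code from this blog or from 3BView): it scans a PDF's raw bytes for document-information fields, review-comment annotations and an XMP packet. The sample file and the names `scan_pdf`, `dict_string`, `read_pdf_string` and `needs_scrub` are constructed for illustration; the byte scan only sees uncompressed objects, so a file that uses object streams or encryption is reported as opaque rather than clean.

```python
import re

# Constructed sample (not the file from the post): an uncompressed PDF fragment
# exported with a review comment and document-information fields left in.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj
<< /Type /Catalog /Metadata 6 0 R >>
endobj
3 0 obj
<< /Type /Page /MediaBox [0 0 612 792] /Annots [4 0 R] >>
endobj
4 0 obj
<< /Type /Annot /Subtype /Text /Rect [50 700 70 720]
   /T (reviewer-1) /Contents (Do we really want to say this \\(legal to check\\)?) >>
endobj
5 0 obj
<< /Author (AB) /Producer (Example PDF Writer on Mac OS X)
   /Creator (Word) /CreationDate (D:20091027101500Z) >>
endobj
6 0 obj
<< /Type /Metadata /Subtype /XML /Length 81 >>
stream
<?xpacket begin="" id="W5M0MpCehiHzreSzNTczkc9d"?><x:xmpmeta/><?xpacket end="w"?>
endstream
endobj
trailer
<< /Root 1 0 R /Info 5 0 R >>
%%EOF
"""

INFO_KEYS = (b"Title", b"Author", b"Subject", b"Keywords", b"Creator",
             b"Producer", b"CreationDate", b"ModDate")
# Annotation subtypes that carry reviewer markup or comment text.
MARKUP = rb"/Subtype\s*/(Text|FreeText|Highlight|Underline|StrikeOut|Squiggly|Caret|Popup)\b"


def read_pdf_string(data, pos):
    """Decode the PDF string at data[pos]: '(' literal or '<' hex."""
    if data[pos:pos + 1] == b"<":
        digits = re.sub(rb"\s", b"", data[pos + 1:data.index(b">", pos)])
        raw = bytes.fromhex((digits + b"0" * (len(digits) % 2)).decode("ascii"))
    else:
        depth, i, out = 1, pos + 1, bytearray()
        while i < len(data) and depth:
            c = data[i:i + 1]
            if c == b"\\":  # escaped character (octal \ddd is not decoded here)
                c = data[i + 1:i + 2]
                c = {b"n": b"\n", b"r": b"\r", b"t": b"\t"}.get(c, c)
                i += 1
            elif c in b"()":  # unescaped parentheses nest inside the string
                depth += 1 if c == b"(" else -1
            if depth:
                out += c
            i += 1
        raw = bytes(out)
    if raw.startswith(b"\xfe\xff"):  # UTF-16BE text string with BOM
        return raw[2:].decode("utf-16-be", "replace")
    return raw.decode("latin-1")


def dict_string(body, key):
    """Return the string value stored under /key in a dictionary, or None."""
    m = re.search(rb"/" + key + rb"\s*(?=\(|<(?!<))", body)
    return read_pdf_string(body, m.end()) if m else None


def scan_pdf(data):
    """Collect what a recipient could read back out of the file."""
    findings = {
        "info": {}, "comments": [], "xmp": b"<?xpacket" in data,
        # Object streams and encryption hide dictionaries from a byte scan,
        # so such a file is reported as opaque rather than passed as clean.
        "opaque": bool(re.search(rb"/(ObjStm|Encrypt)\b", data)),
    }
    refs = re.findall(rb"/Info\s+(\d+)\s+(\d+)\s+R", data)
    if refs:  # the last trailer is the current one after incremental saves
        num, gen = map(int, refs[-1])
        m = re.search(rb"(?<!\d)%d\s+%d\s+obj\b(.*?)endobj" % (num, gen), data, re.S)
        for key in INFO_KEYS:
            value = dict_string(m.group(1), key) if m else None
            if value:
                findings["info"][key.decode()] = value
    for m in re.finditer(rb"\d+\s+\d+\s+obj\b(.*?)endobj", data, re.S):
        body = m.group(1)
        if re.search(MARKUP, body) and b"/Rect" in body:
            findings["comments"].append(
                {"author": dict_string(body, b"T"), "text": dict_string(body, b"Contents")})
    return findings


def needs_scrub(findings):
    """True when the file should go back through a metadata cleaner."""
    return any(findings.values())


if __name__ == "__main__":
    report = scan_pdf(SAMPLE_PDF)
    print(report, "needs scrub:", needs_scrub(report))
```

An "opaque" result means the file needs a full PDF parser before it can be declared free of metadata; it is not a pass.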
<br />
<br />This is the perfect example of why it is so important to ensure you have a system in place to automatically remove the metadata information within a document. While the data contained in this file wasn’t damaging to the company, it was definitely embarrassing. Had the data been company private, this could have been a very different situation for them. Make sure your company and your data are protected.Cathy Brodehttp://www.blogger.com/profile/06597687600616242842noreply@blogger.com0tag:blogger.com,1999:blog-2607253004558142933.post-20542861131645058692009-10-16T15:30:00.002+01:002009-10-16T15:59:21.551+01:00Only a week left for the Survey on Mobile Device Usage<p class="MsoNormal"><span style="font-family:Arial;font-size:85%;color:navy;"><span style="font-size: 10pt; font-family: Arial; color: navy;">We are delighted with the number of participants who have already completed the 3BView Survey on Mobile Device Usage and Document Security over the last two weeks. The results are already looking very interesting.<br /><br />With just one week left until this survey closes (end of day EDT 23rd October), if you have not yet contributed then your participation would be very welcome. 
Please access it at <a href="http://www.zoomerang.com/Survey/?p=WEB229PNSVQD9C" target="_blank" title="blocked::http://www.zoomerang.com/Survey/?p=WEB229PNSVQD9C">http://www.zoomerang.com/Survey/?p=WEB229PNSVQD9C </a><br /></span></span></p><p class="MsoNormal"><span style="font-family:Arial;font-size:85%;color:navy;"><span style="font-size: 10pt; font-family: Arial; color: navy;">The survey focuses on access to, and usage of, business applications from mobile devices, with particular focus on the risks associated with information contained within document metadata when using these applications.<br /></span></span></p><p class="MsoNormal"><span style="font-family:Arial;font-size:85%;color:navy;"><span style="font-size: 10pt; font-family: Arial; color: navy;">We will be publishing summary results on our website, with full results available to survey participants, who will also be entered into a draw to win an upgraded phone of their choice – either a <b><span style="font-weight: bold;">Blackberry Storm 9530</span></b> or an <b><span style="font-weight: bold;">iPhone 3GS 32GB</span></b>.</span></span></p>Cathy Brodehttp://www.blogger.com/profile/06597687600616242842noreply@blogger.com0tag:blogger.com,1999:blog-2607253004558142933.post-38406726078042845732009-10-02T12:16:00.003+01:002009-10-02T15:57:18.338+01:003BView Surveys the Legal Market on Mobile Device Usage and Document SecurityFollowing on from my post last week, we at 3BView are conducting a survey on the usage of mobile devices in the day-to-day practice by legal practitioners around the world. 
The survey focuses on access to, and usage of, business applications from mobile devices, in particular access to documents and risks associated with information contained within document metadata via such applications.<br /><br />We will be publishing summary results on our website, with full results available to survey participants. Survey participants also will be entered into a drawing to win an upgraded phone of their choice – either a Blackberry Storm 9530 or an iPhone 3GS 32GB.<br /><br />Access the survey at <a href="http://www.zoomerang.com/Survey/?p=WEB229PNSVQD9C" target="_blank">http://www.zoomerang.com/Survey/?p=WEB229PNSVQD9C </a> from now until October 23, 2009.<br /><br />More details can be found <a href="http://3bview.com/index.php?option=com_content&view=article&id=90:mobile-sevice-survey&catid=10:press-releases">here</a>.Cathy Brodehttp://www.blogger.com/profile/06597687600616242842noreply@blogger.com0tag:blogger.com,1999:blog-2607253004558142933.post-3480339640383707642009-09-25T13:01:00.006+01:002009-09-25T19:48:13.361+01:00The Risks and Benefits of Mobile Computing<p class="MsoNormal"><span style=";font-family:Arial Narrow;font-size:100%;" ><span style=";font-family:";" >More and more solo and small firm practitioners are making the most of the advancement in technology to practice law using mobile devices and remote applications. The launch over the last few months of the latest iPhone and Blackberry Storm has been another leap forward in enabling technology.</span></span></p><p class="MsoNormal"><span style=";font-family:Arial Narrow;font-size:100%;" ><span style=";font-family:";" >Not only does mobile technology assist attorneys in managing their client base, it also helps in lowering their business overhead. Mobile devices enable attorneys to work from anywhere. The term ‘Mobile Attorney,’ while meaning a specialization in the past, now relates to the practice of using mobile technology to conduct business. 
</span></span></p> <p class="MsoNormal"><span style=";font-family:Arial Narrow;font-size:100%;" ><span style=";font-family:";" >One of the key aspects of the Mobile Attorney is that they no longer just have a laptop running Microsoft Windows. They are now accessing their email, documents and other business applications via webmail, mobile enabled Document Management Systems (DMS) and a broad array of devices such as Blackberry, iPhone, PDAs, NetBooks and Apple Macs.</span></span></p><span style=";font-family:Arial Narrow;font-size:100%;" ><span style=";font-family:";" >But this brings up an interesting fact. While being a Mobile Attorney has many significant benefits, it does introduce new security risks, especially where the firm's security tools, such as its metadata removal application, are limited to desktop tools. The Mobile Attorney using the web, DMS or mobile device does not have access to these tools and so falls foul of what I refer to as 'the mobile security gap'. 
If you are a Mobile Attorney – are you aware of these risks and are you doing anything to make sure you and your data are protected?</span></span>Cathy Brodehttp://www.blogger.com/profile/06597687600616242842noreply@blogger.com0tag:blogger.com,1999:blog-2607253004558142933.post-47108185976057479302009-02-28T16:55:00.004+00:002009-03-03T13:18:58.369+00:00PDF documents and metadata - some examplesBefore I do a deeper dive into what metadata a PDF document contains, let's take a look at what must have been the main headline-hitting example in 2008 of sensitive information being discovered within PDF metadata.<br /><br />I am referring to the situation Google found themselves in with a submission they made, supposedly anonymously, to the Australian Competition and Consumer Commission regarding eBay and their proposal to force their users to use PayPal. 
After speculation on many blogs about the author of the anonymous submission, one Dave Bromage took a look at the metadata in the PDF document and let the world know who it was. Despite the submission being replaced with a new version without the revealing metadata, the word was out. I won’t comment on the reasons why this was at least embarrassing to Google (<a href="http://www.theage.com.au/news/biztech/google-exposed-as-anonymous-ebay-critic/2008/05/30/1211654272331.html?page=fullpage">this is one report</a> that gives the details as well as showing the metadata contents), but will add that there was an additional chuckle in the techie community, <a href="http://www.theregister.co.uk/2008/05/30/metadata_ruins_google_accc_filing/print.html">The Register</a> being one, that the metadata also showed that the document had not been created using Google’s own word processing app. My main comment is that this unintentional leakage of information involved a regulator as well as embarrassment at the very least to the originator (author and company).<br /><p class="MsoNormal" style="margin-left: 3pt;"><br />The submission had also masked what would have been visible text about the submitter within the document. However, the PDF did not have any security applied to it, so it was very easy to copy that area of the document and paste it into another text processor to see the underlying information. <a href="http://www.techcrunch.com/2009/02/11/the-ap-reveals-details-of-facebookconnectu-settlement-with-best-hack-ever/">Facebook/ConnectU</a> have just this month fallen foul for the same reason. There are numerous other examples in this area, <a href="http://www.law.com/jsp/PubArticle.jsp?id=1202422146596">GE</a> and the <a href="http://blog.wired.com/27bstroke6/files/igcaleafinal.pdf">US Justice Department</a> being a couple from 2008. If you want to mask visible text, at the very least add security settings to the PDFs that you generate to disallow copying and pasting of text. 
Also look at redacting software which fully removes and masks text whilst retaining the layout in the PDF document.</p> <p class="MsoNormal" style="margin-left: 3pt;">I am sure it is pure coincidence that one of the other headlines in 2008 around information garnered from PDF metadata also involved Google, but from the other side of the fence. <a href="http://news.cnet.com/8301-13578_3-9965555-38.html">As reported here</a>, metadata in a PDF version of a lobbying letter from the Corn Farmers to Congress linked, albeit tentatively, the author back to some of Google’s political adversaries.</p><p class="MsoNormal" style="margin-left: 3pt;">The lesson from these examples is that you should <span style="font-weight: bold;">not </span>assume that converting and sending/publishing a PDF removes metadata that could contain sensitive information.</p>Cathy Brodehttp://www.blogger.com/profile/06597687600616242842noreply@blogger.com0tag:blogger.com,1999:blog-2607253004558142933.post-72283685010990432782008-10-31T11:10:00.004+00:002008-10-31T11:21:50.526+00:00It might have been quiet on this blog for a while but elsewhere...I know, I know, it has been a long while since I last posted to this blog! Thank you to all of you who have been checking in regularly.<br /><br />It has been a busy six months both in terms of data loss instances and also for 3BView. In the case of the latter we have gained great new customers and partners in the intervening time ... you'll be able to find out more about some of them on our website - a new improved version of which is going live next week.<br /><br />On the former: well, watch this space. 
Many things to blog about, and I will be doing just that over the coming weeks.Cathy Brodehttp://www.blogger.com/profile/06597687600616242842noreply@blogger.com0tag:blogger.com,1999:blog-2607253004558142933.post-77622619223396033262008-03-18T13:50:00.002+00:002008-03-18T14:37:28.443+00:00Good eWeek article on DLP<p class="MsoNormal"><span style="font-family: Arial;" lang="EN-GB">eWeek has <a href="http://www.eweek.com/c/a/Security/DLP-DAM-Share-Common-Data-Security-Objectives/">an interesting article</a> comparing Database Activity Monitoring (DAM) with Data Leak Prevention (DLP).</span></p> <p class="MsoNormal"><span style="font-family: Arial;" lang="EN-GB">In the article, Paul Proctor, a Gartner analyst who’s tracked this area for a while, says: “Most every security monitoring technology would benefit from DLP content awareness, which is the ability to recognize sensitive content on the fly.” Yep, I’d agree with that.</span></p>Cathy Brodehttp://www.blogger.com/profile/06597687600616242842noreply@blogger.com1tag:blogger.com,1999:blog-2607253004558142933.post-82521991937086990232008-02-28T17:46:00.000+00:002008-02-28T17:47:53.009+00:00California Bar Journal reviews legal metadata position<p class="MsoNormal"><span style="font-family: Arial;" lang="EN-GB">The California Bar Journal, in <a href="http://calbar.ca.gov/state/calbar/calbar_cbj.jsp?sCategoryPath=/Home/Attorney%20Resources/California%20Bar%20Journal/February2008&MONTH=February&YEAR=2008&sCatHtmlTitle=MCLE%20Self-Study&sJournalCategory=YES">this article</a>, presents an excellent round-up of the problems for lawyers, including the myth that PDF documents are safe from metadata leaks, and the latest legal position in the US. 
Worth reading.</span></p>Cathy Brodehttp://www.blogger.com/profile/06597687600616242842noreply@blogger.com0tag:blogger.com,1999:blog-2607253004558142933.post-63119194869125063312008-02-18T10:45:00.000+00:002008-02-18T10:46:58.165+00:00Eli Lilly’s lawyers accidentally email confidential info to New York Times<p class="MsoNormal"><span style="font-family: Arial;" lang="EN-GB">We’ve been here before, but this is a <a href="http://www.portfolio.com/news-markets/top-5/2008/02/05/Eli-Lilly-E-Mail-to-New-York-Times">corker</a>. All the pieces of a classic ILP mistake: the $1bn lawsuit, the external law firm accidentally emailing confidential information to the wrong person, and the fact that the wrong person happened to be a New York Times reporter. Oops.</span></p> <p class="MsoNormal"><span style="font-family: Arial;" lang="EN-GB">Law firms, get yourself some ILP tools now, before it’s you!</span></p>Cathy Brodehttp://www.blogger.com/profile/06597687600616242842noreply@blogger.com2tag:blogger.com,1999:blog-2607253004558142933.post-56587953038207617472008-01-30T11:19:00.000+00:002008-01-30T11:23:03.260+00:00Scottish council caught out by tracked changes<p class="MsoNormal"><span style="font-family: Arial;" lang="EN-GB">It’s that old classic: sending out a Word document with information you really, really don’t want to reveal left in tracked changes. 
</span></p> <p class="MsoNormal"><span style="font-family: Arial;" lang="EN-GB">This time the metadata culprit is Aberdeenshire County Council, which managed to send out a report on waste management, containing incriminating details of problems in tracked changes that hadn’t made it into the final report.</span></p> <p class="MsoNormal"><span style="font-family: Arial;" lang="EN-GB">Even worse than the information revealed is the inference that the council had covered up the information it didn’t like on the problems – and <a href="http://www.rwminfo.com/page.cfm/action=Archive/ArchiveID=10/EntryID=3795">the press</a> has certainly taken this line.</span></p>Cathy Brodehttp://www.blogger.com/profile/06597687600616242842noreply@blogger.com0tag:blogger.com,1999:blog-2607253004558142933.post-39641860383314287182008-01-19T08:45:00.000+00:002008-01-19T08:53:32.066+00:00That Jeremy Clarkson story<p class="MsoNormal"><span style="font-family: Arial;" lang="EN-GB">I know I’m coming a little late to <a href="http://www.theregister.co.uk/2008/01/07/clarkson_bank_prank_backfires/">this story</a> and there’s been a lot of debate about it. In case you’ve not read about this: the UK TV presenter Jeremy Clarkson published his bank details in a newspaper column, in which he claimed the furore about lost personal details from the HMRC was a fuss about nothing. Of course, a kind soul promptly used the details to set up a direct debit payment from Clarkson’s account to a charity.</span></p> <p class="MsoNormal"><span style="font-family: Arial;" lang="EN-GB">On reflection, you could argue that in fact the system works – the UK’s direct debit scheme provides safeguards to protect the consumer, and to refund any disputed money. In this kind of situation, no doubt Clarkson is covered financially. 
</span></p> <p class="MsoNormal"><span style="font-family: Arial;" lang="EN-GB">But you could imagine a consumer being less than happy if, say, the money taken out of their account meant they went overdrawn, other payments bounced, and they then had to sort out the unholy mess.</span></p> <p class="MsoNormal"><span style="font-family: Arial;" lang="EN-GB">And Clarkson himself says he only discovered the loss when he read his bank statement – how many people do that every month? And would they notice the loss if it was £50 not £500?</span></p> <p class="MsoNormal"><span style="font-family: Arial;" lang="EN-GB">For me, it does highlight two important issues: firstly, the context in which personal data is used is important. As many commentators have said, Clarkson only divulged information that we give to anyone whenever we give them a cheque. But he did so in a highly public way. “Security by obscurity” has long been a facet of protecting data, and shouldn’t be forgotten when risk is being assessed.</span></p> <p class="MsoNormal"><span style="font-family: Arial;" lang="EN-GB">The second key point is that it’s much, much easier to not leak data in the first place, than to deal with the consequences even if there is no nominal financial risk. As I mentioned, the UK’s banks guarantee to refund any money that a consumer loses due to a mistake with a direct debit. In practice, I imagine it’s still a difficult process to go through, and can cause much inconvenience. 
It’s the same with any company’s data – you might theoretically not have any negative consequences of a leak, but managing the process when information goes missing can be time-consuming and costly.</span></p>Cathy Brodehttp://www.blogger.com/profile/06597687600616242842noreply@blogger.com0tag:blogger.com,1999:blog-2607253004558142933.post-5635600735976584732008-01-11T09:13:00.000+00:002008-01-11T09:15:09.159+00:00Frank Abagnale tells the inside story on IT security<p class="MsoNormal"><span style="font-family: Arial;" lang="EN-GB">You might know him best from the Spielberg film “<a href="http://www.imdb.com/title/tt0264464/">Catch Me If You Can</a>”, but former fraudster Frank Abagnale has spent the last 30 years working with the FBI on improving security, and more recently this has included a big element of IT security.</span></p> <p class="MsoNormal"><span style="font-family: Arial;" lang="EN-GB">There’s a good <a href="http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9043254">Q&A</a> with him at ComputerWorld that’s worth reading, as he makes some interesting points about IT and financial security – not least that the internal threat to companies is more significant than external hackers.</span></p>Cathy Brodehttp://www.blogger.com/profile/06597687600616242842noreply@blogger.com0tag:blogger.com,1999:blog-2607253004558142933.post-77374390727991812612008-01-07T18:32:00.000+00:002008-01-07T18:35:47.028+00:00Two good articles on security: user behaviour and balancing risk<p class="MsoNormal"><span style="font-family: Arial;" lang="EN-GB">Happy New Year! 
This seems a good opportunity to mention two good articles I read last year, but didn’t blog on at the time.</span></p>
<p class="MsoNormal"><span style="font-family: Arial;" lang="EN-GB">Firstly, <a href="http://www.networkworld.com/newsletters/gwm/2007/0618msg2.html">Network World</a> ran an article by Michael Osterman in June based on a survey of user behaviour. It’s short and to the point, but contains useful gems like the fact that 71% of users check work-related email from home on their own computer. Certainly confirms for me that we’re on the right lines to put our ILP protection on the email server, not on the desktop – if you’ve got server-based protection, you’re covered regardless of which PC is used.</span></p>
<p class="MsoNormal"><span style="font-family: Arial;" lang="EN-GB">Then <a href="http://apcmag.com/6895/war_on_terror_overblown_microsoft">this article in APC magazine</a> contains some interesting views from Microsoft on why the security threat is often “overblown”, and how you need to balance the cost of a security measure against the perceived risk and the cost of any security problems that may arise. It’s common sense really, but worth remembering, and I’d add the point that you need to think about how long a solution may take before it’s up and running effectively; sometimes the simple and fast solutions are the best.</span></p>
Cathy Brode http://www.blogger.com/profile/06597687600616242842 noreply@blogger.com 0
tag:blogger.com,1999:blog-2607253004558142933.post-2773836639339183392 2007-12-27T18:11:00.000+00:00 2007-12-27T18:12:27.083+00:00
US legal position on metadata still unclear
<p class="MsoNormal"><span style="font-family: Arial;" lang="EN-GB">As far as I can work out, the position in the US on the legal status of metadata is still being sorted out.
Have a look at this <a href="http://www.law.com/jsp/legaltechnology/pubArticleLT.jsp?id=1197496450250">good review</a> of recent “ethics opinions” in The New York Law Journal – there still seem to be plenty of conflicting views.</span></p>
<p class="MsoNormal"><span style="font-family: Arial;" lang="EN-GB">The article concludes with good advice: check your local rules and case law, and use metadata scrubbing tools to remove metadata from documents you send (where this is permissible).</span></p>
<p class="MsoNormal"><span style="font-family: Arial;" lang="EN-GB">One day we’ll have clarity, no doubt.</span></p>
Cathy Brode http://www.blogger.com/profile/06597687600616242842 noreply@blogger.com 0
tag:blogger.com,1999:blog-2607253004558142933.post-309567028912707266 2007-12-15T17:06:00.000+00:00 2007-12-15T17:08:53.479+00:00
PR agencies leaking data as much as the rest of us
<p class="MsoNormal"><span style="font-family: Arial;" lang="EN-GB">Love or hate them, PR agencies are part of today’s business world. They do have a riskier position than most in the looking foolish stakes, though, as they are in frequent contact with journalists who will generally grab any opportunity they can to wind up their PR colleagues.</span></p>
<p class="MsoNormal"><span style="font-family: Arial;" lang="EN-GB"><a href="http://valleywag.com/tech/great-moments-in-pr/dear-pr-flack-dont-send-this-draft-327029.php">The latest one is a delightful example</a> on Valleywag, the Silicon Valley gossip site – just look at all those tracked changes that were left in the email to the journalist from the PR.</span></p>
<p class="MsoNormal"><span style="font-family: Arial;" lang="EN-GB">But wait: it gets better. The PR sent <a href="http://valleywag.com/tech/great-moments-in-pr/dear-pr-flack-dont-make-us-laugh-328095.php">an email</a> threatening legal action if her original email wasn’t removed. Guess what?
Valleywag ran that email too.</span></p>
Cathy Brode http://www.blogger.com/profile/06597687600616242842 noreply@blogger.com 0
tag:blogger.com,1999:blog-2607253004558142933.post-1699426944751254903 2007-12-13T20:26:00.000+00:00 2007-12-13T20:28:44.554+00:00
Another day, another data breach
<p class="MsoNormal"><span lang="EN-GB" style="font-family:Arial;">Amazing how many of these stories are coming out now in the UK about public sector data breaches, as public attention is so focussed on it at the moment.</span></p>
<p class="MsoNormal"><span lang="EN-GB" style="font-family:Arial;">This week, a healthcare trust managed to email a spreadsheet containing personal financial details of 1,800 employees to four medical organisations. Surely they’ve got ILP tools to stop them doing this? Maybe not…</span></p>
<p class="MsoNormal"><span lang="EN-GB" style="font-family:Arial;">The gory details are in the <a href="http://news.bbc.co.uk/1/hi/england/merseyside/7138426.stm">BBC’s report here</a>.</span></p>
Cathy Brode http://www.blogger.com/profile/06597687600616242842 noreply@blogger.com 0
tag:blogger.com,1999:blog-2607253004558142933.post-8831473664459674482 2007-12-10T15:03:00.000+00:00 2007-12-10T15:09:02.033+00:00
New Scientist covers ILP
<p class="MsoNormal"><span style="font-family: Arial;" lang="EN-GB">Well, nice to get some recognition for our area of technology in <a href="http://technology.newscientist.com/channel/tech/mg19626325.800-monitoring-email-could-spot-insider-threats.html">this article</a> in New Scientist (subscription required, but you can read the first couple of paragraphs for free anyway).</span></p>
<span style="font-size: 11pt; line-height: 115%; font-family: Arial;" lang="EN-GB">To summarise the key points: researchers at the Air Force Institute of Technology, Ohio are developing software to analyse the text of outgoing emails in companies, and flag the senders as “alienated” or “having clandestine,
sensitive interests”. Sounds like what we’re doing at 3BView but it’s interesting stuff… there’s more <a href="http://www.eurekalert.org/pub_releases/2007-11/ns-utn112807.php">here</a> (New Scientist’s press release about their article).</span>
Cathy Brode http://www.blogger.com/profile/06597687600616242842 noreply@blogger.com 0
tag:blogger.com,1999:blog-2607253004558142933.post-2079349846171130579 2007-12-04T09:16:00.000+00:00 2007-12-04T09:26:23.613+00:00
Scottish politician in donations row due to metadata
<p class="MsoPlainText" style="font-family:arial;"><span style="">UK readers will be familiar with the row about dodgy political donations that’s currently surrounding the Labour party. It was perhaps only a matter of time before metadata gave someone’s secrets away – as it has a habit of doing in political rows.</span></p>
<p class="MsoPlainText" style="font-family:arial;"><span style="">Well, it happened this weekend – the <a href="http://www.sundayherald.com/news/heraldnews/display.var.1874620.0.the_lies.php"><i>Sunday Herald</i></a> newspaper printed allegations that Scottish Labour chief Wendy Alexander was aware of the potentially dodgy nature of a donation weeks before she had claimed to be. The smoking gun? Metadata in a Word document showed the date it had been saved (November 5<sup>th</sup>) and that the username was her husband’s.</span></p>
<p class="MsoPlainText" style="font-family:arial;"><span style="">The row is all over the press now, and Alexander may end up having to resign, or even being prosecuted under the UK’s election finance laws. It’s becoming almost commonplace to see these metadata leaks pop up in political rows, and I’m sure the more clued-up journalists check the properties and tracked changes on every Word document they get hold of!
Remember PDF documents aren’t normally safe either unless you’ve taken the right steps to make them secure.</span></p>
Cathy Brode http://www.blogger.com/profile/06597687600616242842 noreply@blogger.com 1
tag:blogger.com,1999:blog-2607253004558142933.post-2292567885333221931 2007-11-29T09:36:00.000+00:00 2007-11-29T09:39:44.920+00:00
Former DuPont scientist jailed for information theft
<p class="MsoNormal"><span style="font-family: Arial;" lang="EN-GB">Gary Min, a former DuPont scientist, has <a href="http://www.informationweek.com/news/showArticle.jhtml?articleID=202804057">just been jailed</a> for 18 months for stealing confidential information. He downloaded 22,000 abstracts and 16,000 full-text documents over a five-month period before leaving the company. He subsequently uploaded 180 of these DuPont documents onto a corporate laptop from his new employer, Victrex, a competitor of DuPont. The information was valued at over $400 million.</span></p>
<p class="MsoNormal"><span style="font-family: Arial;" lang="EN-GB">Apparently most of these documents were unrelated to his job at DuPont.
You have to wonder why it took DuPont so long to spot this pattern and report him to the FBI, and why he had access to so much information.</span></p>
<p class="MsoNormal"><span style="font-family: Arial;" lang="EN-GB">It’s not quite on the scale of the UK’s HMRC fiasco, but it raises a similar question: why do employees get access to such a large quantity of information that’s not related to their jobs?</span></p>
Cathy Brode http://www.blogger.com/profile/06597687600616242842 noreply@blogger.com 0
tag:blogger.com,1999:blog-2607253004558142933.post-7507570506290528751 2007-11-21T17:40:00.000+00:00 2007-11-21T20:26:23.343+00:00
You can’t steal what isn’t there
<p class="MsoNormal"><span style="font-family: Arial;" lang="EN-GB">Yesterday’s story on the loss of 25 million child benefit records reminded me of the more than 45 million customer records stolen from TJX, the parent company of retailer T.J. Maxx.
An article a while back in <a href="http://www.informationweek.com/shared/printableArticle.jhtml?articleID=201400171">Information Week</a> describes it as the “largest breach of customer data”.</span></p>
<p class="MsoNormal"><span style="font-family: Arial;" lang="EN-GB">An interesting article, but the key point is right at the end: “With any luck, the TJX Effect will teach retailers this basic lesson: Thieves can't steal sensitive customer data if retailers aren't storing it.”</span></p>
<p class="MsoNormal"><span style="font-family: Arial;" lang="EN-GB">But governments have to store sensitive data -- they really do need to get things sorted, or the trust of the public will be lost forever.</span></p>
Cathy Brode http://www.blogger.com/profile/06597687600616242842 noreply@blogger.com 0
tag:blogger.com,1999:blog-2607253004558142933.post-4936365138762222010 2007-11-20T16:25:00.000+00:00 2007-11-20T16:41:32.135+00:00
The HMRC leak – unbelievable
<p class="MsoPlainText" style="margin-left: 36pt; text-align: left;">Really, words fail me. I’ve just <a href="http://news.bbc.co.uk/1/hi/uk_politics/7103566.stm">watched on TV</a> the UK chancellor Alistair Darling tell the House of Commons that this massive data leak (25 million people’s bank details etc) is due to HMRC staff not following procedures. Pardon me? Apparently it was sent via unrecorded post on unencrypted CDs.</p>
<p class="MsoPlainText" style="margin-left: 36pt;">Liberal Democrat acting leader Vince Cable asked why the data was posted on CDs and why HMRC didn’t have an electronic means of sending the information securely.
He’s got a point.</p>
<p class="MsoPlainText" style="margin-left: 36pt;">I’m sure we’ll learn more soon.</p>
Cathy Brode http://www.blogger.com/profile/06597687600616242842 noreply@blogger.com 0
tag:blogger.com,1999:blog-2607253004558142933.post-1577359078573713814 2007-11-20T12:43:00.000+00:00 2007-11-20T12:54:14.873+00:00
AT&T lawsuits rumbling on
<p class="MsoNormal"><span style="font-family: Arial;" lang="EN-GB">AT&T is one of the highest profile companies that’s been publicly identified as having committed an ILP faux pas – letting the cat out of the bag about alleged collusion with the US government in alleged illegal wiretapping (the lawsuits are still going on – so I’m going to use the word ‘alleged’ as often as I can just in case).</span></p>
<p class="MsoNormal"><span style="font-family: Arial;" lang="EN-GB">They must be regretting this a LOT! There’s <a href="http://www.guardian.co.uk/worldlatest/story/0,,-7068964,00.html">an interesting article in the Guardian</a> about this case and the general topic of privacy and how it’s changing in the electronic world.</span></p>
Cathy Brode http://www.blogger.com/profile/06597687600616242842 noreply@blogger.com 0