Wednesday, 30 January 2008

Scottish council caught out by tracked changes

It’s that old classic: sending out a Word document with information you really, really don’t want to reveal left in tracked changes.

This time the metadata culprit is Aberdeenshire County Council, which managed to send out a report on waste management, containing incriminating details of problems in tracked changes that hadn’t made it into the final report.

Even worse than the information revealed is the inference that the council had covered up the information it didn’t like on the problems – and the press has certainly taken this line.
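As an added defender-side check (not code from the original post), the Python below opens a .docx before it leaves the building and reports any tracked insertions, deletions or comments still sitting in word/document.xml, recovering the deleted text a recipient would see by switching on markup. It assumes the modern Office Open XML format; the sample document is constructed inline and is not a full Word package.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# WordprocessingML namespace used by every .docx main document part
W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"


def scan_docx_revisions(data: bytes) -> dict:
    """Count tracked changes and comment references, and collect deleted text."""
    findings = {"inserted": 0, "deleted": 0, "comments": 0, "deleted_text": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        root = ET.fromstring(zf.read("word/document.xml"))
    for el in root.iter():
        if not el.tag.startswith("{" + W_NS + "}"):
            continue
        local = el.tag.split("}", 1)[1]
        if local == "ins":
            findings["inserted"] += 1
        elif local == "del":
            findings["deleted"] += 1
            # deleted runs keep their words in w:delText, so they are still in the file
            for t in el.iter("{" + W_NS + "}delText"):
                findings["deleted_text"].append(t.text or "")
        elif local == "commentReference":
            findings["comments"] += 1
    return findings


def is_safe_to_send(data: bytes) -> bool:
    """True only when no revision or comment markup survives in the document."""
    f = scan_docx_revisions(data)
    return f["inserted"] == 0 and f["deleted"] == 0 and f["comments"] == 0


def build_sample_docx(with_revisions: bool = True) -> bytes:
    """Constructed minimal .docx: one report sentence with a tracked deletion
    and a tracked insertion standing in for an unwelcome finding."""
    body = '<w:r><w:t>The site is operating </w:t></w:r>'
    if with_revisions:
        body += ('<w:del w:id="1" w:author="reviewer"><w:r><w:delText>well over '
                 'capacity</w:delText></w:r></w:del>'
                 '<w:ins w:id="2" w:author="reviewer"><w:r><w:t>as planned</w:t></w:r></w:ins>')
    else:
        body += '<w:r><w:t>as planned</w:t></w:r>'
    doc = ('<w:document xmlns:w="' + W_NS + '"><w:body><w:p>' + body +
           '<w:r><w:t>.</w:t></w:r></w:p></w:body></w:document>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("word/document.xml", doc)
    return buf.getvalue()
```

Run `scan_docx_revisions` on an outgoing file in a send-side hook; anything other than all-zero counts means the revision history is still there for the reader to find.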

Saturday, 19 January 2008

That Jeremy Clarkson story

I know I’m coming a little late to this story and there’s been a lot of debate about it. In case you’ve not read about this: the UK TV presenter Jeremy Clarkson published his bank details in a newspaper column, in which he claimed the furore about lost personal details from HMRC was a fuss about nothing. Of course, a kind soul promptly used the details to set up a direct debit payment from Clarkson’s account to a charity.

On reflection, you could argue that in fact the system works – the UK’s direct debit scheme provides safeguards to protect the consumer, and to refund any disputed money. In this kind of situation, no doubt Clarkson is covered financially.

But you could imagine a consumer being less than happy if, say, the money taken out of their account meant they went overdrawn, other payments bounced, and they then had to sort out the unholy mess.

And Clarkson himself says he only discovered the loss when he read his bank statement – how many people do that every month? And would they notice the loss if it was £50 not £500?

For me, it does highlight two important issues: firstly, the context in which personal data is used is important. As many commentators have said, Clarkson only divulged information that we give to anyone whenever we give them a cheque. But, he did so in a highly public way. “Security by obscurity” has long been a facet of protecting data, and shouldn’t be forgotten when risk is being assessed.

The second key point is that it’s much, much easier not to leak data in the first place than to deal with the consequences, even if there is no nominal financial risk. As I mentioned, the UK’s banks guarantee to refund any money that a consumer loses due to a mistake with a direct debit. In practice, I imagine it’s still a difficult process to go through, and can cause much inconvenience. It’s the same with any company’s data – you might theoretically not suffer any negative consequences from a leak, but managing the process when information goes missing can be time-consuming and costly.

Friday, 11 January 2008

Frank Abagnale tells the inside story on IT security

You might know him best from the Spielberg film “Catch Me If You Can”, but former fraudster Frank Abagnale has spent the last 30 years working with the FBI on improving security, and more recently this has included a big element of IT security.

There’s a good Q&A with him at ComputerWorld that’s worth reading, as he makes some interesting points about IT and financial security – not least that the internal threat to companies is more significant than external hackers.

Monday, 7 January 2008

Two good articles on security: user behaviour and balancing risk

Happy New Year! This seems a good opportunity to mention two good articles I read last year, but didn’t blog on at the time.

Firstly, Network World ran an article by Michael Osterman in June based on a survey of user behaviour. It’s short and to the point, but contains useful gems like the fact that 71% of users check work-related email from home on their own computer. Certainly confirms for me that we’re on the right lines to put our ILP protection on the email server, not on the desktop – if you’ve got server-based protection, you’re covered regardless of which PC is used.

Then this article in APC magazine contains some interesting views from Microsoft on why the security threat is often “overblown”, and how you need to balance the cost of a security measure against the perceived risk and the cost of any security problems that may arise. It’s common sense really, but worth remembering, and I’d add the point that you need to think about how long a solution may take before it’s up and running effectively; sometimes the simple and fast solutions are the best.

Thursday, 27 December 2007

US legal position on metadata still unclear

As far as I can work out, the position in the US on the legal status of metadata is still being sorted out. Have a look at this good review of recent “ethics opinions” in The New York Law Journal – there still seem to be plenty of conflicting views.

The article concludes with good advice: check your local rules and case law, and use metadata scrubbing tools to remove metadata from documents you send (where this is permissible).

One day we’ll have clarity, no doubt.

Saturday, 15 December 2007

PR agencies leaking data as much as the rest of us

Love or hate them, PR agencies are part of today’s business world. They do have a riskier position than most in the looking foolish stakes, though, as they are in frequent contact with journalists who will generally grab any opportunity they can to wind up their PR colleagues.

The latest one is a delightful example on Valleywag, the Silicon Valley gossip site – just look at all those tracked changes that were left in the email to the journalist from the PR.

But wait: it gets better. The PR sent an email threatening legal action if her original email wasn’t removed. Guess what? Valleywag ran that email too.

Thursday, 13 December 2007

Another day, another data breach

Amazing how many of these stories are coming out now in the UK about public sector data breaches, as public attention is so focussed on it at the moment.

This week, a healthcare trust managed to email a spreadsheet containing personal financial details of 1,800 employees to four medical organisations. Surely they’ve got ILP tools to stop them doing this? Maybe not…

The gory details are in the BBC’s report here.