This is an interesting case where FDA whistleblowers allege that their emails were monitored once they told Congress the agency was approving medical devices that were risky to patients.  First, the usual disclaimer: I am not a lawyer--don't take this as legal advice.

FDA employees (and former employees) are alleging that the FDA initiated email monitoring after these complaints, and that in doing so, it violated their Constitutional rights.  They call the monitoring an unlawful search and seizure, and a violation of their rights to free speech and association.  The FDA, on the other hand, indicated that when logging onto the network, employees are warned they may be monitored and should not have an expectation of privacy.  Now, the article quotes the agency, but does not get specific as to what this warning looks like.  If it is like many places, it is a click through banner where the employee must accept the warning before proceeding. 

Further, the article indicated that the FDA began "surveillance of the employee's personal email accounts, which they accessed from Government computers".  So the question is--does the click through banner indicating no expectation of privacy should be held by the employee extend to their personal email accounts when they access them from work?  This will be a very interesting case to follow, given some of the rulings we've seen around similar issues. 

In Ontario v. Quon, the Supreme Court ruled that employers have the right to read text messages—including personal ones—when they own the equipment (phone) that it was sent/received from, and when they have reason to believe that workplace rules are being broken.  In that ruling, Justice Scalia asserts “…that government searches to retrieve work-related materials or to investigate violations of workplace rules—searches of the sort that are regarded as reasonable and normal in the private-employer context—do not violate the …(Fourth) Amendment.” 

Now, that ruling addressed cell phone texting on a work-owned phone, and not personal email accounts accessed through a work computer, but the most important point seems to be that because the search was motivated by a legitimate work-related purpose, it was lawful. 

In Stengart v. Loving Care Agency, Inc., the New Jersey Supreme Court ruled in a case where an employee sent emails to/from her attorney via her personal Yahoo email account, but using a company laptop.  When she left the company and filed suit against them, the employer had a forensic analysis done on the laptop.  It obtained copies of some of the emails from the internet cache folders, and even though the emails contained language about privilege and how the emails were intended only for the recipient, the employer asserted they were fair game.  The court ruled that just because Stengart was using her employer provided laptop, that doesn’t dispel her expectation of privacy when accessing her personal email account.  According to the New Jersey Supreme Court, “a policy that provided unambiguous notice that an employer could retrieve and read an employee’s attorney-client communications, if accessed on a personal password-protected email account using the company’s computer system, would not be enforceable.”

The FDA case seems to fall somewhere in between these two rulings.  While the monitoring may be justifiable as a legitimate work-related investigation (not knowing the details, I can only assume), which would make the communications on the company’s email systems subject to monitoring should be within the realm of not violating their Fourth Amendment rights.  However, when it extends to their personal email accounts, even if they are not attorney-client communications, it becomes possible that a line was crossed. 

The take home for companies should be to make sure their Acceptable Use policies are clear, and that their systems have those click through banners that users must acknowledge that monitoring is a possibility on company owned systems—that is the basic beginning for dispelling that expectation of privacy. However, if during the course of an investigation, private communications are intercepted, the company should be guided by their Legal Counsel on how to proceed.

The outcome of the FDA case will hopefully provide further clarity in this somewhat murky issue.

First, there have been a significant number of data breach incidents coming to light from prior years.  Here is the new breakdown of incidents per year.

With the new data, there are now more than 5,500 incidents, and new breaches seem to occur on a daily basis.  As you can see, 2011 already has 871 incidents, and if you are familiar with the previous two Leaking Vault reports, you will notice significant increases in both 2007 and 2008's totals. 

Even with a total of 944 incidents for 2010, however, it still remains the lowest year since the study began for known records disclosed.   Although 2007 and 2008 grew the most in terms of additional incidents being disclosed, 2008 showed the highest number of additional records, with almost 95 million.  Though 2011 is not the highest in terms of incidents, it is now the leader for records disclosed thus far. 

All told, the database shows 1.29 billion records disclosed over the past 7 years, and this total will only grow as more incidents for 2011 come in.  As pointed out in the reports, these records lost figures are an under estimation due to the fact that 36% of the incidents do not list a finite number of records disclosed for the data breach.   One partial explanation for 2010's low records disclosed number is the potential for large breaches to be concealed within the 37% "unknown" value for the records disclosed--only 1% higher than average.  However, it may simply be that there were no really large incidents during that year.  In contrast, 2009 had a 46% unreported figure for records disclosed, and it did not show a large decrease. 

I will be performing the usual analysis when I freeze the database, and releasing The Leaking Vault 2012 some time in the third quarter.  In the meantime, I'm looking at gathering some new metrics and revisiting the existing records. 

The first was from Disney Destinations, and here is the text:

Dear Guest,

We have been informed by one of our email service providers, Epsilon,
that your email address was exposed by an unauthorized entry into that
provider's computer system.  We use our email service providers to
help us manage the large number of email communications with our
guests.  Our email service providers send emails on our behalf to
guests who have chosen to receive email communications from us.

We regret that this incident has occurred and any inconvenience this
incident may cause you.  We take your privacy very seriously, and we
will continue to work diligently to protect your personal information.

We want to assure you that your email address was the only personal
information we have regarding you that was compromised in this
incident.

As a result of this incident, it is possible that you may receive spam
email messages, emails that contain links containing computer viruses
or other types of computer malware, or emails that seek to deceive you
into providing personal or credit card information.  As a result, you
should be extremely cautious before opening links or attachments from
unknown third parties or providing a credit card number or other
sensitive information in response to any email.

If you have any questions regarding this incident, please contact us
at (407) 560-2547 during the hours of 9:00 am to 7:00 pm (Eastern Time)
Monday through Friday, and 9:00 am through 5:00 pm (Eastern Time)
Saturday and Sunday.

Sincerely,

Disney Destinations

The second was from Tivo, and here is the text:

	TiVo® Service Announcement
	Dear TiVo Customer, Today we were informed by our email service provider that your email address was exposed due to unauthorized access of their system. Our email service provider deploys emails on our behalf to customers who have opted into email-based communications from us. We were advised by our email service provider that the information that was obtained was limited to first name and/or email addresses only. Your service and any other personally identifiable information were not at risk and remain secure. Please note, it is possible you may receive spam email messages as a result. We want to urge you to be cautious when opening links or attachments from unknown third parties. We regret this has taken place and apologize for any inconvenience this may have caused you. We take your privacy very seriously, and we will continue to work diligently to protect your personal information. If you have unsubscribed in the past, there is no need to unsubscribe again. Your preferences will remain in place. Sincerely, The TiVo Team

The data items breached were first name and email, and the company warns that more spam may be in my future because of this, and to urge me not to go clicking on those enticing links or opening any attachments--always good advice.  They also warn that they won't be asking me to confirm any personal information or credit card data unless I'm on their site. 

I've posted the breach incident to the datalossdb.org database.  I haven't seen anything in the media, and don't know how big this breach was.  It is clear it was third party partner facilitated by the text of their email. 

The post described how to go into your settings and disable that "feature" so that you will not have Facebook storing your login and password to Paypal.  I specifically went in to verify that my credentials were not in there, but later after making a purchase from an application (and declining their prompt to link the application to my Paypal account as I do each time), I noticed that it had been populated in my profile regardless.  I removed it, and Paypal sent me an email confirming the relationship had been severed.  I had opted out.

Today, after making another purchase, I got a bit of a shock.  After my last purchase, I again declined to link the account to this application.  Today's purchase went through without my being redirected to the Paypal site or prompting me for login or password.  I checked my settings, and sure enough, the account detail had again been populated without my consent.  I deleted the credential again from my Facebook profile. 

Then I did a quick test.  I made a purchase through the same application for the least dollar amount possible.  I was prompted for the credentials since I'd removed them from my profile.  At no time was I told that Facebook would be keeping my login and password to this site, nor was I given the option to opt out.  I went back to my account settings, and it was populated again.  The next purchase used those credentials to login and authorize the purchase without my entering a password.

I understand that that Facebook is marketing this as a convenience for their users, but I object to having my credentials to a financial site automatically stored without my consent--and in fact after opting out multiple times, the behavior is clearly a standard practice for this site.  This is an unacceptable breach of privacy--I chose not to share the credentials and the site effectively stole them.  I would not consider it a convenience to find that a compromise of my social networking account had also caused a compromise of a financial account that I did not consent to share.

I did a study on the problem, turned in a paper with the results (I think I had just over 1,000 incidents) and got an A.  I had been bitten by the bug--it was too late.  I kept up the study, looking for new insights to be found in the data.  I added incidents over time, and found new sources as well.  Eventually, I had a database with 2,807 incidents over the span of 5 years. 

I wanted to publish the study so that the widest possible audience could benefit from the information.  I'm happy to announce the publications of The Leaking Vault - Five Years of Data Breaches.  I hope you find the contents useful.

Contingency planning for a data breach event should be viewed as a subset of the organization’s Incident Response Plan.  This plan is for a specific set of circumstances that will not occur during every incident—every event will not result in the discovery of a data breach.  When it does happen, however, preparation can make all the difference in the way a company handles the events that follow.

Like an Incident Response Plan, a team should be identified to handle the event.  Members of the team should be representatives of the company’s technical and business units, including Information Security, Public Relations, Legal, and any other group that may be needed, depending on the type of data disclosed.  For instance, publicly traded companies may want to include representatives from Investor Relations in addition to those listed above. 

Once the members of the team have been identified, a plan should be put together that addresses the questions in the first paragraph of this article—the plan may change somewhat based on the type of data disclosed and the function of the organization.  Each data type should be included if the response will be different.  The representative from Legal should be able to provide an overview of the laws that apply to each instance, as well as the breach laws for all the locations the company has customers.  Keep in mind this may include both domestic and international laws, based on the locations of the customers, not the company.  This matrix of relevant laws will be very useful in an actual incident as a quick reference. 

If services (such as credit monitoring) are to be offered, the time to investigate which service provider to engage is before a breach occurs.  This way, terms of service can be negotiated when urgency is not a factor.  The plan should document the terms once they are finalized, along with any contact information required to activate the use of the service.  A contact number should be established ahead of time for those who are notified to call should they have questions (this is included in the notification letter), and a script prepared in advance (as a sample, to be populated with relevant details if it is needed) for those who will be answering the phones.  (The group that will be answering these calls should also have a representative on the team to ensure that they can provide any planned services.)  Similarly, sample notification letters can be drafted as part of the plan.  This will save time during an incident when notification is necessary, and provide a consistent framework for notification over time.

On the topic of notification—the plan should include the organizations that need to be notified as well.  In some cases, depending on the data type, this may include the credit card brands (Visa, MasterCard, etc), the company’s bank, law enforcement or government agencies.  Some cases may include the need to notify the press, so sample press releases should be drafted.   

The final step with any of these types of plans is to conduct a trial run—a test of the plan’s completeness and correctness.  Annual testing will ensure that the plan is kept up to date with changes in the law, and with the members of the team.  It will also allow the organization the opportunity to make changes that are identified during the test to make the plan stronger and more useful. 

While no organization wants to believe that they will experience a data breach event, there are examples in the press of these events occurring regularly.  With planning and preparation, the response to such an event can be handled without panic, minimizing the impact of the breach event to the organization.

If you are interested, please consider getting involved with the organization.  We have a number of research projects, including establishing a Common Body of Knowledge for digital forensics, and building a Testimony Archive of court cases where digital forensics testimony was presented.  More information can be found on our website at www.digitalforensicsassociation.org. 

This is an excellent way to give back to those who have helped you along your career path, as well as to meet some amazing local practitioners and develop professional contacts in this area.  We are also soliciting companies and organizaitons that can provide internship (paid or unpaid) for those who have obtained training in digital forensics and now need to build that all-important initial experience. 

I hope to see you at a local chapter meeting soon!

If you have not already implemented a Security Awareness program in your company, you might think of putting something out soon about laptop theft. During the holidays, employees frequently go Christmas shopping after work, and in many cases, leave their laptops in their vehicles. In this uncertain economy in particular, it does not pay to leave valuables in plain sight in vehicles. Awareness programs should stress the following points:

• If possible, don’t bring the laptop.
• If they must bring it, put it in the trunk before leaving work not after arrival at the store.
• Putting the laptop in the trunk at the store is like raising a red “Here is stuff worth stealing” flag to any watching thief.
• If you bring it home, don’t leave it in your vehicle overnight—bring it in the house.

Thieves see an easily fenced (or gifted) electronic item. Their goal is probably not the data on the hard drive, but the company may find itself having to report a data breach. Ideally, the contents of the laptop will be encrypted and the laptop backed up on a regular basis to minimize the damage the loss of the equipment causes.