Wednesday, December 26, 2007

...and a Merry Christmas to all Class Action lawyers!

http://www.pogowasright.org/article.php?story=20071225091744873

Facebook alarms privacy advocates again

Tuesday, December 25 2007 @ 09:17 AM EST Contributed by: PrivacyNews News Section: Internet & Computers

Six weeks after Facebook launched a controversial advertising program that tracked its members around the Internet, the Palo Alto company is quietly testing a new system that slips links to its mobile software onto smart-phones on the T-Mobile USA network without the permission of the devices' owners.

BlackBerry owners can hide the blue-and-white Facebook icon, but they can not delete it.

Brandee Barker, director of corporate communications for Facebook, said users still must choose to use the mobile application and that no personal information will be at risk. She said Facebook will not share its members' data with T-Mobile or Research in Motion, which makes BlackBerry devices. In addition, she said, neither T-Mobile nor Research in Motion is sharing the information they gather about a person's location or the contacts stored on his or her BlackBerry with Facebook.

Source - SiliconValley.com



Unfortunately, a logical (perhaps not ethical) conclusion.

http://www.eweek.com/article2/0,1895,2240150,00.asp

Where Does TJX Lie on the Naughty-Nice Line?

December 24, 2007 By Evan Schuman

As the TJX case all but winds itself to a close, it's not a bad time to look at everything we've learned and try and answer the holiday-themed IT security question: Does TJX deserve a lump of coal for the worst data breach in credit card history, affecting some 100 million credit cards?

Regular readers of this column know that I have had a wide range of less-than-flattering things to say about the security setup of The TJX Companies, but there's a broader question here. TJX is a business. A $16-billion-a-year massive retail chain kind of business. As a publicly held company, it has a fiduciary obligation to do things in a certain way. [Not so. HOW they achieve goals is completely open. Bob]

If we move away from the question, "Did TJX do everything possible to try and protect consumer data?" (which merits a "What planet are you on? Of course it didn't,") and focus on, "Did TJX do what was reasonable and appropriate at the time it did it?" things look a lot different.

The latest news was utterly predictable. TJX's deal with Visa, in which TJX would give money to certain banks in exchange for promises to not sue, was approved overwhelmingly on Dec. 20. Two days earlier, TJX also worked out similar settlements with most of the banks suing it. In short, only one bank is left suing TJX and that litigation will happen in Alabama state court. The consumer class action lawsuit is essentially settled as well. (The final approval will come from a federal judge who has already said he will approve it.)

The core problem with the TJX cases is that the lawsuits wanted to accuse TJX of something that is not illegal in any state. They wanted to hold the retailer liable for not properly protecting consumer credit card data. But there isn't anything on the books in any state or the federal government that requires that. Some industry efforts—most notably the PCI DSS (Payment Card Industry's Data Security Standard)—seek to require it, but those efforts have no muscle, other than the ability to deny a chain the right to accept the cards for payment.

But the persuasive power of any threat is in direct proportion to the likelihood that said threat would ever be carried out. The card brands might exclude some tiny store to make a point, but the amount of lost revenue from excluding a Wal-Mart, a Target or a TJX would make that threat rather non-frightening.

One of TJX's defenses has been that its security wasn't materially worse than any other retailer of similar size. Sadly, it's a true point and one which we made in this column many months before TJX made it.

But that's not TJX making excuses. When the chief financial officer and CIO of any retailer evaluate technology investments, they look at the issues of return on investment (a big-time Achilles heel for security), risk avoidance (the savior for security) and keeping up with the Joneses. Expenditures will seem prudent as long as the company's security measures are not dramatically different from those of other similarly sized retailers.

Let's take a quick look at the lawsuits, because they become relevant here.

Myth #1: TJX was sued because it was breached. Reality: Tons of retailers are breached every week. TJX was sued because word of this breach was announced and—much more importantly—because TJX has deep pockets. Without sounding like a corporate titan apologist, the suggestion that TJX was sued because it has money is really not that far off.

Myth #2: TJX was sued because its security was pathetic. Reality: this myth is a lot closer to the truth, but again, tons of retailers have pathetic security. To honestly evaluate TJX's decisions requires a lot of context. Had TJX invested a lot more money in beefing up its security, would this breach have necessarily been prevented? How about future breaches? Had the TJX CFO asked that question a few years ago, I think the question would have been, "There's no way to make any system completely secure, sir, no. We could spend all this money and theoretically still get breached."

TJX was spending millions on security and its security systems—although weak—do not appear to be that much worse than others in that space.

The lawsuit issue is an interesting one. What if TJX had approved all of those security upgrades and still gotten breached? Even better, what if it had spent an extra $100 million and made its systems quite secure—much more so than similarly sized rivals—and avoided a breach? Now what if its profits plunged? Could not stockholders have sued the company for having spent money recklessly and needlessly? How many advertising campaigns and CRM (customer relationship management) programs and Web site upgrades would have been delayed because that money had been put into security? [Most unlikely. However, it would have been useful to have someone look at activity logs – they could have detected the hackers setting up new passwords. Bob]

I'm not saying that TJX was blameless. (I'm still waiting for an explanation of how intrusions continued to happen for multiple years before they were detected.) But I am pointing out that security investments are among the most difficult decisions and we need to be careful before criticizing those decisions.

A small window into the thinking of TJX came out in court filings that quoted TJX CIO Paul Butka's e-mails. They revealed a thoughtful internal debate about wireless security upgrades, in which cost was indeed a consideration, as it needed to be, and there was an intent to eventually make the upgrades.

That said, 'tis time to make that Santa Coal recommendation.

I'd say yes to coal for most of the major retailers for dropping the ball on security. Bigger chunks of coal need to go to state legislators and the U.S. House and Senate for failing to pass any laws protecting consumer data (although Minnesota got quite close). But to TJX? I'd give it a pass.

TJX theorized—correctly—that any breach wouldn't cause any impact on sales, as consumers (protected by the card brands' zero-liability deals) would stand by it. With that regrettable fact out there, it would have been extremely difficult for TJX to have justified spending much more than it did.


Well, this should solve everything!

http://www.pogowasright.org/article.php?story=20071225091459514

TJX creates executive jobs to deal with privacy issues

Tuesday, December 25 2007 @ 09:14 AM EST Contributed by: PrivacyNews News Section: Breaches

TJX Cos. is getting on the privacy bandwagon.

The Framingham parent of stores including TJ Maxx and Marshalls - and the target of a record-setting data breach discovered at the end of last year - has given the title of "chief privacy officer" to one of its senior executives and is looking to fill the position of "privacy director," according to a memo circulated by its search firm, Heidrick & Struggles.

.... TJX spokeswoman Sherry Lang declined to provide more details yesterday except to note that senior executive vice president for administration and business development Jeffrey Naylor also gained the title of chief privacy officer within the past year. "In today's world, privacy issues are increasingly challenging and are an area of ongoing focus for many large companies, including TJX," Lang wrote in an e-mail.

Source - Boston Globe



Interesting analysis. Makes me wonder if we (managers) made any real effort to understand computers until a few years ago. (see: The Dynamo and the Computer, Paul A. David)

http://www.news.com/Eight-business-technology-trends-to-watch/2030-1069_3-6223397.html?part=rss&tag=2547-1_3-0-5&subj=news

Eight business technology trends to watch

From the McKinsey Quarterly Special to CNET News.com December 26, 2007 4:00 AM PST

Technology alone is rarely the key to unlocking economic value: companies create real wealth when they combine technology with new ways of doing business.



See what happens when you elect Sonny Bono pharaoh?

http://www.int.iol.co.za/index.php?set_id=1&click_id=68&art_id=nw20071225181150885C328825

Egypt to copyright pyramids

December 25 2007 at 06:17PM

Cairo - In a potential blow to themed resorts from Vegas to Tokyo, Egypt is to pass a law requiring payment of royalties whenever its ancient monuments, from the pyramids to the sphinx, are reproduced.

Zahi Hawass, the charismatic and controversial head of Egypt's Supreme Council of Antiquities, told AFP on Tuesday that the move was necessary to pay for the upkeep of the country's thousands of pharaonic sites.

"The new law will completely prohibit the duplication of historic Egyptian monuments which the Supreme Council of Antiquities considers 100-percent copies," he said.

"If the law is passed then it will be applied in all countries of the world so that we can protect our interests," Hawass said.



For some of us, this is amusing.

http://www.bespacific.com/mt/archives/016930.html

December 25, 2007

1950-1955, The Intelligence Community

Press release: "The Office of the Historian, Bureau of Public Affairs, U.S. Department of State, released...a retrospective intelligence volume in the Foreign Relations of the United States series, documenting the development and consolidation of the intelligence community. This volume, The Intelligence Community, 1950–1955 (867 pages, PDF), is the sequel to The Emergence of the Intelligence Establishment, 1945–1950, published in 1996. This new volume, which is organized chronologically from January 1950 to December 1955, documents the institutional growth of the intelligence community during its heyday under Directors Walter Bedell Smith and Allen W. Dulles, and demonstrates how Smith, through his prestige, ability to obtain national security directives from a supportive President Truman, and bureaucratic acumen, truly transformed the Central Intelligence Agency (CIA). It closes with a collection of relevant National Security Council Intelligence Directives (NSCIDs) issued during the years 1950–1955 as approved by the National Security Council and the President, as well as revisions to earlier NSCIDs published in the Emergence of the Intelligence Establishment, 1945–1950."

No comments: