CIOs have a new name to know: Zubulake. And if they don’t, they could be heading for trouble. Zubulake is shorthand for the case of Zubulake v. UBS Warburg LLC, which was heard recently in a federal court in New York. The court’s decisions in that case established new standards for retaining electronic data.
“The courts are increasingly depending on companies and their lawyers to produce electronic evidence and to make sure it’s not destroyed,” says Adam Rosman, a lawyer at Zuckerman Spaeder LLP in Washington. “It was an obligation that didn’t previously exist.”
CIOs have had to contend with hackers, worms and viruses for years. And they’re getting a handle on new federal regulations that set additional security requirements. But even veteran IT executives may be ignorant of some crucial aspects of security law, like the requirements coming out of the Zubulake case, lawyers say.
These security measures, while important legally, fail to attract adequate attention because they’re evolving standards, they’re mixed in with responsibilities traditionally handled by other executives, or they’re simply downplayed by the executive suite.
“There is some important work to be done to bring the CIO and the security officers up to speed,” says J. Beckwith Burr, a partner at Wilmer Cutler Pickering Hale and Dorr LLP, which has headquarters in Boston and Washington.
1. A threat of legal or regulatory action against your company should spur you to adopt more-conservative data-retention procedures. This is just as important as abiding by the rules for data storage that have emerged from the Zubulake case and better-known mandates, such as the Sarbanes-Oxley Act. “When you get wind that someone might be thinking of suing you, you have to immediately change your document destruction procedures so you don’t destroy anything that might be evidence,” says Stuart Meyer, a partner at Fenwick & West LLP in Mountain View, Calif.
2. Security threats from employees represent another often-overlooked risk that could land CIOs and companies in legal trouble. Companies have an obligation to secure their information, even from their own employees, says Robert M. Weiss, a partner at Neal, Gerber & Eisenberg LLP in Chicago. For example, if an unauthorized employee accessed another employee’s personnel file, officers and the company itself could be sued.
3. Corporate relationships with third-party service providers also present potential legal problems, lawyers say. For example, most contracts today limit the liability of outsourced providers to the cost of the contract. “So if there is a security meltdown, contractually the vendor isn’t responsible,” Burr says.
4. Changes in best practices have come quickly with new laws, regulatory requirements and court decisions, and the implications could go well beyond initial expectations. Take, for example, federal laws such as the Gramm-Leach-Bliley Act, the Health Insurance Portability and Accountability Act and Sarbanes-Oxley. Most CIOs know that security standards are changing, and many use audits to find holes in their companies’ policies and procedures.
5. Double-edged audits. “If you have knowledge of a security gap and you don’t correct it and something happens, it’s hard to escape liability,” says David MacDonald, a New York-based partner at Kirkland & Ellis LLP. On the other hand, companies that fail to make reasonable efforts to find security gaps may also be liable.
http://www.computerworld.com/securitytopics/security/story/0,10801,101552,00.html