Editor's Desk: The ultimate insider threat - Information Security Magazine

The ways in which you protect your corporate data can be the difference between keeping your job and going to jail. Take it from HP.

By now you've heard about the HP imbroglio in which its chairwoman Patricia Dunn was forced to step down when it became public that HP used pretexting—obtaining phone records under false pretenses—to identify who leaked confidential information to reporters.

This corporate tale teaches security professionals a valuable lesson: The intersection of compliance, insider threats and data privacy laws conspires to pressure a security professional to walk the line—and perhaps cross it—in an effort to protect sensitive information from leaving a corporation.

Technology makes it easy to get such information, whether through pretexting, Trojans, email tracers or some other means. The question is how far companies (or you) will go to protect or obtain information under the guise of regulatory compliance.

The motivation behind Sarbanes-Oxley was to create checks and balances to ensure that another "Enron" would not occur. Ironically, in the case of HP, it created a rationalization for the company to do something that has been deemed illegal.

Under Sarbanes-Oxley, publicly traded companies have the legal responsibility to respect individuals' privacy—but they also have the legal and fiduciary responsibility to protect confidential information and investigate leaks. In HP's case, the company crossed the line:

An executive got Social Security numbers from HP's records and passed them on to an investigator to commit fraud. But other cases in corporate boardrooms may not be so clear.

Add privacy to the mix and it gets even murkier. Looking at company phone records and emails is fairly common and generally accepted. Different countries and different cultures have different thresholds and expectations when it comes to privacy.

The problem is that the distinctions between legal and illegal, and between ethical and unethical, are sometimes subtle. Is it illegal to be dishonest? Do the ends justify the means?

In the HP case, an employee knowingly passed on privileged information. In other cases, an employee unwittingly passes on sensitive information to an outsider.

The insider threat problem is a scenario that keeps CISOs up at night. As our Security 7 winner Craig Shumard recently put it: "We've only looked at the tip of the iceberg." In fact, our recent research on priorities for 2007 shows that insider threats are a top concern among security professionals. But how a CISO approaches or solves the problem can be the difference between you keeping your job and getting fired.

The HP scandal sounds eerily familiar. The methods that HP used are really nothing other than Kevin Mitnick's social engineering approach. Mitnick served five years in jail for his tactics. Should Dunn and her cohorts face a similar fate?

This was first published in November 2006