jump to navigation

Privacy, Social Media, and Legislation September 29, 2012

Posted by Heather Mark in InfoSec & Privacy, Laws and Leglslation.
Tags: , , , , , , , ,
add a comment

This week marks the opening of a new chapter in the rocky marriage of privacy and social media.  California has passed two laws related to the protection of privacy on social media platform.

In SB1349, the state prohibits public or private post-secondary educational institutions from requiring students to provide the organization with access to the student (or student groups) social media sites.  Nor can the student or group be forced to divulge information contained on those sites.

AB 1844 is similar in nature, but applies to employers.  Specifically, the bill “would prohibit an employer from requiring or requesting an employee or applicant for employment to disclose a username or password for the purpose of accessing personal social media, to access personal social media in the presence of the employer, or to divulge any personal social media. This bill would also prohibit an employer from discharging, disciplining, threatening to discharge or discipline, or otherwise retaliating against an employee or applicant for not complying with a request or demand by the employer that violates these provisions.”

These bills are interesting in that they address a core concern around privacy and labor laws as they relate to social media.  Employers (and potential lenders) are prohibited from making decisions based upon race, gender, religion, politics, sexual orientation.  Most of this information, though, is available on individuals’ private social media profiles.  Amid increasing reports of employers requiring prospective employees to turn over credentials or access their sites in view of the employer, privacy advocates were becoming increasingly, and rightly, concerned that the rights of individuals to protect their personal lives from employers were being diluted.  These actions on the part of California serve to protect those rights.  Frankly, these actions can also protect employers and schools from being accused of discriminatory behavior by not providing them access to this information, which would otherwise be unavailable to them.

It will be interesting to see how quickly other states follow the lead that California has set.  Recall that California was the first state to pass a breach notification law and we now have 46 such laws nationwide.  So the question, to me, is when, not if, we are going to see the trend take shape.

 

 

 

“A Rose by Any Other Name…” – Selecting the Right InfoSec Professional August 22, 2012

Posted by Chris Mark in cybersecurity.
Tags: , , , , , , , ,
add a comment

Last week I had an experience that left me chuckling and shaking my head at the same time. I had been approached by a company that had some infosec needs.  According to the person with whom I spoke, they had found me on LinkedIn and wanted to talk.   This company had recently settled with some regulators over some privacy and other regulatory practices and were looking to beef up their security and compliance.   I spoke to one person for about an hour and a half and was asked to send more info.  Later that week I received a call from the person with whom I had spoken an was informed that the company was looking for someone with INFORMATION SECURITY experience.  I (likely not so politely) asked what they thought I did for a living?  His response was that the company was looking for someone with a computer science degree.  It was curious that they did not say an information assurance degree, or cybersecurity degree…or…list an certifications or skills…simply computer science.  Well then…there you have it.  Apparently, this company feels the only real qualification for ‘infosec’ is a computer science degree.   Considering their previous issues, you would think they would have a better handle on info sec and their needs.

When looking for an infosec professional understand that there are technical skills which are certainly important (encryption, configuring firewalls, devices, systems, app layer security etc., etc., etc.)  There are other aspects which are important, as well.  Understanding the compliance mandates as well as the various regulatory requirements and regimes is critical in today’s world.  While not specifically defined as ‘infosec’, an understanding of privacy issues (how data is used) is also important.  While understanding technology is critical, being a skilled infosec professional is about more than simply understanding technology and about more than computer science.  While I may not have been right for that particular engagement for other reasons, the company’s laser focus on a ‘computer science’ degree at the exclusion of the other aspects suggests this company may be focused on the wrong areas.  Maybe they should question why they had issues to begin with.

“Viva La Revolucion!”- Social Media; The New Yellow Journalism? May 3, 2012

Posted by Chris Mark in Industry News, Risk & Risk Management.
Tags: , , , ,
add a comment

In the late 19th Century, a phenomenon known as ‘yellow journalism’ took hold as newspapers battled for marketshare.  More specifically, it was the battle between Joseph Pulitzer and William Randolph Hearst which fostered the coining of the phrase.  At a high level, Yellow Journalism is defined as: “…a type of journalism that presents little or no legitimate well-researched news and instead uses eye-catching headlines to sell more newspapers.[1] Techniques may include exaggerations of news events, scandal-mongering, or sensationalism.”  In fact, Yellow journalism was blamed for the start of the Spanish American War.  In response, responsible journalists founded organizations such as the Society of Professional Journalists (founded 1909) and developed codes of ethics and responsible reporting.  Today, responsible, professional journalists adhere to a code of ethics or canons which dictate that they will report the truth accurately.  As stated in the SPJ: “Seek Truth and Report It”.   While some bend the rules, most reporters are accurate and professional.

With the rise of “bloggers”(this author included) and other social media ‘experts’ could it be that we are seeing the rise of a new wave of ‘Yellow Journalism’?  (more…)

Guest Post: “Of Payments, Privacy, and Social Networks” April 15, 2012

Posted by Chris Mark in Industry News, InfoSec & Privacy.
Tags: , , , , ,
add a comment

As I have been out of town at a charity event and had little time to blog, I am publishing a blog from the incomperable Dr. Heather Mark 😉  Please enjoy…

“By now, many of you have probably heard about the smartphone app creatively and aptly named “Girls Around Me.” For those that have not heard, it is essentially an application that aggregates the “check in” location data of women using Facebook, foursquare, and other social, location based services.  It then displays for the user the locations and names of “girls around” him (or her, I don’t think the app discriminates).  The app promises to “turn your town into a dating paradise.”  For privacy professionals, the app sparks an interesting debate.  Is privacy infringed if the person in question volunteers the information.  On one side of the argument are those that would say “no – if the user has volunteered information then privacy is not compromised by the application.”  The converse of that argument, however, is one that centers on a definition of privacy that hinges on the appropriate use of information.  If the user did not volunteer the information in an effort to join this “dating paradise” then privacy is certainly infringed.  Certainly, one can see that the application in the wrong hands has the potential for misuse.  But, what if we use the information for good, rather than evil?”  read more here! 

Social Media – Dangerously Anonymous & Plausibly Deniable March 19, 2012

Posted by Chris Mark in Industry News, InfoSec & Privacy, Risk & Risk Management, terrorism.
Tags: , , , , , ,
add a comment

Today on Foxnews was a story about a person who claimed to be an occupy Wall Street protester who tweated a threat to kill a police officer.  A user with the name “Smackema1” tweeted: “We won’t make a difference if we don’t kill a cop or 2,”  What is interesting about this is that the person had never attended any Occupy protests and was actually in Florida when he sent the tweet.  The author, who police are trying to identify, clarified his remarks to a Florida newspaper when he said: “It’s not like I meant anything of it. Who takes anything like that seriously? I’m in Florida, what am I going to do?”   (more…)

%d bloggers like this: