Wikileaks: Pandora’s Box Opened?
Most of us do not know very much about a Web site named “Wikileaks.org,” but recent events virtually guarantee that many if not most of us will soon learn considerably more about sites of this nature—whistleblower sites. Recently a disgruntled ex-employee of the Swiss bank Julius Baer posted sensitive customer account information on Wikileaks. Last month the bank pressed for and obtained an injunction from the US District Court in San Francisco that forced the site’s operators to take it offline. Activist organizations such as the Electronic Frontier Foundation (EFF) and the American Civil Liberties Union (ACLU), as well as The Associated Press, all of which filed briefs in the case, were unhappy with this ruling and pressed for its reversal. The ruling, they said, violated the First Amendment right to free speech, and the court could have simply required that the account information be removed rather than requiring that the site be shut down altogether.
Last week, only about two weeks after the original ruling, US District Court Judge White reversed his decision at a follow-up hearing and allowed the site to go back online. White said he had serious misgivings about whether the legal measures the bank sought were constitutional, and also about whether they “constituted prior restraint by the government.”
Wikileaks is actually only one of many Internet sites on which sensitive information is posted. If you know where to look, you’ll find an amazing amount of personal information on various sites, including information about people’s habits, preferences (including sexual preference), dating history, religious beliefs, home addresses, and more. On other sites disgruntled employees open up about detested co-workers, working conditions they deem deplorable, and the like. What is different about these sites is that few of the individuals whose names and information appear there are aware of the type and amount of information about them being posted, so few people care. In contrast, Wikileaks contains deliberately leaked corporate and government documents. Given that Swiss banks attract many of their customers by allowing individuals and organizations to deposit money there anonymously, imagine the strong reaction the executives of Julius Baer Bank must have had when they were informed that the identities of their account holders were publicly available on the Internet.
Just yesterday Julius Baer dropped its complaint, saying that it will use other methods to try to get Wikileaks to remove the posted documents. As a representative of the EFF said, once information is posted on the Internet, a ruling that it be retracted is moot.
The Wikileaks case offers some valuable lessons. First, organizations that have experienced data leakages such as the one Julius Baer Bank suffered are not likely to find legal action a suitable remedy—once the damage is done, it is done. Additionally, this case illustrates just how difficult preventing data leakage really is. Disgruntled and non-disgruntled employees alike get access to sensitive information as part of their job duties. Many studies show that disgruntled employees pose a much higher than average risk of perpetrating insider attacks. Few organizations, however, try to systematically identify disgruntled employees and provide mitigating measures such as employee counseling. Finally, I worry that very few of those charged with data protection truly understand just how many data compromise vectors potentially exist. Unfortunately, in many cases it will almost certainly take a rude wake-up call in the form of a major data security breach to substantially increase this understanding.