There are two issues here raised by the original story: (1) was Morgan Stanley negligent in merely password protecting rather than encrypting the private data; and (2) was a breach notification required by law.

Regarding the first issue, the original story used the words “…if Morgan Stanley had bothered…” to encrypt the data… etc. etc. You did not use quotation marks to attribute that comment to anyone else, so I am justified in assuming that was your editorial conclusion hence my comment about “…may have been cooked up by credit.com to spice up…”. Unfortunately, this is the phrase I picked up on that prompted my original blog, because with it your story fits the standard editorial slant we so often see: “Big Company ignores personal privacy…” Your story does not focus at all on the NY Tax Department and their culpability here. I mean, how could they possibly have been so lax as to lose the valuable data…? In your comment, you do not dispose of this question, and as a result you do not dispose of the impression a reader of your original story might have drawn that Morgan Stanley behaved negligently, unethically or illegally by not encrypting the data.

You also do not address why encryption was apparently not required by the NY Tax Department at the time. If they already had the mechanism in place to exchange the password, they could just as easily exchange a decryption key. Again, the impression from your story implies that Morgan Stanley cut corners. My bet is that NY Tax did not have the software available to decrypt at the time. Was this one of fifty sendings from MS to NY Tax that was password protected and went through no problem? Did NY Tax even have the ability to decrypt an encrypted file? If you had these answers you did not report them.

As to the second issue, that is not settled in your comment either. In your idt911 blog, you mention that the Tax Department said a breach notification was “required by law” and said here was a link but I could not see or click the link. I read the ISBNA and quoted the part in which a loss of data seemed not to be included as a breach notice triggering event. It is possible that Federal Law might require this and trump state law but I do not have a citation or court report. Federal law would not most likely apply to states either. Maybe you could send me the link that was hinted at in the idt911 blog post.

As for my facts not being straight, although I apparently did less digging than you did, my facts were solid. Had you said “…if Morgan Stanley had encrypted…” rather than used the word “bothered” or else attributed the “bothered” word to its origin, I might have written a different blog. And under ISBNA alone, breach notice is apparently not required in this case. If breach notice was not required, it was done only out of an abundance of caution as I stated. Given the number of people involved, the costs of breach notice and the impact on all involved parties were way less than having any sort of legal dispute.

I am not accusing you or anyone of deliberately distorting the facts. But to create the impression of negligence or fault without support is wrong and does a disservice to companies and workers who work very hard to do the right thing and to comply with often ambiguous laws and regulations.

There was no need to “cook up” any “editorial confusion” to “spice up” this story. Many companies do encrypt this data before sending it to state and federal tax agencies, even though doing so is not required. Morgan Stanley chose not to. Secondly, this incident is a data breach under ISBN precisely because the data on the CD-Roms was not encrypted. In this case, my sources tell me, notification of potential victims was required by law. There was no “sketchy access to the facts” here, unless one somehow misconstrues multiple interviews with all the parties involved as “sketchy.” And there was no advantage to be won. I simply reported this story, and then moved on to the next.

I’m afraid that in your piece, you have committed the error of which you accuse me. Had you called or emailed me, perhaps you could have gotten your facts straight before posting it.

Sincerely,
Chris Maag

You must ensure that a solid process is in place before considering a tool. It is always ill-advised to depend on a tool to provide the process.

I feel that when dealing with virus/malware threat, that the process behind handling and mitigating the threats must be in place and that the tool, in this case a virus scanner, is provided to help the process along. I think that IT Managers, in general, will typically lack in the planning of the process as a whole. Instead, they are looking for the silver bullet. As a result, they tend to rate the tools on the basis of silver bullets.

In this case, I do agree that the vendors should be provided more energy in the areas mentioned, but I also believe that the true effectiveness of any solution will depend on the planning, process, and end support.

While reading you posts regarding the Trials of a CISO it struck me that you are only discussing one side of the CISO responsibility. That of supporting the business unit. You are not addressing the fact that while salesmen are up against other salesmen and accountants are up against auditors and Federal policies and rules, the security professional is up against an adversary that has no rules, no budget, no morals nor conscience. We play in a different game than anyone except cops and soldiers. I agree that no one likes how we have to play the game but as defenders we do not get to make the rules, the attackers unfortunately make them. This is a statement totally lost on other C-level executives. They simply do not get that they have NO control over the threat, they cannot fathom that something would be so outside their sphere of influence and control. This is why they do not get “risk analysis”, because in the back of their mind they are convinced that we are “over-exaggerating” the threat. The NSA, DoD, and Intel community understand this but not many others do. I am a strong advocate for moving IT Security out of IT, they should be in the Audit department or in legal or reporting directly to the board or CEO anywhere but IT. I understand your proposal but in the end I am sorry to say that I believe it will be only marginally effective. Security, be it physical or cyber is not a priority until something goes wrong in most organizations. Strong, Bold CISO’s can and should be proactive in protecting an organizations data. Security is not a popularity contest and I have told countless college students the following; “If you have thin skin or need constant re-assurance that you are doing the right thing then this is not the career for you” no one will like you and most likely every day of your working life will be an argument about not taking the easy way. All that being said we still attract THE smartest of the bunch in security because we have so little time for nonsense I believe.

But there is a downside, I have been a very fringe player for the last few years, just now coming into the light of being a “playa”.

Much also has to do with my executive sponsor, he can decide in what sandbox I can play, with the big boys or with the nobodys in the server rooms.

What I have found difficult recently is that the present economy makes the economics of a secure organize harder to define. There is more value in short time to market solutions (albeit less secure) then delayed but secure solutions.

I loved this blog entry, as you phrased the issue better than I ever could have. Information security requires situational awareness, and you can’t achieve situational awareness without change management. Every business decision results in at least one IT change. If security isn’t aware of those changes and be in a position to influence them, we can’t prevent bad things from happening, let alone quickly detect and recover from them.

And when information security cannot prevent/detect/correct bad things (including security breaches), well, then they’re really asleep at the wheel.

You can find more information on the research in a paper I wrote for the SEI at http://bit.ly/9RMc4Z.

Gene, you’ve inspired me to write a series of blog articles describing these findings in more detail sometime in the near future… (Watch for it at http://www.tripwire.com/blog.)

Keep up the great work!

Sure. Please send email to eugeneschultz@emagined.com

Best wishes,

–Gene

http://www.naplesgov.com/Home/Privacy.aspx

http://oma.od.nih.gov/ms/privacy/faq.html

http://www.msstate.edu/dept/audit/0119.html

This one is excellent and should set an example. Notice the verbiage about use of cookies
http://www.defenselink.mil/warning/warn-dl.html

While you are connected to any web server the data you send to it is out of your hands, and is subject to storage, review, etc. This is nothing new and if you are reading this, you use a computer and likely submit data to someone’s web server on a daily basis. Second there is no evidence in the form of network traces, weblogs or virus alerts that the government is secretly putting malicious code on your system.
If that is ever the case, you can bet I’ll be among the first to protest. They did do the wiretapping, but pulling off a massive worm / virus attack would be difficult not to mention political suicide. Third, Glenn and his associate mentioned something about cookies spying on you. How ridiculous! Cookies store data about your preferences and specific session data. It is true that some cookies can be poorly written which can leave them around long past the web session they are associated with and sometimes poorly written cookies can store sensitive data like a password. But cookies are not malicious code like a worm or virus.

We do have many problems, but this one was over blown and taking away attention from more important issues (health care, middle east, economy). When a large news agency, such as Fox, makes a mistake and scares people, they should own the mistake and make amends. Hopefully Glenn has done this.