Ten years behind bars and a fine of $250,000 – that was the penalty for a hospital worker who tried to sell the private medical records of an FBI agent. Texas resident Liz Arlene Ramirez, 36, was found guilty of selling the confidential medical records of an FBI agent to a person she thought was working for a drug trafficker.
One U.S. state body sends out 64,000 letters containing private data to the wrong addresses; another 7 million people fill in online registration forms with their personal details in order to win non-existent iPods and video-game consoles. According to experts at InfoWatch, naivety and negligence are the two components of the notorious “human factor” that can never be cured.
A recent survey by the Business Roundtable shows that almost all of those polled are sure that their expenses on the Sarbanes-Oxley Act will not increase in 2006. According to experts at InfoWatch, this demonstrates that large businesses have, for the first time in many years, learnt to manage their regulatory spending and risks.
A laptop computer with the private details of almost 200,000 HP employees has been lost by the company Fidelity Investments. The data appears to have been unprotected, leaving those affected open to identity theft. It is the third incident involving a stolen laptop (Ernst & Young, and Vermont State College) that InfoWatch has reported on this week. The laptop computer with information on nearly 200,000 former and current HP employees was stolen last week, Silicon.com reports.
Thousands of Vermont State College staff and students have been informed that their social security and credit card numbers were on a laptop computer stolen from the car of a college employee. It is just the latest in a series of laptop thefts and one of three such incidents reported by InfoWatch this week.
The Recent Wave of Security Breaches
Hardly a week passes without a news story about the theft of personal data from a computer database of a major company or organization. In 2005 alone, the personal information of at least nine million people was compromised by database breaches at companies that keep such information.
Will external SOX audits reflect kinder, gentler control assessments? Recent SEC guidance stresses "reasonable" vigilance. But the PCAOB response to last year's audits might leave companies toeing a harder line. Too much or not enough? The message sent by the Public Company Accounting Oversight Board (PCAOB) in its latest round of inspection reports—including criticism of auditing work by each of the Big Four accounting firms—seems to contrast with an overall tone lately suggesting that firms need to back off on the level of detail they are examining.
Will a special “passport” issued to victims of identity theft help protect them from charges leveled by the police and credit organizations? No doubt it will, but, as InfoWatch points out, preventing the root cause of identity theft is a far more effective method of combating the crime. Legislators in the U.S. state of Iowa have suggested creating a special “passport” to help demonstrate the innocence of those affected by identity theft.
Yet more victims have been named in connection with the loss of confidential data by Ernst & Young. This time 40,000 U.S. workers of the oil giant BP were notified that a laptop containing their names and social security numbers ended up in the hands of criminals. InfoWatch has recently reported that Sun Microsystems, Cisco and IBM have also been affected by a spate of laptop thefts at the auditing firm.
Yet another company that failed to maintain its corporate archive properly has been exposed. Merrill Lynch has been fined $2.5 million for violating regulations governing the storage of e-mails. The U.S. Securities Exchange Commission (SEC) fined the brokerage firm Merrill Lynch $2.5 million for failing to store its electronic correspondence correctly.