by C. Roy Payne
"For organizations that do it really well, security becomes integral. It's not, how can we fix a vulnerability, but how can we embed security into our business processes and functions?"
So says one security expert. At AccuImage, we couldn't agree more. Fortunately, there are a plethora of tools available on the market today that embed security into processes, functions and other technologies. Many of these tools interact with document and content management applications. Enterprise rights management technologies can work hand-in-hand with information management applications for securing content at the document and user levels.
At AccuImage, we also subscribe to the belief that the need to be vigilant about protecting data is a lesson best learned before disaster strikes. I'm sure all of our subscribers would agree that making headlines for data breaches is not an event to celebrate … nor are jeopardizing customer relationships, exposing intellectual property to competitors, and dealing with lawsuits and huge fines. The time to act is now. Information security is a very real threat today, affecting businesses and government agencies of all sizes, in all verticals, in all areas of the world.
We have dedicated this issue of The AccuView to protecting your valuable data, with the goal of educating our subscriber base about such hot topics as …
- The prevalence of data security concerns today (no, you're not alone); learn why executives fear security breaches in "Data Security Survey Stats."
- How the Federal Trade Commission is encouraging companies to start "Protecting Data from Breach" - and why we should all take notice.
- How "Enterprise Rights Management" technologies can (and should) be used in tandem with content management applications to secure various types of data.
- The Office of Management and Budget's recent demands for agencies to scrub their systems of SSNs; learn more in "Agencies Face SSN Scrubdown."
Although the last article focuses on federal agencies, all businesses have something to gain by taking a similar approach to scrubbing unnecessary Social Security numbers from their systems. The use of SSNs is prevalent not only in government, but also in industries like financial services and health care. Agencies and businesses use SSNs for various purposes, and there was a time where that practice seemed to make sense. Unfortunately, today, it just doesn't.
Please feel welcome to contact us with any questions. Our team can be reached at 615.242.7226.
Best regards,
C. Roy Payne
roy.payne@accuimagellc.com
Protecting Data from Breach
The legal community has long been aware that the FTC is empowered to prosecute breaches of published online privacy policies by businesses as unfair trade practices under Section 5(a) of the Federal Trade Commission Act, 15 USC 45(a). At the end of 2005, however, the FTC indicated a new direction with regard to the security of consumer information when it prosecuted BJ's Wholesale Club, Inc. for failure to appropriately protect consumer personal information, given that BJ's did not even maintain a posted privacy policy.
The Prosecution of Tomorrow
In a line of cases beginning with BJ's, the FTC insisted that the failure to employ "reasonable and appropriate security measures," including encryption of credit card or similar information, is itself an unfair trade practice. The FTC's reasoning was that these bad practices "caused substantial consumer injury that was not reasonably avoidable [by the consumer] and was not outweighed by countervailing benefits to consumers or competition." As a result of BJ's settlement and the cases that followed, companies of every size that collect and maintain consumer personal information are required to have an appropriate security program to protect that information.
Kim Verska, who leads the privacy and data security practice at FSB Corporate Counsel, explains, "The FTC has made clear that the information security system may be tailored to suit the size and complexity of a company's operations as well as the sensitivity of the personal information being maintained." Even so, there is a minimum standard that all companies must meet, regardless of size, as demonstrated by the FTC settlement with Guidance Software. In that case, Guidance was sanctioned for failing to implement "simple, inexpensive and readily available security measures" to protect personal data, such as not storing credit card numbers and passwords in clear, readable text on a computer network.
Ms. Verska states that "probably a majority of companies are unaware of their new vulnerability to FTC prosecution for this kind of charge." Further, given the pervasiveness with which consumer personal information is being collected today, she also recognizes that "it is likely to be an unwelcome surprise to many."
Protecting Your Consumer Data
The FTC summarizes the compliance obligations into five steps:
- Take Stock. Know what information you have in files and on computers.
- Scale Down. Keep only what you need for business.
- Lock It. Protect the information you keep.
- Pitch It. Properly dispose of what you no longer need.
- Plan Ahead. Create a plan to respond to security incidents.
[Source: DOCUMENT, June 2007]
Enterprise Rights Management
The widespread adoption of digital technology across various verticals in the industry has posed a challenge for organizations and their C-suites, as digitized content is still vulnerable to electronic thefts and piracy. The advantages of information being exchanged through the electronic medium cannot be denied, but at the same time, it has raised a key question regarding whether such transactions are taking place in a secure environment. Today, enterprises are no longer limited by geographic boundaries to conduct business and are, in fact, thriving on platforms and applications that enable the sharing of information, irrespective of location. Such convergence of technologies has not only minimized the impact of boundaries but has also given the flexibility to employees and customers for data exchange beyond the perimeters of an organization.
Assigning Enterprise Rights
Corporate executives have little control over how the data sent across various levels in the company is going to be used. In fact, there is now a greater danger of unprotected copies of sensitive information circulating, exposing such content to great risk. Such information leaks cost an organization a lot of money. If an organization's intellectual property lands in the wrong hands, it can not only damage the brand or company image but also hand an advantage to competitors. For example, sending an e-mail with confidential information to the wrong recipient could eventually result in mass distribution of the content. Similarly, an employee with dubious intentions could print or copy documents containing sensitive data, causing an information leak; hence the need for a solution that protects content throughout its lifecycle. This loss of sensitive data by enterprises has led to the birth of enterprise rights management (ERM) solutions.
ERM can be defined as solutions that render persistent protection to content in a business environment. This approach refers to software-based solutions that work to control access and usage of intellectual property by enveloping the content with a security wrapper and establishing rules as well as defining the rights of the user. These systems can protect content, which includes, but is not limited to, e-mails, documents, spreadsheets, etc. Essentially, ERM solutions establish policies within an organization as to who can use the content or information and how they can use it. Such policies allow or restrict the user to copy, print, forward, edit and share the content and associated functions depending on usage rights that have been established by the content owner.
ERM architecture is comprised of several components that complete the cycle of information protection. The process generally requires that the content creator be recognized as a trusted entity by the ERM server. Using an application that works in tandem with the ERM application, the user creates content and assigns usage rights, such as allowing the recipient to read but not print the document. The ERM application encrypts the document along with the license associated with it, and the document remains protected throughout delivery. When the recipient receives the information and tries to access it, a request goes to the ERM server to authenticate the recipient's identity. The server then issues a license specifying the rights defined by the content owner, and the recipient's application enforces those rights.
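The flow just described, as an added illustration that is not code from the article or from any ERM vendor: the server enrolls trusted entities, wraps the document under a content key it alone holds, issues a per-recipient license only after authenticating the requester, and the viewer enforces the licensed rights. It also shows the time-limited grants and revocation mentioned under "The Evolving Need of ERM Solutions." The HMAC-based keystream cipher, the HMAC identity proof and all names are constructed assumptions, not a real product's protocol.

```python
import hashlib, hmac, secrets

def _keystream_xor(key: bytes, data: bytes) -> bytes:
    # Constructed stand-in cipher: HMAC-SHA256 in counter mode as a keystream.
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, i.to_bytes(8, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def proof_for(secret: bytes, doc_id: str) -> bytes:
    # A trusted entity proves itself to the server with an HMAC over the doc id.
    return hmac.new(secret, doc_id.encode(), hashlib.sha256).digest()

class ERMServer:
    def __init__(self):
        self.users = {}    # identity -> enrolled secret (the trusted entities)
        self.keys = {}     # doc_id -> content key, held only by the server
        self.policy = {}   # doc_id -> {identity: (rights, expires_at)}
    def enroll(self, identity: str) -> bytes:
        self.users[identity] = secrets.token_bytes(32)
        return self.users[identity]
    def _auth(self, identity, proof, doc_id) -> bool:
        secret = self.users.get(identity)
        return secret is not None and hmac.compare_digest(proof, proof_for(secret, doc_id))
    def protect(self, owner, proof, doc_id, plaintext: bytes, grants):
        # The owner's grants define who may do what, e.g. {"bob": ({"read"}, 1000)}.
        if not self._auth(owner, proof, doc_id):
            raise PermissionError("creator is not a trusted entity")
        self.keys[doc_id] = secrets.token_bytes(32)
        self.policy[doc_id] = dict(grants)
        return {"doc_id": doc_id, "body": _keystream_xor(self.keys[doc_id], plaintext)}
    def license(self, identity, proof, doc_id, now: int):
        # The recipient authenticates; the server issues the rights the owner set.
        if not self._auth(identity, proof, doc_id):
            raise PermissionError("recipient could not be authenticated")
        grant = self.policy.get(doc_id, {}).get(identity)
        if grant is None or now > grant[1]:
            raise PermissionError("no current rights for this recipient")
        return {"key": self.keys[doc_id], "rights": set(grant[0]), "expires": grant[1]}
    def revoke(self, doc_id, identity):
        # Revocation: the next license request for this user is refused.
        self.policy.get(doc_id, {}).pop(identity, None)

def use_document(envelope, lic, action: str, now: int) -> bytes:
    # Viewer-side enforcement: the action must be licensed and the license unexpired.
    if now > lic["expires"] or action not in lic["rights"]:
        raise PermissionError(f"{action!r} is not permitted by this license")
    return _keystream_xor(lic["key"], envelope["body"])
```

Note that the content key never leaves the server except inside a license, so a copy of the envelope forwarded to an unenrolled party is useless on its own.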
An offshoot of digital rights management (DRM) technology, ERM solutions have finally made their way into the business environment. Though the technology has been around for several years, a lack of awareness that these solutions exist slowed demand for ERM in the past. However, falling prices and the integration of ERM with content management applications have boosted demand for rights management as a tool for protecting content from creation through distribution to consumption.
The Growth of the ERM Approach
A key factor in the growing implementation of ERM solutions as a tool to secure critical data is the need to comply with regulations such as HIPAA, the Gramm-Leach-Bliley Act and Sarbanes-Oxley. Often, companies consider regulations a burden and a hindrance to their ability to make money. However, as the C-suite becomes increasingly aware of the need for security beyond the firewalls of its organization, systems built on technologies like DRM that satisfy the requirements of these regulations will become even more important. The growth of a business today essentially depends on the trust established with consumers and other business partners. Information protection laws may seem burdensome to executives, but they ensure that consumer information and an organization's internal data remain secure and private, protecting the information and, in turn, the C-suite.
Outsourcing and offshore manufacturing and services are also big factors driving the need for ERM systems. Information that has crossed economic borders is even more vulnerable to compromise, because it falls under a different control mechanism or none at all. In addition, with many people working from home or traveling with very powerful mobile devices that hold sensitive information, data is shared among many people across many networks and devices, which increases the probability of exposing the content to someone whose intentions are not in the enterprise's favor. With the proliferation of mobile devices, it is easy to put information on a notebook PC and eventually store it on a home network or server, creating more opportunities for the content to get into the wrong hands. However, information that leaves a secure environment by way of notebooks, USB drives, compact discs and other media can be reasonably controlled by rights management systems.
The Evolving Need of ERM Solutions
Information residing within the periphery of an enterprise includes not only employee records but also financial statements, customer details and other business-related statistics. There is therefore a great need for a solution that defines the usage rights of such data and also provides persistent protection to critical information as it passes through various levels of the organization, by allowing only authorized users to access it. In fact, by implementing these solutions, organizations can revoke a user's rights, or grant access to content only for a limited time period. Further, several products on the market today secure content both when it is online and when it is offline.
ERM has clearly moved beyond the nascent stage and is poised for tremendous growth, due to the perennial need for security across all levels of an organization. ERM solutions - unlike firewalls and network proxies, which prevent an unauthorized user from entering the network - protect individual documents and establish control over how each document will be used and who will be able to open it. In addition, enterprises can integrate such ERM solutions with their existing applications. This combination of platforms not only supports the creation of content but also secures its delivery.
The Road to Rights Management
A key consideration for the CIO, the IT staff and the rest of the C-suite is educating employees about the need for, purpose of and advantages of ERM solutions. Depending on the size of the organization and its security goals, such solutions are often bundled and installed on the server, with the result that the rights management component is never effectively used, either because it is a low priority or because of a lack of information. The decision to implement ERM should therefore depend on what the organization wants to achieve with it.
In today's connected environment, where security breaches are common, the role of top management is critical in assessing the security needs of an enterprise and implementing a solution based on them. Companies incur financial losses when sensitive and confidential information lands in the hands of unauthorized users. Hence, it is essential to put mechanisms in place that both protect information and prevent data leakage. Executives who choose vendors with feature-rich products will find a return on their investment in ERM solutions while gaining an additional layer of security that establishes that information is being shared only between trusted entities.
[Source: DOCUMENT, June 2007]
Agencies Face SSN Scrubdown
Agencies face a daunting task to find and eliminate unnecessary Social Security numbers from their information systems, a chore that the Office of Management and Budget has asked agencies to complete by April 2009. Agencies frequently expose SSNs when they experience losses or unauthorized disclosures of personal information.
OMB has directed agencies to safeguard against further breaches by collecting and storing the least amount of personal information necessary. As part of a new policy, agencies must develop a plan for eliminating the unnecessary use of SSNs within 18 months after they establish a plan.
Complying with that policy to enhance data security will be difficult, said Dave Combs, chief information officer at the Agriculture Department. SSNs are embedded in countless government records as unique identifiers. In its most recent Federal Information Security Act report, OMB said federal agencies have identified 10,595 systems that need to be searched, and possibly scrubbed of personal information, including SSNs, to minimize the risk of exposure.
"Every personnel folder in the federal government is chock full of SSNs," Combs said. "There are lots of systems, and you can't just snap your fingers and change it overnight. This is a combination of discover and fix, an iterative process of looking at every piece of paper, every report, every system and every file, and discovering all places where we use Social Security numbers, in particular, and other private information," Combs said.
OMB has directed agencies to create alternative personal identifiers and participate in government-wide efforts to create unique identifiers for federal employees and federal programs. Agencies must also formulate a breach notification policy, to include OMB's requirements for incident reporting and external breach notification. OMB has also asked agencies to develop policies that define the responsibilities of individuals authorized to access personally identifiable information.
OMB's leadership in protecting personal information is welcome, said David Marin, a spokesman for Rep. Tom Davis (R-Va.), ranking member of the Oversight and Government Reform Committee. Davis said he was pleased that administration officials recognize that information security must be a government-wide priority, Marin said.
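The "discover and fix" pass Combs describes, as an added illustration that is not from the article or from any agency's tooling: a scanner that validates candidate SSNs against the SSA's structural issuance rules (so badge numbers and phone numbers are not flagged), inventories which source, record and field each one lives in, and replaces validated SSNs with a keyed surrogate, one way of producing the kind of alternative identifier OMB asks agencies to create. The record layout, file names and SSN values are constructed test data.

```python
import hashlib, hmac, re

# Dashed or space-separated groups only; bare 9-digit runs are skipped on purpose
# because they collide with other identifiers (lower recall, far fewer false hits).
SSN_RE = re.compile(r"(?<!\d)(\d{3})[- ](\d{2})[- ](\d{4})(?!\d)")

def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    # SSA structural rules: areas 000, 666 and 900-999 are never issued,
    # nor are group 00 or serial 0000.
    a = int(area)
    return a not in (0, 666) and a < 900 and group != "00" and serial != "0000"

def find_ssns(text: str) -> list:
    # Validated SSN strings found in one text value.
    return [m.group(0) for m in SSN_RE.finditer(text) if is_plausible_ssn(*m.groups())]

def scan_records(records) -> list:
    # records: (source, record_id, {field: value}) triples, e.g. rows exported from
    # a personnel system. One finding per field so the "discover" pass yields an
    # inventory of where SSNs actually live.
    findings = []
    for source, rec_id, fields in records:
        for field, value in fields.items():
            hits = find_ssns(str(value))
            if hits:
                findings.append({"source": source, "record": rec_id,
                                 "field": field, "count": len(hits)})
    return findings

def surrogate_id(ssn: str, key: bytes) -> str:
    # Deterministic alternative identifier (keyed HMAC): records still link
    # without carrying the SSN; only the key holder can recompute the mapping.
    digits = re.sub(r"\D", "", ssn)
    return "PID-" + hmac.new(key, digits.encode(), hashlib.sha256).hexdigest()[:12].upper()

def scrub(text: str, key: bytes) -> str:
    # The "fix" pass: replace each validated SSN with its surrogate identifier.
    def swap(m):
        return surrogate_id(m.group(0), key) if is_plausible_ssn(*m.groups()) else m.group(0)
    return SSN_RE.sub(swap, text)

# Constructed sample records; the SSNs are made-up test values.
SAMPLE = [
    ("hr/personnel.csv", 17, {"name": "J. Doe", "ssn": "123-45-6789",
                              "notes": "badge 000-12-3456"}),
    ("payroll/q2.txt", "p-9", {"memo": "Ref 321 54 9876 approved; phone 615-555-0100"}),
]
```

Run `scan_records(SAMPLE)` to get the inventory and `scrub(value, key)` per field to replace; the HMAC key must be kept by the authority that owns the surrogate mapping, since anyone holding it can test whether a given SSN maps to a given PID.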
[Source: Federal Computer Week, June 4, 2007]
AccuImage, LLC is a systems integrator that empowers their customers with solutions designed to gain the maximum value from their information at every point in the information lifecycle. Founded in 1996 and headquartered in Nashville, Tennessee, AccuImage specializes in the design, installation and support of document and content management systems, forms processing solutions, and electronic workflow systems. The company offers hardware and software from leading companies - AnyDoc Software, Böwe Bell+Howell, Canon, Captaris, Captovation, EMC Documentum, Fujitsu, Hewlett-Packard, IBM, Kodak, Kofax, Panasonic, Plasmon and Verity - as well as consulting, document conversion and professional services.