Palisade Blog

Welcome to Palisade Systems' Blog

Riding the Wave and Building the Buzz: How Google's Products May Affect the Enterprise

by jeremy 10. February 2010 23:18

With the introduction of Google Buzz this week there has been a lot of talk about how this is going to change communications. Of course, these are the same conversations people were having about Google Wave and how Wave was going to change collaboration for corporations and become the de facto enterprise software that was going to take on WebEx, SharePoint and other collaboration software out there.

Now, it's Buzz that's for the enterprise, as announced by Google. The company is going to be developing tools for the enterprise with Buzz and hopes that it will help move more people to Google Apps and the cloud, in its continued battle with Microsoft.

All of this, though, comes with security questions. Both Wave and Buzz allow people to share information - links, documents and more - easily with one-button links and uploads. Already, there are concerns about Buzz regarding security (although more identity security than data security) with the leakage of contacts that are just put out there on people's profiles (who you chat and email with is really only your own concern). But the real issue is the ease of sharing data and documents with anyone in your network - personal or professional - and how easy it is to share the wrong information.

Last quarter, we announced how PacketSure works with Twitter and Facebook, ensuring that data is protected and preventing data loss. In the same press release, we noted that the engineers were looking at Wave and how that affects DLP; now, we will of course be looking for the enterprise version of Buzz and seeing how that works, as well as taking a look at the consumer version of Buzz.

With all these social media tools - ones that we also love and use - we are not talking about becoming Luddites (or neo-Luddites), but we do believe that any good DLP policy includes employee education. While we stop information from being accidentally leaked, the educated employee understands what should and should not be shared (due to federal regulations and compliance, and more). The ease of sharing in Buzz and Wave brings that more to the forefront. And we continue to work on PacketSure to make sure that our customers are protected no matter what new services are out there.

Law Firms and Public Relations Firms Being Targeted

by jeremy 8. December 2009 23:38

When it comes to data loss prevention (or data leakage prevention), people think about the typical industries that deal with compliance issues - healthcare with HIPAA or education with FERPA or insurance and banking with PCI compliance.

The reality is that those are the industries that we see the most activity in for Palisade Systems, but there are many industries out there that have data loss and do not realize it is happening. The key issue is that most data loss does not occur out of malicious intent, but through unintentional mistakes. People attach documents in email, there is no secure email in a corporation, details are accidentally sent out over instant message ... those types of mistakes. Nothing purposely bad, but it happens.

Two recent events bring this to light for both law firms and public relations firms. 

From the law industry, one survey noted that 41 percent of workers who switch jobs take sensitive data. Another noted that redundancy might lead to more data leakage, but ethics are on the rise.

From the FBI, a recent report noted that public relations and law firms are both more susceptible to data leakage due to hacking; the scheme, though, is related to email through phishing attempts.

What these examples show us is that a comprehensive data loss prevention solution can help corporations protect themselves, their employees and, more importantly, their clients. With a system in place, law firms and PR firms can catch outgoing emails that are being sent to inappropriate contacts. A lot of secure data is passed back and forth between clients and firms - new hires, mergers & acquisitions, strategic planning - and in the wrong hands, that information can be used for market manipulation or worse.

What this means is that companies need to be diligent. They need to make sure that they have standards in place, that the computers and servers are fully protected, and that data is not being leaked or lost. 

Three New State Privacy Laws - Get Ready American Business

by steve 19. November 2009 10:54

There are three new individual state privacy laws that are spearheading stricter privacy regulation and foreshadow the future for other states.

Get ready American Business!

California led the way in 2003 with SB1386, which requires disclosure of any breach, even one affecting a single individual. In 2006, Illinois did the same thing with 815 ILCS 530.

Today, forty-four states require companies to notify individuals if there is a breach of their personal information. While many states require businesses to respond with notifications of data breaches, the new laws from Nevada, Connecticut and Massachusetts impose various compliance obligations on businesses to protect this information from a data security breach.

Nevada

Nevada (Nev. Rev. Stat. § 597.970(1)), enacted on October 1, 2008, states:

“A business in this State shall not transfer any personal information of a customer through an electronic transmission other than a facsimile to a person outside of the secure system of the business unless the business uses encryption to ensure the security of electronic transmission.”

Nevada’s law will expire on January 1, 2010 when a larger data security law will go into effect. This law will require all businesses storing or transmitting private data to be Payment Card Industry (PCI) DSS compliant. This is the first state to require all businesses accepting credit cards to comply with PCI DSS.

Connecticut

Connecticut enacted a law (Chapter 743 dd, section 42-471) on October 1, 2008 that goes beyond encryption, as companies need to “safeguard the data, computer files and documents containing the information from misuse by third parties”. It further requires them to “destroy, erase or make unreadable such data, computer files and documents prior to disposal.” This law focuses on Social Security numbers in particular.

Massachusetts

Massachusetts Data Privacy Law (201 CMR 17) is to take effect January 1, 2010, and companies need to be in full compliance by then. Proof of Compliance certification will be issued by the Office of Consumer Affairs and Business Regulation.

This by far is the most thorough of the state laws and I think this one in particular will set a milestone for others to follow.

The new regulation requires that personal information about any resident of Massachusetts be encrypted when stored or transmitted (regardless of where the business is located in the US). It mandates that companies establish a data compliance program consistent with the requirements of the federal sentencing guidelines.

Enforcement will be the responsibility of the attorney general.

In addition to Nevada, Connecticut, and Massachusetts, there is legislation pending in Washington and Michigan as well. As a trend, individual state government agencies are taking an increasingly active role in establishing regulations to protect residents' private data.

The views and opinions expressed and/or implied here are those of the individual contributors and do not necessarily reflect the views of Palisade Systems, Inc.