Accenture, the giant consulting company at the center of the controversy over a stolen computer tape containing confidential information on Connecticut taxpayers and government agencies, was involved in three other high-profile data breaches last year.
The Bermuda-based corporation last week became the target of a civil lawsuit filed by Attorney General Richard Blumenthal, who accused Accenture of negligence, unauthorized use of state property, and breach of its contract to implement the state's problem-plagued $124 million financial management system known as CORE-CT.
That system has been regularly and sharply criticized by the state auditors, who along with Blumenthal have launched a "whistleblower" investigation of how the Connecticut data ended up on the backup tape hefted from the car of a college intern. The intern, who was fired after he refused to resign and has complained that he was scapegoated, had worked on an accounting and payroll system Accenture installed for the Ohio state government. But Accenture also has come under intense criticism in connection with similar security breaches involving the U.S.
Department of Homeland Security's Transportation Security Administration; the Texas Department of Aging and Disability Services; and a Canadian provincial corporation, the British Columbia utility BC Hydro and Power Authority.
To Continue Reading: Click Here
---------------------------------------
Source: journalinquirer.com
Friday, September 28, 2007
Women in eDiscovery Panel to Speak at ‘The Masters Conference’
The Masters Conference, an educational conference staffed with well-respected and knowledgeable experts in the legal profession, announced today that Women in eDiscovery will hold a panel discussion titled, “Litigation Readiness: Reining in Your eDiscovery Costs (How to Save Millions).” A roster of female eDiscovery thought-leaders will come together for a discussion on how to strategically and tactually address cost containment through the development of a proactive approach to eDiscovery. For more information on The Masters Conference: E-Landscape and the FRCP Fallout, scheduled October 25-26, 2007, at Ronald Reagan Building, 1300 Pennsylvania Avenue, NW, Washington DC, visit http://www.themastersconference.com/.
Women in eDiscovery is a newly formed global organization with a mission to bring together businesswomen interested in technology related to the legal industry and to provide opportunities for them to help themselves and other businesswomen grow personally and professionally through leadership, education, networking support, and national recognition.
The Women in eDiscovery panel will be moderated by Monica Bay, editor-in-chief of Law Technology News, and author of the popular blog, The Common Scold. Other speakers on the Women in eDiscovery panel include:
• Catherine Muir – Senior Counsel with Sprint Nextel for nine years, overseeing the company’s records compliance and electronic discovery records.
• Amy Scearcy – Part of the corporate legal department at US Bank, Amy acts as a link between legal and IT recommending best practices for e-discovery as well as working on the electronic components of litigation. She has 10 years of experience in the litigation technology industry.
• Bonnie Courtland - eDiscovery Paralegal with Supervalu Inc. She is the co-founder and board member of the Minnesota eDiscovery Corporate Forum and is a frequent presenter on the topic of eDiscovery at the Minnesota Paralegal Institute.
• Carmen Oveissi Field – managing director with Daylight. She is a domain expert on electronic discovery and a frequent expert speaker on the topic.
• Shawnna Childress – Discovery Solutions Consultant with Encore Legal Solutions and co-founder of Women in eDiscovery. She is a 15-year veteran of the legal industry.
During last year’s “Masters Conference: E-Practice in the Electronic Age”, more than 200 attendees learned from industry experts as to what might happen once the new rules took effect.
To Continue Reading: Click Here
---------------------------------------
Source: theopenpress.com
Women in eDiscovery is a newly formed global organization with a mission to bring together businesswomen interested in technology related to the legal industry and to provide opportunities for them to help themselves and other businesswomen grow personally and professionally through leadership, education, networking support, and national recognition.
The Women in eDiscovery panel will be moderated by Monica Bay, editor-in-chief of Law Technology News, and author of the popular blog, The Common Scold. Other speakers on the Women in eDiscovery panel include:
• Catherine Muir – Senior Counsel with Sprint Nextel for nine years, overseeing the company’s records compliance and electronic discovery records.
• Amy Scearcy – Part of the corporate legal department at US Bank, Amy acts as a link between legal and IT recommending best practices for e-discovery as well as working on the electronic components of litigation. She has 10 years of experience in the litigation technology industry.
• Bonnie Courtland - eDiscovery Paralegal with Supervalu Inc. She is the co-founder and board member of the Minnesota eDiscovery Corporate Forum and is a frequent presenter on the topic of eDiscovery at the Minnesota Paralegal Institute.
• Carmen Oveissi Field – managing director with Daylight. She is a domain expert on electronic discovery and a frequent expert speaker on the topic.
• Shawnna Childress – Discovery Solutions Consultant with Encore Legal Solutions and co-founder of Women in eDiscovery. She is a 15-year veteran of the legal industry.
During last year’s “Masters Conference: E-Practice in the Electronic Age”, more than 200 attendees learned from industry experts as to what might happen once the new rules took effect.
To Continue Reading: Click Here
---------------------------------------
Source: theopenpress.com
HP tries archiving again
Making no bones about bugs in the previous version of the product, HP has re-named, reworked and widened the scope of its RISS archiving system in an effort to catch a market wave long enjoyed by other suppliers.
The RISS has been HP's flagship email archiving product since 2003. Based on technology originally developed by start-up Persist Technologies, it is a CAS or content-addressed storage system and as such competes with systems such as EMC's Centera disk archive.
Unlike the Centera, the RISS included its own email archiving software. Also unlike the Centera, the RISS has never been a hot seller. One source close to HP has said that bugs in the RISS box threw up a sales roadblock that prevented anything but limited sales.
Yesterday HP came clean. "Two years or eighteen months ago, maybe even only a year ago, there were challenges with the quality of the system," admitted HP's chief marketing officer Jonathan Martin.
"But we've got a new focus at HP and we've dealt with those problems," Martin. The device is now under the control of an HP business unit set up to take responsibility for archiving and backup products previously under the care of HP's storage division.
Martin said that HP can name reference customers that will testify that the bugs have been ironed out of the box. Even so, the OEM giant is trying to help customers forget the RISS heritage, by renaming the system as the HP Integrated Archive Platform. "This is RISS version 2," Martin confirmed.
The new name was obviously chosen to emphasize what HP believes is the best quality of the system, which is that it is ready-integrated.
"Organizations have been implementing archiving systems as a response to an event like audit or litigation, and typically they've gone out and bought say Enterprise Vault from Symantec, CAS from EMC, servers from Dell, and services from Deloitte, and then cobbled them all together," Martin said.
That contrasts with the ready-integrated turn-key nature of the HP system, although the IAP is not the only such product on the market. Another example is IBM's DR550 disk archive, which since around 2004 has stitched together IBM servers, Tivoli archiving software, and conventional non-CAS disk.
To Continue Reading: Click Here
---------------------------------------
Source: CBROnline
By: Tim Stammers
The RISS has been HP's flagship email archiving product since 2003. Based on technology originally developed by start-up Persist Technologies, it is a CAS or content-addressed storage system and as such competes with systems such as EMC's Centera disk archive.
Unlike the Centera, the RISS included its own email archiving software. Also unlike the Centera, the RISS has never been a hot seller. One source close to HP has said that bugs in the RISS box threw up a sales roadblock that prevented anything but limited sales.
Yesterday HP came clean. "Two years or eighteen months ago, maybe even only a year ago, there were challenges with the quality of the system," admitted HP's chief marketing officer Jonathan Martin.
"But we've got a new focus at HP and we've dealt with those problems," Martin. The device is now under the control of an HP business unit set up to take responsibility for archiving and backup products previously under the care of HP's storage division.
Martin said that HP can name reference customers that will testify that the bugs have been ironed out of the box. Even so, the OEM giant is trying to help customers forget the RISS heritage, by renaming the system as the HP Integrated Archive Platform. "This is RISS version 2," Martin confirmed.
The new name was obviously chosen to emphasize what HP believes is the best quality of the system, which is that it is ready-integrated.
"Organizations have been implementing archiving systems as a response to an event like audit or litigation, and typically they've gone out and bought say Enterprise Vault from Symantec, CAS from EMC, servers from Dell, and services from Deloitte, and then cobbled them all together," Martin said.
That contrasts with the ready-integrated turn-key nature of the HP system, although the IAP is not the only such product on the market. Another example is IBM's DR550 disk archive, which since around 2004 has stitched together IBM servers, Tivoli archiving software, and conventional non-CAS disk.
To Continue Reading: Click Here
---------------------------------------
Source: CBROnline
By: Tim Stammers
Morgan Stanley to pay $12.5 million fine to settle 9/11 e-mail charges
Morgan Stanley has agreed to pay $12.5 million to settle a case brought by the Financial Industry Regulatory Authority (formerly NASD) for failing to produce pre-9/11 e-mails to regulators and investor plaintiffs, while claiming that the destruction of the firm's email servers in the Sept. 11, 2001 terrorist attacks on New York's World Trade Center resulted in the loss of all pre-9/11 email.
FINRA found that Morgan Stanley made statements in numerous arbitration proceedings and to the former NASD, New York Stock Exchange Regulation and the Massachusetts Securities Division that those emails had been destroyed. Those statements were not true, the regulator said.
FINRA said Morgan Stanley actually had "millions of pre-9/11 e-mails" that had been restored to the firm's active email system using back-up tapes that had been stored in another location. Many other emails were maintained on individual users' computers and had not been affected by the events of 9/11.
The firm "later destroyed many of the pre-9/11 emails it did possess," FINRA said.
The regulator said Morgan Stanley did this in two ways - by overwriting backup tapes that had been used to restore the emails from 11 of its 12 servers to the firm's system, and by allowing users of the firm's email system to permanently delete the emails over an extended period of time.
As a result, between September 2001 and March 2005, the firm's former affiliate, Morgan Stanley DW, Inc. (MSDW), deleted millions of pre-9/11 emails from the company's systems."The integrity of our process demands that brokerage firms comply with their obligations to search diligently for, and provide in a timely way, information and documents required in arbitration proceedings and regulatory investigations," Susan Merrill, FINRA Executive Vice President and Chief of Enforcement, said in a statement.
"The action announced today underscores FINRA's commitment to ensuring that firms live up to those obligations. We are particularly pleased that this unique settlement directs the bulk of the monetary sanction to the customers in arbitrations, to remedy MSDW's discovery failures," she added.
Under the terms of the settlement, Morgan Stanley will deposit $9.5 million into a fund to pay customers who had arbitration cases against the firm. Morgan Stanley will pay all fund expenses, as well as the cost of hiring and compensating a fund administrator acceptable to FINRA.
To Continue Reading: Click Here
---------------------------------------
Source: wallstreetandtech.com
FINRA found that Morgan Stanley made statements in numerous arbitration proceedings and to the former NASD, New York Stock Exchange Regulation and the Massachusetts Securities Division that those emails had been destroyed. Those statements were not true, the regulator said.
FINRA said Morgan Stanley actually had "millions of pre-9/11 e-mails" that had been restored to the firm's active email system using back-up tapes that had been stored in another location. Many other emails were maintained on individual users' computers and had not been affected by the events of 9/11.
The firm "later destroyed many of the pre-9/11 emails it did possess," FINRA said.
The regulator said Morgan Stanley did this in two ways - by overwriting backup tapes that had been used to restore the emails from 11 of its 12 servers to the firm's system, and by allowing users of the firm's email system to permanently delete the emails over an extended period of time.
As a result, between September 2001 and March 2005, the firm's former affiliate, Morgan Stanley DW, Inc. (MSDW), deleted millions of pre-9/11 emails from the company's systems."The integrity of our process demands that brokerage firms comply with their obligations to search diligently for, and provide in a timely way, information and documents required in arbitration proceedings and regulatory investigations," Susan Merrill, FINRA Executive Vice President and Chief of Enforcement, said in a statement.
"The action announced today underscores FINRA's commitment to ensuring that firms live up to those obligations. We are particularly pleased that this unique settlement directs the bulk of the monetary sanction to the customers in arbitrations, to remedy MSDW's discovery failures," she added.
Under the terms of the settlement, Morgan Stanley will deposit $9.5 million into a fund to pay customers who had arbitration cases against the firm. Morgan Stanley will pay all fund expenses, as well as the cost of hiring and compensating a fund administrator acceptable to FINRA.
To Continue Reading: Click Here
---------------------------------------
Source: wallstreetandtech.com
Thursday, September 27, 2007
Opinion: Lost data tapes are non-events
The recent theft of a tape containing bank-account and other sensitive financial data for all Connecticut state agencies made for great headlines but, all things considered, it was probably a non-event (see "Connecticut sues Accenture over stolen backup tape").
Much of the concern about lost, misplaced and stolen tapes stems from the fear that the data stored on these tapes is in an unencrypted format. While this concern is certainly justified if a laptop or USB drive should go missing, the risk of just anyone retrieving usable data from a tape is almost nonexistent for the following reasons:
Numerous tape formats. 3592, 9840, 4mm, 8mm, LTO, SAIT and SDLT are just some of the available tape formats. To read data from any tape first requires access to a tape drive that can recognize and read that specific tape media.
Multiple generations of tape formats. Linear Tape Open is one of the newest tape formats at about nine years old, and it is already in its fourth generation -- LTO-4. However, a tape drive can only read data back from tape drives that are, at most, two generations older than the tape drive, and it can't read data stored on newer generations of tape cartridges.
Different backup software. There are as many brands and versions of backup software as there are of tape drives and tape. So unless the thief happens to have the right combination of backup software, tape drives and tape, the data will remain inaccessible.
To Continue Reading: Click Here
-----------------------------------------
Source: Computer World
By: Jerome Wendt
Much of the concern about lost, misplaced and stolen tapes stems from the fear that the data stored on these tapes is in an unencrypted format. While this concern is certainly justified if a laptop or USB drive should go missing, the risk of just anyone retrieving usable data from a tape is almost nonexistent for the following reasons:
Numerous tape formats. 3592, 9840, 4mm, 8mm, LTO, SAIT and SDLT are just some of the available tape formats. To read data from any tape first requires access to a tape drive that can recognize and read that specific tape media.
Multiple generations of tape formats. Linear Tape Open is one of the newest tape formats at about nine years old, and it is already in its fourth generation -- LTO-4. However, a tape drive can only read data back from tape drives that are, at most, two generations older than the tape drive, and it can't read data stored on newer generations of tape cartridges.
Different backup software. There are as many brands and versions of backup software as there are of tape drives and tape. So unless the thief happens to have the right combination of backup software, tape drives and tape, the data will remain inaccessible.
To Continue Reading: Click Here
-----------------------------------------
Source: Computer World
By: Jerome Wendt
E-discovery becoming a trend in civil cases
Divorce attorney Carol Goloff often hears stories from wives whose husbands have been unfaithful. The proof, she says, is in the printout.
"The spouse will always have the e-mails and instant messages," said Goloff, who has offices in Northfield and Upper Township. "I have more than a dozen cases where we have the actual transcripts of the online conversation."
When matrimonial bliss goes bust, attorneys are looking to technology - from laptops to BlackBerrys to E-ZPass - for evidence to build their cases. This new way of collecting information is called electronic discovery, or e-discovery, and it's changing the way law firms do business.
"As a trend, it's been the biggest development in civil litigation in decades," said attorney John Coughlin, of the law firm Duane Morris in Princeton.
Coughlin, who has written on the topic for the New Jersey Law Journal, said e-discovery has been essential in all types of cases, from murder trials to anti-trust lawsuits.
In one high-profile case in 2003, a former female employee of financial firm UBS Warburg successfully sued the company for employment discrimination, saying her boss made ridiculing and sexist remarks about her. E-discovery played a role when she requested related company e-mails, but UBS was found to have willfully deleted them.
New Jersey is one of the few states that has updated its Rules of Civil Practice, which govern civil suit procedures, to include e-discovery. In December, the Federal Rules of Civil Procedure were similarly revised.
While e-discovery can be costly and time-consuming in legal disputes, it has been a boon to businesses that specialize in computer forensics.
In a 2007 survey put out by Socha Consulting, an e-discovery consulting service in St. Paul, Minn., the revenue from e-discovery tools and services reached a reported $1.95 billion last year. The market, which shows no signs of slowing down, is expected to grow this year with revenues of $2.6 billion, according to the survey.
To Continue Reading: Click Here
-----------------------------------------
Source: pressofatlanticcity.com
By: Erik Ortiz
"The spouse will always have the e-mails and instant messages," said Goloff, who has offices in Northfield and Upper Township. "I have more than a dozen cases where we have the actual transcripts of the online conversation."
When matrimonial bliss goes bust, attorneys are looking to technology - from laptops to BlackBerrys to E-ZPass - for evidence to build their cases. This new way of collecting information is called electronic discovery, or e-discovery, and it's changing the way law firms do business.
"As a trend, it's been the biggest development in civil litigation in decades," said attorney John Coughlin, of the law firm Duane Morris in Princeton.
Coughlin, who has written on the topic for the New Jersey Law Journal, said e-discovery has been essential in all types of cases, from murder trials to anti-trust lawsuits.
In one high-profile case in 2003, a former female employee of financial firm UBS Warburg successfully sued the company for employment discrimination, saying her boss made ridiculing and sexist remarks about her. E-discovery played a role when she requested related company e-mails, but UBS was found to have willfully deleted them.
New Jersey is one of the few states that has updated its Rules of Civil Practice, which govern civil suit procedures, to include e-discovery. In December, the Federal Rules of Civil Procedure were similarly revised.
While e-discovery can be costly and time-consuming in legal disputes, it has been a boon to businesses that specialize in computer forensics.
In a 2007 survey put out by Socha Consulting, an e-discovery consulting service in St. Paul, Minn., the revenue from e-discovery tools and services reached a reported $1.95 billion last year. The market, which shows no signs of slowing down, is expected to grow this year with revenues of $2.6 billion, according to the survey.
To Continue Reading: Click Here
-----------------------------------------
Source: pressofatlanticcity.com
By: Erik Ortiz
How to Go Native Without Going South
Proceed with caution when producing native file format copies of enterprise e-mail
I could hear the frustration in her voice. "We keep going back and forth with the plaintiff's lawyer. I don't understand what he wants. Can you help us?"
Defense counsel was trying to satisfy an opponent bent on getting e-mail in "native file format." With each disk produced, the plaintiff's lawyer demanded, "Where's the e-mail?" Now he was rattling the sanctions saber. Poring over copies of what she'd produced, defense counsel saw the e-mail. "Why can't he see it?"
Reviewing the correspondence between the counsel, I spotted the problem. The e-mail was there, but in rich text format. Like many lawyers new to e-discovery, defense counsel regarded electronically stored information and native data as one and the same. They're not.
The IT department had dutifully located responsive e-mail on the mail server and furnished the messages as RTF, a generic format offering easy access and electronic searchability. Any computer can read RTF, so it's a reasonable choice. But it's not the native format.
CONTAINER FILES
The native format for virtually all enterprise e-mail is a container file lumping together relevant, irrelevant, personal and privileged communications, along with calendar data, to-do lists, contact information and more. The precise native format depends upon the e-mail client and server.
The prevailing enterprise e-mail application, Microsoft Corp.'s Exchange Server, uses a container file with the file extension EDB. Lotus Notes stores its e-mail on a Lotus Domino server in a container file with the extension NFS.
These containers are the "native file format" for server-stored e-mail, but they hold not only all then-existing e-mail for a specific user, but also the e-mail and other data for all users. Furnishing these files is tantamount to letting the opposition rifle through every employee's desk.
When enterprise e-mail is stored locally on a desktop or laptop system, it's almost always in a container file, sometimes called a compound file. For users of Microsoft's Outlook e-mail program (a "client application" in geek speak), the local container file is typically called "Outlook.PST" or "Outlook.OST." There may also be a file holding older e-mail called "Archive.PST." Collectively, these data are referred to as a user's "local PST."
To Continue Reading: Click Here
-----------------------------------------
Source: law.com
By: Craig Ball
I could hear the frustration in her voice. "We keep going back and forth with the plaintiff's lawyer. I don't understand what he wants. Can you help us?"
Defense counsel was trying to satisfy an opponent bent on getting e-mail in "native file format." With each disk produced, the plaintiff's lawyer demanded, "Where's the e-mail?" Now he was rattling the sanctions saber. Poring over copies of what she'd produced, defense counsel saw the e-mail. "Why can't he see it?"
Reviewing the correspondence between the counsel, I spotted the problem. The e-mail was there, but in rich text format. Like many lawyers new to e-discovery, defense counsel regarded electronically stored information and native data as one and the same. They're not.
The IT department had dutifully located responsive e-mail on the mail server and furnished the messages as RTF, a generic format offering easy access and electronic searchability. Any computer can read RTF, so it's a reasonable choice. But it's not the native format.
CONTAINER FILES
The native format for virtually all enterprise e-mail is a container file lumping together relevant, irrelevant, personal and privileged communications, along with calendar data, to-do lists, contact information and more. The precise native format depends upon the e-mail client and server.
The prevailing enterprise e-mail application, Microsoft Corp.'s Exchange Server, uses a container file with the file extension EDB. Lotus Notes stores its e-mail on a Lotus Domino server in a container file with the extension NFS.
These containers are the "native file format" for server-stored e-mail, but they hold not only all then-existing e-mail for a specific user, but also the e-mail and other data for all users. Furnishing these files is tantamount to letting the opposition rifle through every employee's desk.
When enterprise e-mail is stored locally on a desktop or laptop system, it's almost always in a container file, sometimes called a compound file. For users of Microsoft's Outlook e-mail program (a "client application" in geek speak), the local container file is typically called "Outlook.PST" or "Outlook.OST." There may also be a file holding older e-mail called "Archive.PST." Collectively, these data are referred to as a user's "local PST."
To Continue Reading: Click Here
-----------------------------------------
Source: law.com
By: Craig Ball
For Those Who Believe That Backup Does Archiving – NOT!
Faced with limited budgets and the desire to simplify operations, some IT executives believe that if they have a reliable backup procedure, it will also fulfill their archiving needs. But with new organization standards for accessing data and with legal and regulatory compliance mandates, IT executives expose themselves to greater costs and management risks by relying on this erroneous assumption. The good news is that archiving not only greatly reduces overall storage costs and addresses long-term data retention needs, but it also dovetails wonderfully with backup. When used intelligently, archiving greatly reduces the scope, expense, and complexity of backup, and thereby makes overall storage management operations much less expensive.
Backup is typically the process of copying large volumes of data onto alternative storage, which can be quickly recovered ‘en masse’ to rebuild an environment after a system crash or other disaster. The emphasis of backup is to rebuild a storage environment, reverting to a previous safe point-in-time, as fast a possible. To do this, backup software should be optimized for fast data transfer and managing multiple generations of points in time.
Archiving, on the other hand, is focused on data management needs. Archiving software copies or moves data off the primary store to less-expensive storage alternatives without compromising the organization’s ability to access the data if needed. It can do this to reduce the cost of storing seldom accessed data. Or, it can do this to ensure safe and compliant data retention under tighter IT control. Since unused data may still have a lengthy retention requirement, archiving particularly responds to the long-term management challenges of storing specific data over a long time period for compliance or legal reasons.
When you want to rebuild a failed system, backup is your tool. When you want to find a group of related files that haven’t been touched in 4 years, archiving provides the answer.
Backup is like insurance. Despite all that you invest in backing up the primary storage environment, as with insurance, you ardently hope you will never have to use your backups.
To Continue Reading: Click Here
-----------------------------------------
Source: wwpi.com
By: Patrick Dowling
Backup is typically the process of copying large volumes of data onto alternative storage, which can be quickly recovered ‘en masse’ to rebuild an environment after a system crash or other disaster. The emphasis of backup is to rebuild a storage environment, reverting to a previous safe point-in-time, as fast a possible. To do this, backup software should be optimized for fast data transfer and managing multiple generations of points in time.
Archiving, on the other hand, is focused on data management needs. Archiving software copies or moves data off the primary store to less-expensive storage alternatives without compromising the organization’s ability to access the data if needed. It can do this to reduce the cost of storing seldom accessed data. Or, it can do this to ensure safe and compliant data retention under tighter IT control. Since unused data may still have a lengthy retention requirement, archiving particularly responds to the long-term management challenges of storing specific data over a long time period for compliance or legal reasons.
When you want to rebuild a failed system, backup is your tool. When you want to find a group of related files that haven’t been touched in 4 years, archiving provides the answer.
Backup is like insurance. Despite all that you invest in backing up the primary storage environment, as with insurance, you ardently hope you will never have to use your backups.
To Continue Reading: Click Here
-----------------------------------------
Source: wwpi.com
By: Patrick Dowling
HP Aims to Make E-Discovery Easier
In this compliance-crazed, litigation-laden world we live in, business and IT executives better be prepared to deliver the digital data when demanded.
Easier said than done, though, as the volume of information your enterprise produces grows unabated.
Looking to help you get a handle on things and be prepared for the day when the subpoena comes, HP today announced new products and services that help customers better manage and optimize business information as well as their technology infrastructure.
The HP Integrated Archival Platform is a part of the company's Business Technology portfolio and is designed to help mitigate risk in electronic data discovery and compliance. It's also designed to lower costs through better use of data center assets. The new platform is designed to make a single point to manage e-discovery by providing the infrastructure and tools to store, search and retrieve e-mails, documents and images.
Today's news follows HP's April announcement of its business intelligence server. "The focus was on helping customers shift through data," said Tom Rose, worldwide product marketing director, HP Information Management, HP Software. "The focus has been on business intelligence. This time it's on e-discovery to help you prepare for the inevitable."
When it comes to data that might contain either incriminating or vindicating information, "e-mail is usually the smoking gun," Rose said. HP points to IDC research that shows that 87 billion e-mail messages were exchanged worldwide on a typical day in 2006. When it comes to e-discovery businesses face many challenges, but "e-mail is the biggest culprit," Rose said.
Enterprises have typically addressed e-discovery in one of two ways, Rose said. "They pray litigation doesn't happen," he said, or they cobble together a system that includes CAS and search and then buy integration services.
The HP Integrated Archive Platform is a factory-integrated product that includes HP Storageworks grid storage system, an HP Proliant server, HP's search and indexing technology and policy management software. The starting price is $71,000, Rose said.
To Continue Reading: Click Here
-----------------------------------------
Source: Enterprise Storage Forum
By: Dan Muse
Easier said than done, though, as the volume of information your enterprise produces grows unabated.
Looking to help you get a handle on things and be prepared for the day when the subpoena comes, HP today announced new products and services that help customers better manage and optimize business information as well as their technology infrastructure.
The HP Integrated Archival Platform is a part of the company's Business Technology portfolio and is designed to help mitigate risk in electronic data discovery and compliance. It's also designed to lower costs through better use of data center assets. The new platform is designed to make a single point to manage e-discovery by providing the infrastructure and tools to store, search and retrieve e-mails, documents and images.
Today's news follows HP's April announcement of its business intelligence server. "The focus was on helping customers shift through data," said Tom Rose, worldwide product marketing director, HP Information Management, HP Software. "The focus has been on business intelligence. This time it's on e-discovery to help you prepare for the inevitable."
When it comes to data that might contain either incriminating or vindicating information, "e-mail is usually the smoking gun," Rose said. HP points to IDC research that shows that 87 billion e-mail messages were exchanged worldwide on a typical day in 2006. When it comes to e-discovery businesses face many challenges, but "e-mail is the biggest culprit," Rose said.
Enterprises have typically addressed e-discovery in one of two ways, Rose said. "They pray litigation doesn't happen," he said, or they cobble together a system that includes CAS and search and then buy integration services.
The HP Integrated Archive Platform is a factory-integrated product that includes HP Storageworks grid storage system, an HP Proliant server, HP's search and indexing technology and policy management software. The starting price is $71,000, Rose said.
To Continue Reading: Click Here
-----------------------------------------
Source: Enterprise Storage Forum
By: Dan Muse
Wednesday, September 26, 2007
Rethinking the Decision Criteria for Choosing Tape
The traditional back-up and archival model has evolved, but as technology evolves the question becomes, is the role of tape changing? The simple answer is yes. For years, speeds and feeds have been the primary decision criteria when considering a tape back-up technology as a front-end device. Now, we see a technology shift where disk is the front-end component to the data management model. With this fundamental shift, it is no longer a question of whether your tape drive alone can manage a back-up window; but how tape fits with disk for data retention strategies.
Based on this changing model, we need to review and revise decision-making criteria with emphasis and priority on the features that best match today’s requirements for tape storage. Increasing the priority of reliability for recoverability and relegating tape speed to a much lower priority is required in order to choose the most cost-effective disaster recovery and archival tape technology.
Businesses cannot afford to use an unreliable product for disaster recovery and archival. When disaster strikes you will either need to recover files written many years earlier or you may be dealing with the only copy you have left. Which is why reliability is the first criteria in the decision making process. If businesses need to produce an archived file or search large volumes of data the critical question is...Will the file be recoverable? What is the reliability of the solution installed? Are systems installed to insure the media can and will be read? What technology is in place that assists the preservation of media and data integrity? The data written today must be the data read tomorrow.
Your second priority feature is space and density. In disaster recovery and archival, extended retention easily managed at a reduced cost is crucial. Generally, media used for both disaster recovery and archival have similar handling procedures – packed up and transported for storage off-site for extended periods. Picking the highest density capability of a tape storage medium will translate into cost savings. In addition to long-term storage, a common thread that runs throughout our industry and data centers is form factor and footprint. In virtually every instance, reduced rack space, reduced floor space and reduced off-site storage will save money.
While some technologies provide the ability to read legacy tapes written at lower capacities, not all manufacturers are introducing new tape designs with the specific purpose of providing optimized capacity utilization. Many companies, while demanding enterprise class reliability, in reality achieve much less than 50 gigabytes of daily incremental data archival. As an example, take a remote office with daily incremental data archival of 40 gigabytes to a 100 gigabytes LTO tape. Compressed, they are writing 20 gigabytes of data to a tape that holds 200 gigabytes compressed. Essentially, they are utilizing ten percent of the tape’s potential capacity. To maintain a compliant recovery model the incremental back-up is removed to an off-site facility daily to meet compliance policies. Most off-site facilities charge by either a per tape or volume of space basis so regardless of whether the tape has 20 gigabyte or 200 gigabytes of data you are charged the same cost. This common condition exemplifies a gross underutilization and incredible inefficiency in a capacity to cost equation. Selecting tape technology with the right capacity for data archived insures optimal cost effectiveness. Some tape technologies, such as AIT, allow businesses with remote offices to address capacity utilization and cross-organizational requirements with multiple capacity choices that have a backward read/write compatibility path between multiple generations of product in the market.
The time to re-evaluate the need for speed is now. Not because tape drives are too slow, but because many tape drives are not designed for the process we ask them to perform. Faster transfer rates do not always equal faster back-ups and in some cases can slow back-ups down as the media repositions in a “shoe-shining / back-hitching” motion or is stopped, when the system and/or network cannot process data fast enough to keep up with the recording speed requirements of the tape drive. The "shoe-shining / back-hitching" condition adversely impacts the performance of the tape drive, because high-speed transfer rates are negated by the limitations of the system versus speed. Additionally, if the selected tape technology is designed to write to alternate sections of tape when the buffer runs out, as a means to prevent stops and restarts, the tape media continues to stream and stops writing data resulting in underutilization of the media capacity.
To Continue Reading: Click Here
-----------------------------------------
Source: Computer Technology Review
By: Alan Sund
Based on this changing model, we need to review and revise decision-making criteria with emphasis and priority on the features that best match today’s requirements for tape storage. Increasing the priority of reliability for recoverability and relegating tape speed to a much lower priority is required in order to choose the most cost-effective disaster recovery and archival tape technology.
Businesses cannot afford to use an unreliable product for disaster recovery and archival. When disaster strikes you will either need to recover files written many years earlier or you may be dealing with the only copy you have left. Which is why reliability is the first criteria in the decision making process. If businesses need to produce an archived file or search large volumes of data the critical question is...Will the file be recoverable? What is the reliability of the solution installed? Are systems installed to insure the media can and will be read? What technology is in place that assists the preservation of media and data integrity? The data written today must be the data read tomorrow.
Your second priority feature is space and density. In disaster recovery and archival, extended retention easily managed at a reduced cost is crucial. Generally, media used for both disaster recovery and archival have similar handling procedures – packed up and transported for storage off-site for extended periods. Picking the highest density capability of a tape storage medium will translate into cost savings. In addition to long-term storage, a common thread that runs throughout our industry and data centers is form factor and footprint. In virtually every instance, reduced rack space, reduced floor space and reduced off-site storage will save money.
While some technologies provide the ability to read legacy tapes written at lower capacities, not all manufacturers are introducing new tape designs with the specific purpose of providing optimized capacity utilization. Many companies, while demanding enterprise class reliability, in reality achieve much less than 50 gigabytes of daily incremental data archival. As an example, take a remote office with daily incremental data archival of 40 gigabytes to a 100 gigabytes LTO tape. Compressed, they are writing 20 gigabytes of data to a tape that holds 200 gigabytes compressed. Essentially, they are utilizing ten percent of the tape’s potential capacity. To maintain a compliant recovery model the incremental back-up is removed to an off-site facility daily to meet compliance policies. Most off-site facilities charge by either a per tape or volume of space basis so regardless of whether the tape has 20 gigabyte or 200 gigabytes of data you are charged the same cost. This common condition exemplifies a gross underutilization and incredible inefficiency in a capacity to cost equation. Selecting tape technology with the right capacity for data archived insures optimal cost effectiveness. Some tape technologies, such as AIT, allow businesses with remote offices to address capacity utilization and cross-organizational requirements with multiple capacity choices that have a backward read/write compatibility path between multiple generations of product in the market.
The time to re-evaluate the need for speed is now. Not because tape drives are too slow, but because many tape drives are not designed for the process we ask them to perform. Faster transfer rates do not always equal faster back-ups and in some cases can slow back-ups down as the media repositions in a “shoe-shining / back-hitching” motion or is stopped, when the system and/or network cannot process data fast enough to keep up with the recording speed requirements of the tape drive. The "shoe-shining / back-hitching" condition adversely impacts the performance of the tape drive, because high-speed transfer rates are negated by the limitations of the system versus speed. Additionally, if the selected tape technology is designed to write to alternate sections of tape when the buffer runs out, as a means to prevent stops and restarts, the tape media continues to stream and stops writing data resulting in underutilization of the media capacity.
To Continue Reading: Click Here
-----------------------------------------
Source: Computer Technology Review
By: Alan Sund
US rules will affect your data
The way in which organisations handle their electronic data is changing for CIOs
Yet another aspect of compliance is about to loom large on the chief information officer (CIO) agenda.
Recent changes to Federal rules of civil procedure governing lawsuits in the US will have big implications for UK CIOs who also operate Stateside.
The procedure raises questions about how an organisation handles electronic evidence and alongside other legislation requires companies to be able to locate relevant information wherever it is stored.
Software that is used to automate the so-called e-discovery process is starting to arrive on the market.
Eventually CIOs will be able to look to a single system capable of automating the whole spectrum of consolidated archiving, analytics and real-time policy management.
E-discovery software could best be described as being a linguistics engine with specialist tools that analyse words and the construction of phrases and sentences in stored, unstructured text files.
Such applications are fronted by a deliberately simple user interface, so that any business user could carry out searches in natural language. E-discovery software is ultimately capable of searching and discovering information held, not only in documents and applications, but in voice and video records as well.
Regulatory and judicial bodies recognise the area is enormously complex. The unique characteristics of electronic data, compared with paper records, present unprecedented challenges for the CIO.
But start to examine electronic information and records management from the three different perspectives of legal, records management and IT, and it quickly becomes clear that software tools are only part of the issue.
Obligations of the litigation process such as the duty to preserve information that is, or may become, discoverable differ greatly from the operational needs of data storage, where data deletion and destruction is a real and acceptable stage in the information lifecycle.
To Continue Reading: Click Here
---------------------------------------
Source: VNUnet
By: Nick Kirkland
Yet another aspect of compliance is about to loom large on the chief information officer (CIO) agenda.
Recent changes to Federal rules of civil procedure governing lawsuits in the US will have big implications for UK CIOs who also operate Stateside.
The procedure raises questions about how an organisation handles electronic evidence and alongside other legislation requires companies to be able to locate relevant information wherever it is stored.
Software that is used to automate the so-called e-discovery process is starting to arrive on the market.
Eventually CIOs will be able to look to a single system capable of automating the whole spectrum of consolidated archiving, analytics and real-time policy management.
E-discovery software could best be described as being a linguistics engine with specialist tools that analyse words and the construction of phrases and sentences in stored, unstructured text files.
Such applications are fronted by a deliberately simple user interface, so that any business user could carry out searches in natural language. E-discovery software is ultimately capable of searching and discovering information held, not only in documents and applications, but in voice and video records as well.
Regulatory and judicial bodies recognise the area is enormously complex. The unique characteristics of electronic data, compared with paper records, present unprecedented challenges for the CIO.
But start to examine electronic information and records management from the three different perspectives of legal, records management and IT, and it quickly becomes clear that software tools are only part of the issue.
Obligations of the litigation process such as the duty to preserve information that is, or may become, discoverable differ greatly from the operational needs of data storage, where data deletion and destruction is a real and acceptable stage in the information lifecycle.
To Continue Reading: Click Here
---------------------------------------
Source: VNUnet
By: Nick Kirkland
CACI to aid SEC with e-discovery
CACI International Inc. will provide electronic document discovery and computer forensics solutions to the Securities and Exchange Commission’s Division of Enforcement under a new five-year, $48 million contract.
The Federal Systems Integration and Management Center of the General Services Administration awarded the contract under the Millennia Lite contract vehicle. The contract increases the size and scope of electronic document discovery services the company has been providing to the SEC on other contracts.
Since information is now routinely stored in electronic form, electronic document discovery has become an important part of the business of government. It essentially involves the successful location and retrieval of information from stored electronic documents.
As the SEC enforces regulations governing the securities industry, CACI’s electronic document discovery solutions help the SEC convert electronic documents into formats that SEC attorneys can use to prepare their legal cases. The company’s computer forensics services provide the tools necessary to systematically inspect a computer system and its contents for evidence, while also preserving the integrity of the original data.
To Continue Reading: Click Here
---------------------------------------
Source: washingtontechnology.com
The Federal Systems Integration and Management Center of the General Services Administration awarded the contract under the Millennia Lite contract vehicle. The contract increases the size and scope of electronic document discovery services the company has been providing to the SEC on other contracts.
Since information is now routinely stored in electronic form, electronic document discovery has become an important part of the business of government. It essentially involves the successful location and retrieval of information from stored electronic documents.
As the SEC enforces regulations governing the securities industry, CACI’s electronic document discovery solutions help the SEC convert electronic documents into formats that SEC attorneys can use to prepare their legal cases. The company’s computer forensics services provide the tools necessary to systematically inspect a computer system and its contents for evidence, while also preserving the integrity of the original data.
To Continue Reading: Click Here
---------------------------------------
Source: washingtontechnology.com
Multinationals Take a Global View of EDD
Information technology has undeniably become a key element of most business organizations, supporting both the primary methods of communication and the means of processing and storing vast amounts of proprietary information. The application of technology systems to the day-to-day activities of business has naturally caused electronically generated and stored information to become a primary target for litigation discovery requests.
In response to what are now commonplace requests for discovery of such information, the Federal Rules of Civil Procedure have been amended to include specific provisions relating to discovery of electronically stored information. This change, along with the growing body of case law concerning electronic discovery, reflects the legal community's effort to catch up with the rapid progress of technology.
Both lawyers and their clients have an obligation to adjust their respective practices to respond to the consequences of these legal developments. For a multinational corporation, the challenge of implementing policies to ensure compliance is twofold: First, the corporation must determine whether and to what extent its foreign affiliates should also establish compliance policies in light of the broad scope of U.S. discovery. Second, the corporation must ascertain which forms of electronic information should be considered when developing these policies and how they can be implemented to strike a balance between legal considerations and effective business practices.
DOMESTIC AND INTERNATIONAL SCOPE
Pursuant to the language of the federal rules, the touchstone for discoverability is whether the information sought is within the litigant's "possession, custody, or control." Consistent with the full disclosure approach that embodies the spirit of the American legal system, the notion of "control" is broadly construed: "It does not require that the party have legal ownership or actual physical possession of the documents at issue; rather, the documents are considered to be under a party's control when the party has the right, authority or practical ability to obtain the documents from a non-party to the action," according to the Southern District of New York's In re NTL Securities Litigation.
Moreover, as litigation increasingly involves organizations that operate on a multinational level, this analysis isn't limited to information stored on U.S. soil. As the threshold for production of documents is control not location, it is well established that the Federal Rules permit litigants to obtain discovery of information located in foreign jurisdictions. A litigant seeking such information located in a foreign jurisdiction need not refer to the Hague Convention on Taking Evidence Abroad in Civil or Commercial Matters before proceeding with its Rule 34 request. Although the convention provides optional guidelines for obtaining evidence abroad, it does not pre-empt the authority of the federal rules.
To Continue Reading: Click Here
---------------------------------------
Source: law.com
By: Stefanie Jill Fogel and Lauren E. Bishow
In response to what are now commonplace requests for discovery of such information, the Federal Rules of Civil Procedure have been amended to include specific provisions relating to discovery of electronically stored information. This change, along with the growing body of case law concerning electronic discovery, reflects the legal community's effort to catch up with the rapid progress of technology.
Both lawyers and their clients have an obligation to adjust their respective practices to respond to the consequences of these legal developments. For a multinational corporation, the challenge of implementing policies to ensure compliance is twofold: First, the corporation must determine whether and to what extent its foreign affiliates should also establish compliance policies in light of the broad scope of U.S. discovery. Second, the corporation must ascertain which forms of electronic information should be considered when developing these policies and how they can be implemented to strike a balance between legal considerations and effective business practices.
DOMESTIC AND INTERNATIONAL SCOPE
Pursuant to the language of the federal rules, the touchstone for discoverability is whether the information sought is within the litigant's "possession, custody, or control." Consistent with the full disclosure approach that embodies the spirit of the American legal system, the notion of "control" is broadly construed: "It does not require that the party have legal ownership or actual physical possession of the documents at issue; rather, the documents are considered to be under a party's control when the party has the right, authority or practical ability to obtain the documents from a non-party to the action," according to the Southern District of New York's In re NTL Securities Litigation.
Moreover, as litigation increasingly involves organizations that operate on a multinational level, this analysis isn't limited to information stored on U.S. soil. As the threshold for production of documents is control not location, it is well established that the Federal Rules permit litigants to obtain discovery of information located in foreign jurisdictions. A litigant seeking such information located in a foreign jurisdiction need not refer to the Hague Convention on Taking Evidence Abroad in Civil or Commercial Matters before proceeding with its Rule 34 request. Although the convention provides optional guidelines for obtaining evidence abroad, it does not pre-empt the authority of the federal rules.
To Continue Reading: Click Here
---------------------------------------
Source: law.com
By: Stefanie Jill Fogel and Lauren E. Bishow
IT practices inadequate for forensic evidence
IT management practices inadequate to preserve forensic evidence
The second annual New Zealand Computer Crime and Security Survey has revealed New Zealand organisations are ill-equipped to preserve computer forensic evidence.
The University of Otago conducted survey – which aims to raise the level of security awareness and determine the scope of computer crime in New Zealand – has found that IT management practices are inadequate when it comes to the preservation of forensic evidence that could lead to criminal convictions for computer hackers or fraudulent employees.
University of Otago researcher KJ Spike Quinn is concerned that New Zealand organisations do not appreciate the full seriousness of computer crime and associated consequences – both financially and with regard to the reputation of an organisation.
“Management of forensic capability is woefully short of ensuring admissibility of evidence in court. Having a suitably trained person first on the scene makes all the difference in whether a prosecution is successful,” Mr Quinn says.
Most organisations reported having the basic protection, such as antivirus and firewall technologies in place, but only 7 per cent of respondents had a forensically-trained first responder.
When an incident or intrusion occurred, 40 per cent reported it to management and 30 per cent did their best to patch security holes in network systems. Only 16 per cent reported intrusions to law enforcement. A third of the respondents who did not report intrusions to law enforcement were unaware of law enforcement interest.
Sixty-six per cent of New Zealand organisations invest of up to 5 per cent of their IT budget on security issues, compared to the 43 per cent Australian and 55 per cent United States figures.
“This investment figure initially sounds good, but AusCERT found in its 2006 report that 51 per cent of respondents considered an investment of up to 5 per cent to be inadequate. We need to be investing more now to be protected in the long term,” Mr Quinn says.
Only 5 per cent of New Zealand organisations spent more than 10 per cent of their IT budget on security, compared with 13 per cent in the United States and 14 per cent in Australia.
“These figures, coupled with the forensic readiness finding, predict a rise in failed prosecutions. The implementation of basic policies and procedures, plus basic security training, need to be adopted more widely. If there’s no training and no procedure laid down, you can’t expect staff to act appropriately,” Mr Quinn says.
To Continue Reading: Click Here
---------------------------------------
Source: scoop.co.nz
The second annual New Zealand Computer Crime and Security Survey has revealed New Zealand organisations are ill-equipped to preserve computer forensic evidence.
The University of Otago conducted survey – which aims to raise the level of security awareness and determine the scope of computer crime in New Zealand – has found that IT management practices are inadequate when it comes to the preservation of forensic evidence that could lead to criminal convictions for computer hackers or fraudulent employees.
University of Otago researcher KJ Spike Quinn is concerned that New Zealand organisations do not appreciate the full seriousness of computer crime and associated consequences – both financially and with regard to the reputation of an organisation.
“Management of forensic capability is woefully short of ensuring admissibility of evidence in court. Having a suitably trained person first on the scene makes all the difference in whether a prosecution is successful,” Mr Quinn says.
Most organisations reported having the basic protection, such as antivirus and firewall technologies in place, but only 7 per cent of respondents had a forensically-trained first responder.
When an incident or intrusion occurred, 40 per cent reported it to management and 30 per cent did their best to patch security holes in network systems. Only 16 per cent reported intrusions to law enforcement. A third of the respondents who did not report intrusions to law enforcement were unaware of law enforcement interest.
Sixty-six per cent of New Zealand organisations invest of up to 5 per cent of their IT budget on security issues, compared to the 43 per cent Australian and 55 per cent United States figures.
“This investment figure initially sounds good, but AusCERT found in its 2006 report that 51 per cent of respondents considered an investment of up to 5 per cent to be inadequate. We need to be investing more now to be protected in the long term,” Mr Quinn says.
Only 5 per cent of New Zealand organisations spent more than 10 per cent of their IT budget on security, compared with 13 per cent in the United States and 14 per cent in Australia.
“These figures, coupled with the forensic readiness finding, predict a rise in failed prosecutions. The implementation of basic policies and procedures, plus basic security training, need to be adopted more widely. If there’s no training and no procedure laid down, you can’t expect staff to act appropriately,” Mr Quinn says.
To Continue Reading: Click Here
---------------------------------------
Source: scoop.co.nz
Security Experts Pitch 'Culture of Data'
The companies that are having the most success in advancing their data security efforts are those that are finding a way to protect information without getting in the way of users, industry experts maintain.
In crafting their data-handling policies and selecting from the multitude of security technologies at their fingertips, those businesses that can foster both ready access to information, along with strong defenses for end-users and IT systems, are making progress the fastest, claim leading vendors and service providers.
After years of "throwing technologies" at the data security problem while juggling complex business demands along with external threats and regulatory compliance audits, some businesses are finally discovering that they can simplify the entire process by taking a more comprehensive approach to tailoring their programs to the manner in which their users access, handle, and share information.
Even within IT giants like IBM, the struggle to balance security issues with emerging business demands to work with information in new ways hasn't always been approached in this manner, said Julie Donahue, vice president of the security and privacy service in the company's Global Technology Services group.
Only through experience and ongoing efforts to constantly rationalize security policies with business demands has the massive firm been able to get a grip on its own data-handling needs, she said.
"Customers need to step back and see what their own culture wants. If we locked down everything within IBM, it would be so difficult to manage that we would have a serious management problem, so you have to ask questions around culture before you begin thinking of enforcement," said Donahue.
"You have to assess the risk environment and think of this as a holistic problem in terms of how you place bets and need to manage pools of risk, even though that for most CIOs it often feels like you have to spend your time going day-to-day dealing with the crisis of the moment," she said. "You really need to look at where to make the right investments, where to do enforcement, and where to monitor to have a truly strategic view."
To Continue Reading: Click Here
---------------------------------------
Source: CIO
In crafting their data-handling policies and selecting from the multitude of security technologies at their fingertips, those businesses that can foster both ready access to information, along with strong defenses for end-users and IT systems, are making progress the fastest, claim leading vendors and service providers.
After years of "throwing technologies" at the data security problem while juggling complex business demands along with external threats and regulatory compliance audits, some businesses are finally discovering that they can simplify the entire process by taking a more comprehensive approach to tailoring their programs to the manner in which their users access, handle, and share information.
Even within IT giants like IBM, the struggle to balance security issues with emerging business demands to work with information in new ways hasn't always been approached in this manner, said Julie Donahue, vice president of the security and privacy service in the company's Global Technology Services group.
Only through experience and ongoing efforts to constantly rationalize security policies with business demands has the massive firm been able to get a grip on its own data-handling needs, she said.
"Customers need to step back and see what their own culture wants. If we locked down everything within IBM, it would be so difficult to manage that we would have a serious management problem, so you have to ask questions around culture before you begin thinking of enforcement," said Donahue.
"You have to assess the risk environment and think of this as a holistic problem in terms of how you place bets and need to manage pools of risk, even though that for most CIOs it often feels like you have to spend your time going day-to-day dealing with the crisis of the moment," she said. "You really need to look at where to make the right investments, where to do enforcement, and where to monitor to have a truly strategic view."
To Continue Reading: Click Here
---------------------------------------
Source: CIO
Tuesday, September 25, 2007
Court Denies Motion to Compel Production of Plaintiff's Personal Computer
Benton v. Dlorah, Inc., 2007 WL 2225946 (D. Kan. Aug. 1, 2007)
In this employment discrimination case, defendants moved to compel plaintiff to provide complete responses to requests for production, to produce the hard drive of her personal computer for inspection and copying, and to stop destroying emails and other relevant evidence. Defendants had requested all communications between plaintiff and defendant National American University or its employees, agents, or students. Plaintiff produced some documents as part of her initial disclosures and in response to defendants’ discovery requests. In subsequent discussions regarding the sufficiency of plaintiff’s production, plaintiff's counsel informed defense counsel that plaintiff had deleted email correspondence with her students and could not produce any additional emails beyond what she had already provided in her initial disclosures. Prompted by concerns about recovering these emails, as well as the discovery responses, defendants requested that she produce the hard drive of her personal home computer to facilitate recovery of the deleted emails by a computer forensics specialist. Plaintiff refused to produce her computer hard drive without an order of the court. After further efforts to resolve the discovery dispute, defendants filed a motion to compel.
In support of the motion, defendants noted that plaintiff had produced only a handful of emails for the months of November 2006 through January 2007, only one email for the month of February 2007, and no email beyond that date. Defendants voiced their belief that, because plaintiff admitted to deleting all email communications between NAU students and herself aside from those that she produced in the litigation, and because she had not produced any email communications that took place after February 2007, that plaintiff had been deleting emails relating to her employment at NAU since that date.
In response, plaintiff argued that she had “produced all e-mails and other documents related to her claims in this case." In regard to specific disputed requests, plaintiff stated that she had either provided the requested information or that there were no responsive documents. Moreover, plaintiff pointed out that she had already provided documents requested by defendants in her Rule 26 initial disclosures, that the email she received from defendants and their employees were always on defendants' email server, and the there was little, if any, communication with defendants on her personal email server.
Regarding defendants’ suggestion that plaintiff must have destroyed additional responsive documents by her deletions; because she has produced only one e-mail since February 2007 and otherwise admitted to deleting emails, the court stated it found “nothing to lead to such an inference, beyond speculation.” The court stated that it would “not assume that Plaintiff is lying or that she has been discredited in her responses to the requests for production.”
The court denied defendants’ motion without prejudice, finding that defendants had not sustained their burden to show that plaintiff had in fact failed to comply with their requests for production, that her personal hard drive contained any additional information subject to discovery, or that plaintiff had spoliated evidence.
To read a copy of the opinion: Click Here
---------------------------------------
Source: eDiscoverylaw.com
In this employment discrimination case, defendants moved to compel plaintiff to provide complete responses to requests for production, to produce the hard drive of her personal computer for inspection and copying, and to stop destroying emails and other relevant evidence. Defendants had requested all communications between plaintiff and defendant National American University or its employees, agents, or students. Plaintiff produced some documents as part of her initial disclosures and in response to defendants’ discovery requests. In subsequent discussions regarding the sufficiency of plaintiff’s production, plaintiff's counsel informed defense counsel that plaintiff had deleted email correspondence with her students and could not produce any additional emails beyond what she had already provided in her initial disclosures. Prompted by concerns about recovering these emails, as well as the discovery responses, defendants requested that she produce the hard drive of her personal home computer to facilitate recovery of the deleted emails by a computer forensics specialist. Plaintiff refused to produce her computer hard drive without an order of the court. After further efforts to resolve the discovery dispute, defendants filed a motion to compel.
In support of the motion, defendants noted that plaintiff had produced only a handful of emails for the months of November 2006 through January 2007, only one email for the month of February 2007, and no email beyond that date. Defendants voiced their belief that, because plaintiff admitted to deleting all email communications between NAU students and herself aside from those that she produced in the litigation, and because she had not produced any email communications that took place after February 2007, that plaintiff had been deleting emails relating to her employment at NAU since that date.
In response, plaintiff argued that she had “produced all e-mails and other documents related to her claims in this case." In regard to specific disputed requests, plaintiff stated that she had either provided the requested information or that there were no responsive documents. Moreover, plaintiff pointed out that she had already provided documents requested by defendants in her Rule 26 initial disclosures, that the email she received from defendants and their employees were always on defendants' email server, and the there was little, if any, communication with defendants on her personal email server.
Regarding defendants’ suggestion that plaintiff must have destroyed additional responsive documents by her deletions; because she has produced only one e-mail since February 2007 and otherwise admitted to deleting emails, the court stated it found “nothing to lead to such an inference, beyond speculation.” The court stated that it would “not assume that Plaintiff is lying or that she has been discredited in her responses to the requests for production.”
The court denied defendants’ motion without prejudice, finding that defendants had not sustained their burden to show that plaintiff had in fact failed to comply with their requests for production, that her personal hard drive contained any additional information subject to discovery, or that plaintiff had spoliated evidence.
To read a copy of the opinion: Click Here
---------------------------------------
Source: eDiscoverylaw.com
Computer forensics: Uses and benefits
Computer crime is very common. Stealing secret data, decoding passwords and above all misusing computer saved documents and files have become regular malpractices among the computer users. Computer forensics plays a vital role in inhibiting such offences.
Computer forensics can be otherwise called as computer investigation. It provides with the legal evidence against different mishandlings and crimes related to computer. The use of computer forensics has made it possible to detect the exact crime area and also supports in the recovery of the lost or destroyed documents.
Computer forensic specialists handle with care
While conducting the forensic examination, the forensic specialist has to be very careful in handling the computer system altogether. Any misplacement or corruption of data or virus attack can damage the whole system.
Computer forensics allows the forensic specialist to find out each and every file. Both the ordinary saved files and the password saved files are recovered through the forensic detection. Any file once stored in the hard disk will be recovered as much as possible through the computer forensic detection mechanism.
The hidden and the protected files along with their contents can be accessed through the forensic tool. The computer forensics also plays the role of a technical analyzer thereby investigating the most unreachable part of the disk.
Technically, the unallocated parts of the computer disk can be accessed through computer forensics. The specialists in this field really do it with efficiency. If expert opinion is required the computer forensic specialist immediately opts for such views without delay. They know very well that any discrepancy in the data and delay in its recovery may damage the entire system. The computer forensic professionals do very much care for time.
Real benefits in different professional fields
Companies dealing with law, insurance and banking business make use of computer forensics to the most. The prosecutors dealing with criminal offences like theft and counterfeit, cases related to child pornography, drugs deals and financial forgery can take the help of legal evidences through computer forensics to prove the authenticity of the case. The law board accepts this evidence as the genuine source and the convict is punished. Civil cases related to domestic violence, sexual harassment and divorce also seek evidential proof through the computer forensics.
The insurance companies use the computer forensics evidences in an alternative way. The forgery cases in insurance are always due to fake identities and information. A person might have never met with an accident but suddenly claims for compensation through insurance. Whether the person's claim is genuine or fake can be detected through computer forensics.
To Continue Reading: Click Here---------------------------------------
Source: PR-GB
Code Green Networks Launches Industry's First Data Loss Prevention Appliance for Small Businesses and Branch Offices
CI-750 Helps Small Offices Comply With Federal Privacy and Discovery Guidelines by Protecting Customer Information and Safeguarding Intellectual Property
Code Green Networks, a leading provider of data loss prevention solutions for protecting customer data and safeguarding intellectual property, today announced the availability of the CI-750, its new Content Inspection Appliance designed to bring enterprise-class data loss prevention to smaller organizations and branch offices of large distributed enterprises. The CI-750 combines award-winning features from Code Green's mid-sized business appliance, the CI-1500, in a package designed specifically to meet the challenges of organizations or locations with fewer than 250 network users.
Data protection is a huge concern for organizations of all sizes today -- with the average cost of a data breach now exceeding $100 dollars per customer record and over $1 million dollars per incident, according to The Ponemon Institute.
Similarly, the latest 2006 CSI/FBI Computer Crime and Security Survey found that data protection ranked as the most critical issue over the next two years, leaving smaller enterprises unprepared and at a clear disadvantage with significantly fewer resources to deal with the problem. In addition to security concerns, both small and large distributed branch offices are grappling to comply with stricter guidelines set forth by the Federal Trade Commission (FTC) for protecting personal information and recent amendments to the Federal Rules of Civil Procedure (FRCP) regarding the protection of electronic communications for e-Discovery purposes.
"Large enterprises have a critical need for data loss protection solutions, but so do smaller businesses that face significant risks from the loss of sensitive and confidential information," said Michael Osterman, President, Osterman Research. "For these small businesses the low cost, plug-and-play installation and enterprise-class feature set of a data loss protection appliance can protect the organization while imposing virtually no additional management burden on IT."
Enterprise Class Data Loss Protection for Small Offices
The new CI-750 resides at an organization's Internet gateway, delivering enterprise-class protection to offices with as many as 250 network users for one-third the cost of other data loss prevention products. Starting at $10,000, the appliance monitors content flows on the corporate network, automatically enforcing data protection policies to log, alert, retain, block, encrypt or re-route transmissions across all popular Internet communications channels -- Email (SMTP), Web (HTTP / HTTPS), Secure Sockets Layer (SSL), File Transfer Protocol (FTP), online tools such as Blogs and Wikis -- and all popular WebMail services including Google Gmail, MSN Hotmail, AOL Mail, Windows Live Mail and Yahoo! Mail.
To Continue Reading: Click Here
---------------------------------------
Source: marketwire.com
White House E-Mails Still Missing
Lawsuits and a congressional inquiry fail to move the Bush administration, group says.
The Bush administration may be running out the clock in its efforts to resist a congressional inquiry and two lawsuits seeking the whereabouts and contents of more than 5 million missing White House e-mails, according to one of the organizations that has filed a suit.
"The White House has known for a number of years the e-mails were missing and refused to do anything about it," Anne Weisman, chief counsel for CREW (Citizens for Responsibility and Ethics in Washington), told eWEEK.
Covering more than a two years, the missing e-mails came to light as part of congressional inquiries into the White House's firing of U.S. attorneys.
The White House admits the e-mails are missing and that the EOP (Executive Office of the President) in 2002 abandoned the electronic records management system put in place by the Clinton administration. The e-mails were deleted between March 2003 and October 2005.
The Presidential Records Act requires that all White House e-mail be saved.
CREW filed a FOIA (Freedom of Information Act) request with the White House Office of Administration on March 29 for records on the missing e-mail. When the office refused to turn over the information, CREW sued the White House May 23 for the information. The organization also released a report on the missing e-mails based on information obtained from two confidential sources.
The Bush administration countered in an August court filing that the Office of Administration is not subject to FOIA and there has been no further movement in the CREW lawsuit.
To Continue Reading: Click Here
---------------------------------------
Source: eWeek
By: Roy Mark
The Bush administration may be running out the clock in its efforts to resist a congressional inquiry and two lawsuits seeking the whereabouts and contents of more than 5 million missing White House e-mails, according to one of the organizations that has filed a suit.
"The White House has known for a number of years the e-mails were missing and refused to do anything about it," Anne Weisman, chief counsel for CREW (Citizens for Responsibility and Ethics in Washington), told eWEEK.
Covering more than a two years, the missing e-mails came to light as part of congressional inquiries into the White House's firing of U.S. attorneys.
The White House admits the e-mails are missing and that the EOP (Executive Office of the President) in 2002 abandoned the electronic records management system put in place by the Clinton administration. The e-mails were deleted between March 2003 and October 2005.
The Presidential Records Act requires that all White House e-mail be saved.
CREW filed a FOIA (Freedom of Information Act) request with the White House Office of Administration on March 29 for records on the missing e-mail. When the office refused to turn over the information, CREW sued the White House May 23 for the information. The organization also released a report on the missing e-mails based on information obtained from two confidential sources.
The Bush administration countered in an August court filing that the Office of Administration is not subject to FOIA and there has been no further movement in the CREW lawsuit.
To Continue Reading: Click Here
---------------------------------------
Source: eWeek
By: Roy Mark
Monday, September 24, 2007
The World's Biggest SANs
Who has the world's biggest storage network? We've unearthed a few candidates
We at Byte and Switch are on the trail of the world's biggest SAN, and this article reveals our initial findings.
There are several reasons we've embarked on the search for gargantuan storage networks. For one, large SANs push the envelope. If I'm looking to expand a network of 5 Tbytes, what better way than to study the fate of those who've gone above the petabyte level? Big SAN stories furnish a glimpse into the outer limits of scaleability.
Really big storage networks also are highly visible and get lots of feedback and testing. Often, this yields information that is useful in similar situations -- albeit on a smaller scale.
Those are just a few of the reasons we're seeking big SANs. The most compelling driver is that, like everyone, we enjoy a great story. And what better tale to tell than one of new frontiers in our chosen field of coverage?
Again, this list is meant to be a starting place for further endeavor. If you've got a big SAN story to tell, we'd love to hear it. Hit that message board, call us, or send us a message.
So, without further ado, we present five of the world's biggest SANs:
To Continue Reading: Click Here
---------------------------------------
Source: ByteandSwitch
By: James Rogers
We at Byte and Switch are on the trail of the world's biggest SAN, and this article reveals our initial findings.
There are several reasons we've embarked on the search for gargantuan storage networks. For one, large SANs push the envelope. If I'm looking to expand a network of 5 Tbytes, what better way than to study the fate of those who've gone above the petabyte level? Big SAN stories furnish a glimpse into the outer limits of scaleability.
Really big storage networks also are highly visible and get lots of feedback and testing. Often, this yields information that is useful in similar situations -- albeit on a smaller scale.
Those are just a few of the reasons we're seeking big SANs. The most compelling driver is that, like everyone, we enjoy a great story. And what better tale to tell than one of new frontiers in our chosen field of coverage?
Again, this list is meant to be a starting place for further endeavor. If you've got a big SAN story to tell, we'd love to hear it. Hit that message board, call us, or send us a message.
So, without further ado, we present five of the world's biggest SANs:
To Continue Reading: Click Here
---------------------------------------
Source: ByteandSwitch
By: James Rogers
Records advocates wary of government e-mail deletions
An e-mail pops into your inbox. You scan over it. Now you've got a decision to make: Delete it, or keep it?
These decisions are made daily by hundreds of millions of people around the world, often without more than second of thought.
That may be fine if you're reading a friend's message or a consumer solicitation on your home computer. But if you are a public employee, a hasty deletion could be a crime. Really.
A 1961 Missouri law requires all government records to be kept open for public inspection. Officials who violate the law can be impeached, removed from office and charged with a misdemeanor crime punishable by up to 90 days in jail and a $100 fine.
That law was passed long before anyone envisioned e-mail as a replacement for paper. But modern laws treat e-mails no differently than paper documents when it comes to public records.
Thus the controversy that erupted when Gov. Matt Blunt's staff members recently acknowledged they frequently delete e-mails. Blunt admits he does it, too.
"I probably have four or five different e-mail accounts, like lots of people," Blunt said in an interview with The Associated Press. "Some e-mails I might keep a long time. Some e-mails I delete as soon as I receive, and will continue to do so."
So does that make the governor a lawbreaker?
"My position is we're in compliance with the law," Blunt said.
Applying Missouri's public records laws to real-life situations is not always simple. In fact, it sometimes requires a lot of interpretation.
One thing that's clear is that electronic mails are public records subject to Missouri's open-records law.
The Sunshine Law (Chapter 610 of Missouri's statutes) specifically defines a "public record" as "any record, whether written or electronically stored" that is retained by a public governmental body.
But that doesn't mean government employees must save all their e-mails, because state law specifically allows some records to be destroyed.
Missouri's record retention law (Chapter 109) delegates decisions on which things to keep, and for how long, to the State Records Commission, led by the secretary of state. That commission updated its general policy last month, though some state offices still have specialized policies that are a decade or more old.
Correspondence - whether by e-mail or paper - related to the development, implementation or review of government policies and plans are supposed to be kept permanently, so they can be included in the State Archives.
Other forms of general correspondence - including staff appointment calendars, project progress reports or messages that do not subsequently result in the formulation of policies - are to be kept for three years before they are destroyed.
To Continue Reading: Click Here
-----------------------------------------
Source: Belleville News Democrat
By: David Leib
These decisions are made daily by hundreds of millions of people around the world, often without more than second of thought.
That may be fine if you're reading a friend's message or a consumer solicitation on your home computer. But if you are a public employee, a hasty deletion could be a crime. Really.
A 1961 Missouri law requires all government records to be kept open for public inspection. Officials who violate the law can be impeached, removed from office and charged with a misdemeanor crime punishable by up to 90 days in jail and a $100 fine.
That law was passed long before anyone envisioned e-mail as a replacement for paper. But modern laws treat e-mails no differently than paper documents when it comes to public records.
Thus the controversy that erupted when Gov. Matt Blunt's staff members recently acknowledged they frequently delete e-mails. Blunt admits he does it, too.
"I probably have four or five different e-mail accounts, like lots of people," Blunt said in an interview with The Associated Press. "Some e-mails I might keep a long time. Some e-mails I delete as soon as I receive, and will continue to do so."
So does that make the governor a lawbreaker?
"My position is we're in compliance with the law," Blunt said.
Applying Missouri's public records laws to real-life situations is not always simple. In fact, it sometimes requires a lot of interpretation.
One thing that's clear is that electronic mails are public records subject to Missouri's open-records law.
The Sunshine Law (Chapter 610 of Missouri's statutes) specifically defines a "public record" as "any record, whether written or electronically stored" that is retained by a public governmental body.
But that doesn't mean government employees must save all their e-mails, because state law specifically allows some records to be destroyed.
Missouri's record retention law (Chapter 109) delegates decisions on which things to keep, and for how long, to the State Records Commission, led by the secretary of state. That commission updated its general policy last month, though some state offices still have specialized policies that are a decade or more old.
Correspondence - whether by e-mail or paper - related to the development, implementation or review of government policies and plans are supposed to be kept permanently, so they can be included in the State Archives.
Other forms of general correspondence - including staff appointment calendars, project progress reports or messages that do not subsequently result in the formulation of policies - are to be kept for three years before they are destroyed.
To Continue Reading: Click Here
-----------------------------------------
Source: Belleville News Democrat
By: David Leib
Friday, September 21, 2007
Getting a Grip on European Data Transfers
European data privacy laws prohibit the transfer of personal data to jurisdictions whose laws don't provide protection for personal data equivalent to that provided in Europe (the "adequacy requirement"). At present, only a limited number of jurisdictions have laws -- and the U.S. isn't among them -- that satisfy this requirement.
They're Argentina, Canada and Switzerland, and two British Crown dependencies, the Bailiwick of Guernsey and the Isle of Man. (Guernsey and the Isle of Man are possessions of the British Crown. They're internally self-governing dependencies, and not sovereign nations, and they aren't part of the United Kingdom (as overseas territories or otherwise) or members of the EU. (See CIA World FactBook.)
As a result, U.S. companies and multinational corporations seeking to transfer personal data from Europe to the U.S. have to follow prescribed methods to establish compliance with the adequacy requirement to the satisfaction of the national Data Protection Authorities in the relevant European countries. Achieving compliance is important to U.S.-based multinational companies that use centralized HR and other databases in the U.S. or that use corporate data processing centers in multiple countries to process personal data from Europe.
One of the newest methods of establishing compliance with the adequacy requirement is the use of "Binding Corporate Rules." Broadly stated, with BCRs, a multinational corporate group (referred to as a "Group" under European law) adopts a binding set of corporate rules, has them approved by the DPAs in one or more European countries, as required, and agrees to follow such rules with respect to personal data transferred from Europe and with respect to transfers between companies or business units within the Group outside of the European Economic Area.
As discussed further below, an advantage of BCRs is that they allow a multinational company to design its own corporate data protection policies and transfer data from Europe to a U.S. business unit as well as between business units located in different countries, including, significantly, countries outside of Europe and the United States.
BCRs constitute an alternative to the "traditional" methods of complying with the adequacy requirement, which include a "Safe Harbor" certification under U.S. Department of Commerce rules and the use of "Model Clauses," which are contract provisions that have been approved by the European Commission as providing sufficient privacy protection.
LAWS ON PRIVACY
Some background about the European privacy laws is required to put BCRs and the other methods in context. European privacy law is based on European Directive 95/46/EC, entitled "The Protection of Individuals with regard to the Processing of Personal Data and on the Free Movement of such Data" and often referred to as the European "Data Protection Directive."
The Directive has been implemented through the national laws of the member countries in the European Union, which was recently expanded to include a total of 27 countries, and the national laws of Iceland, Norway and Liechtenstein, which aren't EU members. Together these 30 countries are known as the European Economic Area or EEA. For convenience, in this article these countries will be referred to as the "European countries," and the privacy laws of these countries will be referred to as "European law."
To understand the advantages and disadvantages of BCRs, it is necessary to review the advantages and disadvantages of Safe Harbor certification and the Model Clauses. Under the Safe Harbor regime, a company certifies that it will comply with the seven Safe Harbor "principles," which themselves meet the requirements of the European Data Protection Directive. These principles are notice, choice, onward transfer, access, security, data integrity and enforcement.
"Notice" requires organizations to inform individuals about the purpose for which their personal information is to be collected and how that information will be used once collected. "Choice" requires organizations to give individuals the opportunity to "opt out" of having their information disclosed to third parties or used for purposes that the individuals haven't previously authorized.
"Onward transfer" requires organizations to apply the notice and choice principles before transferring information to third parties, and also requires organizations to ensure that agents who receive information abide by the Safe Harbor principles or an equivalent level of protection.
"Access" requires organizations to permit individuals to review information that organizations have collected about them so that it can be corrected or deleted if inaccurate. "Security" requires organizations to take reasonable measures to protect information from loss, misuse, unauthorized access, disclosure, alteration and destruction of the information collected.
"Data integrity" requires organizations to take reasonable measures to ensure that information is reliable for its intended use and is accurate, complete and current. "Enforcement" requires organizations to provide individuals with a readily available and affordable means of ensuring that the organizations are complying with the Safe Harbor principles.
The U.S. Safe Harbor certification process is a self-certification not a registration process. Re-certification is required annually, and this may entail the cost of yearly privacy audits to verify that certification requirements are met. Certification subjects a company to the jurisdiction of the Federal Trade Commission. There are limitations to the Safe Harbor procedures. Some companies find it difficult to certify because the entire company can't comply with the Safe Harbor requirements.
To Continue Reading: Click Here
---------------------------------------
Source: Law.com
By: William A. Tanenbaum and Rafael Echegoyen
They're Argentina, Canada and Switzerland, and two British Crown dependencies, the Bailiwick of Guernsey and the Isle of Man. (Guernsey and the Isle of Man are possessions of the British Crown. They're internally self-governing dependencies, and not sovereign nations, and they aren't part of the United Kingdom (as overseas territories or otherwise) or members of the EU. (See CIA World FactBook.)
As a result, U.S. companies and multinational corporations seeking to transfer personal data from Europe to the U.S. have to follow prescribed methods to establish compliance with the adequacy requirement to the satisfaction of the national Data Protection Authorities in the relevant European countries. Achieving compliance is important to U.S.-based multinational companies that use centralized HR and other databases in the U.S. or that use corporate data processing centers in multiple countries to process personal data from Europe.
One of the newest methods of establishing compliance with the adequacy requirement is the use of "Binding Corporate Rules." Broadly stated, with BCRs, a multinational corporate group (referred to as a "Group" under European law) adopts a binding set of corporate rules, has them approved by the DPAs in one or more European countries, as required, and agrees to follow such rules with respect to personal data transferred from Europe and with respect to transfers between companies or business units within the Group outside of the European Economic Area.
As discussed further below, an advantage of BCRs is that they allow a multinational company to design its own corporate data protection policies and transfer data from Europe to a U.S. business unit as well as between business units located in different countries, including, significantly, countries outside of Europe and the United States.
BCRs constitute an alternative to the "traditional" methods of complying with the adequacy requirement, which include a "Safe Harbor" certification under U.S. Department of Commerce rules and the use of "Model Clauses," which are contract provisions that have been approved by the European Commission as providing sufficient privacy protection.
LAWS ON PRIVACY
Some background about the European privacy laws is required to put BCRs and the other methods in context. European privacy law is based on European Directive 95/46/EC, entitled "The Protection of Individuals with regard to the Processing of Personal Data and on the Free Movement of such Data" and often referred to as the European "Data Protection Directive."
The Directive has been implemented through the national laws of the member countries in the European Union, which was recently expanded to include a total of 27 countries, and the national laws of Iceland, Norway and Liechtenstein, which aren't EU members. Together these 30 countries are known as the European Economic Area or EEA. For convenience, in this article these countries will be referred to as the "European countries," and the privacy laws of these countries will be referred to as "European law."
To understand the advantages and disadvantages of BCRs, it is necessary to review the advantages and disadvantages of Safe Harbor certification and the Model Clauses. Under the Safe Harbor regime, a company certifies that it will comply with the seven Safe Harbor "principles," which themselves meet the requirements of the European Data Protection Directive. These principles are notice, choice, onward transfer, access, security, data integrity and enforcement.
"Notice" requires organizations to inform individuals about the purpose for which their personal information is to be collected and how that information will be used once collected. "Choice" requires organizations to give individuals the opportunity to "opt out" of having their information disclosed to third parties or used for purposes that the individuals haven't previously authorized.
"Onward transfer" requires organizations to apply the notice and choice principles before transferring information to third parties, and also requires organizations to ensure that agents who receive information abide by the Safe Harbor principles or an equivalent level of protection.
"Access" requires organizations to permit individuals to review information that organizations have collected about them so that it can be corrected or deleted if inaccurate. "Security" requires organizations to take reasonable measures to protect information from loss, misuse, unauthorized access, disclosure, alteration and destruction of the information collected.
"Data integrity" requires organizations to take reasonable measures to ensure that information is reliable for its intended use and is accurate, complete and current. "Enforcement" requires organizations to provide individuals with a readily available and affordable means of ensuring that the organizations are complying with the Safe Harbor principles.
The U.S. Safe Harbor certification process is a self-certification not a registration process. Re-certification is required annually, and this may entail the cost of yearly privacy audits to verify that certification requirements are met. Certification subjects a company to the jurisdiction of the Federal Trade Commission. There are limitations to the Safe Harbor procedures. Some companies find it difficult to certify because the entire company can't comply with the Safe Harbor requirements.
To Continue Reading: Click Here
---------------------------------------
Source: Law.com
By: William A. Tanenbaum and Rafael Echegoyen
E-mail Remains a High Risk When Safeguarding Patient Privacy Under HIPAA
E-mail has become an indispensable tool in every industry, and health care is no exception, as busy professionals use the technology to quickly communicate with colleagues and patients. But for those who deal with protected health information (PHI), pressing the "send" button can be fraught with compliance dangers. As hospitals and covered entities (CEs) see their peers victimized by damaging electronic PHI breaches, more and more are installing filtering technologies that not only scan outgoing e-mails for PHI, but also can encrypt the messages.
Ensuring appropriate use of e-mail is a top HIPAA concern, say compliance and information officers. "E-mail is so prevalent in society and has become such a casual occurrence," says Michael Apfel, chief privacy officer at Truman Medical Centers in Kansas City, Mo. "It has integrated itself into our professional and personal lives. It's very important to us that we provide consistent and constant education and monitoring of those communications."
One slip-up can become a whopper. For example, a Palm Beach County, Fla., health department statistician and epidemiologist mistakenly attached a list containing more than 6,000 names of HIV/AIDS patients to an e-mail in 2005. The message was sent to 800 of the department's 900 employees.
Such a disaster is unlikely to happen at Truman Medical. The organization's internal e-mail system is encrypted, Apfel tells RPP. "E-mail that contains PHI that is business appropriate is permitted within our internal e-mail system," he explains. "Absolutely no PHI may be released or shared with any systems external to our e-mail system."
To ensure this doesn't happen, the hospital monitors outgoing e-mails with technology that searches for specific language or strings that could identify a patient account number or medical record number, Apfel says. While he declined to discuss any examples of the technology catching PHI before it was sent, Apfel says one area of e-mail concern involves the influx of new residents who work at the research institution every year.
New residents are required to go through HIPAA and privacy training before they are given access to any of the computer systems, he says. But mistakes can happen, Apfel acknowledges. One example might involve an intern sending PHI to his or her own personal e-mail account for later documentation in an educational paper. "In those scenarios, it's not so much patient names but enough identifying information that you could run afoul of the identification requirement within the privacy rule," Apfel says.
To Continue Reading: Click Here
----------------------------------------
Source: AIS Health
Ensuring appropriate use of e-mail is a top HIPAA concern, say compliance and information officers. "E-mail is so prevalent in society and has become such a casual occurrence," says Michael Apfel, chief privacy officer at Truman Medical Centers in Kansas City, Mo. "It has integrated itself into our professional and personal lives. It's very important to us that we provide consistent and constant education and monitoring of those communications."
One slip-up can become a whopper. For example, a Palm Beach County, Fla., health department statistician and epidemiologist mistakenly attached a list containing more than 6,000 names of HIV/AIDS patients to an e-mail in 2005. The message was sent to 800 of the department's 900 employees.
Such a disaster is unlikely to happen at Truman Medical. The organization's internal e-mail system is encrypted, Apfel tells RPP. "E-mail that contains PHI that is business appropriate is permitted within our internal e-mail system," he explains. "Absolutely no PHI may be released or shared with any systems external to our e-mail system."
To ensure this doesn't happen, the hospital monitors outgoing e-mails with technology that searches for specific language or strings that could identify a patient account number or medical record number, Apfel says. While he declined to discuss any examples of the technology catching PHI before it was sent, Apfel says one area of e-mail concern involves the influx of new residents who work at the research institution every year.
New residents are required to go through HIPAA and privacy training before they are given access to any of the computer systems, he says. But mistakes can happen, Apfel acknowledges. One example might involve an intern sending PHI to his or her own personal e-mail account for later documentation in an educational paper. "In those scenarios, it's not so much patient names but enough identifying information that you could run afoul of the identification requirement within the privacy rule," Apfel says.
To Continue Reading: Click Here
----------------------------------------
Source: AIS Health
Clamp down now on data theft
It could happen to anyone: In the midst of what you thought would be a cursory review of a competitor's Web site, you come across something very familiar -- data that until recently had been safely housed within your organization.
Then it clicks. Six months ago, a critical employee left your company in favor of greener pastures. She had access to that data, you're sure of it. Except that there's no way to prove it. You're six months too late.
At its most basic, computer forensics is the investigation of a computer system and its contents to uncover information, most commonly evidence to support a company's suspicion of wrongdoing, and preserve that information in a way that allows it to be admissible in court, if necessary.
Although we don't like to think about it -- these types of staff transgressions are often thought to occur only at "other organizations" -- it happens more than you'd think.
According to an FBI computer-crime survey, 44 percent of organizations that knew about security incidents reported those incidents as originating from within the organization. The 2006 Association of Certified Fraud Examiners "Report to the Nation" states that U.S. organizations lost five percent of their annual revenues to fraud, or an estimated $652 billion, in 2006.
Given that computers have become such an integral part of doing business, organizations must consider ways to protect and preserve that information to protect them in the event these thefts do occur.
When should you consider computer forensics?
There are a number of occasions when computer forensics should come to mind. In the event a critical employee should leave your company, it's a good idea to have an outside expert take a computer image of the staff member's computer. This way, should data show up at a competitor, you have evidence that it may have originated at your organization.
In addition, it can be helpful to monitor your current staff. For example, if you have a particularly high-performing salesperson relative to the rest of your organization, computer forensics can ensure that he's doing so within the rules of your organization, versus promising things or cutting deals that he shouldn't be.
Computer forensics also can be helpful for sexual-harassment claims, as e-mails and other data can be mined to uncover evidence.
Organizations can provide computer forensic experts with specific criteria to search for, such as a person's name or any document containing patent-related information.Finally it's common for staff members under suspicion to delete any evidence of wrongdoing. They believe that fraudulent activity can be erased with a few clicks.
To Continue Reading: Click Here
----------------------------------------
Source: Michigan Business News
By: Scott Petree and Karl Zager
Then it clicks. Six months ago, a critical employee left your company in favor of greener pastures. She had access to that data, you're sure of it. Except that there's no way to prove it. You're six months too late.
At its most basic, computer forensics is the investigation of a computer system and its contents to uncover information, most commonly evidence to support a company's suspicion of wrongdoing, and preserve that information in a way that allows it to be admissible in court, if necessary.
Although we don't like to think about it -- these types of staff transgressions are often thought to occur only at "other organizations" -- it happens more than you'd think.
According to an FBI computer-crime survey, 44 percent of organizations that knew about security incidents reported those incidents as originating from within the organization. The 2006 Association of Certified Fraud Examiners "Report to the Nation" states that U.S. organizations lost five percent of their annual revenues to fraud, or an estimated $652 billion, in 2006.
Given that computers have become such an integral part of doing business, organizations must consider ways to protect and preserve that information to protect them in the event these thefts do occur.
When should you consider computer forensics?
There are a number of occasions when computer forensics should come to mind. In the event a critical employee should leave your company, it's a good idea to have an outside expert take a computer image of the staff member's computer. This way, should data show up at a competitor, you have evidence that it may have originated at your organization.
In addition, it can be helpful to monitor your current staff. For example, if you have a particularly high-performing salesperson relative to the rest of your organization, computer forensics can ensure that he's doing so within the rules of your organization, versus promising things or cutting deals that he shouldn't be.
Computer forensics also can be helpful for sexual-harassment claims, as e-mails and other data can be mined to uncover evidence.
Organizations can provide computer forensic experts with specific criteria to search for, such as a person's name or any document containing patent-related information.Finally it's common for staff members under suspicion to delete any evidence of wrongdoing. They believe that fraudulent activity can be erased with a few clicks.
To Continue Reading: Click Here
----------------------------------------
Source: Michigan Business News
By: Scott Petree and Karl Zager
How To Archive Email
Knowing What To Save & What To Throw Away
For many employees, using email is really only about two things: sending and receiving. But for enterprises as a whole, email is their lifeblood. It is essential to find a way to leverage and manage the data within emails so it can be easily searched and used. There are legal requirements, too, which must be met.
According to Dean Richardson, vice president of sales with ArcMail Technology (www.arcmailtech.com), businesses should archive all email. “You never know which email you will need down the road,” he notes. Companies have saved thousands of dollars by finding just one email.
“We recently used [ArcMail’s] Defender to find a project-related email that probably saved the company $25,000,” says Rosemary Doerner, IT manager at Pinkard Construction.
“Emails should be archived in real time, as this provides a backup of all emails should the user suffer a catastrophic mail server crash and find themselves unable to restore some or all of their email,” Richardson says.
The Ins & Outs Of Archiving
Archiving all of a company’s email in a central archive with fast search/retrieve and export capabilities allows a company to respond to discovery requests solely from its archive, saving the cost and inconvenience of desktop discovery and discovery from mail server backups, which are very time-consuming. And it’s more than just email.
“The size of the company will have a strong bearing on what type of solution should be implemented. SMEs are typically companies with up to 1,000 seats, operating a Microsoft Windows environment possibly with MS Exchange server or running third-party software on the gateway. Thus, the IT administrator needs to identify a solution that can be installed on both exchange and gateway platforms and one that integrates with the company’s existing IT infrastructure such as Active Directory and SQL Server,” notes David Kelleher, global coordinator for GFI Software (www.gfi.com).
Examine questions such as: Will the company increase the number of mailboxes in the medium to long term? Must the company meet compliance requirements? Will it need to leverage SQL as an archiving store (or use NTFS on a separate server)? Can the solution carry out forensic auditing? Does it allow email retrieval on demand?
“SMEs are often cash-strapped with little or no IT budgets. Such limitations impact the email archiving strategy deployed. You need a solution that offers price-performance without affecting functionality. The solution must be user-friendly for both the IT administrator and the employee who needs to use it,” Kelleher says.
“A key trend is the need to archive other ‘unstructured’ data types. Examples are IM, voicemail, office files, etc.,” notes Bob Spurzem, director of product marketing at Mimosa Systems (www.mimosasystems.com). That is because all electronic data that office workers manage on a daily basis are a target for litigation and are largely unmanaged by organizations.
To Continue Reading: Click Here
---------------------------------------
Source: Processor
For many employees, using email is really only about two things: sending and receiving. But for enterprises as a whole, email is their lifeblood. It is essential to find a way to leverage and manage the data within emails so it can be easily searched and used. There are legal requirements, too, which must be met.
According to Dean Richardson, vice president of sales with ArcMail Technology (www.arcmailtech.com), businesses should archive all email. “You never know which email you will need down the road,” he notes. Companies have saved thousands of dollars by finding just one email.
“We recently used [ArcMail’s] Defender to find a project-related email that probably saved the company $25,000,” says Rosemary Doerner, IT manager at Pinkard Construction.
“Emails should be archived in real time, as this provides a backup of all emails should the user suffer a catastrophic mail server crash and find themselves unable to restore some or all of their email,” Richardson says.
The Ins & Outs Of Archiving
Archiving all of a company’s email in a central archive with fast search/retrieve and export capabilities allows a company to respond to discovery requests solely from its archive, saving the cost and inconvenience of desktop discovery and discovery from mail server backups, which are very time-consuming. And it’s more than just email.
“The size of the company will have a strong bearing on what type of solution should be implemented. SMEs are typically companies with up to 1,000 seats, operating a Microsoft Windows environment possibly with MS Exchange server or running third-party software on the gateway. Thus, the IT administrator needs to identify a solution that can be installed on both exchange and gateway platforms and one that integrates with the company’s existing IT infrastructure such as Active Directory and SQL Server,” notes David Kelleher, global coordinator for GFI Software (www.gfi.com).
Examine questions such as: Will the company increase the number of mailboxes in the medium to long term? Must the company meet compliance requirements? Will it need to leverage SQL as an archiving store (or use NTFS on a separate server)? Can the solution carry out forensic auditing? Does it allow email retrieval on demand?
“SMEs are often cash-strapped with little or no IT budgets. Such limitations impact the email archiving strategy deployed. You need a solution that offers price-performance without affecting functionality. The solution must be user-friendly for both the IT administrator and the employee who needs to use it,” Kelleher says.
“A key trend is the need to archive other ‘unstructured’ data types. Examples are IM, voicemail, office files, etc.,” notes Bob Spurzem, director of product marketing at Mimosa Systems (www.mimosasystems.com). That is because all electronic data that office workers manage on a daily basis are a target for litigation and are largely unmanaged by organizations.
To Continue Reading: Click Here
---------------------------------------
Source: Processor
Thursday, September 20, 2007
State Sues Consulting Firm Over Data Breach
Connecticut officials have announced they are suing Accenture LLP on Wednesday, saying the technology-consulting firm was responsible for a June security breach in which a tape containing state financial data and taxpayer information was stolen from a car in Ohio.
Attorney General Richard Blumenthal, who has been investigating a series of public- and private-sector security breaches that raise the risk of identity theft for Connecticut residents, said Accenture had violated the terms of a $98 million contract with the state by failing to adequately protect the state data.
“We paid them to keep this information confidential and secret,” Blumenthal said. “They broke that contract. We want money back.”
Accenture was working under a consulting contract with the state to help set up Connecticut's CORE-CT accounting system, a multi-year effort to centralize accounting procedures on a single computer system across state agencies.
Wyman said the company had improperly removed Connecticut data from the state's system and used those files in Ohio, where the company was helping set up a similar accounting system.
The information was contained on a backup tape, which was sent home with an intern working for a state vendor as a security precaution, according to the state's inspector general.
The tape was stolen from the intern's parked car in June, though Wyman said she was not notified that the stolen information included data from Connecticut until Sept. 4.
The theft followed earlier disclosures of security breaches at Connecticut's Department of Revenue Services, where an employee's laptop containing tax identifiers for 106,000 people was stolen last month, and in the private sector, where Pfizer Inc., the drug maker, had three security lapses in as many months.
To Continue Reading: Click Here
---------------------------------------
Source: theday.com
By: Ted Mann
Attorney General Richard Blumenthal, who has been investigating a series of public- and private-sector security breaches that raise the risk of identity theft for Connecticut residents, said Accenture had violated the terms of a $98 million contract with the state by failing to adequately protect the state data.
“We paid them to keep this information confidential and secret,” Blumenthal said. “They broke that contract. We want money back.”
Accenture was working under a consulting contract with the state to help set up Connecticut's CORE-CT accounting system, a multi-year effort to centralize accounting procedures on a single computer system across state agencies.
Wyman said the company had improperly removed Connecticut data from the state's system and used those files in Ohio, where the company was helping set up a similar accounting system.
The information was contained on a backup tape, which was sent home with an intern working for a state vendor as a security precaution, according to the state's inspector general.
The tape was stolen from the intern's parked car in June, though Wyman said she was not notified that the stolen information included data from Connecticut until Sept. 4.
The theft followed earlier disclosures of security breaches at Connecticut's Department of Revenue Services, where an employee's laptop containing tax identifiers for 106,000 people was stolen last month, and in the private sector, where Pfizer Inc., the drug maker, had three security lapses in as many months.
To Continue Reading: Click Here
---------------------------------------
Source: theday.com
By: Ted Mann
Law firm finds tape unreliable, switches to disk
To improve reliability, performance and security of data backup and recovery at the law firm where he works, Sean Curry switched from tape-based to disk-based backup.
"We decided tape wasn't reliable," Curry told attendees at AFCOM's Data Center World on Tuesday. In practice, Curry, director of IT Services at Dallas-based law firm Hughes & Luce LLP, said his firm simply couldn't recover data backed up to tape from his company's 55 servers.
Curry eliminated his tape system two and a half years ago and replaced it with two InfoStage "vaults," or centralized storage servers, from EVault Inc. in Emeryville, Calif. The backup storage servers reside in his two data centers in Austin and Dallas.
"We eliminated tape, and in order to do that we went to a dual vaulting environment. So to do that we have a disk backup vault in each of our data centers, and every night everything is backed up locally for a quicker restore, but it's also backed up across the WAN for our off-site vault. That was a requirement we had to achieve in order to eliminate tape."
Essentially, each backup storage server serves as a backup for its local data center as well as a remote backup for the firm's other data center. Engineers no longer needed to move old tapes out of the data centers in order to store data at a remote site.
Lauren Whitehouse, an analyst at Enterprise Strategy Group (ESG) in Milford, Mass., co-presented a session on best practices in data backup and recovery with Curry and Richard Heitman, vice president of product management at EVault. Whitehouse said a majority of companies do at least some disk-based backup and recovery. Of 228 surveyed companies, ESG found that only 29% back up to only tape. Fifty-one percent back up to tape and disk, and 21% back up to only disk.
To Continue Reading: Click Here
---------------------------------------
Source: searchsmb.com
"We decided tape wasn't reliable," Curry told attendees at AFCOM's Data Center World on Tuesday. In practice, Curry, director of IT Services at Dallas-based law firm Hughes & Luce LLP, said his firm simply couldn't recover data backed up to tape from his company's 55 servers.
Curry eliminated his tape system two and a half years ago and replaced it with two InfoStage "vaults," or centralized storage servers, from EVault Inc. in Emeryville, Calif. The backup storage servers reside in his two data centers in Austin and Dallas.
"We eliminated tape, and in order to do that we went to a dual vaulting environment. So to do that we have a disk backup vault in each of our data centers, and every night everything is backed up locally for a quicker restore, but it's also backed up across the WAN for our off-site vault. That was a requirement we had to achieve in order to eliminate tape."
Essentially, each backup storage server serves as a backup for its local data center as well as a remote backup for the firm's other data center. Engineers no longer needed to move old tapes out of the data centers in order to store data at a remote site.
Lauren Whitehouse, an analyst at Enterprise Strategy Group (ESG) in Milford, Mass., co-presented a session on best practices in data backup and recovery with Curry and Richard Heitman, vice president of product management at EVault. Whitehouse said a majority of companies do at least some disk-based backup and recovery. Of 228 surveyed companies, ESG found that only 29% back up to only tape. Fifty-one percent back up to tape and disk, and 21% back up to only disk.
To Continue Reading: Click Here
---------------------------------------
Source: searchsmb.com
Computer forensics: Clamp down now
It could happen to anyone: In the midst of what you thought would be a cursory review of a competitor's Web site, you come across something very familiar -- data that until recently had been safely housed within your organization.
Then it clicks. Six months ago, a critical employee left your company in favor of greener pastures. She had access to that data, you're sure of it. Except that there's no way to prove it. You're six months too late.
At its most basic, computer forensics is the investigation of a computer system and its contents to uncover information, most commonly evidence to support a company's suspicion of wrongdoing, and preserve that information in a way that allows it to be admissible in court, if necessary.
Although we don't like to think about it -- these types of staff transgressions are often thought to occur only at "other organizations" -- it happens more than you'd think.
According to an FBI computer-crime survey, 44 percent of organizations that knew about security incidents reported those incidents as originating from within the organization. The 2006 Association of Certified Fraud Examiners "Report to the Nation" states that U.S. organizations lost five percent of their annual revenues to fraud, or an estimated $652 billion, in 2006.
Given that computers have become such an integral part of doing business, organizations must consider ways to protect and preserve that information to protect them in the event these thefts do occur.
To Continue Reading: Click Here
---------------------------------------
Source: mlive.com
Then it clicks. Six months ago, a critical employee left your company in favor of greener pastures. She had access to that data, you're sure of it. Except that there's no way to prove it. You're six months too late.
At its most basic, computer forensics is the investigation of a computer system and its contents to uncover information, most commonly evidence to support a company's suspicion of wrongdoing, and preserve that information in a way that allows it to be admissible in court, if necessary.
Although we don't like to think about it -- these types of staff transgressions are often thought to occur only at "other organizations" -- it happens more than you'd think.
According to an FBI computer-crime survey, 44 percent of organizations that knew about security incidents reported those incidents as originating from within the organization. The 2006 Association of Certified Fraud Examiners "Report to the Nation" states that U.S. organizations lost five percent of their annual revenues to fraud, or an estimated $652 billion, in 2006.
Given that computers have become such an integral part of doing business, organizations must consider ways to protect and preserve that information to protect them in the event these thefts do occur.
To Continue Reading: Click Here
---------------------------------------
Source: mlive.com
Subscribe to:
Posts (Atom)
