CIPP Information Privacy & Security News

A couple in Pittsburgh whose lawsuit claimed that Street View on Google Maps is a reckless invasion of their privacy lost their case. Aaron and Christine Boring sued the Internet search giant last April, alleging that Google "significantly disregarded (their) privacy interests" when Street View cameras captured images of their house beyond signs marked "private road." The couple claimed in their five-count lawsuit that finding their home clearly visible on Google's Street View caused them "mental suffering" and diluted their home value. They sought more than $25,000 in damages and asked that the images of their home be taken off the site and destroyed. However, the U.S. District Court for Western Pennsylvania wasn't impressed by the suit and dismissed it (PDF) Tuesday, saying the Borings "failed to state a claim under any count." Ironically, the Borings subjected themselves to even more public exposure by filing the lawsuit, which included their home address. In addition, the Allegheny County's Office of Property Assessments included a photo of the home on its Web site. The Borings are not alone in their ire toward the Google Maps feature. As reported earlier, residents in California's Humboldt County complained that the drivers who are hired to collect the images are disregarding private property signs and driving up private roads. In January, a private Minnesota community near St. Paul, unhappy that images of its streets and homes appeared on the site, demanded Google remove the images, which the company did. However, Google claims to be legally allowed to photograph on private roads, arguing that privacy no longer exists in this age of satellite and aerial imagery. "Today's satellite-image technology means that...complete privacy does not exist," Google said in its response to the Borings' complaint Not long after the feature launched in May 2007, privacy advocates criticized Google for displaying photographs that included people's faces and car license

An insurance company seeking to challenge the authority of Canada's privacy legislation and the privacy commissioner in an auto injury case will have to go to the Federal Court to make its case, the New Brunswick Court of Appeal has ruled. In State Farm Mutual Automobile Insurance Company v. Privacy Commissioner of Canada and Attorney General Canada, State Farm argued that Canada's privacy regime does not apply to surveillance tapes the insurer commissioned following a motor vehicle accident in 2005. In March 2005, Jennifer Vetter, insured by State Farm, was involved in a motor vehicle collision with Gerald Gaudet. State Farm subsequently hired a lawyer in anticipation of litigation by Gaudet against Vetter. The insurer also hired private investigators that conducted video surveillance on Gaudet. Gaudet filed a request under Canada's privacy legislation, the Personal Information Protection and Electronic Documents Act (PIPEDA), that State Farm turn over to him the personal information it had compiled, including copies of the surveillance reports and tapes. State Farm went to the New Brunswick Court of Queen's Bench asking for "declaratory" relief on several issues. Among other things, the insurer asked for a court order declaring that PIPEDA did not apply to information obtained in a bodily injury damages claim. It also asked the court for an order confirming that the privacy commissioner had no right or authority to compel State Farm to turn over the documents. The privacy commissioner asked for a stay of proceedings in the New Brunswick court, arguing that the authority of the privacy commissioner was a matter for the Federal Court (which has jurisdiction over federal legislation such as the PIPEDA). The New Brunswick Appeal Court noted both the provincial and federal courts have jurisdiction to hear cases about the constitutionality of federal legislation. But only the Federal Court could determine the outcome of a direct challenge to the authority of the p

IT security typically has been deemed one of those services best provided in-house. But the stigma attached to outsourcing security and Security as a Service -- namely that an outsider does not know your company well enough to protect it -- may be falling away, as businesses look for more ways to cut costs. Certainly, some heavy-hitter providers believe attitudes are changing. This month, McAfee Inc. announced its new SaaS Security Business Unit. Headed by former Hewlett-Packard Co. SaaS executive Marc Olesen, the unit will oversee all McAfee products delivered over the Internet, including security scanning services, Web and email security services and remote managed host-based security software and hardware. Meanwhile, last April, IBM launched some hosted and managed services that it says help midsized businesses better manage risk and improve the security of their IT systems, all while offering cost savings over traditional products. Indeed, much of IBM's security strategy during the next 24 months will focus on moving security technologies into the cloud and expanding its managed services offerings, said Jason Hilling, an enterprise services business line executive with IBM Internet Security Systems. That includes providing some hosted implementations of technologies that once were located only at the customer premises. "Because the economy is struggling, I think there will be enough excitement in the marketplace over the cost benefits of Security as a Service that we are going to see a much higher degree of willingness to look at it as a real viable option," Hilling said. Hilling contended that a midmarket company with between 500 and 700 employees can realize costs savings from 35% to upwards of 60% by doing security as a managed service. Savings diminish as the deployment gets larger and more complicated, and the costs of managed services escalate. Yet outsourcing security is not just about cost. The world is becoming very hostile, said Sadik Al-Abdulla,

Social networking phenomenon Facebook has beaten out arch-rival and former market leader MySpace by most measures of popularity, except the one that pays the bills. While Facebook has outpaced MySpace in bringing in members - it has 175 million active users at the latest count, compared with around 130 million for MySpace - it has struggled make money from them. While MySpace is closing in on $1 billion in revenues, Facebook generated less than $300 million in sales last year, reports say. Indeed, Facebook's efforts to drum up revenue have led to it repeatedly becoming the target of some of the biggest online privacy protests on the Web. Its most recent fight earlier this month followed Facebook's attempt to redefine its own rules and assert ownership over anything its members posted on the site. The company has since backed off and is rethinking its policies. Why hasn't Facebook benefited from the vaunted "network effect" that makes such services more valuable the more its adds members and connections between them? After all, Facebook is spreading quickly in nearly 100 languages, while MySpace has focused on the United States and five other markets where Web advertising flourishes. The answer may lie in the origins of the five-year-old site started by then Harvard University student Mark Zuckerberg. Its appeal at the outset was that it was a place where users could share tidbits of their personal lives with selected friends and acquaintances. This blurred the distinction between a private space and a public one. MySpace is more explicitly a public place where friends hang out in the equivalent of a cafe or a club and the aim is often to meet new people. Most of all, MySpace is a place to share music with other fans.

Cash-squeezed privately held companies are facing another threat in this struggling economy: rising employee fraud. Employee fraud -- from check-forgery schemes to petty-cash theft -- tends to rise during tough economic times, when workers are feeling financial pressure in their personal lives, experts say. And small companies are especially vulnerable because they often lack stringent internal controls to prevent fraud. Sometimes, managers at affected companies attribute lost funds to lower sales -- never even suspecting foul play.

Big Brother may be at it again. Behavioral advertising - the tracking of consumer's Internet surfing activity to create tailored ads - has triggered an intense legal controversy that has law firms scrambling to stay on top of a burgeoning practice. Attorneys say that behavioral advertising is raising privacy, litigation and regulation fears among consumer advocates, the electronic commerce and advertising industries and legislators. Law firms are busy helping companies come up with a transparent way of letting consumers know that their online activities are being tracked and possibly shared. "Lawmakers and companies are having a tough time keeping up with this new frontier of Internet privacy issues, and there is growing consumer unrest about behavioral advertising, leading in some cases to consumer rebellion," said Lisa Sotto, a partner and head of the privacy and security data group in the New York office of Richmond, Va.-based Hunton & Williams. "Consumers find this type of tracking intrusive, and businesses are starting to take the consumer reaction seriously," she said. The buzz over behavioral advertising has been building since congressional hearings that were held last year, during which Congress called on Internet service providers (ISPs) to testify about a highly controversial advertising practice known as "deep-packet inspection." The practice gives companies the ability to track every Web site consumers visit and provides a detailed look at everything they're doing, such as where they're going on vacation, who is going, how much they spent on the trip and what credit card was used. But then came the first class action targeting behavioral advertising, filed against Foster City, Calif.-based NebuAd Inc., an online advertising company accused of spying on consumers from several states and allegedly violating their privacy and computer security rights. The lawsuit specifically alleges that NebuAd engaged in deep-packet inspection. Valentine v. Ne

Just days after President Obama signed a law giving billions of dollars to develop electronic health records, a university technology professor submitted a paper showing that he was able to uncover tens of thousands of medical files containing names, addresses and Social Security numbers for patients seeking treatment for conditions ranging from AIDS to mental health problems. Using peer-to-peer applications, which computer users download to share files, most commonly music and movies, M. Eric Johnson, director of the Center for Digital Strategies at Dartmouth College in Hanover, N.H., was able to access electronic medical records on computers that had the peer-to-peer programs stored on their hard drives. The medical files contained detailed personal data on physical and mental diagnoses, which a hacker could use to not only embarrass a patient but also to commit medical fraud. One of the largest stashes of medical data Johnson discovered during two weeks of research he conducted in January was a database containing two spreadsheets from a hospital he declined to identify. The files contained records on 20,000 patients, which included names, Social Security numbers, insurance carriers and codes for diagnoses. The codes identified by name four patients infected with AIDS, the mental illnesses that 201 others were diagnosed as having and cancer findings for 326 patients. Data also included links to four major hospitals and 355 insurance carriers that provided health coverage to 4,029 employers and 266 doctors.

A company that monitors P2P networks says it found details about the president's helicopter, Marine One, on a computer in Tehran. Pittsburgh station WPXI reports. Bob Boback, CEO of Tiversa, said, "We found a file containing entire blueprints and avionics package for Marine One. … What appears to be a defense contractor in Bethesda, MD had a file sharing program on one of their systems that also contained highly sensitive blueprints for Marine One," Boback said. Retired Gen. Wesley Clark, an adviser to Tiversa, added: We found where this information came from. We know exactly what computer it came from. I'm sure that person is embarrassed and may even lose their job, but we know where it came from and we know where it went. It's no accident the information wound up in Iran, the company said. Countries like Iran, Pakistan, Yemen, Qatar and China are "actively searching for information that is disclosed in this fashion because it is a great source of intelligence," Boback said. Rep. Jason Altmire said he will ask Congress to investigate the risk to national security of this sort of exposure. Cnet's Charles Cooper interviewed the Tiversa's Sam Hopkins (Cooper says he's the CEO but the original report said Boback is CEO; the company website doesn't list executives), who said someone at the company was running a Gnutella client - possible a buggy one. Hopkins said it's hardly an unusual occurence - although presumably the usual breaches aren't so closely connected to the President. Everybody uses (P2P). Everybody. We see classified information leaking all the time. When the Iraq war got started, we knew what U.S. troops were doing because G.I.'s who wanted to listen to music would install software on secure computers and it got compromised. … We see information flying out there to Iran, China, Syria, Qatar-you name it. There's so much out there that sometimes we can't keep up with it. Bottom line: P2P is the big

Visa Inc. said recent alerts it sent to credit card issuers are not related to a new breach, countering reports that a second payment processor had been compromised. In a statement issued Friday, San Francisco-based Visa said the alerts "were part of an existing investigation and are not related to a new compromise event." Credit unions last week reported receiving alerts from Visa and MasterCard about credit and debit card accounts that were exposed in the breach of a payment processor. They reported that the compromise was unrelated to the breach announced by Heartland Payment Systems in January. Information about newly affected accounts was relayed to banks and credit unions Feb. 9, via Visa's Compromised Account Management System (CAMS). The system, which informs banks of compromised account numbers, gives issuers the ability to monitor, close, or block the compromised accounts. Visa's statement did not say what existing investigation the alerts are related to and a company spokesman said he couldn't provide that detail. "Visa has provided the affected accounts to financial institutions so they can take steps to protect consumers," the company said in its statement. "In addition, Visa is risk-scoring all transactions in real-time, helping card issuers better distinguish fraud transactions from legitimate ones." Rich Mogull, an independent consultant and founder of security consultancy Securosis LLC said it's impossible to draw any conclusions based on the Visa statement. "It doesn't say if the breach is public or not, so it may be older but not revealed yet," he wrote in an email. "In other words, it just adds to the confusion. I assume the full story will come out eventually, and since they don't identify the breach it's hard to really evaluate this at all." Heartland disclosed Jan. 20 that its systems were compromised by a hacker in 2008. The breach forced hundreds of banks and credit unions to replace thousands of credit and debit cards.

There were only two of us on the graveyard shift. "If it's not locked up," a colleague at my first newspaper declared as he snatched a folder of papers from our boss' desk and strode towards the office copying machine, "Xerox it." (Old-tongue for photocopy.) That was long before CDs, and USB drives and, certainly, iPods, but the lesson was the same. If you are stupid about protecting company information, shame on you. I guess that's the message behind the "revelation" released in a survey this week that the majority of people who leave their jobs, voluntarily or otherwise, are taking company information with them. Lots of it. My reaction was the same as when I watched my fellow journalist grab and copy whatever it was that had been so carelessly left in the open. I shrugged. (We are by nature an overly curious species, and that overrides our normally dominant ethics gene.) Data Loss Risks During Downsizing conducted by the Ponemon Institute and sponsored by Symantec, was apparently designed to test the hypothesis that in this dire economy (ominous music in background), former employees are going to take important company information out the door. And, in fact, the poll of 945 former employees who left their jobs or were dismissed in the last 12 months showed that 59% stole company data. What kind of data? Email lists, non-financial business information and customer information, including contact lists. Not the secret formula for Coke, not the clinical trial reports on a cure for cancer, no insider information on proposed mergers and acquisitions. Not even a few thousand credit card numbers. Hardly worthy of shock and dismay. This is what a lot of people do when they leave jobs. Are they supposed to? No. Is it wrong? Yeah, but it's sort of like cheating on taxes. Folks rationalize it in a variety of ways, or it just doesn't weigh heavily enough on their conscience to set off an internal alarm. Most of the people who took data - 79% â

The recent U.S. stimulus bill includes $18 billion to catapult the health industry toward the world of electronic health records. This is sure to light a fire under every hungry security vendor to position itself as the essential product or service necessary to achieve HIPAA compliance. It should also motivate healthcare IT professionals to learn where their sensitive data is located and how it flows. To be sure, with federal money allocated through 2014 for the task of modernizing the healthcare industry there will be many consultant and vendor businesses that will thrive on stimulus money. Healthcare is unique in that storage of electronic health records is highly distributed between primary care physicians, specialist doctors, hospitals, and insurance/HMO organizations. Information has to be efficiently shared among these entities with great sensitivity towards patient privacy and legitimate claims processing. Patients want to prevent over zealous employers from performing unauthorized background checks on medical history; claim processors want to prevent paying fraudulent claims arising from targeted patient identity theft. The bill has two provisions which turn this into a tremendously challenging plan, and a daunting task for securing patient data: * Citizens will have the right to monitor and control use of their own health data. This implies a large centralized identity and access control service, or perhaps a federated network of patient registration directories. Authenticated users will be able to reach into the network of health databases audit use of their data and payment history. * Health organizations suffering loss of more than 500 patient records must publicly disclose the breach, starting with postings on the government's Health and Human Services website. This allows related organizations to trace the impact of the breach throughout the healthcare network, but care must be taken not to disclose vulnerabilities in the system to intruders

Netbook web surfers beware. That low-cost netbook you're using could be a high-speed gateway into your life, bank accounts, passwords and other personal data. Netbooks have made headlines since their 2007 launch, making PCs accessible to millions of non-traditional users. But their cheap cost could also carry a steep price tag due to lax security that makes them easier prey for viruses and hackers. Since their introduction less than two years ago by Taiwan's Asustek, nearly all major PC makers, including Hewlett-Packard, Dell, Acer and Lenovo, have jumped on the netbook bandwagon. But their no frills nature, combined with low computing power and relative lack of sophistication among their users could combine to create the perfect storm for hackers and virus creators looking for easy targets, analysts say. "The Internet is full of dangers, regardless of what computer you are using," said Sam Yen, greater China marketing manager at anti-virus software maker Symantec. "But keeping in mind that the netbook is primarily used to surf the Internet, those dangers are possibly multiplied many-fold, especially if there is no anti-virus software installed in the machine." Price tags as low as $300 mean that netbooks often lack such standard gear as firewalls and other anti-virus software typically found in other computers, leaving them highly vulnerable to attacks. "Frankly, netbook security is not there yet," said Pranab Sarmah, an analyst at the Daiwa Institute of Research. "The positioning of the netbook means PC brands are going to do whatever it takes to make the price point attractive to consumers, which means keeping costs low." Many netbook users are relative Internet newcomers, and may not be aware of precautions they can take to protect themselves. Low computing power also means savvy netbook users may shut down critical security programs to boost speed. "It's a Catch-22 situation," said Gartner analyst Lillian Tay. "If you're running too many security prog

In an indication of the legal troubles that companies can find themselves in over data breaches these days, several banks and credit unions have begun suing Heartland Payment Systems Inc. over its recently disclosed data breach. In the six weeks since the potentially massive breach was disclosed, eight banks and credit unions have filed lawsuits against Heartland over its alleged failure to take adequate measures for protecting credit and debt cardholder data. Heartland said on Jan. 20 that unknown intruders had broken into its network sometime last year and accessed payment card data belonging to an undisclosed number of customers. The breach, thought to possibly be the biggest ever disclosed, has already affected over 500 financial institutions, including a handful in the Bahamas, Bermuda and Canada. The lawsuits seek compensation from Heartland for the costs that the financial institutions said they've had to bear in notifying affected customers about the breach and in reissuing new payment cards. The lawsuits also claim damages from Heartland for costs of the alleged fraud that the banks claimed have resulted from the breach.

The team that ran the most technologically advanced presidential campaign in modern history is finding it difficult to adapt that model to government. WhiteHouse.gov, envisioned as the primary vehicle for President Obama to communicate with the online masses, has been overwhelmed by challenges that staffers did not foresee and technological problems they have yet to solve. Obama, for example, would like to send out mass e-mail updates on presidential initiatives, but the White House does not have the technology in place to do so. The same goes for text messaging, another campaign staple. Beyond the technological upgrades needed to enable text broadcasts, there are security and privacy rules to sort out involving the collection of cellphone numbers, according to Obama aides, who acknowledge being caught off guard by the strictures of government bureaucracy. "This is uncharted territory," said Macon Phillips, White House director of new media, which was a midlevel position in previous administrations but has been boosted by Obama to a "special assistant to the president."

The advertiser's dream of sending a particular commercial to a specific consumer is one step closer to reality as Cablevision Systems plans to announce the largest project yet using targeted advertising on television. Beginning with 500,000 homes in Brooklyn, the Bronx and some New Jersey areas, Cablevision will use its targeting technology to route ads to specific households based on data about income, ethnicity, gender or whether the homeowner has children or pets. The technology requires no hardware or installation in a subscriber's home, so viewers may not realize they are seeing ads different from a neighbor's. But during the same show, a 50-something male may see an ad for, say, high-end speakers from Best Buy, while his neighbors with children may see one for a Best Buy video game. "We have, as an industry, been talking about this since the beginning of time," said Matt Seiler, the global chief executive of the media firm Universal McCann, a part of the Interpublic Group. "Now we've got it in 500,000 households. This is real." The potential of customized ads worries some privacy advocates, despite the assurance of cable companies that they maintain anonymity about the households. "We don't have an objection to advertising that is targeted to demographics," said Marc Rotenberg, the executive director of the Electronic Privacy Information Center, a civil liberties group in Washington. But, he said, there is a need to show "that they can't be reverse-engineered to find the names of individuals that were watching particular shows." Cablevision says it segments its subscribers only by demographics, so that an advertiser can divide ads among various groups: General Motors, for example, could send an ad for a Cadillac Escalade to high-income houses, a Chevrolet to low-income houses, and one in Spanish to Hispanic consumers. Cablevision matches households to demographic data to divide its customers, using the data-collection compa

Days after Visa seemingly confirmed that a data breach had taken place at a third payment processor, following on the recent breach disclosures by Heartland Payment Systems and RBS WorldPay, the credit card company now is saying that there was no new security incident after all. In actuality, Visa said in a statement issued Friday, alerts that it sent recently to banks and credit unions warning them about a compromise at a payment processor were related to the ongoing investigation of a previously known breach. However, Visa still didn't disclose the identity of the breached company, nor say why it is continuing to keep the name under wraps. Visa said that it had sent lists of credit and debit card numbers found to have been compromised as part of the investigation to financial institutions "so they can take steps to protect consumers." It added that it currently "is risk-scoring all transactions in real-time, helping card issuers better distinguish fraudulent transactions from legitimate ones." Visa's latest statement follows ones issued by both it and MasterCard International earlier this week in response to questions about breach notices that had been posted by several credit unions and banking associations. The notices made it clear that they weren't referring to the system intrusion disclosed by Heartland on January 20 and suggested that a new breach had occurred.

Federal regulators slapped hundreds of small telecommunications providers for not abiding by new rules designed to protect consumer phone records, proposing more than $13 million in total fines. The Federal Communications Commission proposed $20,000 fines on more than 650 small phone, pager and wireless providers Tuesday, accusing them of not filing paperwork that certifies they have put protections in place to protect customer phone data. "I have long stressed the importance of protecting the sensitive information that telecommunications carriers collect about their customers," said Michael Copps, the FCC's interim chairman, in a statement. "The broad nature of this enforcement action hopefully will ensure substantial compliance with our [privacy] rules going forward as the Commission continues to make consumer privacy protection a top priority." In April 2007, the FCC tightened privacy requirements on phone companies in response to consumer complaints about data brokers selling phone records they had obtained illegally through "pretexting," or getting information under false circumstances. The agency required telecom companies to increase security of phone records, requiring customers to provide a password before receiving account information over the phone or online. Phone companies are required to notify customers when changes are made to their accounts or if their information has been improperly accessed. Companies are required to file annual certifications that they have complied with those requirements. The FCC said hundreds of small companies didn't provide the information in 2008, although it noted it was the first year the agency had required the paperwork. The agency warned that future noncompliance could face "more severe penalties."

Heartland Payment Systems Inc., which announced a breach of potentially millions of credit and debit cards last month, said it plans to vigorously defend itself against lawsuits filed as a result of the data breach. In a filing with the Securities and Exchange Commission, Heartland Chairman and CEO Robert Carr acknowledged the claims that cardholders, card issuers, the credit card brands, regulators, and others have asserted, or may assert, against the payment processor as a result of the breach and the impact it could have on the business. Several class action lawsuits have been filed against Heartland, claiming that the payment processor issued belated and inaccurate statements when it announced a security breach of its systems. Carr He said the company could not "reasonably estimate the potential impact of the breach on the day-to-day operations" of the business. "We intend to vigorously defend any such claims and we believe we have meritorious defenses to those claims that have been asserted to date," Carr said. "At this time we do not have information that would enable us to reasonably estimate the amount of losses we might incur in connection with such claims." The Princeton, N.J.-based payment processor announced Jan. 20 that its systems were breached last year when intruders installed malware to pilfer data crossing the company's network. Since then, Sherriff's authorities in Tallahassee, Fla. arrested three suspects for using stolen credit card numbers to make purchases at local Wal-Mart stores. The credit card numbers used by the trio were allegedly stolen from the Heartland processing center in New Jersey. Carr said the company's sales force was doing well despite the obvious challenges caused by the combination of the downturn in the economy and the data security breach. The payment processor's current customer base has responded positively, he said. "In the weeks since our announcement of the breach, we have installed more margin, and have a bit

IT and business both understand the need to protect regulated customer and business data -- so long as they're in business, analysts say. Here's a look at how some folding businesses are falling short protecting data and the possible liabilities for the IT group and CIO. From HIPPA to Sarbox, a slew of regulations to protect customer and employee data force CIOs to step lively to comply. The punishment for failure to do so is costly and even dire. But once a company folds-and more are folding every week given the economy-what happens to that data? Who in the business and IT could be hit by the splatter if it all hits the fan? "Certain companies have been disposing of records containing sensitive consumer information in very questionable ways, including by leaving in bags at the curb, tossing it in public dumpsters, leaving it in vacant properties and/or leaving it behind in the offices and other facilities once they've gone out of business and left those offices," says Jacqueline Klosek, a senior counsel in Goodwin Procter's Business Law Department and a member of its Intellectual Property Group. "In addition, company computers, often containing personal data, will find their ways to the auction block," she adds. "All too often, the discarded documents and computer files will sensitive data, such as credit card numbers, social security numbers and driver's licenses numbers. This is the just the kind of data that can be used to commit identity theft." Discarded and unguarded data is now low-hanging fruit for criminal harvesters and corporate spies. "Recent client activity supports that competitors are beginning to buy up such auction devices specifically with the intention of trying to salvage the data," says James DeLuccia, author of IT Compliance & Controls. "Hard drives are being removed and sold online, or whole servers are sold via Craigslist and Ebay." In some cases, the courts insist data be sold during a bankruptcy. "Company servers, once I restore

The inability to discard worthless items even though they appear to have no value is known as compulsive hoarding syndrome. Ben Rothke explains why it's a bad habit in the world of IT security. The inability to discard worthless items even though they appear to have no value is known as compulsive hoarding syndrome. If the eccentric Collyer brothers had a better understanding of destruction practices, they likely would not have been killed by the very documents and newspapers they obsessively collected. While most organizations don't hoard junk and newspapers like Homer and Langley Collyer did, they do need to keep information such as employee personnel records, financial statements, contracts and leases and more. Given the vast amount of paper and digital media that amasses over time, effective information destruction policies and practices are now a necessary part of doing business and will likely save organizations time, effort and heartache, legal costs as well as embarrassment and more. In December 2007, the Federal Trade Commission announced a $50,000 settlement with American Mortgage Company of Northbrook, Illinois, over charges the company violated the FTC's Disposal, Safeguards, and Privacy rules by failing to properly dispose of documents containing consumers' credit and personally identifiable information. In announcing the settlement, the FTC put all companies on notice that it is taking such failures seriously. A $50,000 settlement might seem low when measured against the potential for financial harm to individuals as a result of the company's negligence, but in addition to the negative PR for American Mortgage, the settlement includes an obligation to obtain an audit, every two years for the next 10 years, from a qualified, independent, third-party professional to ensure that its security program meets the standards of the order. Any similar failures by this company during the next decade will be met with more severe punishment. That, indeed, is a