GRC Roll-up: Google Privacy Concerns, Encrypting Federal Data

Google Address Privacy Issues

Google has admitted that it didn’t get everything right with Buzz, but said it will do better in the future. The ‘everything’ in question relates to a letter sent by 10 global information commissioners to Google on April 19 expressing concerns over the protection of user data.

In particular, the letter, which was addressed to Google CEO Eric Schmidt, expressed concern that “…the privacy rights of the world’s citizens are being forgotten as Google rolls out new technological applications…“

It added: “We were disturbed by your recent rollout of the Google Buzz social networking application, which betrayed a disappointing disregard for fundamental privacy norms and laws…” Google Street View also came in for criticism for “…launch[ing] in some countries without due consideration of privacy and data protection laws and cultural norms.”

Just last week, Google responded to the letter and, while admitting that it did not get everything 100% right, said that they had "acted to address a number of issues… following the feedback we received.” The response, signed by Jane Horvath and Peter Fleischer, global privacy counsels at Google, said that they had reacted as soon as users’ concerns became obvious adding that protecting privacy was a core element of Google’s practices.

"Google is committed to ensuring that privacy is designed into our products at every stage of the development cycle…. “, the letter said and cited their privacy website and blogs as an example of who the company is ensuring transparency.

Whether this will be enough to reassure the information commissioners from countries like France, the UK and Spain remains to be seen, but a response to the response should be interesting.

File Exchange and Federal Data

Data protection is also at the core of a recent survey on file security and federal encryption. Entitled Why Encrypt Federal File Transfer Report, it says that while the government spends US$ 7.9 billion on cybersecurity measures, many agencies fail to implement even the most basic file security protocols.

The survey of 200 federal IT and information security professionals by MeriTalk, a government IT provider and Axway, a business network company found that agencies whose managers understand cyber threats are twice as likely (53%) to follow correct policies. However, only 58% were aware of agency file transfer policies.

At the core of the findings is that data security issues in federal agencies are mainly due to employees’ use of unsecure methods to exchange information, such as File Transfer Protocol (FTP).
Some of the principal findings include:

• 71% are concerned with the current security of file transfers
• 54% admit they do not currently monitor FTP usage
• 60% use FTP for information sharing
• 66% use physical media (e.g., tapes, CDs, DVDs, USB drives, etc.)
• 52% e-mail work files through personal e-mail accounts (e.g., Gmail, Yahoo, etc.)

It really beggars the questions as to how much of your company and personal information is floating around systems that it shouldn’t be. If you’re interested in more you can download the report here after registering.

Public Records Online

On the federal front there is also the news that a new legislation is in front of the Senate at the moment that would oblige agencies to put all public records up on the web and make them accessible free of charge. If passed, the legislation would also require agencies to publish a searchable list of all the records that are publically available.

The bill would require the Office of Management and Budget’s E-government administrator to develop regulations to ensure agencies make the records available. It only went in front of the Senate last week so it might take some time.

E-Discovery Use Increasing

Organizations will increase their use of electronic discovery, according to new research from CompTIA, the IT trade association. The CompTIA study shows 88 % of attorneys surveyed expect law firms to engage in e-Discovery processes more frequently as more and more cases involve electronic information.

Among more than 650 IT professionals surveyed, 53% expect the use of e-discovery within their organizations to increase over the next few years. E-discovery conventionally refers to the discovery process in civil litigation using electronically stored information. However, many firms routinely engage in data collection and informal investigations related to personnel matters, violations of company policies and security breaches.

The CompTIA survey also identified situations that most often trigger the use of e-discovery

• Suspicious of violating company rules ((66%)
• Security breach stemming from an outside threat (62%)

From the above figures it would also seem to suggest that companies are more concerned about internal violations than they are about external threats.

The complete study is available at no cost to CompTIA members who can access the report at CompTIA's website

AIIM Offers Help on ERM

AIIM (news, site) has just launched a new Electronic Records Management community to help companies work out what the best records management policies might be for them, explain what records management is, and even what records are.

A free resource, the online community features 150-plus wiki pages, a discussion forum, and a buyer’s guide for technologies and products.

Atle Skjekkeland, vice president of AIIM said the community is being developed because the increased need to retrieve information on demand, control access and confidentiality, and ensure secure retention and destruction means the deployment of ERM systems is becoming increasingly necessary.

IDC (news, site)  estimates that there will be 10 times more electronic information in 2011 than in 2006. And AIIM research shows that 37% of organisations are not confident that their electronic records would stand up in court.

What Does GRC Really Mean?

Finally, if there is any confusion as to what exactly GRC is, you might want to take a look at Norman Marks CMS Wire contribution recently. Norman is Vice President, Governance, Risk, and Compliance (GRC) at SAP (news, site) BusinessObjects, so he really knows his onions!

He tackles the increasingly difficult problem of defining what exactly GRC is and what vendors mean by it. Increasingly, it is an abbreviation used in the executive suite and boardroom, he says, but unfortunately, there is no single, commonly accepted definition of GRC.

Original article by: