Notes on Liabilities and Vulnerabilities in the Information Age
Introduction:

The reader is familiar with the expressions "primary industry" and "secondary industry". By primary one means an economic activity concerned with the production or extraction of raw goods, such as agricultural and mineral goods. By secondary one refers to the processing and manufacturing of goods in workshops, factories and plants. The so-called Industrial Revolution marked the passage, in the 18th century, of our Western society from an economy based mainly on primary industries to one based on secondary industries.
Economists created the term "tertiary industry" to encompass activities which fell outside the previous classification. However, many felt that what these industries had in common was to deal with "services", such as banking, education, entertainment, retailing, healthcare, transportation... With it came the realization that since the Second World War we are witnessing a new revolution, progressively making service industries the mainstay of economic prosperity.

We beg to differ. There is indeed a new economic revolution going on, but we see it as giving priority to information industries, not to services. Services make an implicit reference to employing people to serve the customer rather than producing tangible goods. Yet, public relations aside, business news convincingly shows that employees are treated as a cost to minimize, not a resource to expand. New economic prosperity stems from producing information, ever more in quantity, hopefully more and more refined in quality.
One should not misunderstand the lessons to be taken from this analysis. True, both the public and the political body are highly concerned to see outsourcing embraced by the very service industries on which they based their hope for job creation. Their fears are made even worse by the fact that outsourcing knows no border, thanks to the Information Revolution. Yet this pessimistic perspective merely reflects their initial mistake. If we correctly identify information industries as the growth engine of the economy, employability should rather be sought in responding to the growing demand for information. For the 21st century worker, the question to ask is: what information am I suited to provide better than my neighbor? We believe optimistically that, by the very nature of information, this question will always have an answer, though not necessarily an easy one.

This course, then, is designed to inform future business managers and executives of the ways in which the Information Age changes how to conduct business, including in primary and secondary industries and of course in tertiary industries. As defined, the topic cannot be covered in one course: information quality must come before quantity. So we leave to others the task of showing how to produce information and exploit it for positive gains. We rather focus on the downside of the information revolution: what business got that business never wanted, i.e. new liabilities and vulnerabilities.

Even so, our topic remains as vast as human imagination and the propensity to do evil can be. Nothing new about that (see the concurrent course in "Fraud Examination"), only its more modern manifestations. So in all modesty we aim at providing a useful foundation for our audience. This foundation is designed to enable each student to face the real life issues and master the solutions to be encountered later, in their unique circumstances.
Our approach is based on two considerations:

  • - from a business perspective, the best way to tackle the subject is as a risk management task
    for an overview of what risk management entails, see pages 1-6 of an article by Siegel, Sagalow and Serritella of AIG
    taking into account their professional bias as employees of an insurance company
  • - from a technical perspective, we propose to reduce the subject matter to a few headings:
    • who? dealing with virtual entities, whose identity cannot be taken for granted
    • whose? possession of confidential information about third parties
    • what? legal processing, duplication and destruction of confidential or valuable information
    • how? perpetration of, and protection against, malicious abuse

We also propose to apply to such data the legal perspective already developed to deal with financial fraud. Following Joseph T Wells (Principles of Fraud Examination, John Wiley & Sons, 2005), himself quoting Henry Campbell Black (Black's Law Dictionary, West Publishing, 1979), we will use the following definitions:

  • - "larceny: a felonious stealing, taking and carrying, leading, riding, or driving away with another's personal property, with the intent to convert it or to deprive the owner thereof"
  • - "conversion: an unauthorized assumption and exercise of the right of ownership over goods or personal chattels belonging to another, to the alteration of their condition or the exclusion of the owner's right".
  • - "to embezzle means willfully to take, or convert to one's own use, another's money or property of which the wrongdoer acquired possession lawfully, by reason of some office or employment or position of trust."
  • - "a person is said to act in a 'fiduciary capacity' when the business which he transacts, or the money or property he handles, is not for his own benefit, but for another person, as to whom he stands in a relation implying and necessitating great confidence and trust on the one part and a high degree of good faith on the other part".

In our personal opinion, nobody should use any profile information obtained on an individual except in one case: in principle, the narrowest construction of the purpose for which this information has been disclosed, and in ideal practice, the execution of a single, specific transaction. Any other usage should be considered a case of embezzlement when the information has been legally taken into possession, and of larceny in all other cases. We readily submit that this is an extreme position, especially when one compares it to currently legal marketing practices. But recent law has already witnessed surprising leaps of interpretation justified by the special needs of the Information Age. See for example the following explanation taken from an official analysis of the amended Computer Fraud and Abuse Act (18 U.S.C. § 1030.):
"Consistent with Congress's prior construction of § 1030(a)(2), 'obtaining information' includes merely reading it; i.e., there is no requirement that the information be copied or transported. This is critically important because, in an electronic environment, information can be 'stolen' without asportation, and the original usually remains intact."
Compare this statement with the prior definition of larceny: "taking and carrying, leading, riding, or driving away with another's personal property" now extends to mere "reading".

Taking a more considered view, we argue that we are currently witnessing a rising tension between the public clamor for better protection of confidential information and the need of organizations to be free from unnecessary regulatory burdens. The resulting trend has been a whole series of laws which do create new liabilities and therefore new expenses. See for example the bill introduced by Senator Dianne Feinstein aiming to bring California laws on identity theft to the Federal level (for a more complete list see The Center for Democracy and Technology). The uncertainty as to which current practice the next law will target can, of itself, have a significant negative impact on investment.
The positive response must be to recognize that, laws aside, new vulnerabilities are unavoidable and that an organization should tackle them for its own benefit. And as we shall see in this course, the best regulations simply require all participants to adopt existing best practices. When an industry itself seeks stricter law enforcement to boost its own property rights, as the entertainment industry does today, it should also remember that even the most favorable law in the world does not dispense the industry it protects from evolving its business model in line with changing technology.

A final word on our approach: in view of the multifaceted aspect of the field, we have adopted a case-based organization. We acknowledge our choice of cases and the underlying topics they illustrate is by construction both limited and arbitrary. Examples of material not covered include industries regulated by the Food and Drug Administration, such as farms and pharmaceutical companies. We feel however students will gather from this case set enough of the general background needed to address new cases with an open and informed mind.
This capacity to create new information can be handy in several ways:

  • - as a compliance officer, you will be required to make sure your organization is ready and accountable in case of information mishaps
  • - as a staff manager, you will better understand how to integrate information-related risks into your own plans
  • - as a line executive, you will be better able to carry out your responsibilities in balancing the inevitable costs of risk mitigation with the appropriate degree of protection

This fundamental need for economic balance explains why this course is useful no matter the size of the organization to which you will bring your skills. Every business, large or small, is subject to new liabilities and vulnerabilities in the Age of Information Systems. And what counts ultimately is not the absolute amount of resources you muster against these risks, but how reasonable, how informed your decisions appear to be whether to a shareholder, an employee, a customer or potentially, a jury member.

Contents Covered:

In part I, we examine issues which stem from maintaining (for its legitimate owner) or ascertaining (for the intended users) an electronic identity.

  • The first case covers ID theft:
    • - the seriousness of the issue has been highlighted by a recent series of major breaches of confidential, personal financial identifiers, one involving up to 40M accounts
    • - the variety of reported causes offers a good view of real life complexity
    • - the case illustrates the importance of the human factor
  • The second case covers credit fraud:
    • - remote payment services and credit reporting are large markets, the reliability and efficiency of which are necessary conditions for the Internet to deliver the expected growth and productivity gains
    • - the complexity of a system involving users, merchants, banks and service providers with different, at times conflicting, interests shows the need for compliance regulation
    • - the case illustrates how quantitative risk management can be used to minimize exposure
  • The third case covers ambush marketing:
    • - most Information Age concepts, such as ID theft, apply to organizations as well as consumers
    • - law is not all about enforcing compliance by organizations; it also includes protection for them as well
    • - the case illustrates how competition among organizations uses the Information Age to break new ground on trademark protection
In part II, we examine issues which stem from possession of personal, confidential data.
  • The first case covers the healthcare industry:
    • - the healthcare industry responds to a rapidly expanding market
    • - because of the highly sensitive nature of the data concerned, the law gives a strong interpretation of the right to privacy
    • - resulting regulations have been written with particular care, resulting in a methodology useful in many other situations
  • The second case covers marketing campaigns:
    • - direct marketing is a vital tool for most providers of consumer goods and services
    • - because of rising concerns about abuses, there is an ever growing body of compliance laws
    • - the case illustrates how laws are the result of implicit bargains among pressure groups
  • The third case covers safe harbors in the context of customer data processing:
    • - the globalization trend applies to information as well as any other aspect of the economy
    • - it is important to understand how international laws induce new compliance tasks on domestic organizations
    • - the case illustrates how laws can create new mechanisms or services
In part III, we examine issues which stem from the defense of digital information.
  • The first case covers the protection of information:
    • - "Information Security" is central to the planning and implementation of today's organizations
    • - successful organizations will integrate business continuity, compliance and business strategies into security planning
    • - the chapter provides an overall methodology to develop and implement security policies
  • The second case covers the disposal of information:
    • - disposal and, by mirror effect, retention deserve a separate chapter within "Information Security"
    • - this reflects the law, which is often very specific and demanding in this area
    • - the case illustrates how privacy rights and business compliance can clash
  • The third case covers the distribution of information:
    • - publishing deals with information sent outside for public consumption, a pervasive activity
    • - this is another case, copyright law, in which the law is written in favor of organizations
    • - the case focuses on developing new business models, less dependent on legal enforcement
In part IV, we examine issues which stem from the attack of digital information.
This part covers three well known types of attacks, each related to and emphasizing a prior topic:
  • - spamming, or how to maximize the reach of direct marketing while ignoring the interests of "bystanders" (see chapter II-2)
  • - denial of service, or how to close the Internet site of the target, e.g. a competitor, taking ambush marketing to its limit (see chapter I-3)
  • - copying, or how to defeat copyright law (see chapter III-3)

Conclusion:

One objective of this course is to highlight the many links which tie the different topics covered. Underneath the diversity of cases, one always finds the same challenges rooted in the very nature of digital information. This supports our claim that our readers will be able to apply their knowledge to situations we have not covered and, within a situation we have covered, to the particular circumstances of a specific organization.
Inspired by what we see as the unity of our subject matter, we have relied on a few encompassing principles which the reader will recognize time and again in the different chapters:

  • - integrate security, compliance and business considerations, rather than treating security and compliance as burdens on business, as if business could exist in some ideal world devoid of such practical issues
  • - identify the whole system and manage it as a whole, its security being as low as the lowest part of the fence.
  • - take the human element into account as the cornerstone of security, since all systems encompass the people who interact with them
  • - recognize the complexity of dealing with business affiliates / associates, with the inevitable dilution in security
  • - apply pattern recognition theory, to account for the tradeoffs inherent to practical cases for optimal decision making
  • - implement a personal view which seeks a solution to some of the issues encountered by:
    • - restricting profile data ownership to the original provider characterized by this profile
    • - decentralizing profile data to the local machine used by the profile owner
    • - minimizing profile data possession by others
    • - ensuring that all exchanges of profile information are preceded by the recognition by the participants of a mutual interest
    • - allowing informal electronic exchanges to be conducted in total privacy between willing participants, total privacy defined by the status today granted to oral and postal communications
    • - thus depriving profile data thieves of the huge productivity boost of breaking into a central site, forcing them instead to steal from people as in the "good old days", one at a time
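To make these principles concrete, the following is an illustration added to these notes; it is not the course's own material, nor ePrio's patented method, and every name, field and policy in it is a constructed assumption. The full profile never leaves the owner's object; an organizer records only who declared interest in which offer, never profile data; a counterparty receives only the fields the agreed purpose requires; and each disclosure is a single-use token that cannot be replayed.

```python
"""Purpose-bound, single-use profile disclosure.

Added illustration of the principles listed above (owner keeps the data,
minimal fields per purpose, mutual interest before any exchange, no
central store worth breaking into). All names and values are constructed.
"""
from dataclasses import dataclass, field
import secrets

# Which profile fields a given purpose justifies releasing. Constructed policy;
# a real deployment would let the owner edit it.
PURPOSE_FIELDS = {
    "ship_order": {"name", "postal_address"},
    "age_check": {"birth_year"},
}


@dataclass
class Organizer:
    """Market organizer: stores only (participant id, offer id) pairs,
    so a break-in here yields no profile data at all."""
    interest: set = field(default_factory=set)

    def declare(self, participant: str, offer: str) -> None:
        self.interest.add((participant, offer))

    def is_mutual(self, a: str, b: str, offer: str) -> bool:
        return (a, offer) in self.interest and (b, offer) in self.interest


class Owner:
    """A participant whose full profile lives only on their own machine."""

    def __init__(self, ident: str, profile: dict):
        self.ident = ident
        self._profile = profile      # never handed out wholesale
        self._tokens = {}            # token -> (counterparty, released subset)
        self.log = []                # local record of every disclosure

    def issue(self, purpose: str, counterparty: str, offer: str,
              organizer: Organizer) -> str:
        """Mint a one-time token releasing only what 'purpose' needs.
        Refused if the purpose is unknown or interest is not mutual."""
        if purpose not in PURPOSE_FIELDS:
            raise PermissionError(f"no disclosure policy for {purpose!r}")
        if not organizer.is_mutual(self.ident, counterparty, offer):
            raise PermissionError("no mutual interest declared for this offer")
        wanted = PURPOSE_FIELDS[purpose]
        subset = {k: v for k, v in self._profile.items() if k in wanted}
        token = secrets.token_urlsafe(16)
        self._tokens[token] = (counterparty, subset)
        return token

    def redeem(self, token: str, counterparty: str) -> dict:
        """Hand over the released fields exactly once; replay or use by a
        party other than the intended one is refused."""
        entry = self._tokens.pop(token, None)   # pop: token dies on first use
        if entry is None:
            raise PermissionError("token unknown or already used")
        holder, subset = entry
        if holder != counterparty:
            raise PermissionError("token was issued to a different party")
        self.log.append((counterparty, sorted(subset)))
        return dict(subset)


def demo():
    """Run one legitimate disclosure, one replay, one stranger's request.
    Returns (released fields, replay blocked?, stranger blocked?)."""
    alice = Owner("alice", {                     # constructed sample profile
        "name": "A. Example", "postal_address": "1 Sample St",
        "birth_year": 1980, "income": 50000,
    })
    organizer = Organizer()
    organizer.declare("alice", "offer-42")
    organizer.declare("shop", "offer-42")

    token = alice.issue("ship_order", "shop", "offer-42", organizer)
    released = alice.redeem(token, "shop")       # name and address only

    try:
        alice.redeem(token, "shop")
        replay_blocked = False
    except PermissionError:
        replay_blocked = True

    try:
        alice.issue("age_check", "stranger", "offer-42", organizer)
        stranger_blocked = False
    except PermissionError:
        stranger_blocked = True

    return released, replay_blocked, stranger_blocked


if __name__ == "__main__":
    print(demo())
```

Note that the "income" field is never released for either purpose, and that the organizer, the one central component, holds nothing a thief could resell; the only way to obtain profile data is to deal with each owner, one transaction at a time.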

Disclosure:

The author is President of ePrio Inc., a company which has developed and patented a way of interacting over the Internet which is both personalized and totally confidential. By the latter we mean that no one, not even an intermediary, has, nor needs to have, access to personal user profiles. ePrio Inc. currently markets an infrastructure service which allows so-called market organizers to deliver mutual, confidential matching services to their users.

While the author's calls to extend privacy rights represent his personal views, ePrio Inc. would potentially benefit from some of the actions taken in response to such calls.

June 2005
Copyright © 2005 Philippe Coueignoux. All rights reserved.