Ethical Workplace Investigations: A Case for Better Practices
In May 2006, the U.S. House of Representatives, by unanimous vote, passed HR4709, the “Telephone Records and Privacy Protection Act of 2006.” Its passage was clearly the result of the avalanche of publicity over the trafficking of personal telephone records by unscrupulous data brokers and private investigators. While the Senate will not likely take up the bill until after the Fall elections, insiders agree that the bill will likely receive the Senate’s blessing and see the desk of the President before year’s end.
If this important bill becomes law, the use of most pretexting (a covert investigative technique in which an assumed identity is used to collect information) will be unlawful. Business Controls, Inc. supports this legislation but believes that pretexting, when used properly, is an important investigative tool. This belief is shared by other professional investigative firms as well as by regulators. Recently, the International Association of Security and Investigative Regulators (IASIR) issued the following resolution:
"Be it resolved that IASIR recognizes the common practice of pretext as an investigative tool in lawful investigations by both public law enforcement and licensed private investigators and security practitioners."
Like other professionals, our firm believes that pretexts which do not assume the identity of the subject (unlike the pretexts allegedly used in the HP matter) are appropriate and often necessary. For example, covert drug investigations would not be possible if an undercover investigator could not use an assumed identity.
However, pretexting to obtain private records continues to hold the nation’s attention. On September 28, 2006, the House Committee on Energy and Commerce’s Subcommittee on Oversight and Investigations questioned Hewlett-Packard Chief Executive Mark Hurd and former Chairman Patricia Dunn about their knowledge of and involvement in an internal investigation conducted by HP security personnel. HP allegedly hired private investigators who used pretexting to obtain the personal telephone records of several board members, HP employees, and reporters. Hurd and Dunn answered few questions, but the hearing demonstrated the damage a poorly run and possibly illegal investigation can do to the reputation of an organization and the careers of its executives. The public relations disaster that has ensued was unnecessary and unfortunate.
Our firm is opposed to obtaining telephone or cellular phone records through the use of pretext or by any other method which is unlawful. We also oppose the sale or other dissemination of these records to the general public for any reason, by any method. Business Controls, Inc. supports the creation of legislation that would establish severe civil and criminal penalties for the unlawful acquisition or dissemination of both cellular and land line telephone records.
Our firm performs only lawful and ethical investigations and is committed to serve only those clients that share these same principles.
by Eugene Ferraro, CEO/President
Business Controls Launches Partner Program
On September 1, 2006, Business Controls, Inc. launched a new Referral and Affinity Partner Program, giving organizations an opportunity to reap the benefits of Business Controls’ expanding market share. The program is designed to broaden and accelerate adoption of Business Controls’ incident reporting, education/training and corporate investigation services across enterprises, government, and education using one of the strongest marketing tools available – word of mouth.
The program gives Referral and Affinity Partners a vehicle to provide an added-value service to their clients and members while generating cash and new business for themselves.
Under the Referral program, a partner provides a lead referral introduction and contact information to Business Controls. The Business Controls’ sales team will move forward with the lead, and the Partner is compensated when a referral results in a new client sale to Business Controls.
Affinity Partners are primarily Associations. Any member of a Business Controls Affinity Partner will be afforded a special member price for all Business Controls’ products and services purchased.
Referral and Affinity Partners also receive opportunities to participate in collaborative marketing projects.
The Referral and Affinity Partner Program is available now. Potential partners can learn more by calling (866) 904-3308.
The Wall of Shame: Prevent Data Loss Incidents, Don’t Contribute to Them
So far in 2006, more than 32 million people have had personal data exposed in 218 data loss incidents, up from 112 incidents in all of 2005; the count will likely reach 300 by the end of the year. The organizations affected include colleges, government agencies, service providers, and private companies alike. Most disturbing, the majority of these incidents were entirely preventable.
Most data loss is preventable with diligence, particularly in cases from this year where a laptop theft was the root cause of the problem. To keep your organization from becoming the next poster child for what not to do, don’t start with the laptop – start with good practices.
First, most organizations should never store private client information on a laptop – or even a desktop. The data should be stored on a server in a locked area not accessible to the public or most employees. For small organizations that lack a central server, store the data on an external hard drive in a locked location every night when the business closes – also not accessible to most employees. Lesson: do not store private data on unprotected systems.
Second, the data should be encrypted. Period. There is no excuse for stolen data to be compromised when numerous, often free, encryption solutions exist. Even laptops that carry no private client data should be encrypted: they hold intellectual property, client lists and contact data, and internal company information that are part of your business. Protect those mobile systems as if they contained private client information. Two cautions apply. Encryption protects a stolen machine only if the key is not stored on it (a passphrase on a sticky note in the laptop bag, or a key file beside the data, undoes the whole exercise), and only while the machine is powered off or locked; a laptop stolen while its owner is logged in is an unencrypted laptop. Lesson: use encryption.
Third, use clear policies and procedures for handling client and corporate information. The public understands that not every breach can be prevented, but a company that has taken reasonable measures to protect data is likely to be forgiven. Announcing that a stolen laptop exposed data because you never encrypted it, or never moved it to a server, is unforgivable.
Use a Virtual Private Network (VPN) to encrypt data in transit to and from mobile systems as well. Storing private client data on a server is only the first step: if a laptop in the field reaches that server without a VPN or another encrypted connection, the data transmitted back to the home office can be monitored or stolen, on a hotel or airport network as easily as anywhere else. Most data loss is preventable; your organization becoming another statistic is a certainty only if you fail to act.
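The article's second lesson, carried into working code as an added example (this is not code from the newsletter or from Business Controls): a record is sealed with AES-256-GCM, which both encrypts it and detects any later modification, under a key that is generated separately from the data and is meant to live off the laptop. The record, its file-name label and the key handling are assumptions for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// NewKey returns a fresh 256-bit AES key. The key is what makes a stolen
// laptop worthless: keep it off the machine (hardware token, or derived from a
// passphrase typed at unlock), never in a file next to the data it protects.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// SealRecord encrypts and authenticates record with AES-256-GCM under key.
// label is authenticated but not encrypted (for example the record's file
// name), so a blob cannot be silently renamed or swapped into another slot.
// Blob layout: 12-byte random nonce || ciphertext || 16-byte tag.
func SealRecord(key, record, label []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext+tag to nonce, so the nonce travels with the blob.
	return gcm.Seal(nonce, nonce, record, label), nil
}

// OpenRecord reverses SealRecord. Any change to blob or label fails the tag
// check and yields an error rather than corrupted plaintext.
func OpenRecord(key, blob, label []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("blob too short to contain nonce and tag")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], label)
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample record for the demo; not real client data.
	record := []byte("client=Jane Doe;account=0000;balance=1200.00")
	label := []byte("clients/0001.rec")

	blob, err := SealRecord(key, record, label)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored %d bytes; unreadable without the key\n", len(blob))

	got, err := OpenRecord(key, blob, label)
	fmt.Println("round trip ok:", err == nil && string(got) == string(record))

	blob[len(blob)-1] ^= 0x01 // a thief, or a disk fault, flips one bit
	_, err = OpenRecord(key, blob, label)
	fmt.Println("tampering detected:", err != nil)
}
```

GCM is used rather than a bare block cipher mode because a thief who cannot read the data may still try to alter it; here any bit flip, relabelling or wrong key produces an error instead of silently wrong plaintext. A fresh random nonce per record is what keeps two records encrypted under the same key from leaking their relationship.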
by Robert J Bagnall, CEO, Maverick-Security, LLC
The Rising Concern of RFID Security
Radio Frequency Identification (RFID) is an automatic identification method that stores data on devices called RFID tags or transponders and retrieves it remotely by radio. The technology has grown steadily more popular and is now common in transport payment systems such as electronic toll collection “passes,” product tracking, automotive theft protection, and correctional systems in various US states. Organizations large and small use it in the form of corporate access or “prox” (proximity) cards. RFID tags are also used in passports in many European countries, and their use in the passports of millions of Americans is scheduled to begin in October. Recently, however, grave security concerns have arisen around RFID technology.
At a security conference this past August, researchers from a security firm in Hildesheim, Germany demonstrated that passports equipped with RFID tags can be cloned with ease using a laptop, an RFID reader and a smart card writer, all of them relatively inexpensive. The researchers were also able to copy corporate access cards. Many access cards make this trivial: a legacy proximity card performs no authentication at all, it simply broadcasts a fixed identifier whenever a reader powers it, so anyone who can read that number can replay it. What are the implications for organizations? Put simply, an attacker could copy access cards and use the copies to enter an organization’s most secured rooms and buildings, a physical security breach. For employees who travel internationally, the concern is personal privacy: an attacker need only know that you are carrying a passport. Many fear the plausibility that American travelers could be identified and targeted by attackers abroad.
The weakness described above has prompted further research into the use of RFID and the overall security of the technology. Please monitor upcoming Security News Headlines for follow-up articles on this topic.
TIP: Contact your organization’s Information Technology department to learn how the use of RFID within your organization could affect you.
Quote: "Character is like a tree and reputation like its shadow. The shadow is what we think of it; the tree is the real thing."
-Abraham Lincoln (1809 - 1865)
Instant Messaging in the Workplace
The world of instant messaging (IM), once dominated by teens and college students, has begun to take the corporate world by storm. Workers are increasingly using commercial instant messenger services to communicate with fellow employees, as well as with individuals outside of their workplace. According to the 2006 Workplace E-Mail, Instant Messaging & Blog Survey from American Management Association (AMA) and The ePolicy Institute, 35 percent of employees are now using instant messaging at work. In addition, 50 percent of these users also reported that they have downloaded free consumer IM tools from the internet to facilitate chatting.
What are people chatting about and what types of content are passing through workplace networks? The 2006 AMA/ePolicy Institute Survey revealed that 26 percent of communication contained attachments; 24 percent included jokes, gossip, rumors, and disparaging remarks; 12 percent consisted of confidential company, employee, and client information; and 10 percent incorporated sexual, romantic, and pornographic material.
What does this mean for corporations? By allowing real-time interaction, messenger services can increase productivity and efficiency, but only if they are used correctly and securely. IT managers are increasingly concerned that IM clients open a gap in the perimeter their firewalls are meant to enforce: consumer IM clients are built to get through firewalls, typically by falling back to ports already permitted for web traffic, so their conversations and file transfers pass the perimeter unexamined. The bandwidth consumed by messaging and chat services is a further concern.
Another challenge is that consumer instant messaging services provide no archiving, auditing, encryption, authentication, or logging of communications. These capabilities are needed to meet obligations under the Sarbanes-Oxley Act of 2002 and SEC Rule 17a-4. To comply, an organization must be able to control whom individuals can instant message, to log and archive those messages, and to review them systematically.
As a response to the security and manageability concerns faced by organizations, numerous programs have been developed to aid organizations in implementing compliant and secure messenger services for their employees. These programs generally are classified as those which will work with existing consumer IM services or those which will provide a comprehensive, stand-alone instant message service for the organization.
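An added illustration, not code from the newsletter or from any IM product, of the three controls the compliance paragraph above calls for: deciding who may message whom, archiving every message whether delivered or blocked, and marking which archived messages a reviewer must read. The domain names, review terms and sample traffic are constructed; the hash-chained archive is one way to make the log tamper-evident and is an assumption here, not something the article prescribes.

```go
package main

import (
	"crypto/sha256"
	"fmt"
	"strings"
)

// Message is one IM event as the gateway sees it (assumed shape, not any
// vendor's wire format). From and To are user@domain.
type Message struct {
	From, To, Body string
	Attachment     string // file name, empty if none
}

// Policy is the organization's IM rule set.
type Policy struct {
	HomeDomain      string          // the organization's own users
	AllowedExternal map[string]bool // outside domains staff may chat with
	ReviewTerms     []string        // content that must be queued for review
}

// Decision is recorded for every message, delivered or not.
type Decision struct {
	Allowed bool
	Flags   []string
}

// Evaluate decides who may talk to whom and what a reviewer must look at.
func (p Policy) Evaluate(m Message) Decision {
	d := Decision{Allowed: true}
	for _, party := range []string{m.From, m.To} {
		dom := strings.ToLower(party[strings.LastIndex(party, "@")+1:])
		if dom != p.HomeDomain && !p.AllowedExternal[dom] {
			d.Allowed = false
			d.Flags = append(d.Flags, "blocked: external domain "+dom)
		}
	}
	if m.Attachment != "" {
		d.Flags = append(d.Flags, "review: attachment "+m.Attachment)
	}
	body := strings.ToLower(m.Body)
	for _, term := range p.ReviewTerms {
		if strings.Contains(body, term) {
			d.Flags = append(d.Flags, "review: term "+term)
		}
	}
	return d
}

// Entry is one archive record. Prev links it to the previous record, so
// editing or deleting an archived message invalidates every later hash.
type Entry struct {
	Seq        int
	Msg        Message
	Dec        Decision
	Prev, Hash string
}

func hashEntry(e Entry) string {
	s := fmt.Sprintf("%d|%q|%q|%q|%q|%v|%q|%s", e.Seq, e.Msg.From, e.Msg.To,
		e.Msg.Body, e.Msg.Attachment, e.Dec.Allowed, e.Dec.Flags, e.Prev)
	return fmt.Sprintf("%x", sha256.Sum256([]byte(s)))
}

// Archive is an append-only, hash-chained log of every message seen.
type Archive struct{ Entries []Entry }

func (a *Archive) Record(m Message, d Decision) Entry {
	e := Entry{Seq: len(a.Entries), Msg: m, Dec: d}
	if n := len(a.Entries); n > 0 {
		e.Prev = a.Entries[n-1].Hash
	}
	e.Hash = hashEntry(e)
	a.Entries = append(a.Entries, e)
	return e
}

// Verify recomputes the chain and returns the index of the first entry that
// does not check out, or -1 if intact. Trimming the newest entries is caught
// only if the latest hash is also kept somewhere the archive owner cannot edit.
func (a *Archive) Verify() int {
	prev := ""
	for i, e := range a.Entries {
		if e.Prev != prev || hashEntry(e) != e.Hash {
			return i
		}
		prev = e.Hash
	}
	return -1
}

func main() {
	p := Policy{HomeDomain: "example.com", AllowedExternal: map[string]bool{"partner.example": true},
		ReviewTerms: []string{"confidential", "client list"}}
	var arch Archive
	for _, m := range []Message{ // constructed sample traffic, not real logs
		{From: "ann@example.com", To: "bob@example.com", Body: "lunch at noon?"},
		{From: "ann@example.com", To: "vendor@partner.example", Body: "Confidential draft attached", Attachment: "q3.xls"},
		{From: "bob@example.com", To: "pal@freechat.example", Body: "here is the client list"},
	} {
		e := arch.Record(m, p.Evaluate(m))
		fmt.Printf("%d allowed=%v flags=%v\n", e.Seq, e.Dec.Allowed, e.Dec.Flags)
	}
	fmt.Println("archive intact:", arch.Verify() == -1)
	arch.Entries[1].Msg.Body = "edited after the fact"
	fmt.Println("first bad entry after edit:", arch.Verify())
}
```

Blocked messages are archived alongside delivered ones, because an auditor wants to see what staff tried to send, not only what got through. The review flags are what a "systematic method to review" keys on: a reviewer reads the entries carrying a `review:` flag rather than the whole log.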
One thing is for sure, instant messaging will continue to push its way into the corporate world. Resources and programs are available and will continue to evolve assisting organizations with the challenges instant messaging presents. Proactive organizations have already begun to manage this issue.
For more information on the AMA study, click here: http://www.amanet.org/press/amanews/2006/blogs_2006.htm.
Re-communication: A Key Component of Your Whistleblower Hotline
Perhaps the most important part of having an Anonymous Incident Reporting System (AIRS) is making employees aware of the service, the purpose of having it, and how to use it appropriately. It is vital not only to conduct an initial advertising/communication campaign but to establish a routine schedule for continued communication.
Organizations that set up new AIRS often do a large initial communication campaign for their employees but as time goes by those employees forget that they have this service available to express their concerns. Employees who might have initially received materials have subsequently thrown them out or misplaced them. Turnover in the workforce is also an issue where new hires may not be aware of the service unless they are properly communicated with.
Conducting a re-communication campaign is also a perfect time for organizations to re-emphasize their current policies and procedures for bringing forward concerns. It may be beneficial to emphasize that the system is an added benefit to current policies and procedures – not necessarily a replacement.
Here are some suggested ideas for a re-communication campaign:
- Publish articles in the company newsletter
- Display posters or informative material in high traffic areas
- Send out email announcements and include information in employee handbooks
- Add links and information on the organization’s Intranet and external Website
- Train mid-level managers so they can effectively communicate to their employee base
- Distribute wallet cards and employee brochures to employees
Want a Customized Electronic Newsletter for Your Organization?
Now you can market your products, services and ideas with a customized professional electronic newsletter just like this one. The means to affordably communicate with your customers, clients or team members has never been easier. Our IT and design team will help you select a design and color scheme that suits your needs. Your customized monthly newsletter will display your organization's name, logo, address and phone number. Each issue will contain at least five topical articles professionally written by our editors. We can even add articles, messages and news releases contributed by you or your organization. Hyperlinks to your Website and automated subscribe and unsubscribe feature are included. We will even distribute the newsletter for you to your list of subscribers. To receive your own customized electronic newsletter, call Brad Mathers at 800.650.7005 or visit www.SecurityNewsletters.com today!