by Robin Sundaram and Michelle Ward

January 29, 2010

There were so many questions for our panelists that we simply ran out of time to address them all. As a follow-up to the lively discussion at the January WIT Forum, our panelists kindly agreed to give their expert insight on some of the most popular questions submitted by the audience.

Q: What recommendation do you have to help us protect our info? When should you give your photos, insurance, etc., and when shouldn’t you?

A: Robin Sundaram (Lexis Nexis)

I think the biggest advice I can offer is to use common sense. Does a recreational sports league really require your personal information such as SSN? If it doesn’t make sense to give your personal information, don’t – just leave the information blank. If they need it, they will ask again, and you can make them justify it. Except for insurance, utilities, etc. who need your personal information (e.g. to verify identity and file claims, etc.), there’s rarely a good reason to hand out your personal information. Leave information off forms and force people to explain exactly why they need it.

Q: What are the solutions to protect our personal information especially since it is not just on our credit file? What do we do if we receive a compromise letter?

A: Robin Sundaram (Lexis Nexis)

Here are some things you can do to protect your personal information:
– Share it with caution
– Check on it constantly and consistently
– Address any issues found promptly

If you do receive a compromise letter, make sure it is legitimate! There have been instances where people have received faked compromise letters and given away their PII to fraudsters. Make sure it’s legitimate by independently contacting the company that sent it to you (e.g. if you got one from Acme Bank, call Acme Bank using a phone number you get from their official website, not the one on the letter). Once you confirm it, make sure you understand the scope of the compromise before deciding on next steps. In general, if you’re offered free credit monitoring, it’s not a bad idea to take the company up on it. I wouldn’t continue paying for it afterwards (personally, not a company position), but I would use it if it were free. The FTC has a very useful consumer resource guide at: I would suggest you read that and use it.

Q: What are the impacts of cloud computing? How do you address the risk?

A: Robin Sundaram (Lexis Nexis)

The primary impact of cloud computing is that data is not in your control anymore. This is somewhat like taking your wallet out of your pocket and giving it to someone for safekeeping. Now, if the person is a known cop, that might be fine; there is a comfort and trust level around them. But what if the person just bought a cop’s uniform and really is a thief? Or is a perfectly nice, but incompetent, person who will leave your wallet in the washroom? Who bears the liability when your wallet is lost?

Use this exact analogy for cloud computing. The data is yours. The responsibility is yours. The liability is yours. When a company pursues cloud computing, it should be cognizant that it can outsource data management, but not the responsibility associated with it. Walk carefully into contracts with cloud computing providers. Address security, SLAs, data retention, liability, etc. explicitly.

Q: What are the proactive measures taken versus reactive? Do you recommend paying for protection planning?

A: Robin Sundaram (Lexis Nexis)

I personally don’t recommend paying for protection (in fact, I don’t have credit monitoring on myself – as John suggested, you can get 9 free credit reports every year if you’re a GA resident). I do the following: check my credit at least 3 times a year; check my credit card statements every month; have alerting set up on my credit cards for unusual/high charges; check my bank and brokerage statements every month; set up online billing for everything I do (utilities, mortgage, etc.); never send checks in the mail, and use electronic payment instead. I think all these steps together, along with safe computing practices (don’t enter personal information online unless you are going to a trusted site), are sufficient to keep yourself reasonably protected against identity theft.

Q: How do you manage employees leaving your organization – taking info, docs with them to the competition?

A: Michelle Ward (SunTrust)

In many organizations, terminated employees sign an agreement stating that they will not take client or company proprietary information from the organization they are leaving. However, it is likely that most of these individuals take something with them – whether it be their client contact list or some type of operational documents/report templates that they believe they might be able to use in their new position (so that they will not have to recreate something similar). From a security and privacy perspective, a bigger threat is the employee who is terminated by HR when the employee is not physically in the office (let’s say, a manager terminates this person over the phone because he stopped coming into work). When this happens, the terminated employee may have a company-owned laptop, PDA or hardcopy documents that contain sensitive client information. The terminated employee is now an “unauthorized user” but still has access to this client data – in some organizations, this is considered a security breach, and formal client notification/credit monitoring may be necessary if there is suspicion that the terminated employee may have misused this sensitive data. Chasing after individuals who have been terminated in an attempt to collect their laptop and other devices that contain this sensitive information can be a time-consuming and frustrating process. Managers need to make every effort to ensure employees are physically in the office, with their laptops/PDAs, on the day of termination in order to avoid potential client notification due to an “unauthorized access” breach.