What Happens When You Leave (Either Your Company or Earth)?

Years ago, a New Yorker (?) cartoon depicted a widow and her deceased husband’s boss standing at the graveside of the newly departed. The boss turned to the now-deceased employee’s wife and asked, “I know this is an awkward time, but did he ever mention source code?”

Somewhat in that vein, I had an interesting discussion at MacWorld/iWorld with Allison Sheridan who runs the NosillaCast Mac podcast, and then followed this up by attending her talk (the only talk I have attended at a conference with “death” in the title). Allison recounted the experience of Tim and Alice Verpoorten. Tim, the geek in the family, died and left his wife Alice (a non-geek) with a large amount of stuff – old Macs, routers, cables, diskettes and a variety of other material for which she had no use. Worse, Alice had no access to Tim’s email accounts, cloud-service passwords and the variety of other stuff that would have proven to be extremely useful after Tim’s demise. Long story short, Allison condensed the Verpoorten’s experience (as well as that of her and her husband who helped dispose of this stuff) to four questions to which we should all take heed:

  • Who could access your passwords if something happened to you?
  • What services should you continue if you were incapacitated or worse?
  • How organized are your electronics?
  • What could you document to protect your interests and give your family/friends a helping hand?

This raises an important issue – and a number of questions – for business and IT decision makers for those situations in which their employees leave (regardless of how they do so):

  • Do these employees have corporate content stored away somewhere that is inaccessible to the company? Places like USB sticks, personal cloud storage accounts, home computers, personally smartphones and tablets, .PST files, etc.?
  • What are the consequences of the company not being able to access this content – or not even knowing it exists?
  • What steps are you, as a business or IT decision maker, taking today to ensure you know where your data is and that you have complete and unfettered access to it?
  • Do you have a succession plan in place that defines who owns Twitter followers, Facebook posts and content that has been posted to social media?
  • Have you consulted your legal counsel about your rights and obligations as an employer to ensure you have all of the data to which you’re legally entitled?
  • Employees, are you operating in compliance with the law and corporate policy in the context of how and where you store company-owned data?
  • Employers who hire people from other companies, do you know what these individuals are legally entitled – and not entitled – to bring with them? Are you sure you’re protected if these new employees use confidential or proprietary data from their previous employer?

These are the kinds of questions that organizations should address in order to protect against their key employees’ untimely demise or some other departure from the company. This is simply part of good information governance. Moreover, Allison’s experience is part of good life governance. We should all take steps to start pursuing both.

Should You Archive Social Media Content?

Many organizations are not aware of their regulatory obligations to retain social media, but this can result in serious problems. While the focus of social media management and control is today skewed heavily toward financial services, there is growing expansion into other heavily regulated industries, as well.

Archiving is an essential component of social media control and management for the simple reason that, from a legal or regulatory perspective, electronic content in a Facebook post or tweet is fundamentally no different than email or other electronic content. For example:

  • In Armstrong v. Shirvell, the defendant requested “[a] complete copy of all communications between you and the following individuals… whether it be on Facebook, in a blog, via e-mail, text message, voicemail, letter, facsimile, or anywhere else…”
  • In Calvert v. Red Robin International, Inc., the plaintiff ordered by the court to “bring all materials, electronic or otherwise, including e-mails, Facebook messages, and any other communications he has had with putative class members in this action”.
  • FINRA Regulatory Notice 10-06 states that “Every firm that intends to communicate, or permit its associated persons to communicate, through social media sites must first ensure that it can retain records of those communications as required by Rules 17a-3 and 17a-4 under the Securities Exchange Act of 1934 and NASD Rule 3110.”
  • In addition to Notice 10-06, there are a number of other financial services-focused regulatory obligations, including FINRA Notice 11-39, NASD 2310 and FINRA Rule 2210(c)(6). In addition, the SEC offered advice in a January 2012 National Examination Risk Alert about how investment advisers should use social media.
  • In early 2014, the US Food and Drug Administration issued guidelines for the use of social media in advertising and marketing by pharmaceutical companies. These guidelines focus on a wide range of social media, including blogs, social networks, live podcasts and other platforms.
  • The Government of Queensland (Australia) has published its opinion that “Public authorities that embrace social media must manage the content created in accordance with the recordkeeping requirements of the Public Records Act 2002, Information Standard 40: Recordkeeping and Information Standard 31: Retention and Disposal of Public Records.”

Although relatively few organizations archive corporate-sponsored social media content like Facebook posts or tweets, and even fewer archive employees’ personal social media posts, there are some use cases to consider, as in the following examples:

  • If an employee is terminated for an offensive post he or she made on her non-work-related social media page, the employer must be prepared to defend its actions. A case in point is that of Lindsey Stone who was terminated because of a photo she posted on Facebook mocking the Tomb of the Unknown Soldier at Arlington National Cemetery. An archive of social media content used to make a termination decision – if it can be produced in context and authenticated – may prove valuable in helping an organization to justify it decision if the decision is ever challenged in a legal action.
  • A 2012 survey by CareerBuilder found that almost 40% of hiring managers use prospective employees’ social media posts to evaluate them, and many reject applicants based on their discovery of objectionable content in those posts. However, Title VII of the Civil Rights Act of 1964 prohibits employers from discriminating against prospective employees based on their race, color, religion, sex, pregnancy or national origin. If a hiring manager evaluates prospects’ social media posts that might include references to their national origin or their participation in a gender-based organization, how will he or she prove that this “off-limits” information was not taken into account if the employer is accused of failing to hire someone because of this information? If the organization has a process that a) has someone outside of the HR department cull information from the social media stream that cannot legally be evaluated, b) presents only this data to HR, and then c) archives this content, it will be better able to defend itself against charges of illegal hiring practices because it can demonstrate, through its archived content, that HR managers evaluated only legally relevant information. Archiving probably will not insulate the organization completely from charges of illegal hiring practices, but it will allow it to present evidence that it is complying with the law.

The bottom line is that even if an organization does not have a specific regulatory or other obligation to retain social media content today, it should seriously consider doing so as a means of protecting the organization and managing the risk it faces from the growing use of social media, both official and unofficial.

Smarter Authentication

Robust and reliable authentication is the essential first line of security for any application or system. Make authentication too difficult and users won’t use your solution, make it too easy and bad guys will.

There are various flavors of authentication, from simple username/passwords solutions through multi-factor and risk-based authentication systems that provide very high levels of security. Here are a couple of noteworthy solutions – both of which have been available for quite some time – that should be on your short list if you’re trying to protect an application, a network or your data:

  • TextPower offers an elegant solution called TextKey that provides an interesting twist on two-factor authentication. Many banks, cloud providers and others offer two-factor authentication that sends a code to your mobile phone and asks you to enter it after you’ve entered a username and password. While this scheme does provide an added layer of security, it’s still subject to man-in-the-middle or man-in-the-browser attacks and other hacking exploits. However, what TextKey does is reverse the process for using a mobile phone for authentication purposes: instead of receiving a code via mobile to enter into a browser, the secure application displays a code and asks the user to text it to the application. Because every mobile phone has a Unique Device Identifier (UDID), the mobile carrier will not send the SMS message if someone is trying to spoof the system because the sending mobile number (already stored in the application’s database) and the UDID must match. In short, authentication cannot take place simply because a bogus user cannot get their SMS through. TextKey also uses a number of other authentication criteria to provide very solid protection against hackers and others.
  • Confident Technologies has developed an authentication solution that studies have proven to be quite secure despite its simplicity. Instead of a user entering a password, he or she will identify images within categories that have previously been memorized. For example, when setting up access to an application, a user will select three categories of images, such as planes, rockets and dogs. When he or she attempts to access a system, there will be a presentation of a grid of images from which the user will select the images that correspond to predetermined categories. The images will change each time access is attempted, but will always be consistent with their predetermined choices. The company also offers an image-based CAPTCHA system, far better than the text-based solutions that are widely deployed. Studies have shown that image-based authentication is easier to use than password-based systems and is more resistant to brute force attacks and dictionary attacks.  In one study, users were asked to set up text-based passwords and image passwords.  After 16 weeks, only 40% of users could remember the former, but 100% could remember the latter. When asked to change their passwords and images, 75% could remember their text-based passwords, but all of the subjects could remember the changed images. Add to this the fact that image-based systems are also more resistant to keystroke loggers, a serious problem for many.

Authentication is a necessary evil, but there are solutions that can offer greater security while not making life more difficult for users.