<HTML dir=ltr><HEAD><TITLE>Re: [Dataloss] Wis. mailing sent with personal info</TITLE>
<META http-equiv=Content-Type content="text/html; charset=unicode">
<META content="MSHTML 6.00.2900.3020" name=GENERATOR></HEAD>
<BODY>
<DIV id=idOWAReplyText76710 dir=ltr>
<DIV dir=ltr><FONT face=Arial color=#000000 size=2>This is a GREAT example of 'out of sight out of mind'! Many companies know that they do not absolve themselves of the risks when they outsource but since they have outsourced they get busy concentrating on more local problems.</FONT></DIV>
<DIV dir=ltr><FONT face=Arial size=2></FONT> </DIV>
<DIV dir=ltr><FONT face=Arial size=2>I hope that someone investigates this and gets to the bottom of the questions of whether EDS made the decision to add this field into a mass-mailing or if the State passed a bunch of data and asked EDS to run it.</FONT></DIV>
<DIV dir=ltr><FONT face=Arial size=2></FONT> </DIV>
<DIV dir=ltr><FONT face=Arial size=2>Make no mistake though - the State of Wisconsin is ultimately responsible since they were the 'owners' of the data.</FONT></DIV></DIV>
<DIV dir=ltr><BR>
<HR tabIndex=-1>
<FONT face=Tahoma size=2><B>From:</B> dataloss-bounces@attrition.org on behalf of Chris Walsh<BR><B>Sent:</B> Thu 1/10/2008 8:43 PM<BR><B>To:</B> Adam Shostack<BR><B>Cc:</B> dataloss@attrition.org<BR><B>Subject:</B> Re: [Dataloss] Wis. mailing sent with personal info<BR></FONT><BR></DIV>
<DIV>
<P><FONT size=2>EDS is a major provider of outsourced IT. They may well have a more <BR>general contract and, in effect, made this decision themselves. The <BR>SSNs would have been given as part of the larger scope of work, and <BR>then improperly used.<BR><BR><RUMSFELD><BR>Is this a risk firms take when they outsource? Heavens to Betsy, yes.<BR>Should Wisconsin have anticipated this? Great Caesar's ghost they <BR>should have.<BR>Does Wisconsin not have an information classification policy to which <BR>3rd parties must adhere? By jiminy, I would hope so.<BR></RUMSFELD><BR><BR>On Jan 10, 2008, at 2:57 PM, Adam Shostack wrote:<BR><BR>> Appalled experts elsewhere are asking why Wisconsin gave SSNs to EDS<BR>> as part of mailing informational brochures.<BR>><BR>> You don't have to select * from row. You could have selected name,<BR>> address from row.<BR><BR>_______________________________________________<BR>Dataloss Mailing List (dataloss@attrition.org)<BR><A href="http://attrition.org/dataloss">http://attrition.org/dataloss</A><BR></FONT></P></DIV></BODY></HTML>