<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv=Content-Type content="text/html; charset=us-ascii">
<meta name=Generator content="Microsoft Word 12 (filtered medium)">
<!--[if !mso]>
<style>
v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style>
<![endif]-->
<title>Re: [Dataloss] Wis. mailing sent with personal info</title>
<style>
<!--
/* Font Definitions */
@font-face
        {font-family:"Cambria Math";
        panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
        {font-family:Tahoma;
        panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0in;
        margin-bottom:.0001pt;
        font-size:12.0pt;
        font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
        {mso-style-priority:99;
        color:blue;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {mso-style-priority:99;
        color:purple;
        text-decoration:underline;}
p
        {mso-style-priority:99;
        mso-margin-top-alt:auto;
        margin-right:0in;
        mso-margin-bottom-alt:auto;
        margin-left:0in;
        font-size:12.0pt;
        font-family:"Times New Roman","serif";}
span.EmailStyle18
        {mso-style-type:personal-reply;
        font-family:"Calibri","sans-serif";
        color:#1F497D;}
.MsoChpDefault
        {mso-style-type:export-only;
        font-size:10.0pt;}
@page Section1
        {size:8.5in 11.0in;
        margin:1.0in 1.0in 1.0in 1.0in;}
div.Section1
        {page:Section1;}
-->
</style>
<!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang=EN-US link=blue vlink=purple>
<div class=Section1>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>This is also a PERFECT example of how a monolithic database with
vast amounts of data in the Government arena can and ultimately WILL always be
abused/misused. <o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>My assumption is that some WI State employee was told by their
boss to get the information to EDS so they could mail a letter. The
employee probably did not care about or even stop to think about the implications
of sending the entire database to the contractor. Heck, they
probably even sent it by email!<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>EDS, on the other hand, probably provides these services for WI
after being awarded a contract for services. These contracts are “put
out for bid” and ultimately the lowest-cost provider won. Price is
usually the only determining factor in Government Contracting.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>We are dealing with the lowest common denominator here…
which ultimately is the component between the chair and the keyboard. <o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>The employee probably said, “I’ll just send the
entire database to the contractor” and let them figure it out, instead of
spending the money and taking the time to figure out exactly what data they
actually need. <o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>This employee should have asked “Do you want fries with
that?” – which is probably the only training this employee ever
had.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>You can encrypt the data, attempt to limit access, enact secure
policies, but when one apathetic employee has access to vast amounts of data with
little or no oversight … ultimately you WILL have a breach.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>You GET WHAT YOU PAY FOR. <o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<div>
<div>
<p class=MsoNormal><b><span style='font-family:"Calibri","sans-serif";
color:#1F497D'>James (Jim) Childers<o:p></o:p></span></b></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>President & CEO<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Artemis Solutions Group (USA)<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>BioCert® - iQBio™ - BioSaf®<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><a href="http://www.biometricsdirect.com">www.biometricsdirect.com</a>
</span><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p></o:p></span></p>
</div>
</div>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<div>
<div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'>
<p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span
style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>
dataloss-bounces@attrition.org [mailto:dataloss-bounces@attrition.org] <b>On
Behalf Of </b>Tracy Blackmore<br>
<b>Sent:</b> Friday, January 11, 2008 8:34 AM<br>
<b>To:</b> Chris Walsh; Adam Shostack<br>
<b>Cc:</b> dataloss@attrition.org<br>
<b>Subject:</b> Re: [Dataloss] Wis. mailing sent with personal info<o:p></o:p></span></p>
</div>
</div>
<p class=MsoNormal><o:p> </o:p></p>
<div id=idOWAReplyText76710>
<div>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif";
color:black'>This is a GREAT example of 'out of sight out of mind'! Many
companies know that they do not absolve themselves of the risks when they
outsource, but since they have outsourced they get busy concentrating on more
local problems.</span><o:p></o:p></p>
</div>
<div>
<p class=MsoNormal> <o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>I
hope that someone investigates this and gets to the bottom of the questions of
whether EDS made the decision to add this field into a mass-mailing or if the
State passed a bunch of data and asked EDS to run it.</span><o:p></o:p></p>
</div>
<div>
<p class=MsoNormal> <o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>Make
no mistake though - the State of Wisconsin is ultimately responsible since they
were the 'owners' of the data.</span><o:p></o:p></p>
</div>
</div>
<div>
<p class=MsoNormal><o:p> </o:p></p>
<div class=MsoNormal align=center style='text-align:center'>
<hr size=2 width="100%" align=center>
</div>
<p class=MsoNormal style='margin-bottom:12.0pt'><b><span style='font-size:10.0pt;
font-family:"Tahoma","sans-serif"'>From:</span></b><span style='font-size:10.0pt;
font-family:"Tahoma","sans-serif"'> dataloss-bounces@attrition.org on behalf of
Chris Walsh<br>
<b>Sent:</b> Thu 1/10/2008 8:43 PM<br>
<b>To:</b> Adam Shostack<br>
<b>Cc:</b> dataloss@attrition.org<br>
<b>Subject:</b> Re: [Dataloss] Wis. mailing sent with personal info</span><o:p></o:p></p>
</div>
<div>
<p><span style='font-size:10.0pt'>EDS is a major provider of outsourced
IT. They may well have a more <br>
general contract and, in effect, made this decision themselves. The <br>
SSNs would have been given as part of the larger scope of work, and <br>
then improperly used.<br>
<br>
&lt;RUMSFELD&gt;<br>
Is this a risk firms take when they outsource? Heavens to Betsy, yes.<br>
Should Wisconsin have anticipated this? Great Caesar's ghost they <br>
should have.<br>
Does Wisconsin not have an information classification policy to which <br>
3rd parties must adhere? By jiminy, I would hope so.<br>
&lt;/RUMSFELD&gt;<br>
<br>
On Jan 10, 2008, at 2:57 PM, Adam Shostack wrote:<br>
<br>
> Appalled experts elsewhere are asking why Wisconsin gave SSNs to EDS<br>
> as part of mailing informational brochures.<br>
><br>
> You don't have to select * from row. You could have selected name,<br>
> address from row.<br>
<br>
_______________________________________________<br>
Dataloss Mailing List (dataloss@attrition.org)<br>
<a href="http://attrition.org/dataloss">http://attrition.org/dataloss</a><br>
<br>
Tenable Network Security offers data leakage and compliance monitoring<br>
solutions for large and small networks. Scan your network and monitor your<br>
traffic to find the data needing protection before it leaks out!<br>
<a href="http://www.tenablesecurity.com/products/compliance.shtml">http://www.tenablesecurity.com/products/compliance.shtml</a></span><o:p></o:p></p>
</div>
<p class=MsoNormal><br>
-- <br>
This message has been scanned for viruses and <br>
dangerous content by <a href="http://www.mailscanner.info/"><b>MailScanner</b></a>,
and is <br>
believed to be clean. <o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p><span style='font-size:10.0pt'>No virus found in this incoming message.<br>
Checked by AVG.<br>
Version: 7.5.516 / Virus Database: 269.19.1/1219 - Release Date: 1/11/2008
10:19 AM</span><o:p></o:p></p>
</div>
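<p class=MsoNormal>Adam Shostack's point in the quoted thread, that a mailing needs name and address rather than the whole record, as an added example that is not part of the original messages: a small Python/sqlite3 script that gives the contractor a minimal view instead of the full table and runs an SSN-pattern gate over the CSV that would actually leave the building. The table and view names, and every name, address and SSN-shaped value, are constructed for the example.</p>

```python
import csv
import io
import re
import sqlite3

# Constructed sample data for this example; every name, address and
# SSN-shaped value below is invented.
SAMPLE_ROWS = [
    ("Alice Example", "1 Main St, Madison WI 53703", "123-45-6789"),
    ("Bob Sample", "2 Oak Ave, Milwaukee WI 53202", "987-65-4321"),
]

# Loose pattern for a formatted US SSN; used only as an outbound release gate.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def build_db():
    """Create an in-memory 'state records' table plus a minimal view.

    The view (assumed name: mailing_list) is the only object a mailing
    vendor's account should be able to read: it carries the columns the
    mailing needs and nothing else.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE person (name TEXT, address TEXT, ssn TEXT)")
    conn.executemany("INSERT INTO person VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.execute("CREATE VIEW mailing_list AS SELECT name, address FROM person")
    conn.commit()
    return conn


def extract(conn, minimal=True):
    """Return (column names, rows) that would be handed to the contractor.

    minimal=False reproduces the 'select * from the whole table' mistake
    discussed in the thread; minimal=True reads only the mailing view.
    """
    # Source is chosen from two fixed literals, never from user input.
    source = "mailing_list" if minimal else "person"
    cur = conn.execute(f"SELECT * FROM {source}")
    columns = [d[0] for d in cur.description]
    return columns, [tuple(r) for r in cur.fetchall()]


def to_csv(columns, rows):
    """Render the extract as the CSV text that would actually be sent out."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(columns)
    writer.writerows(rows)
    return buf.getvalue()


def release_gate(csv_text):
    """True if the outbound file is clean, False if it carries SSN-shaped data."""
    return SSN_RE.search(csv_text) is None


if __name__ == "__main__":
    db = build_db()
    for minimal in (False, True):
        cols, rows = extract(db, minimal)
        text = to_csv(cols, rows)
        print(f"minimal={minimal} columns={cols} clean={release_gate(text)}")
```

<p class=MsoNormal>On a server database the same idea is enforced with privileges rather than discipline: the vendor's account gets SELECT on the view only, so "send them the whole database" is not something the employee can do by accident. The pattern gate is a last check on the file that leaves, not a substitute for restricting what the account can read in the first place.</p>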
</body>
</html>