Friday, April 07, 2006

Where Does Organizational Responsibility End - I.T. & Privacy

I wish to relate a few lessons from something I experienced as recently as yesterday. Mind you, this is not the first time I have come across an information "leak" such as the one I found yesterday, nor is it the first time I have notified a Company upon finding a "leak", but it is the first time I have notified a large group of individuals.

What occurred yesterday was that I was doing some simple research online, looking up a Company's name and Staff by using a geographical address search as my starting point. It just so happened that I performed this search on Google.

While doing so, I ran across an entire listing of over 400 names of VPs, CEOs, COOs, Attorneys, etc., all with their names, titles, Company names, addresses, phone and fax numbers listed plainly on the Internet as a Google Search Result. Needless to say, I was quite taken aback. My first thought was that the individuals on this "Member" and "Non-Member" listing had absolutely no clue their business or even possibly their personal information was listed on the Internet so publicly.

I took a bit of initiative *okay, so yes, I'm known for that* and visited the website of the Trade Organization that was responsible for the listing getting posted on Google. I wanted to check whether their Membership List was available online out in the open. Obviously, if that were the case, then the "Members" would clearly realize their information was available via the Internet. Before you think to ask, yes, it did occur to me that the information was probably all business listings, which could probably be accessed on the Net at some other location. However, the Membership list was a mixed lot of genders (and not to be gender-biased), so I wanted to make sure that if the list wasn't available openly on that Trade Association's website, then the persons listed knew that whatever information they had given that Trade Association was actually available for "prying eyes" to see. Heck, they didn't even have to be "prying" eyes, since anyone could see the information easily on Google.

During my visitation to the Trade Organization's website, I learned the following:

1. The Organization itself was a Risk Management Organization, apparently a very large one. I was even further floored. They certainly could afford the I.T. staff needed to "protect" their Members' private information.
2. The information "leak" was not just confined to a "whoops, it got posted on Google"; their own log-in and access processes on their national website made it very easy for anyone to assume another Member's identity.

Of course, I first consulted an Attorney (there just so happened to be several listed on that information "leak", so I called one and asked him whether I could legally get into any trouble by notifying the Trade Organization along with the individuals whose information was "aired in public"). The Attorney assured me that I was legally protected, because the information was basically out in public, so I was only stating facts, along with the fact that I meant no malice by my actions and was only trying to help notify the Company and warn the "Members". The Gentleman with whom I spoke was beyond very nice and polite, particularly considering the "oddness" of my call and what I had to explain to him. He was also kind enough to thank me for taking the time to notify the members and not just the Company.

So, I sent off a very detailed and descriptive e-mail explaining:
1. The information I found
2. Where I found the information
3. How I came about finding the information on the Internet
4. How I came to find out that there was an error in their identification process on their national website
5. How they could avoid future information leaks of the type that had occurred as it related to Google
6. The information the Company needed to contact Google and request removal of the sensitive information.

I sent this e-mail information off to the WebMaster for the Website, along with a little less than 100 of the names on the list. I stopped at that "few" because I did not wish for my ISP to begin thinking I was sending out SPAM; okay, that, and by the time I had sent out 100 e-mails manually, I was fairly sick of doing someone else's work. By someone else's work, I mean another company's, another person's, etc., all of whom I am certain were getting paid to do a job, but who had made an error (yes, I realize it is human to make an error). Oh, by the way, when I sent out my e-mails, I protected each individual's privacy by blind copying each individual, so no one else could easily "see" who the e-mail was going to. Not that they couldn't just look up the link I had enclosed in the e-mail, which served as proof of where the information was listed, and see all the other Members' and Non-Members' information that was available through an easy Google Search.

Today, I received back an e-mail from the CIO of the Trade Organization. I have cut and pasted it below (editing out some name information out of respect for that Company's privacy):
******************** COPY OF THE E-MAIL THE COMPANY SENT ME BACK ****
Bonnie,

Thank you for alerting us to the issue. The problem is with one of our chapter sites, not through the (changed) national site. I have alerted them to the problem and they have fixed it (although obviously it will take a while for Google to remove it from its cache). The list was one they put together for some reason or another and was not a membership list, as it contained a mixture of people.

Thanks,
Mr. CIO (changed)
**************

I had to shake my head when I read it, for several reasons:

A. This is a CIO, but apparently he could not be bothered to actually "read" the list, which in itself states "Members" and "Non-Members", but, of course, it was NOT a Membership list...umm..yeah, right!

B. How freakin' typical. Why must people PASS THE BUCK?
Why can't they just admit their error and fix it? How come that is so hard?

C. I personally have never taken a course in HTML, I've never read a book on it, etc., yet I learn as I go, and when I need to do something, I seek out the information and figure out how to do it. Yet the information leak itself was the result of an incredibly easy-to-fix error, because someone did not protect against "bots" crawling a website. To show you how easy it is to "guard" against this issue, say, for example, you have a file called "hats.xls", which is an Excel file you do not wish to show up on Search Engines:

It is as simple as doing the following:

1. Create a plain text file (in Notepad) titled: robots.txt (all lowercase; crawlers look for exactly this name) and place it in the top-level directory of your website
2. Open the document and on the 1st line type the following text, which is shown in the quotes: "User-agent: *"
3. That line basically says, Hey Bots! (and because of the *, you mean ALL BOTS!)
4. On the 2nd line of the text (you can press Enter to drop down to the 2nd line), type the following text, which is shown in the quotes: "Disallow: /hats.xls" (the path starts with a slash, measured from the top of your website)
5. You would change "/hats.xls" to whatever file or folder you do not wish to have bots "crawl", for example: "/cgi-bin" or "/dates.ppt" or whatever the file name and file type

Voilà, it's that easy, nothing to it, and it's something that is basic. I mean, even if you know nothing about HTML and are just learning, for you to get your website listed on any Search Engines, this information should be something you have come across. The disgusting part is, the Trade Association that experienced this easy "leak" has a whole I.T. Department!! in apparently SEVERAL CITIES!!!!
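As an added example (not part of the original post), here is how to check the recipe above with Python's standard-library robots.txt parser; the sample files and the host name example.org are constructed for the test, and the block shows why the rule path needs its leading slash.

```python
"""Check a robots.txt against URL paths with the standard-library parser.

Added example, not from the original post. ROBOTS_AS_WRITTEN follows the
post's recipe with "Disallow: hats.xls" (no leading slash); ROBOTS_CORRECTED
uses "/hats.xls". Both files and the host name are constructed samples.
"""
from urllib.robotparser import RobotFileParser

# Constructed sample: rule path without a leading "/" (matches nothing).
ROBOTS_AS_WRITTEN = """User-agent: *
Disallow: hats.xls
"""

# Constructed sample: paths measured from the site root, as crawlers expect.
# "Disallow: /cgi-bin" is a prefix rule, so it also covers /cgi-bin/anything.
ROBOTS_CORRECTED = """User-agent: *
Disallow: /hats.xls
Disallow: /cgi-bin
Disallow: /dates.ppt
"""

SITE = "http://example.org"  # hypothetical host used only to build full URLs


def crawlable(robots_txt: str, path: str, agent: str = "Googlebot") -> bool:
    """Return True if a compliant crawler named `agent` may fetch `path`."""
    rp = RobotFileParser()
    # parse() takes the file's lines directly, so no network fetch is needed.
    rp.parse(robots_txt.splitlines())
    return rp.can_fetch(agent, SITE + path)


def blocked_paths(robots_txt: str, paths) -> list:
    """Subset of `paths` that a compliant crawler would skip."""
    return [p for p in paths if not crawlable(robots_txt, p)]


if __name__ == "__main__":
    paths = ["/hats.xls", "/cgi-bin/search.pl", "/dates.ppt", "/index.html"]
    print("as written:", blocked_paths(ROBOTS_AS_WRITTEN, paths))  # []
    print("corrected: ", blocked_paths(ROBOTS_CORRECTED, paths))
    # corrected: ['/hats.xls', '/cgi-bin/search.pl', '/dates.ppt']
```

Note that robots.txt is itself publicly readable and only asks well-behaved crawlers to stay away; it is not an access control, so a file that must stay private should not sit at a reachable URL in the first place.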

D. If the CIO actually "read" my e-mail, he would have to be rather "thick" not to notice that I state in my e-mail there was a secondary issue, which revolved around the National website's Member log-in process. If you noticed, he made no mention of that little "error".

Which brings me back to the beginning of my article, "Where does Organizational Responsibility End?"

Personally, I think that as an Organization they should admit the error to their members, apologize and fix it.

WRONG! I visited the Trade Association's website today and they made absolutely NO mention of this issue to their Members, through either a press release or Forums medium.

It never ceases to amaze me that Companies/Organizations (whatever) can act so irresponsibly when it comes to others' private information.

How many times in the news over the last 6 months, for example, have you seen a report of a company's sensitive information on its members having been accessed or leaked?

So, the point of my posting?

1. If you are a Company or have the power within your own Company, STEP UP & TAKE RESPONSIBILITY. I think that is all anyone can ask as a customer, outside, of course, of the obvious: do your best to protect the information in the first place.

2. Understand that NO information is completely safe. If a hacker, or whatever you wish to call "bad people", wants to get to information badly enough, they will. It's the same principle as protecting your home against burglars: you can only do so much, but if someone really wants in, they'll find a way to get in. Heck, there are museums that have thousands of dollars invested in security systems, yet thieves find ways to steal from them or defraud them.

3. Don't forget the Basics. This statement, more so than anything, seems to apply so often recently. People seem not to "forget" but to "overlook" the basics of so many things, Companies more guilty than most, but it is individuals behind Companies, and they seem to be forgetting the "basics" of programming, customer service, operations and marketing. I am still baffled as to why.

I hope that you drew some sort of lesson from my experiences related above, and as always,

I wish you the best and every success,

Bonnie

Copyright 2005, Bonnie L. Buchanan, All Rights Reserved. Any Trademarks, Registrations or Material Indicated as Copyright or the possession of a 3rd Party, remains that Party's property and no rights to use nor ownership is intended.