We spend a lot of time in this industry talking about how to capture information and, through good records management practices, dispose of content when appropriate. But we don’t talk about how to use ECRM technologies to protect sensitive information.
The WikiLeaks release of information contained in sensitive US State Department cables has complicated efforts for US diplomacy, at best, and compromised people who assisted the US, at worst. Regardless of your views on transparency, the point is that the State Department would have preferred not to have its sensitive content released to the world. Government officials suggest that a person in a position of trust used the vast content management resources to capture and download the information to an external storage device.
Protection of sensitive content isn’t just an issue for the State Department. The FBI itself has recently suffered a double embarrassment: an FBI employee copied confidential information to provide to his reporter girlfriend, and then the confidential disciplinary reports were copied and released to CNN. In both cases, the information was made easier to access through the use of various content management technologies.
Corporate organizations are vulnerable as well. A leading bank had sensitive information released by former IT employees. A leading outsourcing vendor had a disgruntled employee attempt to blackmail a healthcare customer with the release of medical records. Here is what the San Francisco Chronicle reported:
"Lubna Baloch sat in her office in the sprawling Pakistani commercial center of Karachi and gazed at the e-mail she'd composed. She tried to imagine the reaction half a world away when the people at UC San Francisco Medical Center saw what she'd written.
The famous U.S. hospital would have to take her seriously, Baloch knew, when it realized she was prepared to post its confidential patient records on the Internet. That is, unless UCSF helped her get the money she was owed from the mysterious Tom Spires, her link in a long chain of medical transcription subcontractors.
"Your patient records are out in the open to be exposed," Baloch wrote in her e-mail, "so you better track that person and make him pay my dues or otherwise I will expose all the voice files and patient records of UCSF Parnassus and Mt. Zion campuses on the Internet."
Then the kicker: "Just to make you believe that I am not bluffing I am attaching latest voice file and text of your hospital." Baloch had included private discharge summaries for two UCSF patients."
Organizations are beginning to react. Companies such as MaxxSafe, KPMG, and Corporate Combat have emerging practices with a primary focus on records that deal with personally identifiable information (PII) and other corporate information theft. PII has been a long-standing issue for Europe and continues to gain traction here in the US.
Protecting your organization’s content takes a variety of approaches. First, implement tools and restrictions that limit the ability to connect USB drives and writeable CDs to the system. Turn on auditing so that the audit logs record which users are accessing which documents. Where the information is especially sensitive, technologies from companies like Adobe, Xerox, Document Security Systems, and others can not only provide digital fingerprints to track electronic documents, but also make paper documents impossible to photocopy, or possible to photocopy only selectively.
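Audit logs only help if someone reviews them for the pattern described above: a trusted user pulling many documents in a short time. The sketch below is an added example, not code from any ECRM product; the CSV layout (time, user, action, document), the user names, the thresholds and the sample log are all constructed for illustration.

```python
import csv
import io
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample audit log; hypothetical layout: time,user,action,document
SAMPLE_LOG = """\
2011-01-10T09:02:11,asmith,download,DOC-1001
2011-01-10T09:15:40,bwong,download,DOC-2001
2011-01-10T10:20:00,bwong,download,DOC-2002
2011-01-10T11:45:00,bwong,download,DOC-2003
2011-01-10T13:05:00,bwong,download,DOC-2004
2011-01-10T14:30:00,bwong,download,DOC-2005
2011-01-10T22:41:00,jdoe,download,DOC-3001
2011-01-10T22:41:20,jdoe,download,DOC-3002
2011-01-10T22:42:05,jdoe,view,DOC-3003
2011-01-10T22:42:06,jdoe,download,DOC-3003
2011-01-10T22:42:50,jdoe,export,DOC-3004
2011-01-10T22:43:30,jdoe,download,DOC-3005
2011-01-10T22:44:10,jdoe,download,DOC-3006
2011-01-10T22:44:15,jdoe,download,DOC-3006
"""

def bulk_access_alerts(log_text, window=timedelta(minutes=10), threshold=5,
                       actions=("download", "export")):
    """Return {user: peak distinct documents taken within any window}
    for users whose peak reaches the threshold."""
    events = []
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) != 4:          # skip blank or malformed lines
            continue
        ts, user, action, doc = (field.strip() for field in row)
        if action in actions:      # views alone do not copy content out
            events.append((datetime.fromisoformat(ts), user, doc))
    events.sort()                  # logs may arrive out of order

    recent = defaultdict(deque)    # user -> (time, doc) pairs still in window
    peak = defaultdict(int)
    for when, user, doc in events:
        q = recent[user]
        q.append((when, doc))
        while when - q[0][0] > window:
            q.popleft()            # drop events older than the window
        # Count distinct documents so a repeated download is not inflated.
        peak[user] = max(peak[user], len({d for _, d in q}))
    return {u: n for u, n in peak.items() if n >= threshold}

if __name__ == "__main__":
    print(bulk_access_alerts(SAMPLE_LOG))
```

With the default ten-minute window only the late-evening burst is reported; the user who took five documents across a working day is reported only when the window is widened.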
As the US becomes a more information-based economy, expect more examples of this corporate information theft. Just as manufacturing plants established processes and safeguards to prevent theft of product and materials, today’s modern companies will soon learn how to protect their valuable information.