Archive for category Privacy
Belbey Blogs: New Guidance on Using Social Media at Retail Banks
Posted by belbey in Actiance, Collaboration, Compliance, eDiscovery, Electronically Stored Information (ESI), Employee Behavior, Enterprise 2.0, Enterprise IM, FFIEC, Financial Services, FINRA, Legal, Malware, Privacy, Retail banking on January 25, 2013
This week, the Federal Financial Institutions Examination Council (FFIEC) released “Social Media: Consumer Compliance Risk Management Guidance.” The FFIEC is asking for comments within sixty days. You can download the 31-page document here.
Its release has created quite a stir within the banking industry. A comprehensive article appeared on TheFinancialBrand.com, “Regulatory Shocker on Social Media in Banking Coming Soon” that summarizes the guidance quite nicely.
But . . . what’s so shocking?
We’ve been having the same conversations in the securities industry for three years. And in those three years, firms have learned that there are three major areas of risk that need to be mitigated before deploying social media:
- Security: your IT department needs to prevent your firm’s proprietary and client information from being leaked out either inadvertently or maliciously from the enterprise. They also need to ramp up malware protection. That’s because social media users are susceptible to incoming threats as they view themselves as part of a tribe and tend to click on any link sent by a “friend.”
- Compliance and Governance: your legal and compliance departments already know that there are thousands of rules and regulations that govern the communications and advertising of publicly held corporations, firms in general, and banks specifically. Take the securities industry as an example – the banking regulators aren’t issuing new rules and regulations around social media. Social media is viewed as just another form of written communication. Your compliance department is therefore challenged to interpret existing rules as they apply to social media and to develop and enforce firm policies.
- Enablement: your executive team is concerned about productivity and the bottom line. Now that every employee can be the face of the business, you either have a powerful marketing tool or your worst nightmare. Employees will need to be trained on how to use social media effectively to meet the firm’s goals, such as nurturing existing clients, attracting new business, recruiting, and brand awareness.
However, during the last three years, we’ve learned that all these risks can be mitigated by strong corporate policies, backed up with technology and training.
So far, so good. Nothing new here. Or is there? In addition to what we’ve already seen from other regulators, the FFIEC specifically also calls for:
- Creation of policies to address negative feedback or customer complaints, even if a financial firm chooses not to actively engage in social media.
- Monitoring to protect the firm’s brand identity
- Due diligence and oversight for third-party vendors that firms may hire in connection with social media
And the one that I find most interesting:
- Processes and reporting to demonstrate how social media “contributes to the strategic goals of the institution.”
In other words, the FFIEC recommends that firms measure the ROI of social media.
It will be interesting to see the reaction that FFIEC gets from the industry. I just hope that the banking industry can use some of the key learnings from the securities industry to streamline the processes to reap the benefits of “getting social.”
For more details on how to deploy social media within retail banking, you can also check out Belbey Blogs: Upcoming Guidance for the Use of Social Media for Retail Banking from FFIEC.
Would I lie to you?
Posted by doates in Electronically Stored Information (ESI), Privacy, Social Networking on November 5, 2012
Last week the head of internet security at the Cabinet Office, Andy Smith, was quoted as having said that users should give fake details to websites to protect their identity. Putting aside the fact that this violates sites such as Facebook’s usage policy, it demonstrates a lack of understanding about how these identities will evolve in the future and how social media functionality and privacy settings should be used to control misuse.
As social becomes more interwoven into our everyday lives, it starts to make sense to use real information in interactions. Most people don’t pretend to be someone else when they’re out on a Friday night meeting new people face to face, so why should it be any different online?
However, offline we are more careful with what information we tell people and question what we are told in return. It’s that instinct that needs to be developed when using social, and that’s where privacy settings can help. As Actiance’s Chris Mannon says in “Social Media Scammers – New Frontiers of Aggravation”: “The goal should be to make sure that your information is not accessible without your explicit knowledge.”
Ironically for Andy Smith, the UK Government is soon to launch its ID Assurance scheme that enables people to interact with Government services using login from third parties, one of which is rumoured to be a social network as I mentioned in a recent blog post. Whether this will happen is yet to be seen, but it is expected that companies such as Paypal will sit alongside the Post Office and BT.
But using third parties does give people a choice as to who they trust with their identity, and it forces those organisations that don’t come up to scratch or offer the right privacy settings out of the picture or to up their game.
What is required is an education programme in the same way that we were all advised to shred or burn personal information such as credit card bills that we no longer require to keep. Helping people understand the implications of different privacy settings and the best use of features such as Facebook’s lists and Google+’s circles, will do far more for everyone’s protection than fake identities.
Whilst one could argue that trusting Facebook et al with your date of birth and mobile phone number sounds alarming, when you consider the vast number of data loss and theft incidents incurred by the UK Government in the last year alone it doesn’t seem that bad.
Social Media Scammers – New Frontiers of Aggravation
Posted by cmannon in Application Filtering, Malware, Privacy, Social Networking, Web Security on March 28, 2012
Any veteran of social media has at one time or another put face to palm when they see another one of their contacts trying to distribute yet another scam through their profile. There is no escaping it. Whether it’s a third-party application that promises free coupons or a tweet promising a free iPad, illegitimate offers wanting your PII (Personally Identifiable Information) are everywhere. If this were 10 years ago, you would hear me complaining about e-mail or IM spam. Sure, these spam attempts still happen, but those are broad attacks at best. E-mail or IM spam doesn’t even know your gender most of the time, let alone what demographic you may fall under. That’s what makes social media spam such a lucrative trade. Never before have people been so compelled to give away so much information about themselves. The content that we end up posting on social network sites is so descriptive of our personal lives that even corporations are asking for your content during the interview process.
It’s not difficult to tell if someone close to you has been hit by a spam attack. If their profile has been hijacked, then you can expect to see the same message sent to several friends – always with a shortened URL link. Your best defense is to be wary of links that you receive, even if they are from trusted sources. You should also take a moment to explore what privacy settings you already have in place. The goal should be to make sure that your information is not accessible without your explicit knowledge.
Spammers are able to find you and send targeted attacks, if you share all of your information with the open web. Any kind of application that you use to access a social network is acting as the middleman for your data. This usually means that you are allowing them access to your data in exchange for their ‘free’ service. What they do with that information after they provide their service is up to them.

The application above collects basic information. This means any information that you have made public.
Before you click that link, be more skeptical. Does this person really want to give me free money? Unfortunately, we don’t live in that kind of world. The more likely answer is that they are looking to sell your information to advertisers for other scam attempts. I could be wrong of course. A smartly-dressed woman could always show up in a diamond-crusted Bentley with $500 and a promise of a new monetary system that will work out in my favor.
Let’s use a recent scam example seen on Facebook. A common attack method on Facebook is to create a third-party application that immediately redirects the user away from Facebook. This could be as harmless as trying to build SEO tracking to a site or propagating something malicious to your PC. In this case, it’s just a scam to get more traffic to a site selling shoes. It starts as most of these scam attacks start: a buddy clicked something they should not have and now a third-party application on Facebook is posting messages as them. To make sure that their friends view the content, they tag them in a picture.
Now they’ve got you on the hook. If you happen to click that link, you are navigated first to a Facebook Application page that only redirects to a site not belonging to Facebook.
Applications like this one are a dime a dozen. Facebook has been under heat in the past for allowing this kind of activity. This is an unavoidable side effect whenever you provide an open web platform for users to create their own applications. Facebook deletes the malicious ones, but they haven’t done an outstanding job of policing these in the past. In this case, the user is immediately taken to a blogger page that looks like this:
There are a few tools that you can use in your browser to make sure your exchanges on social media are kept as private as possible. I recommend Ghostery for detecting any invisible trackers that exist on most web pages. These are usually advertisers trying to capitalize on your digital presence. Unless you intend to read a 30-page EULA describing what they are allowed to do with your data afterwards, just block it. Another useful tool is called LongURL. This allows you to see the link you are about to click. It will also help you avoid getting hit by that one friend that is always rickrolling people.
Where’s the line between private and public data?
Posted by Jae Kim in Privacy, Social Networking on March 23, 2012
In case you haven’t noticed, the line between private and public data seems to be disappearing. Traditional notions of privacy are broken down by the pervasiveness of social media. New Internet users, especially teens, use social media as their primary mode of communication. This next generation of Internet users communicate via SMS and Facebook, share photos on Instagram, and watch YouTube videos from their iPhones. Online communication and interaction is natural to them.
(Image caption: User education is needed on what is private and what is public and how to ensure the right option is chosen.)
However, if you look at the privacy aspects of data, there is a paradigm shift in how user data is treated. Email and instant messages are clearly personal data meant to be shared with people that we are directly communicating with. Back in the day, this would be analogous to sending a letter via the United States Postal Service and making a telephone call on a traditional landline. On the other hand, posts made on Facebook and Twitter are visible to just about anyone. When you publish a post, you don’t really know who will see it – much like tacking a piece of paper to a cafeteria bulletin board. There is no privacy.
The blurred line between public and private has led to questionable practices such as demanding Facebook passwords to screen employees or students. What today’s Internet users have to understand is that privacy is dependent upon the communication channel in use. Sending a message on Facebook (public) vs. sending an email (private) mean different things. Your intent, or expectation of privacy, should be expressed by your choice of communication medium. Yet, this is often not the case. Because users have become so accustomed to communicating via social media platforms, they forget that unless they specifically choose their audience (via blocking or setting up lists of who can see the data), what they post is in the public domain.
What’s interesting, and somewhat alarming, is that this same confusion over public and private communications is happening at the enterprise level. The line between internal communication and external communication is increasingly difficult to discern. In the age of BYOD – Bring Your Own Device – most employees have a smartphone with LinkedIn, Facebook, or Twitter apps, among others. In fact, many individuals utilize apps that manage all of their social platforms in one handy location, such as Seesmic, so it’s too easy to confuse the line and make the mistake of sharing too much information or using the wrong medium to communicate with people. At the same time, the need for a flexible tool that supports both modes of communication with clear safety measures is that much higher.
Log into my bank through Facebook?!?!?
Posted by SarahActiance in Privacy, Social Networking, Web Security on December 27, 2011
Such is the proposition of Movenbank, a startup which launched at Sibos with a tagline of “No Paper, No Plastic, No Hidden Fees.” It aims to be the first cardless and branchless bank in the world. Everything will be centered on mobile and social media. The tagline is catchy enough, but what’s really raising eyebrows is Movenbank’s requirement for individuals to register and log in with their Facebook accounts. Now, I happened to speak at Sibos this year (Innotribe session on compliance), and the general consensus among my peers was that the problem with social media really wasn’t compliance, but rather, the enablement of it.
Here, with Movenbank, you get a perfect example of how the enablement of social media opens up new opportunities that perhaps might not have been possible five years ago. Privacy and security issues aside, if Movenbank succeeds with its grand plan, we’ll have witnessed a game-changing blend of old-school (banks) and new school (mobile and social). The fact that it involves real money makes it that much more compelling.
It’s possible with today’s technology to enable social media safely. Since we’re on the topic of banking, already we’ve begun to see firms deploy technology to enable their advisors and representatives to use social for marketing to customers and prospects. As the financial services industry is one of the most regulated when it comes to social media, technology plays a crucial role in assisting firms to remain compliant with current supervision and recordkeeping rules.
Back to Movenbank. Privacy advocates are quick to pounce on the seeming contradiction in using Facebook to log into a bank account that could potentially have someone’s entire life savings. But, as we’ve seen with Raymond James, with the right tools in place, what may have seemed impossible five years ago is now doable.
So, let’s not be too hasty in writing off Movenbank. With the right controls and technology in place, they may yet see their dream come to fruition.
“A Nightmare on Belbey Street”
Posted by belbey in Electronically Stored Information (ESI), Privacy, Web Security on December 23, 2011
I suddenly woke up in the middle of the night, convinced that my checking accounts had been hacked. Retirement accounts gone. Identity stolen. Turned on the light, stumbled around my hotel room to find my ATM card, turned it over, and called my bank’s Customer Service number. “Oh no, Ms. Belbey, everything is fine, you just had a nightmare.”
Why was I dreaming of data security breaches?
Actiance recently sponsored (I presented and staffed) an exhibit at the 2011 FS-ISAC Fall Summit, conducted by Financial Services – Information Sharing and Analysis Center. Over the course of three days, I was able to attend a number of sessions that did a deep dive on the risks that firms face protecting their data. The crowd was mostly male and many leveraged their long-time experience in the military to defend their organizations against cyber attacks. In fact, there were so few women at this event that Ernst and Young sponsored a special Women’s Reception — for all 12 of us!
So what do you need to know? First of all, none of this is new. For years, cybercriminals have attempted to gain access to systems or data by personally tricking someone into giving up, say, a password. It’s called social engineering.
There are many techniques. Phone calls, office visits, and “phishing,” where thousands of emails are blasted away in the hope that a few unlucky souls will give up their personal data, have all worked.
In response, data security departments have used technology to thwart these attacks and have done a good job of teaching us not to give out our passcodes or to open suspicious emails or attachments. But, as a result, the cybercriminals have gotten even craftier. They’ve improved their grammar, the look-and-feel of their emails, and even developed landing pages that look very authentic. But still, education and technology prevented many attacks.
In response, the cybercriminals developed new techniques such as “spear-phishing” to lend authenticity to requests for personal data. Not typically initiated by “random hackers,” these sophisticated, highly targeted attacks are perpetrated by criminals who seek financial gain, trade secrets, and military information. These well-researched requests appear to come from trusted sources, such as a colleague, service provider, or even a law firm, and include enough real information to look authentic. And, they often are directed at middle management or anyone gullible enough to let them into the enterprise.
And where can these thieves obtain personal data that they can use to trick us into giving up more data? You guessed it – social media. We post all types of information about ourselves online: our firm name, our titles and connections on LinkedIn, our high school and year of graduation, birthday, special projects and photos of our co-workers on Facebook, and our comings and goings on Twitter, Foursquare, and Sonar. The list goes on.
Our transparency makes us targets. We also tend to view requests for information on social media as coming from a trusted source, our tribe. So we oblige. And let in the bad guys.
When I told a new friend that I met at FS-ISAC, who heads up security at a major telecommunications firm, about my night terrors, he smiled and said, “Well, hanging around with a bunch of cyber security guys for three days is bound to make you paranoid. But, that’s our job. To protect you, so we all don’t have nightmares.”
As you deploy social media, are you engaging your IT Cyber Security teams in the conversations? What are you doing to protect your enterprise?
Don’t mess with the King
Posted by nleong in Privacy, Social Networking on December 8, 2011
I’m not talking about Elvis, but rather, the King of Thailand. And I must add, that in my globetrotting past, I’m qualified to write on this topic because of some time I spent in the Kingdom – and that anything anti-royalist that I might say is, of course, my view and not the view of my employer (our editor made me put that in).
Anyway, back to the King. A near-deity in his homeland, no sane person would dare insult or disparage the King or his family, lest they feel like spending some quality time in a Thai prison (and before you ask, no, I didn’t insult, disparage, or log time in a Thai cell!). But, this wouldn’t be an interesting blog if there weren’t a lil ruckus thrown into the mix.
Facebook was recently asked by Thailand’s Ministry of Information and Communications Technology to remove 10,000 pages of content that the latter deemed to be “offensive” to the monarchy. Not stopping there, the ministry added that “liking” or “sharing” this Facebook content could get someone three to fifteen years in a cramped cell, a cruel punishment in a country that sports textbook beaches and fabulous street food.
Now, Thailand can pass whatever laws they want. I have no problem with that, but when you start messing with freedom of speech, that’s when things get a little sticky. Since social networks such as Facebook are predicated on openness and dynamic interaction, privacy concerns notwithstanding, they were bound to come into conflict with countries like Thailand that have strict lese-majesty (read: “don’t mess with the King”) laws.
Calls have already started to rain down on Thailand to amend its laws to permit more freedom of speech. We already saw the power of social media in the Arab Spring earlier this year; you’ve got all the different Occupys going on right here in our backyard; and now, we get another litmus test on social media’s ability to influence on a political level. These are exciting times in which we live, perhaps too exciting for the Thai ministry’s tastes though.
One thing is for sure. Social can’t be ignored. Organizations can deploy social media monitoring solutions or do random spot checks, but at the end of the day, it’s about the people and policies. Organizations, whether private or public, can draft up policies and laws and rely on technology to enforce them. But, as we’ve seen already throughout history, the will of the people can’t be underestimated.
Will Thailand be the next “Arab Spring”? I don’t know, but writing this blog has made me damn hungry for some Thai food. (Editor: whaddaya mean, it made you hungry, you’re always hungry.)
Free speech alive and well in Kansas
Posted by nleong in Privacy, Social Networking on December 6, 2011
In an amusing tale of free speech and the Internet, Emma Sullivan, a high school senior from Kansas, tweeted that the governor of Kansas “sucked.” (Editor’s note: the author, Norv, is clearly in his element with this blog entry and “amusing” of course depends entirely on your point of view.) Instead of just dismissing it as an instance of free speech or teenage angst, Governor Sam Brownback’s staff went so far as to chase down the teen to extract an apology from her. Leery of the PR implications, the governor himself apologized for his staff’s over-zealousness. (Editor: OK, Norv, I see where you’re going with this one.)
What makes this story so relevant is the intersection of free speech, social media, and government intrusion. The proliferation of social media sites makes it easy for folks to chime in with their thoughts (good or bad) on everything from politics to sports to their favorite ice cream flavor. It’s the essence of free speech. However, where is the line drawn between protected and unprotected speech?
Google searches, monitoring software, and good ol’ fashioned word-of-mouth make it easy to find individuals and their comments railing on government. A teenager tweeting that the governor sucks is a much different ballgame than a parolee posting on his Facebook page that he intends to detonate some explosives at the federal building next week. However, it does raise the discussion point that when it comes to the Internet, does anything truly ever go away and will Emma still be remembered as the high school senior who… well, you see what I mean, I’m sure.
State and local governments are themselves still feeling their way on how best to leverage social media, which has emerged as a highly effective mechanism to engage with constituencies and to provide a transparent avenue for the exchange of information. Already, the states of Oregon, North Carolina, and Florida have specific guidelines on social media usage and other states are sure to follow.
So, while it may make you chuckle to hear someone say that their governor “sucks” (and mind you, I live in a state where the Governator did his thang for several years), the implications are real. Privacy is a misnomer when it comes to social networks; free speech is one of our most cherished rights; and the role of government in society will forever engender passionate debate.
The Facebooks and Twitters of the world just happen to represent new platforms for folks like Emma to express themselves.
Suck or not suck?
Wanna get away? A Google engineer does.
Posted by nleong in Privacy, Social Networking on October 21, 2011
This is not a Southwest Airlines promotion, but rather, a blog entry on how easy it is to mess up on social media. None other than a Google engineer (as it’s a social world, you’ll likely know his name already – Steve Yegge) is the latest victim to be ensnared in the social media web. As most of you have probably heard by now, Stevie Boy ripped on his own employer in a Google+ post-cum-rant on the shortcomings of that very platform. Of course, he meant the post to be visible only to his Google colleagues and not to the outside world. Oooops.
There are oodles of smart folks at Google, but that doesn’t mean they’re immune to the occasional epic screw-up. Just goes to show how easy it is to forget about who you’re connected to and what your privacy settings are. Like many social networking platforms today, users have the option of selecting who their audience will be for particular posts and messages. If you’re not careful (or perhaps too inebriated), it’s quite easy to let 800 million of your closest Facebook “friends” know that you were at the local pub to check out the Rugby World Cup, instead of lying in bed at home since you called in “sick” for the day.
It reads like a broken record throughout the copious blogs, articles, and conferences surrounding social media these days: be careful what you put out there because you’re never gonna get it back. Just the other day, I read an article, saying that only 26% of those who use Facebook daily were concerned about privacy on that site. Pretty scary. I guess we’re living in a fishbowl world and no one seems to mind.
That’s not true, of course. Privacy and security will always be an issue for those persons or organizations where data confidentiality is crucial. From patient health records to financial data to credit card numbers, the types of data that require the utmost security controls would be a long list indeed. Companies like Actiance strive to bring peace of mind to those organizations in need of granular security and compliance controls.
Content comes in many shapes and sizes these days. It’s not just social media. There’s also instant messaging, BlackBerry, Skype, texting, collaboration software, and good ol’ fashioned email that people can use to communicate with one another. And that’s not an exhaustive list. As technological innovation chugs along, new communication channels will undoubtedly continue to emerge.
So, if you’re looking to avoid pulling a “Steve Yegge,” pay attention to the details: know who you’re connected to, check your privacy settings, and try not to get too sloppy before Facebooking or Google+’ing at the end of the evening.
Suck it up and take the good with the bad
Posted by nleong in Privacy, Social Networking on August 13, 2012
Today’s post comes from Norv Leong, Director of Product Marketing at Actiance.
Reading the smart-ass comments to online articles, blogs, Facebook posts, and the like is often more enjoyable than reading the actual article, blog, or Facebook post itself. Everyone wants to be a David Letterman or Rush Limbaugh, quick with the wit or politically charged rant. Tempers flare, folks get offended, or others just plain embarrassed. At the end of the day though, most all of what’s “out there” is deemed free speech.
That’s the beauty of the First Amendment. You can say what you want (most of the time) without reprisal. The US government – author, guardian, and object of the First Amendment – knows it’s in a pickle. Loads of federal agencies have their own Facebook pages and they’re very wary of the fact that the public can and will use these pages as a sounding board for all kinds of commentary and preaching.
Exactly when those comments cross the line and become, say, threats to national security, that’s when things get murky. Where does that line get drawn? When is a comment “libelous”? When does a comment lose its First Amendment protection? I think you get the idea.
Having a comment policy in place is a good start. Making it very clear what is acceptable behavior for comments sets boundaries that apply to anyone and everyone. There’s no singling out one person over another. Doesn’t matter what color skin you’ve got; what your sexual preference is; what religion you practice; what football team you follow. The policy applies to everyone. If you violate it, your comment will be removed. Simple as that.
Even better is utilizing technology to assist in the enforcement of these types of policies. I’m not saying to take down every comment that drops an f-bomb or some other derogatory comment, but you can use technology as the helping hand in flagging potentially libelous or incendiary material and, if need be, remove it from the system.
Think these guys would be Facebook friends?
I mean, c’mon, I’m sure our Founding Fathers bickered amongst themselves when they were laying the groundwork for the Constitution and Bill of Rights. Just think what it would’ve been like had they had Facebook at their disposal!?!? One of their Facebook conversations might’ve gone like this:
George Washington (GW): What do you think fellas… just make me the emperor and call it a day. No term limits. I’ll just pass the torch when I’m dead.
Benjamin Franklin (BF): Georgie baby, methinks you’ve been hittin’ the herbal remedy a bit too hard. How bout a ten-year max limit so you can spend some time with Martha and work on your garden?
James Madison (JM): Nah, I think George would get bored of ten years of emperor-ing. The guy’s got too many side interests. I think four years is just the right amount of time. Any longer than that and we’ll have another riot, like what happened in Boston a few years back….over tea fer crissakes!
BF: Yeah, good point. This land seems to have a bunch of rabble rousers. Which brings up another point. We better come up with a system that deals with these hooligan punks should they act up. Maybe some kind of judicial or trial system where we can put the hammer down on them, if they do something bad.
GW: Y’all crack me up. I was just kidding about the emperor bit. Let’s go with four years and call ‘em President. Well, I’m spent, fellas. Anyone fancy a beer….or 5?
And a country was born…