UK to investigate breaches at outsourcing centres

The UK's Information Commissioner is launching an investigation into outsourced data centres after a Channel 4 television programme exposed security breaches at Indian call centres. Channel 4's Dispatches was offered individuals' banking details for as little as £8 by criminal networks in India, Out-Law.com reports. Deputy Information Commissioner David Smith said that dependent on the outcome of the investigation the office would consider whether it should use formal enforcement powers to prevent such incidents. It could potentially prevent some companies from sending their data outside of the UK for processing. Smith said that companies which outsource their data processing or any back office functions are entirely responsible for that data and its security. It is not permissible, he said, for a company to simply pass blame on to a contractor.Full Out-Law.com report

Creative Commons – a new copyright model

With the explosion in self-generated Web sites comes the problem of who owns copyright on content published for global consumption. CDU reports that Professor Brian Fitzgerald’s lecture on the new field of copyright law known as Creative Commons, outlined the enormous potential for copyright infringement where content posted on the Net can be easily accessed, altered and ‘cut and pasted’ into new versions of someone’s creativity. Fitzgerald, who is project leader for Creative Commons investigation in Australia, said those happy to share their content could simply badge their material as Creative Commons: Attribution. This allowed it to be reproduced, so long as the creator of the material was acknowledged. Full CDU report

IT Security: HSBC exposed by flaw

MORE than three million customers of global banking giant HSBC have been left vulnerable while banking over the internet for more than two years because of a security flaw.

Employers spying on workers, study suggests

Canadian employers in a wide range of industries conduct surveillance of employees at work, suggests a report to be released on Monday.
The Ryerson study follows a large workplace survey in the United States and Britain, which suggested 40 per cent of employers regularly read employees' e-mails.
The results of the aforesaid study will most probably be exactly the same if such a study would be conducted in South Africa.

It is imperative for organisations in South Africa, when dealing with monitoring of communications, to ensure they comply not only with the Regulation of Interception of Communications and Provision of Communication-Related Information Act 2002, but also the Labour Relations Act and other Privacy related legislation.

For more information on:

1. eCommunication Policy
2. Record Management Policy
3. IT Security Policy
4. Interception and Monitoring Policy
5. Awareness programs for employees
6. In-house training to address the above issue
7. Correct implementation of a procedure / process to deal with the Interception of Communications
8. Software to assist with the implementation of Policies,

contact van Gaalen Attorneys:
Tel: 011 782 9511
Fax: 0866318898
email: info@vangaalenlaw.co.za
website: www.vangaalenlaw.co.za

Phishers come calling on VoIP

Cheaply available voice over Internet Protocol numbers and Net calling are helping crooks launch new data-thieving scams, a security company has warned.

Companies Read Employee E-mail

Big Brother is not only watching but he is also reading your e-mail.

According to a new study, about a third of big companies in the United States and Britain hire employees to read and analyze outbound e-mail as they seek to guard against legal, financial or regulatory risk.

Berners-Lee applies Web 2.0 to improve accessibility

Accessibility seminars often begin with a quote by Tim Berners-Lee: "The power of the web is in its universality. Access by everyone regardless of disability is an essential aspect." It's an old quote, but the web's inventor offered fresh ideas the day before yesterday.

Phones4u wins passing off appeal against phone4u

An online seller of mobile phones did not infringe the trade mark of John Caudwell's Phones4u chain when it used the domain name phone4u.co.uk, according to the Court of Appeal. But Friday's judgment concluded that there was passing off.

Dealing with a phishing attack

As phishing attacks have grown, the defences and mysterious counter-measures have evolved. Uri Rivner, Head of New Technologies at RSA Cyota Consumer Solutions, tells a detective's story.

The Business of CANning SPAM

The FTC took a short break from the business of security breach enforcement to remind corporate America that commercial email (a/k/a spam) has its rules, and failing to abide by them has a price. In statement released on May 11, the FTC announced that both Kodak Imaging Network (formerly Ofoto, Inc.) and ICE.com had agreed to settle a series of CAN-SPAM charges brought against them in a pair of FTC complaints. According to the Commission, Kodak allegedly "sent a commercial e-mail message to more than two million recipients that failed to contain an opt-out mechanism, failed to disclose in the email message that consumers have the right to opt-out of receiving further mailings, and failed to include a valid physical postal address, as required by law." Meanwhile, ICE.com purportedly "sent more than 6,000 e-mail messages to consumers who had previously requested not to receive future commercial e-mail messages from the company." Neither company was hit with a very big fine ($26,331 for Kodak, and only $6,500 for ICE.com). But, in addition to agreeing not to violate CAN-SPAM again, both companies agreed to submit themselves to a series of FTC monitoring, record-keeping, and reporting provisions intended to keep them honest.
© Copyright 2006 Steptoe & Johnson LLP

GET YOUR ECOMMUNICATIONS GUIDE NOW
If you want your organisation to be compliant with South African eCommunication legislation then email us (info@vangaalenlaw.co.za ) your details (Fulle Name, name of your organisation, website address, email address and tel. no.) and we will forward you our eCommunications Guide. The eCommunication Guide will include the topic as mentioned above - "how to reflect an 'unsubscribe' opt-out function in accordance with sec. 45 of the Electronic Communications and Transactions Act 25 of 2002"

Appeals Court says Denial of Service is a crime

A judge made a mistake when he suggested that a teenager using a 'mail-bombing' program to attack his former employer's computer system was not breaching the Computer Misuse Act, according to the Court of Appeal.

Others must learn from Morgan Stanley's missing emails

Morgan Stanley last week agreed to pay $15 million to settle a civil action brought by the US Securities and Exchange Commission for failing to produce tens of thousands of emails requested during SEC investigations from 2000 to 2005.

ISO/IEC standard benchmarks provision of software asset management

A new ISO and IEC standard for managing software assets is expected to result in cost savings for users, whether large or small enterprises, as well as improved efficiency, risk management and customer (internal and external) satisfaction.

Published by ISO (International Organization for Standardization) and IEC (International Electrotechnical Commission), ISO/IEC 19770-1:2006, Information technology - Software asset management - Part 1: Processes will enable organizations to benchmark their capability in delivering managed services, measuring service levels and assessing performance.

Software asset management (SAM) principles apply to the media, installations, licenses, proof of license, and intellectual property associated with the software. Until now the application of these business processes has been arbitrary and relatively few organizations have been able to implement a comprehensive strategy. The implementation of ISO/IEC 19770-1:2006 will standardize the framework making it possible for companies to integrate SAM into their other compliance and best practice models.

ISO/IEC 19770:2006, which is issued in two parts under the general title, Software asset management, will enable service providers to understand how to enhance the quality of service delivered to their customers, both internal and external.

• 
  Part 1: describes the processes involved in SAM.
• 
  Part 2: defines a product identification that will simplify the software inventory process*.

The standard is intended to align closely to, and to support, ISO/IEC 20000:2005, issued in two parts under the general title, Information technology - Service management.

If you think it is time to audit your existing Software Assest Management ("SAW") process / practise and amend same to reflect the latest standard, then contact van Gaalen Attorneys who will be able to:-

1. Execute a SAW audit;
2. Provide a GAP analysis (incl. recommendations);
3. Deliver and assist with the implementation of the required process flows, policies, notices etc.to ensure that your organisation is compliant with the ISO/IEC standard

Contact van Gaalen Attorneys for more information: info@vangaalenlaw.co.za or tel: 011 782 9511/2 or fax: 0866318898

UK Data Protection Authority Takes Surprisingly Flexible Approach to Sale of Consumer Data

Upholding its reputation as one of the most flexible EU data protection authorities (DPAs), the Office of the UK Information Commissioner recently released Good Practice Note taking a surprisingly flexible approach to sale of databases containing consumers' personal data. To the initial question "Can databases be sold?," the Information Commissioner gave a qualified "Yes." The first circumstance in which the Information Commissioner notes that consumer databases may be sold is where the consumers included in the database have given their consent. The second, and more controversial, circumstance is the Information Commissioner's statement that if a business is insolvent, bankrupt, going out of business, or being sold, the "[UK Data Protection] Act will not prevent the sale of a database containing the details of individual customers, providing certain requirements are met." The "requirements" relate mainly to using the information for the "same or similar" purposes to those for which the information was gathered, and providing notice to consumers in the database of the sale. But nowhere does the Information Commissioner say that consumers must be given the chance to object to further use of their information upon a sale, and the authorization of "similar" use is quite flexible. Such guidance will certainly raise a few eyebrows at other EU DPAs.

© Copyright 2006 Steptoe & Johnson LLP

IT Security: Hacking law updates are overdue

It's taken some time for MPs to decide how to update the UK's laws against hackers. Nevertheless, the proposals in the new Police and Justice Bill don't look too shabby.

Apple argues that blogger can't protect source

A US appeals court has been hearing arguments in a case that tests the right of a blogger to protect his sources. Apple Computer wants to know who leaked details of a product called 'Asteroid' and expects bloggers to reveal the names.

IT Security: What's the Inside Attacker Profile?

What's the Inside Attacker Profile?
The United States Secret Service and the Carnegie Mellon University Software Engineering Institute's CERT Coordination Center published an insider threats study report in 2005 which offered critical insights into the mind and motivation of the "inside attacker." According to the statistics gathered, the inside attacker is usually:

• Male
• 17-60 years old
• Holds a technical position (86 percent chance)
• May or may not be married (50/50 chance)
• Racially and ethnic diverse

Sufficiently broad pool? Absolutely. Here are some additional statistics, again from the same CERT study:

• In 92 percent of the incidents investigated, revenge was the primary motivator.
• Sixty-two percent of the attacks were planned in advance.
• Fifty-seven percent of the attackers surveyed would consider themselves "disgruntled."
• Eighty percent exhibited suspicious or disruptive behavior to their colleagues or supervisors before the attack.
• Only 43 percent had authorized access (by policy, not necessarily via system control).
• Sixty-four percent used remote access to carry out the attack.
• Most incidents required little technical sophistication.

Worker can't be fired for Web surfing

A New York City employee cannot be fired for surfing the Web from work, an administrative law judge has ruled.

High costs hamper domain resolution

The Department of Communications expects progress to be made on the development of an alternative domain name dispute resolution process within the next three months. The absence of an alternative dispute resolution process (ADRP) has led to high costs for businesses, say industry players...

ICANN mulls .tel domain for contact info

Reaching out and touching someone used to be as simple as dialing a string of numbers.

But now there are home, cell and work phone numbers from which to choose, and sometimes work extensions to remember. There are also e-mail addresses -- at home and at work -- and instant messaging handles, perhaps separate ones for the various services, some of which now do voice and video besides text.

Some people even have Web pages -- through their employer or Internet service provider, or perhaps a profile or two on MySpace.

To help people manage all their contact information online, the Internet's key oversight agency is considering a ``.tel'' domain name. If approved, the domain could be available this year.

Wireless TV all-clear

Is this something that we will see in South Africa when it comes to the braodcasting of TV over wireless devices or over the internet?

See what was said in Canada:
Cellphone TV services started with hockey clips and news but now the broadcasting regulator has given wireless carriers carte blanche to move beyond traditional television.
Mobile TV services from Telus Corp., Bell Mobility Inc. and Rogers Wireless Communications Inc. are delivered over the Internet and aren't subject to the same rules as those provided by cable operators and broadcasters, the Canadian Radio-television and Telecommunications Commission said Wednesday....

See Canadian Radio-television and Telecommunications Commission's Public Notice on Regulatory framework for mobile television broadcasting services - click here

source: www.theglobeandmail.com

Court rules that an email address is not a signature

A High Court judge has ruled that the presence of a sender's email address in the header of an email does not amount to a signature – although a typed name would have sufficed to form a binding contract.

Corporate blogs are a liability

EDITORIAL: Many bloggers wear suits, not pyjamas. A recent proliferation of corporate blogs has given numerous workers a new platform for self-expression. But while employers hope to see business benefits, lawyers will see nothing but trouble.

ID thect and fraud - The weakest link - uneffective policy implementation!!!

There's some good news and some bad news to report concerning the fight against identity theft and cyber fraud. The good news is that financial institutions and other companies continue to batten down their information security with high-end tecnological measures such as two-stage identification and multifactor authentication. The bad news is that even the most advanced information security systems often have an Achilles heel -- usually in inadequate, or unenforced, policies covering employees and contractors. The recent spate of thefts of employee or contractor laptops thefts, resulting in the loss of sensitive information, is a perfect example. No matter how much money a company spends on fancy data security measures, these less sexy links in its security chain will continue to be vulnerable to exploitation by clever fraudsters. This doesn’t mean companies should give up on the high-end technological measures. Rather, it means companies need to pay as much attention to the more mundane, less glamorous aspects of security, like establishing and enforcing rules on the handling of sensitive data, and regularly using encryption.

© Copyright 2006 Steptoe & Johnson LLP. Steptoe & Johnson LLP

Do you read the License?

Open Content Movement Finds a Poster Child From MTV
In early March, the District Court of Amsterdam ruled that Dutch gossip magazine Weekend infringed the copyright in four photos which were posted on photography website flickr. Adam Curry, who, among other things, is a former MTV "video jockey," had posted the photos under the Creative Commons Attribution-NonCommercial-ShareAlike license, which allows photos to be used freely (with attribution) for non-commercial purposes, but not for commercial purposes (such as the use by Weekend). Weekend defended Curry's action by arguing that it was misled by the notice "This photo is public" that was posted with the photos, and therefore did not click on the Creative Commons "CC" symbol accompanying a "some rights reserved" notice (also posted with the photos), which led to a summary of the terms of the license. The court rejected this argument, stating that "it may be expected from a professional party like [the publisher of Weekend] that it conduct a thorough and precise examination before publishing in Weekend photos originating from the internet." The Curry decision thus holds (at least under Dutch law) that not only are Creative Commons licenses valid, but more suprisingly that publishers are under a duty to understand and investigate such licenses even in the face of a confusing statement like "This photo is public."

Source: Steptoe & Johnson LLP. Steptoe & Johnson LLP

The first move in the direction of web accessibility standards

Separating coders from cowboys with PAS 78

A guide published earlier this month about how to commission accessible websites will transform web accessibility in the UK, according to Chris Rourke of User Vision. The firm is also seeking your views in a short online survey.

P2P Crackdown - soon in South Africa?

Crackdown on corporate P2P users in Britain - Is your company addressing this risk?!

The Federation Against Software Theft is about to take action against a number of companies in the UK that have been caught making illegal copies of software available for download from their networks – which may come as a complete surprise to the companies.

IMPORTANT - Cryptography Regulations

As of Friday 10 March 2006, providers of cryptography products or services will have to register at the Department of Communications certain information before they can provide cryptography services and/or cryptography products.

It is important to know that failure to register could lead to fine or up to two years imprisonment.

If you are unclear whether you are a cryptography service / product provider - here are the definitions as per the Electronic Communications and Transactions Act 2002:

This is according to the cryptography regulations published in the government gazette on 10 March in terms of the Electronic Communications and Transactions Act of 2002 (ECT Act):
"cryptography provider" means any person who provides or who proposes to provide cryptography services or products in the Republic.

"cryptography service" means any service which is provided to a sender or a recipient of a data message or to anyone storing a data message, and which is designed to facilitate the use of cryptographic techniques for the purpose of ensuring
a) that such data or data message can be accessed or can be put into an intelligible form only by certain persons;
b) that the authenticity or integrity of such data or data message is capable of being ascertained;
c) the integrity of the data or data message; or
d) that the source of the data or data message can be correctly ascertained.

"cryptography product" means any product that makes use of cryptographic techniques and is used by a sender or recipient of data messages for the purposes of ensuring-
a) that such data can be accessed only by relevant persons;
b) the authenticity of the data;
c) the integrity of the data; or
d) that the source of the data can be correctly ascertained;

Contact van Gaalen Attorneys today to find out about their special offer to register you / your organisation as a Cryptography Service- / Product provider

Tel: 011 782 9511/2
Fax: 086 631 8898
email: info@vangaalenlaw.co.za (heading - cryptography special offer)

Security 'not a problem' for IT managers

The top two IT-related problems facing companies today are operational incidents and staffing issues, according to a study commissioned by the IT Governance Institute (ITGI).

Communications bill ushers in demise of Telkom’s monopoly

COMPETITION in the telecoms industry will get a major boost from the Electronic Communications Bill now awaiting presidential approval, the chairman of Parliament’s communications portfolio committee believes.

No TV licence fees for IPTV

Those planning to receive TV on their mobile devices or PCs using broadband technology will not have to pay a TV licence fee for this.

OSS: The alternative in digital forensics?

Open source software (OSS) tools can be credible and reliable in digital forensics, says Cobus Venter, senior researcher at The Cyber Security Science Centre, a division of the Council for Scientific and Industrial Research (CSIR).

Morgan Stanley offers $15m to make up for missing emails

Investment bank Morgan Stanley has offered to pay the Securities and Exchange Commission (SEC) $15m to settle an investigation by the regulator into an alleged failure by the firm to produce email evidence during a legal dispute.

Metatags and Trademark Infringement

Any business with an Internet presence wants to increase its website traffic. And one of the best ways to do this is to rely on something web surfers never see -- a bit of HTML coding called a "metatag" that describes the content of a website. Search engines use these small pieces of hidden coding to index web pages according to content so web surfers can be directed to web pages with the content they request. Where things can get problematic, though, is when businesses manipulate hidden metatags to draw more eyes to their websites. One way to do this, for instance, is to use the trademark of a competitor in your metatags to attract that competitor’s customers. But that clever tactic just ran into a roadblock, when a federal court in Ohio ruled that the use of a competitor's mark in metatags to pull consumers to a website constitutes trademark infringement, even if consumers eventually realized that the site was not that of the competitor. This decision could have major -- and negative -- ramifications for Google and other search engines that allow companies to use competitors' marks as keyword search terms, so that their own paid ads (and links) are displayed when someone searches for the competitor's name

How to avoid Open Source Licensing pitfalls

Open Source software can offer users greatcommercial advantages when care is taken to address the intellectual property issues andminimise contractual risks.

Open source has long held an imprtant place in fulfilling

Why SCO has no case

"IT directors shouldn't worry about SCO Group's latest sallies in its legal war on Linux vendors IBM Corp. and Novell Inc., says attorney Thomas Carey. It's just more posturing, or as Shakespeare said, a tale "full of sound and fury, signifying nothing."

Liable For Your Employee's Porn Addiction??!

With specific reference to our own Films and Publications Act (Amended), employers in South Africa should be aware of similar actions in South Africa - see below, information received from the USA:
Employers' monitoring of their employees' online activity is nothing new. And neither is reprimanding an employee for visiting pornography websites at the office. But thanks to a recent court decision, employers may now have a legal obligation to halt such activity by employees, or they could be liable if that activity "result[s] in harm to innocent third parties." On December 27, in Doe v. XYC Corp., the Superior Court of New Jersey, Appellate Division, ruled that "an employer who is on notice that one of its employees is using a workplace computer to access pornography, possibly child pornography, has a duty to investigate the employee's activities and to take prompt and effective action to stop the unauthorized activity." The court held that no privacy interest of the employee stood in the way of this duty. Although the ruling has serious implications for any company that offers Internet service in the workplace, it may be of special interest to Internet service providers -- who already have their own child pornography notification obligations under 42 U.S.C. § 13032, and who may come across illegal activity not only on the part of their employees but also on the part of their subscribers. And the court's reasoning could extend beyond pornography to any illegal or harmful conduct engaged in by employees from their work computers.

U.S. Government Pushes Banks to Tighten up Online

E-Commerce Times: The Federal Financial Institutions Examination Council, a federal agency that includes the Federal Reserve System, the Federal Deposit Insurance Corp. and the National Credit Union Administration, and oversees banking regulations in the U.S., issued guidelines in late 2005 calling for online banks to implement two-factor identity authentication. Now the agency has announced that it will begin evaluating banks for compliance with the guidelines later this year. The guidelines were issued because the FFIEC felt that single-factor authentication is not secure enough for online banking applications.

Interesting numbers!!

15 percent
Proportion of IT budgets to be allocated toward compliance projects in 2006, up from less than 5 percent in 2004, according to Gartner projections.Source: CRN
1,031
Number of companies restating their earnings in 2005 as of October, as compared to 650 for all of 2004 and 270 for all of 2001.Source: International Herald Tribune
90 percent
Proportion of companies that go under within two years of losing data, according to research firm Baroudi Bloor International.Source: Sarbanes-Oxley Compliance Journal

Overhaul of GPL set for public release

A major revamp of the General Public License is scheduled for public release next week, a move that's expected to kick off a long and vocal debate over the key foundation of open-source programming.