
AOL CTO & 2 Other Employees Resigned...Or Fired?...for Privacy Breach of ~658,000 Users

According to a widely published news story, AOL today announced in an inter-office memo that its CTO, Maureen Govern, had been fired and was immediately being replaced by an interim CTO, John McKinley. A CNN report, however, indicates she resigned.

Govern was in charge of the area that released the search data of 658,000 users, covering March through May earlier this year. According to the initial reports about the release, AOL had indicated the data was posted to a publicly available site for "research purposes," but that it was "mistakenly" released and the decision to do so was "not appropriately vetted."

"A researcher in AOL's technology research department and the employee's supervisor have also left the company in the wake of the disclosure, a source familiar with the matter said on Monday." 

"In response to a torrent of criticism across the Internet, AOL also said it plans to create a task force to review its customer information privacy policy."

The AOL privacy policy is pretty much standard fare...including the statement, "Your AOL Network information will not be shared with third parties unless it is necessary to fulfill a transaction you have requested, in other circumstances in which you have consented to the sharing of your AOL Network information, or except as described in this Privacy Policy." 

It will be interesting to see how they update their policy as a result.

Since the AOL spokesperson, Andrew Weinstein, indicated this was "a screw up, and we're angry and upset about it," in a BNA news release, and also indicated "AOL is undertaking an internal investigation into the matter to ensure that it does not happen again," these personnel eliminations are likely part of the actions they are taking to mitigate any potential fines and penalties and try to demonstrate due diligence in addressing the incident. 

So, the personnel eliminations could have been sacrificial lambs, or perhaps they really did perform their job responsibilities in ways that were either completely negligent in consideration of potential consequences, or maybe purposefully malicious in intent.  It will be interesting to see if any statements will be made by Govern...highly unlikely considering she and the other dismissed employees probably signed NDAs.

This AOL incident is a good example of the need for thoughtful, well-communicated and enforced privacy policies and procedures. Put it in your awareness and training file so your organization doesn't make a similar mistake.

  • Know your privacy policy and implement procedures to support it.
  • Communicate often and clearly about what is considered as personally identifiable information (PII) along with the other types of sensitive information (e.g., search data) that, when coupled with PII can create a huge invasion of privacy and violate your own privacy policies.
  • Communicate how to protect PII and sensitive data often and effectively.
  • Make business leaders accountable for their decisions and enforce sanctions when they "screw up."
  • Very, very basically, don't use the Internet as your company's open research data repository!  Just because a research URL may not be easy to guess, it usually is very easy to find.


Rebecca Herold's Bio:

Rebecca Herold, CISSP, CIPP, CISM, CISA, FLMI, has been providing information security, privacy and regulatory assistance and services to organizations from a wide range of industries for over 18 years. Rebecca was instrumental in building the information security and privacy program while at Principal Financial Group, which was awarded the CSI Information Security Program of the Year Award in 1998. IT Security ranked Rebecca as one of the top 59 IT security influencers, and Computerworld put Rebecca on their list of the 25 top privacy experts and on their list of the 9 best privacy consulting firms. Rebecca has been CPO for two consulting organizations, and has had her own information privacy, security and compliance business since 2004. Rebecca has written chapters for several books, dozens of articles, and has been writing a monthly privacy column for the CSI Alert newsletter since the beginning of 2001, and is working on her 11th book. Some of her other books include The Privacy Papers, Managing an Information Security and Privacy Awareness and Training Program, The Definitive Guide to Security Inside the Perimeter (Realtime Publishers), The Shortcut Guide to Improving IT Service Support through ITIL (Realtime Publishers), and The Practical Guide to HIPAA Privacy and Security Compliance. In addition, Rebecca is the leader of The Realtime IT Compliance Community where she posts to her IT Compliance weblog. You can contact Rebecca at: rebecca_herold@realtimepublishers.net.