ASIS International Thinks Twice About Pretexting, I Think

Several weeks ago I took ASIS International and Jack Lichtenstein (Director, Government Affairs and Public Policy) to task regarding the society’s decision to define pretexting as “the use of false, fraudulent, or fictitious information in order to gather personal information during investigations (emphasis added).” I pointed out that using a plausible but false assertion to conceal one’s true purpose or intent has been an accepted investigative method for years. In fact, most covert investigations use pretexts at some level, and I cited a number of examples. Professional investigators will agree that whether an organization uses private sector investigators or its own employees to conduct its investigations, pretexts are often necessary in order to gain the confidence of those being investigated and to conceal the investigator’s true purpose. As any rational person would surely admit, a covert investigation can only succeed if the investigator conducting it does not reveal his real identity or intent. ASIS now seems to agree, or so it appears.

In the June 17, 2008, issue of Security Management Daily, ASIS ran a piece entitled “Counter Attack”: Companies Should Take Steps to Stop Counterfeiting. The piece was an excerpt from a June 5, 2008, item posted on CFO.com entitled Counter Attack by Jack Myers, a contributing editor. According to Myers, 7% of all goods sold globally are likely counterfeit. The damage to U.S. businesses is staggering. Myers claims that counterfeit goods cost American businesses about $600 billion in lost revenue and the elimination of nearly 750,000 jobs. China, of course, is widely acknowledged to be ground zero for the production of most counterfeit products, accounting for 80 percent of all the items confiscated last year by U.S. Customs. Myers explains that victim companies employ investigators to seek out and identify counterfeiters. He says that “getting the evidence to pursue a case all the way to the ultimate kingpin can be very difficult” and often the only investigative tool available is undercover. As most security professionals know, undercover by its very nature is the ultimate investigative pretext. It and other pretexts are used by hundreds, if not thousands, of ASIS members every day in the course of their investigations. Yet until citing Myers, ASIS maintained “it [would] not invest its reputation in an effort to convince lawmakers to not outlaw pretexting”.


The Benson Dilemma: Firing Workers for Publicly Exposing Security Vulnerabilities

Last month the giant retailer, TJX Companies (operator of TJ Maxx and Marshalls among others) fired an employee for allegedly disclosing confidential information regarding what he considered lax security procedures. According to widely published reports, Nick Benson, an employee at the TJ Maxx outlet in Lawrence, Kansas, had complained to management that coworkers could access company servers using blank passwords. Benson also claimed that his store manager had recorded his administrative password and username on a publicly displayed Post-It® note. According to the reports, in the summer of 2007, Benson began voicing his concerns on the Internet. Over the course of the ensuing nine months Benson left eight posts on Sla.ckers.org regarding the issue.

Benson was quite aware that prior to his posts, the central servers at TJ Maxx had been hacked and the credit card information of over 94 million customers had potentially been compromised. Thus, it should have been no surprise when his posts caught the attention of management. In late May, allegedly while marking down items on the retail floor of the Lawrence outlet, he was summoned to the store office. Inside, a regional loss prevention manager told him his critiques had come to the attention of the company hired to monitor internet postings about the retailing giant. Benson claimed the manager then told him he was being fired for disclosing confidential company information, and he was summarily asked to leave the store.

I have been unable to resurrect Benson’s original posts from a reliable source and cannot opine as to whether the manager’s alleged assertions have merit. However, when you consider the right of TJX’s customers and employees to know that their personal information may be at risk, it’s not unreasonable to consider him a whistleblower. If indeed TJ Maxx was not PCI compliant (referring to the payment card industry security rules governing businesses that accept credit and debit cards) and Benson revealed it to the public, was he really disclosing confidential company information? Given the facts as I know them, I cannot render a fair opinion. However, the Benson Dilemma is worth pondering:


Close but no Cigar

Last night several of us from BCI attended the 2008 CSIA Apex Awards. There were over six hundred people in attendance and, although we didn’t come home with any hardware, it was still a great night. We did get some good exposure, though, as both Gene and Steve presented awards.

After seeing how many great technology companies are here in Colorado I came to appreciate the award we won last year even more. Maybe next year we’ll be back up there accepting awards instead of presenting them.


To SaaS or Not to SaaS, That is the Question?

It seems every so often the software industry has to re-invent itself. One of its latest incarnations is software as a service. Proponents (including myself) believe SaaS will change the way the world buys and uses software. In principle, the idea permits thin-client desktops and reduces the need for expensive tech support by largely eliminating the need for application upgrades and other fixes. Nicholas Carr in his best-seller, The Big Switch: Rewiring the World, From Edison to Google, takes the notion even further. Carr envisions the eventual networking of today’s networks into a gargantuan super-network; a network which not only distributes computing power (not a new idea, by the way), but distributes the software that the network users access as well. This, he says, will give way to new businesses which function as software utilities, much like the electric utilities of today. Thus today’s SaaS providers will become the service utilities of tomorrow. Far-fetched? Not really.

According to Carr, large manufacturers of the late 19th Century generated their own electricity. Because a reliable distribution grid did not exist until Edison created one, businesses could only grow to the extent they could generate their own power. Similarly, businesses today must generate their own computing capacity, and through it they distribute information that is often managed on proprietary platforms or through proprietary applications (think of yesterday’s CRM software). Instead, what if today we had a fast and efficient way to distribute computing capacity through wireless thin-client appliances, appliances as simple as any that exist in our home or office today? That is the future of SaaS. How we get there is really the question.

Carr and I agree that three things will be necessary: 1) expanded, high-capacity connectivity; 2) software architecture that transcends the MS/Mac standards of today; and 3) consumer acceptance. The sooner requirements 1 and 2 are met, the faster we can achieve number 3. However, the biggest obstacle is clearly number 1. Already, our existing Internet backbone is reaching capacity. Without significant investment, it is estimated we will reach overload sometime shortly after 2010. How we will address that crisis (and it indeed may be a crisis) is not yet known. In the meantime, the SaaS model will gain popularity and acceptance in spite of considerable resistance. Regardless, whether one likes it or not, software on demand is the future. All we have to do is figure out how to get there and, as far as I am concerned, the faster the better. Our businesses will be better for it.

Supremes Back Workers Who Report Discrimination

In recently deciding CBOCS West Inc. v. Humphries, the U.S. Supreme Court takes a surprising excursion back to the Civil War era and examines the Nation’s first major civil rights law, the Civil Rights Act of 1866. The case raises the issue: does the Act’s first section (now codified as 42 U.S.C. 1981), guaranteeing equality in the right to make a contract, forbid reprisals against an individual who complains of discrimination against others? More specifically, the case asks whether retaliation is itself a form of forbidden discrimination when contracting rights are at stake, and whether federal civil-rights laws protect not only employees who suffer discrimination, but also colleagues who face retaliation for bringing the complaints of others to management.

In the 7-2 decision handed down on Tuesday, May 27, 2008, the Court sided with a Cracker Barrel restaurant manager who claims he was fired for complaining that a fellow worker was fired because she was black. To come to its decision, the Court examined Section 1981, which gives “all persons (in the U.S.) the same right…to make and enforce contracts” that “is enjoyed by white citizens.” Interestingly, however, the law says nothing about retaliation. Justice Clarence Thomas, who dissented (and was joined by Justice Antonin Scalia), seemed to recognize this small but critical point. Justice Thomas opined that, for an individual subjected to reprisal because he complained about racial discrimination, “the injury he suffers is not on account of his race; rather it is the result of his contract.” I would tend to agree.

So what if employers may now face liability for actions taken against whistleblowers who report discrimination against co-workers? Shouldn’t all whistleblowers be protected? The answer to the latter question may indeed be yes. However, to be sure, one must know the motive of the whistleblower. Employees today are more sophisticated than their predecessors and many know the law as well as their employers do. Some employees blow the whistle as a cover, to deflect attention from themselves or from other people in their workplace. Even when they don’t, a whistleblower facing discipline or corrective action for an unrelated matter can now claim retaliation, even one who was not a victim of the alleged discrimination he reports. This form of immunization seems unfair to employers. It extends protection to a whole new class of employees while doing little for those who employ them. It will be interesting to see how many whistleblowers this decision protects and how many contracts it upholds.

CSIA Lunch-n-Learn a Success!

Yesterday BCI hosted a very successful event, “IT Forensics & the World of Corporate Investigations”, in partnership with the Colorado Software & Internet Association (CSIA). Thirty-five people attended the event and were provided lunch and a chance to network before and after the presentation.

A special thanks to our CEO Gene Ferraro who stepped in at the last minute to present on behalf of our President, Steve Foster. Also a special thanks to Michael Horwith, our forensics expert, who aided Gene in the presentation, all of the BCI employees who helped organize the event, and to CSIA who helped promote it.

The topic has yet to be determined but we plan on hosting another Lunch-n-Learn this fall. Now that we have one under our belts we should be pros at organizing these in the future.

Gambling in the Workplace

Two of the first books written on the topic of undercover investigations in the workplace had chapters dedicated to investigating workplace gambling. Their authors, Charles Sennewald and Kirk Barefoot, agreed that employee gambling was a big problem and deserved the attention of every employer. Their books, both written almost thirty years ago, are almost comical in their approach to workplace criminal activity given the threats posed in today’s workplace. However, according to a recent article in HR Magazine (May 2008), more women are becoming addicted to gambling and more of their gambling is taking place in the workplace. According to the article and research conducted by the National Council on Problem Gambling (NCPG), compulsive gambling has increased in all groups of people, including women.

According to the NCPG, about 2 million American adults—about 1 percent of U.S. adults—are pathological gamblers, and another 4 to 6 million adults are considered problem gamblers. The NCPG also notes that when employees are unable to control their gambling impulses, employers often pay the price. Uncontrolled employee gambling is often connected to workplace issues such as embezzlement, fraud, theft and even violence. A gambling addiction can also affect productivity. An employee with a gambling addiction will have difficulty achieving peak performance and meeting employer expectations. Because the disease is difficult to detect, employers should focus on managing performance and behavior. By making unreasonable accommodations for employees who have failed to reveal a gambling problem, the unwitting employer often becomes an enabler, and thus initiates a vicious and very destructive cycle.

Best advice: Establish policies which prohibit workplace gambling, even activities as innocent as office pools; offer assistance to those who admit they have a problem and want help; and consistently manage employee performance and behavior.

Recovering the Cost of Your Investigations

Like any effective process, the investigator’s effort should produce measurable results. First and most immediate is the return on investment, or ROI. The properly engineered investigation will often produce tangible, measurable results such as the recovery of stolen property or money; the termination of dishonest employees or vendors; and of course, successful prosecution when appropriate. When properly conducted, workplace investigations are complex affairs. They typically involve the convergence of many disciplines and an assortment of uncommon skills. More often than not, the investigator must have a comprehensive understanding of criminal, civil and employment law. They also require a considerable investment of time, money and patience by the employer or client. Finally, to ensure success, the process must be highly structured and flawlessly executed. Even the most sophisticated organization can find the task consistently challenging. Thus, workplace investigations of even the simplest variety are not for the faint-hearted.


Pretexting: A Case of Mistaken Identity

Using a plausible but false assertion to conceal one’s true purpose or intent has been an accepted investigative method for more than 100 years. Not until a small group of contractors working for Hewlett-Packard misused this valuable tool in 2006 did lawmakers or anyone else even take notice of it. Since then, privacy advocates, the media and others have demanded that the practice be outlawed and those who use it be punished.

Organizations such as the National Council of Investigation and Security Services and the California Association of Licensed Investigators, however, recognize that pretexting is invaluable to investigators in both the public and private sector and have fought to defend this tool and prevent its ban. On the other hand, ASIS International has taken a position which opposes many of its members and decided “it will not invest its reputation in an effort to convince lawmakers to not outlaw pretexting until such time as the investigations community (read private investigators) is able to develop and present a convincing code of self-regulation”.

Business Controls, Inc. has joined the blogosphere!!!

It has been a long road and after several attempts we finally made it into the world of blogging. We would like to thank the people at Indigio for all of their hard work and help getting this blog off the ground.

Check back often for news and insights from our Founder and CEO, Gene Ferraro, as he shares his thoughts and expertise on several subjects. With over 30 years of experience, Gene will share his knowledge and insight into many issues including workplace investigations, security, technology, risk mitigation, ethics and compliance, employee training, and legal and legislative issues as they pertain to workplace investigations.
