Let's look at the Bloomberg News brouhaha from the perspective of security and privacy controls, or perhaps in this case, the lack thereof.
See Also: Secure Access in a Hybrid IT World
First, the facts: Bloomberg operates a financial news operation, as well as a service aimed at professional traders that monitors and analyzes real-time financial market data and is delivered through a proprietary computer system, including hardware known as the Bloomberg Terminal. Until a customer complained, Bloomberg gave its reporters access to clients' login history, as well as when a login was created. Reporters also could see high-level types of user functions on an aggregated basis, with no ability to look into specific security information. Writing in a blog, Bloomberg Editor In Chief Matthew Winkler likened this to being able to see how many times someone used Microsoft Word vs. Excel. Reporters also had access to clients' help desk inquiries.
There is a real concern about having compromised the trust of their customers because there was an expectation, and the expectation was not met.
The complaining customer - Goldman Sachs - found out about the practice when the client received a call from a Bloomberg reporter in Hong Kong, asking if a certain employee had left the company because the journalist noticed no activity on the employee's Bloomberg Terminal, according to a published report.
From an information risk management standpoint, Bloomberg didn't implement tightly-drawn security and privacy controls to limit all inappropriate company personnel from accessing information that didn't deal with the specifics of serving their clients. A systems administrator might need to see the logs, but why would a reporter?
In this instance, it's Bloomberg's top brass' responsibility to ensure that controls are in place that safeguard all customer data. Bloomberg Chief Executive Daniel Doctoroff seems to have taken responsibility for the lack of safeguards. In a statement, Doctoroff says:
"Having recognized this mistake, we took immediate action. Last month we changed our policy so that all reporters only have access to the same customer relationship data available to our clients. Additionally, we decided to further centralize our data security efforts by appointing one of our most senior executives to the new position of client data compliance officer. This executive is responsible for reviewing and, if necessary, enhancing protocols which, among other things, will continue to ensure that our news operations never have access to confidential customer data."
Safeguarding the Organization
Policies - and controls - aren't just to protect an organization's customers, but also to safeguard the organization itself. The failure to have tight controls over access to log information has hurt Bloomberg's reputation. And a less than stellar reputation could place an enterprise at risk.
Winkler's blog is an attempt at reputation damage control. He says Bloomberg has never compromised the integrity of customer data in its reporting. But, he concedes, it should have paid more attention to data privacy: "As we've grown, and as data privacy has become a central concern to our clients, we should go above and beyond in protecting data, especially when we have even the appearance of impropriety."
Privacy lawyer Lisa Sotto, a partner in the law firm Hunton & Williams, isn't involved in the Bloomberg matter, but says the reputational risk to the company is enormous. "There is a real concern about having compromised the trust of their customers because there was an expectation, and the expectation was not met," she says.
Sotto doesn't see a legal threat to Bloomberg unless its contracts with its clients specifically forbade the sharing of log information with reporters. Still, she says, a company in Bloomberg's position needs to toughen its IT security and privacy governance process with more granular policies and procedures to set the rules of the road, which include better enforcement and training. "It is critically important to have a stringent set of access controls, but the integrity and ethics issues really go beyond privacy and data security," she says.
What's at risk here is Bloomberg's reputation. Will the steps Bloomberg has taken to stop the practice of sharing clients' log information with its journalists maintain (or rebuild) the trust with its customers? It might. But there's no doubt Bloomberg's reputation has been tarnished. And that's a lesson to other organizations that don't firmly control access to even what may be deemed as inconsequential data.