Palisade Blog

Welcome to Palisade Systems' Blog

This Week In Leaks, Take-Me-Out-To-the-Ball-Game Edition

by mitch 27. August 2010 16:01

This week we saw the Pittsburgh Pirates teaching an unlikely lesson in the importance of Data Loss Prevention (DLP), California passed a notification bill for data leaks, the NY DA issued a 147-count indictment in an identity theft case, and more.

Major League Baseball Teaches Unlikely Lesson in Protecting Confidential Information. Embarrassing internal financial documents leaked from the Pittsburgh Pirates, apparently showing management finds it profitable to run a losing team. The Pirates deny the documents' authenticity. (On our blog)

NYC D.A. announces 147-count indictment in case involving 800 stolen credit reports. Iguosade Osahon is charged with stealing more than $500,000 over a three-year period using the names, dates of birth, and Social Security numbers for more than 750 people. (Office of Inadequate Security)

Security Best Practices for Small and Medium-Sized Businesses (Video). SC Magazine's Angela Moscaritolo sat down with Palisade CEO Christian Renaud to tell the magazine's readers about security best practices for small and medium-sized businesses. (On our blog)

California passes notification content bill, but will Schwarzenegger sign it? Senate Bill 1166 would mandate that security breach notices in California include specific information: a description of the incident, the type of information breached, the date and time of the breach, and toll-free numbers for the major credit reporting agencies. (Office of Inadequate Security)

Panel suggests some patient consent is needed. The federally chartered Health IT Policy Committee accepted recommendations from its Privacy & Security Tiger Team setting privacy restrictions on how healthcare providers share information among themselves. (ModernHealthcare.com)

5 percent of people scolded for inappropriate email use. They were chastised for inappropriate use of corporate email, including sending inappropriate jokes, angry emails, and other messages that could bring negative publicity to their company, according to a UK survey. (Messaging Architects)


Major League Baseball Teaches Unlikely Lesson in Protecting Confidential Information

by mitch 26. August 2010 16:00

For the second time this month, we're getting an important lesson from an unlikely source in the value of protecting the privacy of confidential information. This week, the lesson comes from the Pittsburgh Pirates.

The baseball team leaked confidential internal documents to the Associated Press outlining team finances in embarrassing detail.

The leak teaches two valuable lessons: One is the importance of protecting confidential information.

The other is that you can make a lot of money running a losing baseball team.

The Pirates made nearly $29.4 million in 2007 and 2008, according to team financial documents, years that were part of a streak of futility that has now reached 18 straight losing seasons. The team's ownership also paid its partners $20.4 million in 2008.

The data leak illustrates the value of good Data Loss Prevention (DLP) technology, like PacketSure and ComplianceSafe from Palisade Systems, combined with business practices that protect private information.

The leak of this internal document -- assuming it is an internal document; the Pirates dispute its authenticity -- surely embarrassed the club and alienated vital business partners. The AP article alleges that the Pirates cut costs at the expense of winning games. That's not what the Pirates' fans, the city of Pittsburgh, Major League Baseball, and other business partners are paying for. They want a team that wins, or at least does everything it can to win. This document leak could be extremely damaging to the Pirates' future business.

We don't know how this document got out, whether it was over the Internet or printed out and hand-carried. But Palisade's PacketSure™ solution is designed to protect proprietary documents like this one from getting out over the Internet. PacketSure monitors outgoing Internet traffic from an organization to protect against leaks of proprietary documents, as well as customer information protected by HIPAA, the PCI standards, and state privacy laws such as those in Massachusetts.

This isn't the first time a lesson in the importance of DLP has come from an unlikely source. Earlier this month, Paramount Pictures leaked its roadmap for upcoming movies.



Security Best Practices for Small and Medium-Sized Businesses (Video)

by mitch 25. August 2010 19:26

SC Magazine's Angela Moscaritolo sat down with Palisade CEO Christian Renaud to tell the magazine's readers about security best practices for small and medium-sized businesses.

SMBs share many of the same concerns as larger organizations about operational integrity and making sure confidential data doesn't get out, Christian told SC Magazine. Smaller businesses have fewer IT resources with which to deploy security solutions, but their small size also works to their advantage, giving them simpler problems.

Smaller organizations are often ill-served by the solutions used by big businesses, which don't scale down in size effectively.

SMBs are subject to many of the same rules as big businesses requiring them to protect customer data. These include the Payment Card Industry (PCI) standards, HIPAA and HITECH in the healthcare industry, and privacy laws in Massachusetts and California.

Christian and Angela also discussed how the economic downturn is affecting SMB security, and best practices for securing SMBs.

Watch the whole video at SC Magazine.


This Week in Leaks (Aug. 20, 2010)

by mitch 20. August 2010 17:47

On today's LeakWeek, some hard examples of how data loss leads to lost customer trust, financial expense, embarrassment, and increased scrutiny from investigators. Haven't we been telling you this all along?

Loss of credit card information and merchant data breach cited as priority concerns to consumers. Some 87 percent of consumers who made a purchase or bank transaction online in the past month are worried about the safety of the personally identifying information and financial information they transmit, according to a survey by the Identity Theft Resource Center. (Dark Reading)

The University of Connecticut notified 10,174 applicants of laptop theft. The purloined computer contained names and Social Security numbers of the applicants. Notifying affected people in a situation like that is embarrassing and costly. (Office of Inadequate Security)

Connecticut Attorney General Probes Yale Data Breach. Attorney General Richard Blumenthal is looking into a data breach after Yale Medical School reported the theft of a laptop containing personal health information involving up to 1,000 people. (Press release)

Leaked Hollywood Deal Memo Teaches A Lesson On Email Security A lesson in security from an unlikely source, as Paramount Studios' movie plans for the next year get out to bloggers through leaky email. (On the blog of our parent company, Palisade Systems)

How ComplianceSafe protects the privacy of your business information We simplify the complex job of protecting your confidential email. (On our blog.)

Tiger team clarifies consent rules for HIEs. A federal privacy and security team advised on new, tighter restrictions on the ways that health information exchanges can share sensitive patient information. (Government Health IT)

FIFA Ticketing Partner in Security Breach. The soccer federation's ticketing partner compromised details of 80,000 customers, including Sweden's former Prime Minister and the head of Norway's national bank. (World Football Insider)

VA Officials To Post Reports of Security, Data Breaches on Website. The Department of Veterans Affairs will post on its Web site the details of the security breach reports it delivers to Congress each month. (iHealthBeat)

Five Ways Law Firms Can Immediately Improve Their E-mail Security. Vaccinate against viruses, encrypt, beware of phishers and spam, and more. (LawPracticeToday)

For daily updates on the latest news on data leaks, compliance with privacy regulations, and Data Loss Prevention (DLP), follow @PalisadeDLP on Twitter.


Leaked Hollywood Deal Memo Teaches A Lesson On Email Security

by mitch 19. August 2010 16:01

The last time Hollywood taught us anything about computer security was in Independence Day, when we learned that if you fail to install antivirus on your starship, your alien invasion will fail.

A leaked memo from Paramount Pictures details plans for the studio's upcoming slate of pictures in production this year and next, according to a report on the Hollywood news site The Wrap. The memo dishes the scoop on upcoming movies with Will Smith and Barbra Streisand, and a tidbit about the upcoming Star Trek movie.

Why are we telling you about this here? Well, one reason is that we're excited that there's a new Star Trek movie in progress, and we want to share the good news.

But more importantly: The Wrap says it got its story from a "leaked email."

Hollywood is a business that thrives on secrecy, with big projects kept under wraps until they're announced with great fanfare. In other words, it's a business with trade secrets -- just like your business. Paramount may have had confidentiality agreements in place with its business partners, such as the directors, writers, and actors named in the memo, and could therefore find itself liable for breaches of those agreements.

The Paramount incident underscores the need for businesses to protect their outgoing email against leaks.

Stopping email leaks is Palisade Systems' business. Our PacketSure™ solution can easily be configured to scan outgoing email for trade secrets. Like details about upcoming movies. Or your customer list, upcoming product plans, and anything else you want to be sure doesn't get leaked in email.

PacketSure™ also scans outgoing emails for customer credit card numbers, Social Security numbers, Protected Health Information, personal financial information, and other violations of regulations including HIPAA, PCI-DSS, and state privacy laws.

And PacketSure™ doesn't stop at email. We scan all types of outbound Internet traffic, including Web, instant messaging, file transfers, and interactions with social media sites like Facebook and Twitter.

Find out more: View a video demo, or get a live demo, or get a free Secure Assessment.


How ComplianceSafe Protects the Privacy of Your Business Information

by mitch 19. August 2010 13:40

ComplianceSafe is a complex and powerful product, but we’ve hidden all the complexity so it’s easy for you to use. Let’s take a look under the hood and we’ll show you how we do what we do.

But first, let’s take a look at the surface for a second — or, more specifically, the user interface. A main design goal for ComplianceSafe was to make it easy for the non-technical user. You don’t have to know anything about how e-mail works, or how we do what we do, to configure ComplianceSafe. Read about that here: “Getting started with ComplianceSafe is easy.”

So now you’ve got yourself set up on ComplianceSafe — then what?

ComplianceSafe gets to work as soon as one of your users sends an email message. Before it goes on to its recipient, the message spends a fraction of a second with ComplianceSafe, which runs tests on the message to be sure it doesn’t contain any privacy violations. We’re looking for Social Security numbers, credit card numbers, and private health and financial information traceable back to an individual, perhaps one of your patients or customers. Sending that kind of information in unencrypted email runs afoul of HIPAA, GLBA, PCI-DSS and a variety of other rules and regulations.

One way to find that information would be keyword filtering. Using keyword filtering, we would search email messages for simple text that indicates violations. We’d block email containing numbers with the correct number of digits to be Social Security numbers or credit card numbers. We’d block email containing medical terms like “diabetes” or “coronary heart disease.”

But the problem with simple keyword filtering is that it’s frequently wrong. It frequently blocks email that is, in fact, harmless. In other words, it generates “false positives.” What if the numbers aren’t credit card numbers or Social Security numbers, even if they do contain the same number of digits? And healthcare providers might have email discussions of diabetes or coronary heart disease, and those discussions would be perfectly legitimate, so long as they don’t disclose confidential patient information.

What’s wrong with a few false positives, you might ask. After all, isn’t it better to be safe than sorry?

The problem is that false positives waste people’s time. Users can’t use email in the ways they need to get their jobs done. Email managers have to waste time dealing with the false positives reports. It’s ineffective security. And ineffective security breeds contempt. Users who find the company e-mail difficult to use will just go to their personal email accounts, which you don’t control.

So we use sophisticated algorithms to make sure that data leaks are what they appear to be.

For example, when we come across numbers that appear to be Social Security numbers, we make sure that they are. We know that there are no legitimate Social Security numbers starting with 888. We know what a legitimate Social Security number looks like.

For numbers that might be credit card numbers, we use a checksum called the Luhn algorithm to verify that a number that looks like it might be a credit card number actually could be one. If the number fails the Luhn test, it doesn't trigger an alarm with ComplianceSafe. Passing Luhn doesn't prove a number is a card number, but failing it proves the number isn't one, and that is what cuts out the false positives.

For Protected Health Information (PHI) and private financial information, we use lexicons — lists of keywords — but that’s just the beginning. We look for those words in conjunction with other patterns of text. For example if we see language that’s associated with a cardiac condition, preceded by a Social Security number, the letters “DOB,” and something that looks like a date, we know there’s a high risk someone is emailing out personal health information associated with identifiers for a particular person. That’s a potential HIPAA violation, and we flag it.
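The three checks described above (structural validation of Social Security numbers, the Luhn checksum for card numbers, and lexicon terms that only count when they sit near a personal identifier) can be put together into a small outbound-message scanner. The code below is an added illustration, not ComplianceSafe's or PacketSure's code; the sample message, the condition lexicon, the 200-character proximity window and the policy actions are all constructed for the example. The SSN rules it applies are the Social Security Administration's current ones (area 000, 666 and 900-999 never issued; group 00 and serial 0000 never issued); the page's "888" example held under the pre-2011 allocation scheme, before the SSA began issuing numbers in the 800-899 range.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

@dataclass
class Finding:
    kind: str    # "ssn", "card" or "phi"
    value: str   # matched text (mask this before it goes into a real log)
    reason: str

def luhn_valid(digits: str) -> bool:
    """Luhn checksum: doubles every second digit from the right, subtracts 9
    from any double above 9, and requires the sum to be a multiple of 10."""
    if not digits.isdigit() or len(digits) < 13:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def ssn_valid(area: str, group: str, serial: str) -> bool:
    """Reject area/group/serial values the SSA has never issued."""
    a, g, s = int(area), int(group), int(serial)
    if a == 0 or a == 666 or a >= 900:
        return False
    return g != 0 and s != 0

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")            # 13-19 digits, spaces/dashes allowed
DOB_RE = re.compile(r"\bDOB\b[:\s]*\d{1,2}[/-]\d{1,2}[/-]\d{2,4}", re.IGNORECASE)
CONDITION_LEXICON = ("diabetes", "coronary heart disease", "myocardial infarction", "angina")
PHI_WINDOW = 200  # assumed: a condition term within this many characters of an identifier is PHI

def scan_message(body: str) -> List[Finding]:
    """Return the privacy findings for one outbound message body."""
    findings: List[Finding] = []
    identifiers: List[Tuple[int, int]] = []   # spans of SSNs and DOBs found

    for m in SSN_RE.finditer(body):
        if ssn_valid(*m.groups()):            # keyword-style match alone is not enough
            findings.append(Finding("ssn", m.group(0), "structurally valid SSN"))
            identifiers.append(m.span())

    for m in CARD_RE.finditer(body):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):                # a 16-digit run that fails Luhn is ignored
            findings.append(Finding("card", m.group(0), "passes Luhn checksum"))

    identifiers.extend(m.span() for m in DOB_RE.finditer(body))

    lowered = body.lower()
    for term in CONDITION_LEXICON:
        for m in re.finditer(re.escape(term), lowered):
            near = any(abs(m.start() - s) <= PHI_WINDOW or abs(m.start() - e) <= PHI_WINDOW
                       for s, e in identifiers)
            if near:                          # a condition term by itself is legitimate clinical chatter
                findings.append(Finding("phi", term, "condition term near a personal identifier"))
    return findings

ACTION_RANK = {"log": 0, "warn": 1, "notify": 2, "block": 3}

def decide(findings: List[Finding], policy: dict) -> str:
    """Apply the configured per-kind action; the most restrictive one wins."""
    if not findings:
        return "allow"
    return max((policy.get(f.kind, "log") for f in findings), key=ACTION_RANK.__getitem__)

# Constructed sample message: one valid SSN, one invalid "SSN"-shaped order number,
# one Luhn-valid card, one 16-digit run that fails Luhn, and a condition term near a DOB.
SAMPLE_MESSAGE = (
    "Patient John Q. Sample, SSN 123-45-6789, DOB: 04/12/1961, was seen for diabetes "
    "follow-up. Card on file 4111 1111 1111 1111; old card 4111 1111 1111 1112 is "
    "cancelled. Order #000-00-0000 is unrelated."
)
SAMPLE_POLICY = {"ssn": "warn", "card": "block", "phi": "notify"}

if __name__ == "__main__":
    found = scan_message(SAMPLE_MESSAGE)
    for f in found:
        print(f"{f.kind:5} {f.value!r}: {f.reason}")
    print("action:", decide(found, SAMPLE_POLICY))
```

Run on the sample, the scanner reports the real SSN, the Luhn-valid card and the "diabetes" mention, while the order number, the mistyped card and the condition word on its own would all have tripped a plain keyword filter.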

The algorithms we’re using with our new product have been tested for years with our existing PacketSure appliance and managed service.

Once we’ve found a potential violation, we act on it based on the instructions you gave ComplianceSafe when you configured it. We can keep a record for your later review, warn the sender, send you a notification, or we can block the email outright.

Finally, we make a priority out of providing very personal customer service. ComplianceSafe is designed for small businesses. We know if you have a problem, you need help right away, and we’ll do that for you.

To find out more about how ComplianceSafe works, watch the introductory video on our home page.  Or just go ahead and sign up.


ComplianceSafe in the News

by mitch 17. August 2010 11:19

We got a lot of coverage for the launch of our ComplianceSafe service last week. The attention demonstrates the industry focus being given to protecting the privacy of customer data. That's the problem that ComplianceSafe solves, by monitoring outgoing email to be sure employees aren't leaking protected data.

Coverage includes:

Des Moines Register: Palisade rolls out data-loss service (blog).

Des Moines Register: Product prevents data leaks in e-mails (article).

eWeek: Palisade Systems Offers ComplianceSafe DLP Solution.

Geek O Pedia: Palisade Systems Offers ComplianceSafe DLP Solution.

ICT Magazine: Palisade Systems Offers ComplianceSafe DLP Solution.

PC Magazine: Palisade Offers Data Leak Prevention for the SMB.

SearchDisasterRecovery.com: Palisade Systems introduces new data loss prevention service (brief).

SecurityWeek: Palisade Systems Targets SMBs with New Data Loss Prevention Solution.

Silicon Prairie News: Palisade Systems (Des Moines) launched ComplianceSafe, a Data Loss Prevention product optimized for small businesses (brief).

Wii Zeels: Palisade Systems Offers ComplianceSafe DLP Solution.

Thanks to our friends in the media for helping to pass the word about what we're doing.


This Week in Leaks (Aug. 13, 2010)

by mitch 13. August 2010 11:57

In data leaks and data privacy news this week, the US government is working on broader privacy regulations, healthcare providers are grappling with social media breaches, and Palisade launches its new ComplianceSafe service.

Massachusetts town email mistake highlights need for outbound content filtering. Officials in Hingham, Mass., sent a letter warning residents about an email breach that could make the Social Security numbers of 1,700 town employees available. The Social Security numbers were included in a spreadsheet attached to an email. "The town does not have any outbound content filtering capability in place, which could have helped prevent the leak." (Messaging Architects.)

Palisade Systems' new ComplianceSafe service offers exactly the kind of email protection Messaging Architects describes here.

Senate Democrats reveal details of data-leak prevention legislation. Companies experiencing a data breach would have to inform every individual potentially affected within 60 days. The law also sets security standards companies would be required to implement. (Messaging Architects)

Fort Worth medical clinic spends $15,000 notifying patients of theft. Employees at a Texas allergy clinic discovered the office door had been kicked in and four computers containing patients' personal information, including Social Security numbers and birth dates, had been stolen. Fort Worth Allergy and Asthma Associates spent $15,000 mailing letters notifying the clinic's 25,000 patients of the burglary. (Star-Telegram)

At Palisade, we can't stop a physical break-in, but our PacketSure™ solution can identify where sensitive data resides on your network. So if your PCs are stolen, you'll be able to tell whether the theft compromised private data on those machines, and how bad the problem is.

N.Y. man is charged with stealing identities from pediatric cancer centers, hospitals. Steve Nelson, a 29-year-old former tax preparer, is charged in Newark, N.J. court with using Social Security numbers and other information stolen from New York City hospitals, doctors' offices, and pediatric cancer centers to submit more than 100 false tax returns. He filed under the names of adult victims, and added young cancer patients as bogus dependents, netting more than $200,000. (NJ.com)

When Facebook goes to the hospital, patients may suffer. Four staff members at a Long Beach, Calif., hospital were fired and three disciplined after they snapped pictures of a dying stabbing victim and posted them to Facebook. Social media is becoming a vector for patient privacy violations. (LA Times)

Health Care Providers Grapple With Concerns of Using Social Media. Health care providers are embracing YouTube, Facebook, Twitter and blogs to officially represent their organizations, but face risks of employees sending out information that should be private. (iHealthBeat)

Research Slideshow: 2010 Data Breach Report: 10 Tips To Secure Your Enterprise. (CIO Insight)

What To Do When Your Database Gets Breached. (Dark Reading)

Thousands of ‘Subcontractors’ May Soon Have to Comply With HIPAA. Rules proposed by the US Department of Health and Human Services on July 14 would broaden the confidentiality requirements of HIPAA to include subcontractors who work with business associates of healthcare providers. Many organizations that did not have to comply with HIPAA before would now have to. (AIS Health.com)

126,000 college students and employees notified of breach. A database of information on students, faculty, and staff at six Florida colleges was inadvertently open to online access. (Office of Inadequate Security)

Walgreens being investigated for HIPAA violations. The Department of Health and Human Services is looking into allegations that Walgreens improperly disposed of discarded prescription pill bottle labels containing health information of its customers. The report comes about a month after Rite Aid agreed to pay $1 million to settle widespread HIPAA violations. (PCIHIPAA)

On our blog: Announcing the best Data Loss Prevention solution optimized for small business. Palisade Systems launches ComplianceSafe, a data privacy protection service for small business.

And for all the latest news and links about data breaches and privacy regulation, follow @PalisadeDLP on Twitter. We post links to relevant, interesting articles every business day between 9 am and noon CT.


Getting Started With ComplianceSafe Is Easy

by mitch 12. August 2010 13:02

One of our most important goals when we created our new ComplianceSafe product was to make sure that it's easy to set up for small business managers with minimal IT support. Read about how easy it is at the ComplianceSafe blog.


Announcing the Best Data Loss Prevention Solution Optimized for Small Business

by mitch 10. August 2010 09:13

Your small business is subject to the same privacy needs and regulations as faced by the biggest companies. You have to protect customer information, such as credit card numbers and Social Security numbers. In the case of medical practices, you’re also entrusted with patient health information.

Palisade ComplianceSafe report pie chart

Easy-to-read reports let you track potential violations.

Medium-sized and large businesses have sophisticated technology and IT staff to handle the problem of Data Loss Prevention (DLP). But what about the smallest healthcare providers, financial institutions, and retail businesses? They have to manage the same complicated privacy rules with little or no in-house IT support.

Now, there’s a DLP solution for just those kinds of businesses: ComplianceSafe.

ComplianceSafe, from Palisade Systems, uses a Software as a Service (SaaS) model for DLP. What that means for you, the small business, is that there’s nothing you need to install: no expensive hardware or complicated software. We run ComplianceSafe on our servers, and you connect to the service over the Internet. If you can set up a Facebook page or configure your desktop e-mail client, you can get up and running on ComplianceSafe.

Getting started is easy:

1. Sign up at ComplianceSafe.com.

2. Point your company’s outbound e-mail at our ComplianceSafe servers.

3. Using simple wizards, tell ComplianceSafe how you want us to handle email containing sensitive information. Do you want us to block it? Notify the user? Notify an administrator inside your company? We can do any and all of that — just let us know.

4. Give us your credit card number so we can bill you.

Once you’re up and running, ComplianceSafe analyzes each outgoing message to look for sensitive data, including credit card numbers, Social Security numbers, private health information, and financial information. We don’t just search for keywords — we use sophisticated algorithms to test each e-mail, based on years of experience with our PacketSure appliances, which provide the same sort of protection as ComplianceSafe but are designed for medium-sized companies.

ComplianceSafe will help you comply with regulations requiring you to protect customer privacy, including HIPAA, GLBA, the PCI-DSS, and state privacy laws in California, Massachusetts, and elsewhere.

Pricing starts at $10 per user per month, with volume discounts available.

Get help with compliance. Get ComplianceSafe.

Sign up now or take the ComplianceSafe tour on our home page for more information.


The views and opinions expressed and/or implied here are those of the individual contributors and do not necessarily reflect the views of Palisade Systems, Inc.