Tom Considine & Associates
"Information Privacy Professionals"

Your Subtitle text



Our Information Protection Managers (IPM's) are well-versed in many specialized areas.  We bring a diverse background to the table, allowing us to quickly assess risks to your organization and instill confidence to your clients and customers.   This gives Tom Considine & Associates an edge when dealing with complex federal and state compliance matters.  Most often, more than one area of expertise is required.  Whether you're a Fortune 500 company or small/mid-sized business, you both must comply with the same information protection laws and Payment Card Industry (PCI) mandates.  Now there's no longer need to hire a full time privacy/protection officer.  We can provide you with ongoing comprehensive and affordable support, or train your current staff to develop and provide for your own compliance needs.  

Tom Considine & Associates offers free initial consultations.

Our services include:

  • EMERGENCY SERVICES - Visit our Crisis Management page
  • Development of Written Information Security Programs (WISP)
  • Development of FTC Red Flags guidelines, policies and audits
  • Data Flow analysis to identify: Risks, Permissions and Covered Accounts
  • Information Assurance (IA) assessments and audits
  • Payment Card Industry Data Security Standards (PCI-DSS) development, internal assessments and audits 
  • Internal and external risk assessments 
  • Online interactive employee security training programs and progress reports 
  • Third-party risk assessments on business mergers, current and prospective service providers/vendors 
  • Information Protection Manager Training Program    "NEW SERVICE"   

Information security programs and policies are needed to:

  • Inform staff of their information protection duties and responsibilities.  Provide guidance on approved safeguarding, handling, release and destruction of sensitive information.
  • Defines how staff are permitted to represent the organization, what they may disclose publicly, and how they may use organizational resources for personal purposes.
  • The existence of a written security program may be a decisive factor in a court of law, or administrative action demonstrating the organization took a proactive stance to protect sensitive information.
  • Defines both acceptable and unacceptable staff behavior while reducing nonproductive work hours. For example; staff spending hours during the workday surfing the internet and playing fantasy football, or downloading pornography is generally unacceptable workplace behavior. However, written policies are necessary to establish the basis of unacceptable behavior for disciplinary actions, up to and including lawful termination.

Real World Problems Caused by Missing Information Security Policies:

The following are specific case problems designed to give you an idea of how adopting specific security policies can help you avoid problems in various industries:

At a Government Agency...
A clerk spent a great deal of time surfing the internet while on the job. Because there was no policy specifying what constituted excessive personal use, management could not discipline this employee. Management later discovered the clerk had downloaded a great deal of pornography. Using this as a reason, management fired him. The clerk chose to appeal the termination with the Civil Service Board, claiming that he couldn't be fired because he had never been told that he couldn't download pornography. After a Civil Service hearing, the Board ordered him to be reinstated with back pay.

At a Law Firm...
The manager of data processing took a job with a competing law firm. Because his former employer had nobody who could do the job that he did, they kept him on as a contractor. On a part-time basis, he would perform systems management tasks. In order to do these tasks he needed full privileges on the former employer's network. One day the former employer learned that the manager's new employer was opposing them in a high-visibility lawsuit. Could the former data processing manager gain access to the shared legal strategy files for this case on the network? The answer was yes, but nobody knew whether the manager had exploited these capabilities because no data access logs were being kept. This situation could have been avoided if the former employer had policies about conflicts of interest, system access privileges, and keeping logs.

At an Oil Company...
An oil company computer technician compiled a list of jokes about sex. Proud of his list, he broadcast this list on the internet, appending his company electronic mail address to the end, just in case the recipients happened to have heard any new ones. Management was able to have the posting deleted from several discussion groups, but was not able to control copies that had been made. Around the same time the same technician had printed a copy of his list, and when distracted by something else, had left it in the hopper of a departmental printer. Women in the department objected that they had been subjected to sexual jokes via email that they didn't want to read. They pointed to the internet postings and the printer output as examples. The pending sexual harassment lawsuit was settled for an undisclosed sum. A policy about permissible use of the internet, as well as a policy about representations made using the company name on the internet were noticeably lacking.

At a Local Newspaper...
A local newspaper had no policy requiring the termination of user-ID and password privileges after an employee left. A senior reporter left the newspaper, and shortly thereafter, the newspaper had trouble because the competition consistently picked-up on their exclusive stories (scoops). An investigation of the logs revealed that the former employee had been consistently accessing their computer to get ideas for stories at his new employer.

At a Midwest Manufacturing Company...
A virus hoax sent by email through the internet indicated that if people receive a message with the heading "Join the Crew" they should not read it. The hoax went on to state that this email would erase a hard drive if ever it should be displayed. Thinking that they were doing others a favor, 10% of the staff at a large manufacturing company broadcast the hoax to all the people they knew. Because no policy defined how they should handle these warnings, they flooded the company's internal networks with email and caused a great deal of unnecessary technical staff time to be wasted.

At a West Coast Manufacturing Company...
Because it had no policy requiring employee private data to be encrypted when held in storage, a large manufacturing company found itself facing a public relations problem. A thief made off with a computer disk containing personal details and bank account information on more than 20,000 current and former employees. The press speculated that this could be used to facilitate identity theft, including application for credit cards in the names of other people. The event precipitated a massive notification process including recommendations on changes to bank account numbers.  The notification process and identity theft protection services to employees cost the company over $2, 000, 000 for the loss of one unencrypted disk.  

At a Major Online Service Company...
A Navy enlisted man registered with an internet online service company and filled out a profile form which indicated that he was gay. An employee at the service company, after an inquiry from the Navy, shared this profile information with the Navy's "top brass." Based on this information, the enlisted man was given a dishonorable discharge. The enlisted man sued the Navy for violating its own "don't ask, don't tell" policy, and won an honorable discharge with retirement benefits as a result. The online service company publicly stated that its employee had violated "the privacy policy," but this policy had been violated on multiple occasions before including top management's publicly stated intention to sell customer home telephone numbers to telephone marketers. At least the service firm now admits that it has a policy.

                                                           Tom Considine & Associates
                                                 Information Privacy Professionals

                                                                Ph:        (702)   722-3492