NEW ORLEANS – At 57 years old, Alton Simpson is a watchful eye in his quiet St. Bernard neighborhood. 

For more than three decades, he also helped watch over New Orleans public schools as a maintenance worker. That is, up until Hurricane Katrina.

"We weren't laid off, and we never were notified on what happened with us,” Simpson said.  “We tried to get answers but they just let everyone go."

Simpson said after he was forced to retire, he assumed his personnel records would be let go too.

"Well, you would think it would all be discarded, shredded," he said.

But his social security number was one of dozens, if not hundreds, that Eyewitness News discovered inside an old New Orleans public school warehouse, a facility seemingly untouched since the storm.

The water line is still clear nearly four years later, and a WWL-TV news crew found the gate leading to the complex unlocked, and the entrance wide open.

Inside were countless boxes filled with confidential information, not to mention stacks of other documents lying on the ground, listing payroll information, worker evaluations, notices of personnel action, and investigations into employee discrimination.

Full names, home addresses, and social security numbers can be seen on document after document.

“Well, it's a little shocking,” said Wade Rathke, the leader of Local 100, Service Employees International Union, the workers union that represents maintenance employees for the Orleans Parish school district.

Eyewitness News showed him video of the warehouse.

"This is a standard story of ‘out of sight, out of mind,’ and to forget your own workers, many of whom may have been there 10, 20, 30 years, and the value of their privacy and the confidentiality of their records, is really sort of unheard of in personnel management,” Rathke said.

Some experts said it could create a very real risk for identity theft, with innocent public-school workers left vulnerable to would-be crooks.

"A lot of times what they'll do is get credit cards in your name, and other lines of credit and could even open a bank account,” said Will Hatcher, an FBI special agent specializing in cyber crime.

At the warehouse, Eyewitness News found no security guards to speak of, or signs to keep people away – just old textbooks and toilets.

It was hard enough to stand, let alone walk, in most parts of the building.  The floor was completely covered, with everything from old finger paint to forgotten American flags, and one could actually sense the water damage well before seeing it on the ground. 

"We're the owner of the building, so I guess we ultimately have to say, we can only point our fingers at ourselves,” said Stan Smith, chief financial officer for the Orleans Parish school board.

Smith said the school district had no idea the building was unlocked, or that it was still home to confidential documents.

"I'd say that's a lot of bull," said Simpson, the former maintenance worker.  After the storm, he says he told lawyers for the school board that personnel files were left inside the building. 

School officials say steps were taken soon after Hurricane Katrina to remove what they thought were all of the records, but Smith now acknowledges they clearly were mistaken.

As for the future of the warehouse, the school board says its waiting on FEMA to declare the facility more than 50 percent damaged.

"That would allow us to demolish it,” Smith said.

According to FEMA, $13.7 million have already been obligated for the warehouse.  The agency said it approved over $12 million to replace the contents and nearby school buses and nearly $1.5 million to repair the building.

FEMA said the last of the money was approved on April 4, 2008, more than one year ago.

Smith said those millions aren't really available to spend.

"Right now it's paper, it’s sitting on a project worksheet," Smith said.

He said the school district wants to use the money to build more schools, rather than reconstruct a warehouse that's now too big for what the shrunken New Orleans school system currently needs. But that change can't happen until FEMA gives the okay. Even then, the school board will have to shell out the cash first.

"FEMA is a reimbursable program,” Smith said.  “You have to spend the money before you get it."

In the meantime, Smith says he also hopes to increase the amount the federal government is willing to give the district for the worn out warehouse. 

But progress is slow. In fact, Smith said the process hasn't even started.

"We think it should be able to be done within the next six months,” he said.

FEMA officials denied WWL-TV’s request for an on-camera interview. 

What remains certain is that countless confidential records were left unsecured.

“This is going to lead to a number of phone calls and lines of people out at the personnel office for Orleans public schools, to find out what the impact may have been on their records and looking for assurances that they're getting protection,” Rathke said.

Alton Simpson said he'll be one of them.

"I think it's criminal,” he said. “I think it's very foolish of them to handle our documents like that, our numbers, our lives."

The man who helped look after the well-being of New Orleans schools for nearly 32 years, said he's disappointed his employer didn't return the favor.

"I guess you could say everything was washed away with the storm.  They just forgot about everybody there and just pushed it aside, didn't care about the employees."

After Eyewitness News notified the school board about the abandoned building, the district hired a moving company to relocate the confidential documents, and another company to shred files. They've been working since last Friday and said they hope to be done by the end of the week. 

The doors of the warehouse have also been secured, but the non-confidential materials and garbage inside are not being moved The school board said it is all needed as evidence for when they can get FEMA to reevaluate the damages, in hope of locking in more money to build new schools. 

Since Katrina, the Orleans School Board has spent $42.7 million building and renovating schools. FEMA has reimbursed them for about $4 million, but the school board believes they're entitled to at least six times that.

Police: Man Encourages Dumpster-Diving For Credit-Card Info

The Federal Trade Commission will delay enforcement of the new “Red Flags Rule” until August 1, 2009, to give creditors and financial institutions more time to develop and implement written identity theft prevention programs. For entities that have a low risk of identity theft, such as businesses that know their customers personally, the Commission will soon release a template to help them comply with the law. Today’s announcement does not affect other federal agencies’ enforcement of the original November 1, 2008 compliance deadline for institutions subject to their oversight.

“Given the ongoing debate about whether Congress wrote this provision too broadly, delaying enforcement of the Red Flags Rule will allow industries and associations to share guidance with their members, provide low-risk entities an opportunity to use the template in developing their programs, and give Congress time to consider the issue further,” FTC Chairman Jon Leibowitz said.

The Fair and Accurate Credit Transactions Act of 2003 (FACTA) directed financial regulatory agencies, including the FTC, to promulgate rules requiring “creditors” and “financial institutions” with covered accounts to implement programs to identify, detect, and respond to patterns, practices, or specific activities that could indicate identity theft. FACTA’s definition of “creditor” applies to any entity that regularly extends or renews credit – or arranges for others to do so – and includes all entities that regularly permit deferred payments for goods or services. Accepting credit cards as a form of payment does not, by itself, make an entity a creditor. Some examples of creditors are finance companies; automobile dealers that provide or arrange financing; mortgage brokers; utility companies; telecommunications companies; non-profit and government entities that defer payment for goods or services; and businesses that provide services and bill later, including many lawyers, doctors, and other professionals. “Financial institutions” include entities that offer accounts that enable consumers to write checks or make payments to third parties through other means, such as other negotiable instruments or telephone transfers.

During outreach efforts last year, the FTC staff learned that some industries and 
entities within the agency’s jurisdiction were uncertain about their coverage under the Red Flags Rule. During this time, FTC staff developed and published materials to help explain what types of entities are covered, and how they might develop their identity theft prevention programs. Among these materials were an alert on the Rule’s requirements,www.ftc.gov/bcp/edu/pubs/business/alerts/alt050.shtm, and a Web site with more resources to help covered entities design and implement identity theft prevention programs,www.ftc.gov/redflagsrule. The compliance template will be available on this Web site.

The Federal Trade Commission works for consumers to prevent fraudulent, deceptive, and unfair business practices and to provide information to help spot, stop, and avoid them. To file a complaint in English or Spanish, visit the FTC’s online Complaint Assistant or call 1-877-FTC-HELP (1-877-382-4357). The FTC enters complaints into Consumer Sentinel, a secure, online database available to more than 1,500 civil and criminal law enforcement agencies in the U.S. and abroad. The FTC’s Web site provides free information on a variety of consumer topics. 

MEDIA CONTACT:

FTC Office of Public Affairs
202-326-2180

ARMA International Information Management Newswire, June 2008

According to Fortune Small Business and other sources, the IRS has increased its audits of small companies. The rise in tax audits has implications for records management in small firms because records that document tax deductions often come under scrutiny during audits and must be held from destruction while an audit is in progress. Inability to destroy records on hold can add to costs for records storage and maintenance.

A study by the Transactional Records Access Clearinghouse (TRAC) at Syracuse University showed that small companies were audited 41 percent more often in 2007 than in 2005. TRAC's report also noted that companies with $10 million to $50 million in assets were 29 percent more likely to be audited. In contrast, major corporations – those with assets of $250 million or more – had only a one-in-four chance of being audited in 2007 compared with a three-in-four chance in 1990.

The IRS believes that small businesses are a big reason for the tax gap, which is the difference between the amount of taxes paid and what the government is actually owed. But the TRAC study shows that, on average, large company audits turn up about $7,500 per hour in additional taxes owed compared with $474 per audit hour in small firms.

Reasons given for the focus on small businesses vary. A spokesperson for the National Treasury Employees union told of reports from IRS employees who said they were under pressure to increase productivity by limiting the scope of audits. The theory is that, under such pressure, auditors will pursue smaller, easier audit targets. The IRS has responded that it is actually focusing on the use of partnerships and other entities that companies of all sizes use to minimize taxes. A deputy IRS commissioner told The New York Times that the IRS is focusing on private partnerships that some large corporations use to avoid paying taxes.

The Kiplinger Business Resource Center notes the areas most likely to be examined during IRS audits of small businesses are:

    * Worker classification – documentation that distinguishes independent contractors from employees

    * Retirement plans – particularly documentations showing mistakes made in administering simplified employee pensions plans

    * Tip reporting – forms used by restaurants and other service businesses that require them to allocate tips according to a percentage of sales

Small business owners who believe that they are "under the radar" for tax audits because of their size should take heed. One small business owner estimates that he spent $50,000 on the tax audit process that lasted 18 months. Ironically, the IRS has instituted a CAP program for large corporations that results in tax audits closing within six months of filing returns, allowing major savings for records whose retention is designated as "close of tax audit."

SDB News 6/9/2008 3:18:43 PM 

Indiana Attorney General Steve Carter has created an Identity Theft Unit to help ID theft victims and to provide additional resources to local law enforcement investigating and prosecuting such crimes.

"Our new unit is designed to reduce the frustration felt by victims and to provide expertise and resources to local law enforcement authorities in investigating and prosecuting this crime," Carter says. "We work with entities regularly on compliance with Indiana’s security breach notification law."

The ID Theft Unit is a part of the Consumer Protection Division of the Attorney General’s Office and is staffed by a team of attorneys, investigators and support staff.

The unit actively investigates alleged fraud and provides hands-on assistance to consumers to help them address and correct the problems caused by the identity theft. The unit offers assistance, expertise and resources to local law enforcement and prosecutors in criminal prosecution efforts that may result.

The ID Theft Unit also advocates educational efforts with the assistance of J. Michelle Sybesma, an identity theft survivor and creator of www.GetIDSmart.com, a Web site designed to educate the public on protecting personal information from thieves.

Indiana’s Security Breach Notification Law took effect July 1, 2006, and requires companies and individuals who hold personal information in an electronic format to notify those people affected if the data has been left unsecured and available for unauthorized access. More than 23 private sector breaches have been reported to the attorney general’s office since the law took effect.

An Identity Theft Victim Kit, tips for protecting against ID theft, instructions for placing a security freeze and information on how to file a complaint with the ID Theft Unit can be found at www.IndianaConsumer.com.

By Bill Steigerwald

Pittsburgh TRIBUNE-REVIEW

Sunday, June 15, 2008

Something else to think about next time you're feeding your Ford Mini-brontosaurus $80 worth of regular gasoline:

According to the federal Minerals Management Service, about 86 billion barrels of oil and 420 trillion cubic feet of natural gas are locked up and untouchable just off our shores.

"Locked up"? By whom? Who could be so stupid? So diabolical? So un-American?

Big Oil? The U.N? Those evil Exxon Republicans who took us to war for oil in Iraq?

Close. It's our cracked-up Congress -- mainly liberal Democrats who are beholden beyond reason to the religious left's most dangerous fundamentalist sect, wacko environmentalism.

For 27 years Democrats and Republicans have used a two-sentence rider in annual Interior Department appropriations bills to outlaw development of the vast oil and gas fields that we know exist within 200 miles of our coasts.

But Rep. John Peterson, a Republican from upstate Pennsylvania whose crusade to fix America's broken energy policy has brought him the interplanetary enmity of environmentalists, has made it his mission to slay that foolish rider.

All Peterson wants to do is get Congress to allow America to do what every other sensible modern country on Earth from Norway to New Zealand has been doing for decades -- open our deep-sea energy reserves to safe, environmentally sensitive development.

Peterson's latest attempt to kill the foolish rider was Wednesday at a subcommittee hearing when he offered an amendment to the Interior Department appropriations bill that would allow oil and gas drilling rigs to operate between 50 and 200 miles offshore -- so that no liberal's tender eyes can ever see them.

Given $140-a-barrel oil, Peterson thought he could win over two Democrats. But the final tally was 9-6 against him on straight party lines, Peterson said after the vote Wednesday from his office in Washington.

Despite his setback, Peterson remains an unabashed cheerleader of the increasingly popular "Drill Now, Drill Here, Pay Less" movement.

Most Democrats cling to shortsighted, economically fallacious arguments against offshore drilling, but Peterson says Canada is solidly on his side.

Canada, which he said thinks we are "crazy for locking up all our good stuff," is mad at us for not tapping our vast natural gas supplies. By not producing enough of our own natural gas, we drive up the North American price.

In fact, he said, for the last eight years the United States has paid the highest price in the world for natural gas -- about $12.50 per million Btu. Canada pays the second-highest price. South America, by the way, pays about $1.50.

Peterson will try again this week to lift the congressional moratorium on offshore drilling when the full 66-member House appropriations committee meets. All he needs is a majority of one -- and since his similar effort last year lost by only eight votes, he has hope.

"Americans are upset. If we can have a public discussion, if the press does its job -- not picking sides, just putting the facts our there -- and if we just have a factual debate, we will produce more energy.

"The American public is approaching 60 percent now in favor of drilling. If they understood this issue, they'd be 80 or 90 percent for drilling."

Only the enviro-radicals would still be opposed, he said. "And they don't want coal and gas. They don't want oil. They don't want nuclear -- and some don't want wind offshore if it's near their home."

Bill Steigerwald is the Tribune-Review's associate editor. He can be reached at bsteigerwald@tribweb.com or 412-320-7983.

Computerworld/IDG News Service - Oslo,Norway - May 23, 2008

The 2002 Sarbanes-Oxley regulations served as a wake-up call for CIOs to formalize document retention policies to meet compliance requirements. But regulatory demands-and the number of documents produced daily-continue to grow. So a solid document management process is a necessity. CIOs struggle with creating the policies, getting buy-in from the end users and managing the technology. Members of the CIO Executive Council, who meet regularly to discuss compliance approaches, share techniques that have made document retention policies work for them.

The 2002 Sarbanes-Oxley regulations served as a wake-up call for CIOs to formalize document retention policies to meet compliance requirements. But regulatory demands-and the number of documents produced daily-continue to grow. So a solid document management process is a necessity. CIOs struggle with creating the policies, getting buy-in from the end users and managing the technology. Members of the CIO Executive Council, who meet regularly to discuss compliance approaches, share techniques that have made document retention policies work for them.

Get the policy right

The first step is making sure that the right items are covered in your document management policies. For this, CIOs can rely on business peers, outside counsel and special regulatory tool kits.

"Initiating a high-level review of our document retention policies had to be a joint effort between myself and the general counsel. If we weren't both involved, I don't know how the effort could succeed," says George Washington University CIO Ron Bonig. For instance, GWU receives subpoenas and e-discovery requests around contracting and personnel questions. To ensure colleagues' participation and buy-in, Bonig stresses the fiscal importance of good policies and compliance. "The cost to the university in a federal lawsuit could be huge if we don't properly address retention," he says. "I put it in dollars, which really woke people up."

Strict HIPAA regulations govern patient medical information security in healthcare organizations. To create policies consistent with those rules, Michael Gaskin, director of information services at Sequoia Community Health Centers, purchased a HIPAA security toolkit. "The toolkit made it easy for me to review documents and know what I must include in my plan, " says Gaskin. The kit's workflow examples continue to inform Gaskin about compliance needs and how to refine his document retention policies.

Balance stakeholder interests

For ArcelorMittal Americas CIO Leon Schumacher, the challenge is making sure the interests of different stakeholders-users, legal, IT-are considered when developing a retention policy. "Each has specific issues that they want to address. Good communication before and during such definition phases is critical for success," he says.

The delicate balance between users' storage needs and retention guidelines is hard to strike. For example, Schumacher's team created management policies for personal storage limits, including how much e-mail people can maintain. But the team heard complaints that users weren't getting enough space. Schumacher responded by introducing policies at two levels: one for management, which gets 500MB of storage, and one for general users, which get 250MB. The team is working on newer archiving solutions to further ease these constraints.

Plan for the long term

Policies must cover document retention over a long period. For a university, this is a huge issue given the length of time it must keep student loan data, transcripts and other federally mandated data. "One of the issues is to make sure that the documents in their electronic form can be upgraded and transitioned from one technology to the next over decades," says GWU's Bonig. So his team watches the storage landscape to stay abreast of any technology that would necessitate a business decision about whether to transfer retained documents.

Make it pay

A good document retention policy can do more than avoid legal fines. At American Greetings Interactive, Senior VP and CTO Rajiv Jain has policies to archive everything on the desktop and retain all executive e-mails indefinitely. "Our e-mail retention policy has definitely come in handy. There was a disagreement over the fees associated with vendor negotiation. We were able to find the original archived e-mail from the vendor, which proved that we were right and did not owe the amount of money they claimed," says Jain.

The effort to build and enforce good document polices can provide a strategic advantage.

Most of GWU's back-office staff work at its Virginia campus 30 miles away. Only representatives for financial aid, undergrad admissions and other student offices sit in the D.C.-based Student Union. If a student has a difficult question, the rep may consult a staff expert in Virginia. Now they can look at the same document simultaneously, since Bonig and his team are digitizing documents for retention. "We improved our business process dramatically and can confidently say that we offer student services from anywhere," says Bonig.

Sidebar: Tips for crafting a policy that works offered by Ron Bonig of George Washington University, and Rajiv Jain of American Greetings Interactive

Properly define "document" to include information of all types-electronic or paper, historical or transient business record.

Clearly state who and what function is the relevant retention authority for the most widely used categories of documents.

Indicate the specific duration of retaining different types of documents.

Identify specific staff or functions that have appropriate read, write and edit access.

Clearly state the reasons that retention is necessary (e.g. Sarbanes-Oxley rules, HIPAA regulations). As those requirements change, the rationale for retention should be reviewed, and any changes to the retention period should be made.

State that if a file or folder contains multiple types of documents necessary for a coherent record, then the whole file or folder must be retained for the duration of the longest-held item.

Except when absolutely necessary, do not allow (or at least strongly discourage) the mixing of digital documents in storage. If document A needs to be retained for five years and document B needs to be retained for 20 years, keep them separate. You will reduce the cost of long-term storage and will avoid legal risks inherent in a failure to follow retention policies.

Give individual divisions or offices the authority to set retention policies for their own operational documents if approved by or coordinated with the General Counsel or Compliance Office.

-C.M.

For Immediate Release

UTAH VALLEY RECORDS MANAGEMENT REPRESENTATIVE BECOMES AUTHORIZED COMPLIANCE TOOLKIT PROVIDER

June 11 2008

Orem, Utah  – Utah Valley Records Management is proud to announce that Kent L Curtis is one of a limited number of information security professionals nationwide to be authorized as a distributor for a new Information Destruction Policy Compliance Toolkit.   The “Toolkit,” available free-of charge, is designed to help organizations develop the written information destruction procedures now required by law.  According to the National Association for Information Destruction (NAID), most organizations in the US report that they currently do not comply with this requirement and, therefore, are at risk.  The Toolkit is the first and only publication to specifically address information destruction policy development with a goal of making compliance with the laws easy and understandable.

And, the timing could not be better.   

The Federal Trade Commission recently reached a settlement with an Illinois-based mortgage company for discarding personal information without first destroying it, resulting in a fine of $50,000.  In the settlement, the FTC cited the absence of the required written policies and procedures as a basis for the penalty.  Similarly, the Attorney General of Texas recently announced two settlements with retailers for improper disposal of personal information, also citing the failure to have written policies and procedures.  In each of the settlements, the resulting fines amounted to hundreds of thousands of dollars.

According to NAID’s executive director Robert Johnson, “It is obvious that law enforcement agencies are becoming more aggressive in requiring compliance with the information destruction regulations as they continue to struggle with the growing ID Theft epidemic. Since last summer alone, there have been more fines, charges and penalties for improper disposal of personal information than there have been in the prior 10 years.”

“For some organizations, the policy on information destruction amounts to a single sentence, advising employees to destroy sensitive information properly before it is discarded,” Johnson adds. “In today’s social and business climate, that simply does not provide sufficient direction to employees who are dealing with many forms of media from any number of sources. Regulators, auditors, courts of law, the media and public sentiment are insisting on a more thorough approach to information disposal because of the potentially devastating consequences of improper disposal on people’s lives.”

Prior to authorizing a NAID Member representative to distribute the Toolkit, NAID requires that they become oriented in its use.  Only individuals who have completed the orientation are permitted to distribute it.

The Toolkit contains sample policies and procedures for training, authorization and destruction for the full range of conventional media forms, including paper records, computers, magnetic tapes, optical and micro media.  In addition, the Toolkit includes sample forms, templates and other resources useful in implementing the policy. And, while the Toolkit offers information destruction procedures for in-house information destruction, it also contains sample policies and procedures for selecting competent service providers.

Alan Andolsen, a highly regarded records management consultant who contributed to the Toolkit, says, “To my knowledge, this is the most thorough examination of proper information destruction available to date. It is something that can be integrated into almost any existing information management or security program or it can stand on its own.” 

The NAID Information Destruction Policy Compliance Toolkit, which runs over 70 pages and includes a CD, containing electronic versions of all templates and sample forms, is available free-of-charge.  

For more information on the NAID Information Destruction Policy Compliance Toolkit, contact Kent L Curtis at Utah Valley Records Management by telephone at 801-225-8876 or by email at kent@utahvalleyrecords.com.

About Utah Valley Records Management

Utah Valley Records Management (UVRM) is Utah County's first local company specializing in records management and storage, records scanning, digital media storage, and secure document destruction.  UVRM was voted by Utah Valley BusinessQ Magazine as one of 2008's top ten start-up’s to watch and plans to quickly grow into Utah County business’s top choice for the care and destruction of sensitive documents.  UVRM is dedicated to helping you keep your records up to date, organized and in compliance with current laws and regulations.

Utah Valley Records Management offers a secure off-site shredding service for all of Utah Valley, and can shred individual files or entire boxes.  All of UVRM's shredding is done securely and professionally.  UVRM provides a certificate of destruction if needed.  The high capacity shredder at UVRM's secure facility enables them to shred at a lower cost than is possible with a mobile on-site shredder.  Those savings get passed on to their customers without compromising document security. 

For more information please contact:

Kent L Curtis

Utah Valley Records Management

1042 S Geneva Road

Orem Ut 84058

801-225-8876

Kent@utahvalleyrecords.com

www.utahvalleyrecords.com