Support forums are very popular on the Internet. Some help about any manufacturer or applications can be found for free and, often, performed by very competent people. But, when commercial products are involved), it can be dangerous to post official information coming from the manufacturer or the developer itself…

This is a bad story for an Orange employee. Orange (part of the France Telecom group) is a telecommunications operator (Internet, mobile and IPTV) which distributes the iPhone on the French market. This mobile phone is very popular and a lot of forums are dedicated to it. On one of them, iphonefr.com, an Orange employee was very active under the pseudo “Devax”. This guy was very helpful to the forum community and contributed to help a lot of users to fix issues or to choose the best offers. Of course, he made that for free, outside his work hours.

He was arrested by the Police and accused of disclosing confidential information! Why? He published on his blog the “new” communication rates not yet made publicly available by Orange (but already present on the Intranet).

The question which arise is: Is a document published on a company Intranet classified as non-confidential? Was the document correctly classified?

Here is a copy of an article in a French newspaper: Un salarié de France Telecom mis à pied pour ses indiscrétions sur un blog.

Click to enlarge

Nymity, global privacy and data protection research services firm specializing in compliance and operational risk management, published interesting maps which give a decent overview of the legislative landscapes regarding the data breaches for United States, Canada, and the EU.
arround

Source: nymity.com.

Communication! This is a key element in the incident management procedure when a data breach has been discovered by a company or organization. Soon, in the United States, it will become mandatory to report data breaches:

“It would make it illegal for a company to conceal a breach if it resulted in unauthorized access to sensitive personal information. Entities that experience the breach of such data would have to notify the affected victims and consumer reporting agencies if the breach involves more than 5,000 individuals. They would have to notify the U.S. Secret Service if the intrusion involves more than 10,000 individuals.”

Source: wired.com, govinfosecurity.com.