Compromised accounts within just 25 companies account for nearly half of the identity theft complaints filed with the U.S. Federal Trade Commission, according to recently released FTC data compiled by the University of California, Berkeley.

In data culled from three months' worth of 2006 FTC complaints, Sprint and AT&T averaged more identity theft events than any other institution except Bank of America, the largest consumer bank in the United States.

The FTC encourages victims of identity theft to file complaint forms in order to help the commission, as well as law enforcement organizations, get a picture of criminal trends. It publishes a survey on identity theft, but until now it has not broken down its data on complaints by institution.

That work was done by Berkeley's Center for Law and Technology, which used the Freedom of Information Act to obtain FTC data on more than 88,000 complaints filed in January, March, and September 2006.

The data show that a handful of companies account for the lion's share of identity theft complaints.

Complaints mentioning just 25 companies account for 49.9 percent of all identity theft events in the FTC database, according to the report's author, Chris Hoofnagle, a senior fellow with the Berkeley center. About 7,500 companies are mentioned in the other 50.1 percent, he said.

Not surprisingly, banks dominate the top 25, with Bank of America, JP Morgan, Capital One, and Citibank topping the list. But there are many telecommunications and technology companies there too, including Verizon, T-Mobile, Dish Network, Dell, eBay, and DirectTV.

According to FTC data, about 8 percent of new account fraud comes from telecommunications companies, Hoofnagle said, calling that number "really astounding."

Often a phony telephone account is the first step toward a more complex identity theft scheme. Thieves can set up fake telephone accounts using real Social Security numbers but phony names, and then pay them for a few months to build up a credit history and apply for credit cards, Hoofnagle said.

AT&T said it is clear that many industries have a problem with identity theft. AT&T takes steps to educate customers about identity theft and what they can to do prevent it, and also works with law enforcement agencies when thefts occur, the company's public relations agency said in a statement

Because the FTC data are not comprehensive -- only crimes that get reported to the FTC are counted -- and since there are no reliable figures on the number of consumers who have accounts with these companies, it is impossible to get an accurate picture of how common identity theft really is at any of these institutions, Hoofnagle said.

Companies should make this information public so that consumers can see how bad the problem really is, he said.

In the meantime, the Berkeley study gave the government some ideas about how to tackle the identity theft problem, he said. For example, banks that send out a lot of preapproved credit card applications seem to pop up more frequently in FTC complaints.

It's also worth looking more closely at why these month-by-month complaint numbers change for some companies. For example, Dish Network saw its total number of complaints drop off after spiking dramatically in March. "Something happened in February, or just before March, that caused a huge number of complaints," Hoofnagle said. "I have no idea what it was."

"Regulators should know this, and their attention should be focused on these 25 companies. What is going wrong at these places?"

Dell reported revenue of nearly $16 billion for the fourth quarter of 2008, up 10 percent from a year ago but short of analyst estimates.

The company on Thursday reported revenue of $15.989 billion, short of the $16.265 billion estimate from analysts polled by Thomson Financial. Dell reported net income of $679 million, falling 6 percent year-over-year and short of analyst estimates of $810 million for the quarter that ended Feb. 1. Earnings per share were $0.31, down 3 percent from the same quarter of the previous year.

Earnings were affected by $83 million in charges taken by Dell related to the acquisitions of EqualLogic and Everdream. The company also took a $54 million charge related to severance costs and facility closures.

The company's sales grew globally. Dell reported a 17 percent increase in sales in the United States, which accounted for 49 percent of the company's revenue, and a 36 percent rise in combined sales in Brazil, Russia, India, and China.

Over the past eight months Dell reduced its headcount by 3,200, as it continues to address costs and productivity, the company said. The earnings growth puts Dell in a stronger position to address those issues, CEO and Chairman Michael Dell said in a statement.

Think you can get away with using e-mail and the Internet in violation of company policy? Think again.

A new survey found that more than a quarter of employers have fired workers for misusing e-mail, and one third have fired workers for misusing the Internet on the job. The study, conducted by the American Management Association (AMA) and The ePolicy Institute, surveyed 304 U.S. companies of all sizes.

The vast majority of bosses who fired workers for Internet misuse, 84 percent, said the employee was accessing porn or other inappropriate content. While looking at inappropriate content is an obvious no-no on company time, simply surfing the Web led to a surprising number of firings. As many as 34 percent of managers in the study said they let go of workers for excessive personal use of the Internet, according to the survey.

Among managers who fired workers for e-mail misuse, 64 percent did so because the employee violated company policy and 62 percent said the workers' e-mail contained inappropriate or offensive language. More than a quarter of bosses said they fired workers for excessive personal use of e-mail and 22 percent said their workers were fired for breaching confidentiality rules in e-mail.

Companies are worried about the inappropriate use of the Internet, and so 66 percent of those in the study said they monitor Internet connections. As many as 65 percent of them use software to block inappropriate Web sites. Eighteen percent of the companies block URLs to prevent workers from visiting external blogs.

Companies use different methods to monitor workers' computers, with 45 percent of those participating in the survey tracking content, keystrokes, and time spent at the keyboard. An additional 43 percent store and review computer files. Twelve percent monitor blogs to track content about the company, and 10 percent monitor social-networking sites.

Companies are keen to track employee e-mail and Internet behavior in part due to legal fears. According to research done by the AMA and ePolicy in 2006, 24 percent of companies in the study had e-mail subpoenaed by courts, and another 15 percent have faced lawsuits based on employee e-mails.

The researchers found that even though only two states require companies to notify their workers that they're monitoring them, most tell employees of their monitoring activities. Of the companies that monitor workers in the survey, 83 percent said they tell employees that they are monitoring content, keystrokes, and time spent at the keyboard. As many as 84 percent tell employees that they review computer activity, and 71 percent alert workers that they monitor their e-mails.

Intel's low-power processor code-named Diamondville will initially be available as a single-core processor, but the company is planning a dual-core version, said a source familiar with Intel's plans.

The dual-core Diamondville will deliver better performance than the single-core version and will be aimed at low-cost desktops, the source said.

The dual-core Diamondville chip takes Intel into the low-cost desktop market to compete with vendors such as Via Technologies, which is providing low-cost processors in desktops priced at less than $300 being sold by Everex.

The single-core Diamondville will initially be included in low-power notebooks that are fanless, the source said. The chips, which will be available around the middle of this year, will be manufactured using the 45-nanometer process and will likely contain 47 million transistors. It will include a 1.60GHz processor and 512KB cache.

Though processor pricing hasn't been set, the single-core Diamondville chip will be for laptops in the $250 to $300 price range, the source said.

Diamondville is based on the Silverthorne chip architecture, which has a small die size and is designed for ultramobile devices. Although they are for different product segments, the Diamondville and Silverthorne processors fall under a single processor family that will receive an official brand name soon, the source said.

Diamondville will most likely be included in Intel's next version of Classmate PC, the source said. Micro-Star International is already working to introduce an ultra-low-cost notebook PC based on Diamondville to compete against rival Asustek Computer's Eee PC.

Intel intends to include Diamondville processors in a new product category the company terms Netbooks, low-cost, low-power notebooks designed for basic computing such as Internet use. Classmate PC is an example of a Netbook, the source said.

This low end of the market is expected to grow, spurred by the success of Asustek's Eee PC ultramobile notebook, which has sold thousands of units so far, said Dean McCarron, founder of Mercury Research.

"Once the Eee PC happened and we saw the volumes associated with it, all of a sudden design activity really stepped up," McCarron said.

The Eee PC is powered by a specially made Intel Celeron ultra-low-voltage processor, which Diamondville will replace in the low-end notebook segment, McCarron said. The Celeron brand itself will not go away, but will instead focus on speedier processors to meet higher multitasking needs.

Diamondville could also have competition from Via Technologies' C7-M processor, which is included in Everex's Cloudbook ultraportable PC. Via Technologies is also designing a processor based on its Isaiah architecture to replace the C7-M processor. The new 64-bit Isaiah architecture will enable processors in notebooks and desktops to run at speeds from 400MHz to 2GHz and include 1MB of cache. The processors are set for release in the middle of the year, around the same time as Diamondville, McCarron said.

This is the first time Intel is making a purposefully designed chip that is low in cost, McCarron said. Via is the pioneer in that space and will continue to make low-cost products, so there will be some obvious overlap in the future that will lead to competition, he said.

Advanced Micro Devices will focus on hitting the low-cost market in 2009 with Fusion, which includes highly integrated components, McCarron said.

Sprint Nextel went one step further than rival U.S. mobile operators on Thursday by offering unlimited voice, data, and multimedia services for $99.99 per month.

The $99.99 Simply Everything plan, launching Friday, includes unlimited voice minutes, data services, e-mail, Web surfing, Sprint TV, Sprint Music, GPS navigation and push-to-talk services. It will be available to new and existing customers on both Sprint's CDMA and iDEN networks.

Last week, Verizon Wireless, AT&T Mobility, and T-Mobile USA all announced unlimited voice minutes for $99 per month. The stampede was good news for people who spend a lot of time talking on the phone because existing voice plans in that price range were limited to a few thousand minutes a month. But with those carriers, data services cost extra.

Sprint is under pressure to undercut its competitors because it is the underdog in the market. On Thursday, it posted a loss of $29.5 billion for the fourth quarter of 2007, counting a writedown of $29.7 billion for Sprint's 2005 acquisition of Nextel. It also suffered a net loss of 108,000 subscribers and forecast losing about 1.2 million post-paid customers in the current quarter, a trend it does not expect to improve in the second quarter of this year. Average revenue per user is also declining, Sprint said.

The carrier has had trouble integrating Nextel, which brought in a different network, customer base, and corporate culture, according to industry observers. Sprint also has struggled to differentiate itself from the nation's other big mobile operators. Chairman, President, and CEO Gary Forsee resigned last October and was replaced by a new CEO, Dan Hesse, in December.

Current Sprint customers will be able to switch to the Simply Everything plan without extending their contracts, according to Sprint. Every time a customer adds one more line using the plan, Sprint will cut another $5 off the monthly rate for that line, so for example, two lines would cost $194.99 per month.

MercExchange and eBay have settled a patent dispute that in 2006 was heard by the U.S. Supreme Court. In the case, the Supreme Court sided with the online auction house in what is considered to be an important ruling on intellectual property.

Under terms of the deal, eBay will purchase from MercExchange three patents that were part of a September 2001 lawsuit filed by MercExchange, along with additional technology and inventions related to the dispute. eBay will also license a search-related patent portfolio that wasn't part of the lawsuit, the company said Thursday.

Other terms of the agreement are not being disclosed, eBay said. The company does not expect that settlement terms will affect its 2007 financial results or its 2008 financial guidance.

The dispute included eBay's "buy it now" Web site feature, which MercExchange contended infringed one of its patents. A jury found in May 2003 that eBay had infringed a patent held by MercExchange, which then asked the U.S. District Court for the Eastern District of Virginia to issue an injunction against eBay's use of the feature. The U.S. Court of Appeals for the Federal Circuit followed long-standing practice of granting injunctions in intellectual-property cases -- action that is nearly automatic in such lawsuits -- and that paved the way for the Supreme Court to weigh in.

The Supreme Court unanimously rejected the appellate court position, but it also said that the District Court had used flawed judgment in its decision.

The Supreme Court decision ended the long-standing practice of near-automatic injunctions in such cases, clarifying that lower courts must use a four-factor test when considering patent injunctions.

Google shed more light on the health care service it is developing, showing off a couple of screenshots of what it will look like.

Google has been talking about its health initiative for some time now, slowly revealing more aspects of the project. Last week it announced a pilot of the service with the Cleveland Clinic but was short on details.

On Thursday, Google said that Google Health aims to offer users a central place to store their medical records. They will be able to import and share records from multiple institutions, provided the organizations already allow customers to digitally access their records.

A user's profile lists important information, such as conditions, medications, test results, allergies, and past operations. It also lists current doctors with their contact information.

Through the Cleveland Clinic pilot, Google has already discovered that the service is particularly useful to people who may live part of the year in Ohio and part of the year in Florida, said Marissa Mayer, vice president of search and user products for Google, in a blog post. Those people have historically carried paper health records back and forth between the locations. Now they can import their data from each medical facility and share it electronically with the other facility.

Mayer stressed the privacy and security that Google will offer around customers' health data. Unless users give explicit permission, Google won't share or sell their data, she said. It has developed its privacy policy in collaboration with the Google Health Advisory Council, a group of medical professionals that offers feedback to Google on its health care product ideas and development.

Google is working on a directory of third-party services that will be accessible from Google Health. For now, that simply allows users to import records into their profiles. In the future, Mayer wrote, it will let users schedule appointments and refill prescriptions online.

Despite Mayer's blog post and a speech on Thursday about Google Health by CEO Eric Schmidt at the Healthcare Information and Management Systems Society conference in Orlando, the service still isn't available beyond the Cleveland Clinic pilot. It should become publicly available in the "coming months," Mayer wrote.

In September, the lead for the Google Health project, Adam Bosworth, left the company. At the time, Google said that Mayer would run the project until a permanent replacement was found.

Bosworth was blogging about issues related to health care and how online tools might help as far back as 2006. The Cleveland Clinic pilot, which will be available to between 1,500 and 10,000 participants, is the first tangible offering of a Google Health service.

Google isn't alone among companies tackling the problem of organizing health care information. Archrival Microsoft last year launched an online health care service, HealthVault, to allow users to store and share health records online. Users can also feed data from devices like diabetes meters and heart rate monitors into their HealthVault accounts.

Both services are limited to institutions that have customer-accessible electronic records and to people interested in using them. Between 1 percent and 3 percent of U.S. residents have used e-health records, according to Lynne Dunbrack, program director at Health Industry Insights, a market research firm.

Announced during Macworld Conference & Expo in January, Apple confirmed on Thursday the company began shipping its hardware backup tool, Time Capsule. Notifications of the shipments began reaching customers that pre-ordered the device early this morning.

Time Capsule is the hardware companion to Time Machine, Apple's automatic backup tool that was introduced as part of Mac OS X Leopard. Time Capsule combines an 802.11n network access point and a hard disk drive -- in fact, the device is a full AirPort Extreme base station.

Time Capsule features dual-band antennas for 2.4GHz or 5GHz frequencies. It has one USB 2.0, one Gigabit Ethernet, and three Gigabit LAN ports. The device also has a built-in power supply and can connect to print wirelessly from a USB printer, according to Apple.

In addition, Time Machine offers Wi-Fi Protected Access (WPA/WPA-2), 128-bit WEP encryption and a built-in NAT firewall that support NAT-PMP for Leopard's Back to My Mac feature.

Time Capsule ships in two capacities: a 500GB model for $299, and a 1TB version for $499.

Macworld is an InfoWorld affiliate.

A growing number of privacy and civil rights advocates are calling on a federal court to reconsider its decision two weeks ago ordering the controversial Wikileaks.org whistleblower Web site to be disabled.

In a motion filed Wednesday in the U.S. District Court for the Northern District of California, the Electronic Frontier Foundation, the American Civil Liberties Union, the Project on Government Oversight (POGO), and a Wikileaks user asked the court for permission to intervene in the case.

In a 20-page brief, the groups said they were asking to intervene in a bid asking the court to dissolve its permanent injunction disabling the Wikileaks.org Web site. They claimed that the court's action violated their First Amendment right to access the contents of the Wikileaks Web site.

"The First Amendment encompasses the right to receive information and ideas," the groups said in the brief. "The documents and materials posted on the Wikileaks website concern matters of great public interest" which each of the parties filing the motion had regularly accessed, they said.

Expressing similar support was Harvard Law School's Berkman Center for Internet & Society's Citizen Media Law Project (CMLP). On Wednesday, the center filed a brief opposing the court's injunctions against Wikileaks and its domain registrar Dynadot. The amici curiae (friend of the court) brief, which was developed in collaboration with several media and public interest organizations, asked the court to take back its decision and cited First Amendment concerns.

"Under established First Amendment law, prior restraints, if constitutional at all, are permissible only in the most extraordinary circumstances," David Ardia, director of the CMLP said in a statement. "In this case, you have court orders that effectively shut down a website that has been at the forefront of exposing corruption in governments and corporations around the world," he said.

The groundswell of support for Wikileaks comes in the wake of two injunctions issued by U.S. District Court Judge Jeffrey White on Feb 15. The injunctions were in response to a lawsuit filed by the Julius Baer Group, a Swiss bank that, according to documents on Wikileaks, was involved in offshore money laundering and tax evasion in the Cayman Islands for customers in several countries, including the U.S.

Wikileaks claimed the documents had been leaked by a bank employee. In its complaint, the Swiss bank claimed that Wikileaks published hundreds of illegally obtained documents and confidential and copyrighted information belonging to the bank. The bank sued both Wikileaks and its domain registrar Dynadot.

In response, White issued a permanent injunction ordering Dynadot to immediately disable the wikileaks.org domain name and lock it to prevent the domain from being transferred to another registrar. The injunction also required Dynadot to immediately remove all DNS hosting records for the wikileaks.org domain name. The court asked Dynadot to prevent the domain name from resolving to the wikileaks Web site or any other Web site or server "other than a blank park page."

The judge also issued a temporary restraining order that forbade Wikileaks from displaying, posting, publishing, or distributing any material pertaining to the bank on any site that it directly owned or over which it had any control. The order instructed Wikileaks to ensure that all of the bank's information was removed from all Web sites it owned or controlled, to disable links to the material on such sites, and to provide the court with proof that it had complied with the orders. The judge's order even enjoined everyone who read the order or received notice of it from publishing or even linking to the documents.

The rulings drew scathing criticism from privacy and civil rights groups who saw it as an unprecedented violation of First Amendment rights. Several felt the court had overreacted in ordering the entire domain shut down, just because a relatively small number of documents it hosted were being disputed.

This week's friends-of-the-court briefs and the move to intervene by the EFF and the ACLU have been the most visible manifestations of that concern.

Matt Zimmerman, senior staff attorney at the EFF said his organization decided to file a motion to intervene because the case raises several troubling issues. For instance, the Swiss bank's strategy of getting Dynadot to disable the Wikileaks domain and the court's endorsement of that tactic could set a dangerous precedent if allowed to stand, he said.

"The strategy of going after the registrar is an attempt in a collateral way to get at the remedy," he said. "It shouldn't be a remedy that plaintiffs think is acceptable or that the courts think is acceptable. It's overkill, to say the least," he said. It should serve as a warning to others of how vulnerable their Web presence can be if their domain registrars or service providers are unable or unwilling to stand up to legal pressure, he said.

Similarly, Julius Baer's attempt to block access to all materials on Wikileaks because it wanted to protect its own documents, and the court's acceding to that strategy, is unwarranted, Zimmerman said. For one thing, it violates Wikileaks' First Amendment rights, he said. The court's action also violates the First Amendment rights of Web users who might have had a legitimate interest in reading all of the other material posted on Wikileaks, he said.

A hearing on the case is scheduled for Friday.

Computerworld is an InfoWorld affiliate.

On-demand ERP vendor NetSuite is rolling out the NetSuite Business Operating System (NS-BOS), a package of existing and new tools, in the hopes of enticing more ISVs to build vertical offerings on top of its core platform.

NS-BOS consists of NetSuite's hosted infrastructure; its core set of business applications; the SuiteFlex development framework; and SuiteScript D-Bug, a hosted debugging environment. However, only D-Bug is new.

While NetSuite customers are free to use the tools as well as partners, the company expects most of the interest to come from the latter camp. "Even the midmarket companies, they don't have large IT shops," said Mini Peiris, vice president of product management. "They also don't want a vanilla solution. ... There is definitely a huge potential for partners to come in and fill that gap."

"A lot of ISVs already have these best practices in these verticals," added Mei Li, senior vice president of corporate communications.

While about 600 partners have signed up with NetSuite, only about 20 to 30 have built complete offerings so far, according to Peiris.

ISVs that develop and sell vertical applications leveraging the NetSuite ERP/CRM/Ecommerce Suite won't be charged for using NS-BOS, but will have to share revenue with NetSuite for the base suite. However, "anything [partners] build on top of NetSuite is their IP," Peiris said.

NetSuite's rival Salesforce.com has a different goal with its Force.com development platform, Peiris argued. "They're looking to encourage people to develop discrete applications and moving away from extending Salesforce."

One observer offered a measured response to NetSuite's news.

"I see it more as kind of their flag in the sand, you know, 'We've got a platform too,'" said China Martens an analyst with The 451 Group. "I don't think it's a really big announcement in any sense, but its really kind of reiterating who they are."

Next month, national standards bodies will vote for the second time on whether to adopt the Office Open XML (OOXML) document format as an international standard.

Whether the International Organization for Standardization (ISO) should adopt OOXML is a question that has fueled a blog battle between supporters and opponents, ahead of this week's meeting in Geneva to finalize the text that will be put to the vote.

[ The OOXML question is one of several that Microsoft faces in charting its new course, as InfoWorld's Bill Snyder explains. ]

But will the final decision even matter?

Definitely not, according to Andy Updegrove, a Boston lawyer who works with industry standards bodies.

"It really doesn't matter which way the vote goes," he said at the "Standards and the future of the Internet" conference in Geneva on Wednesday.

The event, organized by OpenForum Europe, took place in Geneva's International Conference Center -- just a few floors down from the room where Joint Technical Committee 1 was holding its Ballot Resolution Meeting (BRM) to debate OOXML's future as a standard.

How OOXML came to be there provides some of the explanation for Updegrove's answer.

Microsoft offered the specification for OOXML, based on Microsoft Office 2007's .docx default file format, to ECMA International, an industry consortium that also hosts the standards for the C# programming language and for ECMAScript, the "standard" version of JavaScript.

ECMA duly adopted OOXML in December 2006 as Standard ECMA-376 and submitted it to the ISO for fast-track approval as an international standard for office document formats.

An initial ISO vote rejected OOXML, with national standards bodies making 3,500 comments on areas needing further work. This week's meeting is attempting to resolve those comments to produce a new draft, which ISO members will vote whether to adopt next month.

However, the ISO already has a standard for office documents: Open Document Format for Office Applications, or ODF, submitted by the Organization for the Advancement of Structured Information Standards and adopted as ISO/IEC 26300 in November 2006.

Whichever way the OOXML vote goes next month, some European governments are likely to specify ODF for their office and archival systems, according to Updegrove.

That, he thinks, will ultimately lead to the merging of OOXML with ODF through "soft persuasion: a small percentage of the government market saying, 'This is something we think you should do. We aren't going to make you do it, but if you don't we're going to take our business elsewhere.'"

If OOXML is not adopted, it will simply ratchet the pressure to merge up a little as a few more governments specify ODF.

One who thinks the vote does matter is Vint Cerf, co-designer of the TCP/IP technology that underpin the Internet, and now chief Internet evangelist at Google.

"If OOXML is adopted, it leads to a problem of duplicate formats for document exchange," he said.

That duplication is bad for interoperability: In the Internet world, standards makers work hard on agreeing "one way to do things, and then evolving it," he said. "We don't reinvent the wheel."

IBM vice president of standards and open source Bob Sutor has an interest in the outcome of the vote, but there is one thing the BRM has already changed, he said: "OOXML has caused a crisis in the standards system."

Although "this is a BRM unlike any other," according to Sutor, there is one way in which it is just like all the others: it is held behind closed doors.

Whatever the outcome of the vote, that secrecy is one of the things that should change in the way IT standards are developed, Sutor said.

"Minutes should be published. This secrecy ... has to end," he said.

Sprint Nextel took a battering Thursday, reporting a $29.5 billion loss for its fourth fiscal quarter, caused by a write-down from its 2005 acquisition of Nextel and a shrinking number of mobile subscribers.

The dour results contrast with the profit of $261 million the company reported in the same quarter a year earlier.

Sprint Nextel's net operating revenue came in at $9.8 billion, down from $10.4 billion a year prior. The lower revenue and write-down meant the company's stock lost $10.36 per diluted share.

[ InfoWorld's Ephraim Schwartz uncovers  the battle brewing between emerging 4G technology and the WiMax standard that Sprint is betting on. ]

Excluding the Nextel write-down, the company said it would have earned $0.21 cents per share, compared to $0.29 per share a year prior.

CEO Dan Hesse cited "deteriorating business conditions" and warned that it would take time before Sprint Nextel could improve its performance. No dividend will be paid "for the foreseeable future," Hesse said.

Sprint Nextel has struggled to digest the acquisition of Nextel. The merger was intended to drive up the average revenue per user (ARPU) of its subscribers, but fierce competition among wireless companies has quashed those hopes.

Post-paid ARPU fell to $58 for the fourth quarter, down from $59 in the third quarter and more than $60 in the fourth quarter of 2006, Sprint Nextel said. The loss was caused in part by lower voice revenues, but further losses were offset by increased data services revenue, the company said.

Last month, Sprint Nextel said it will lay off about 4,000 employees and close about 125 retail outlets. The layoffs and other cost-cutting measures are expected to save the company $700 million to $800 million a year.

During Wednesday's launch of Windows Server 2008, storage vendors turned out in full force, including CA, FalconStor Software, Emulex, EMC, Network Appliance, and QLogic.

Like others, Symantec wants to take advantage of the sales opportunity presented by Microsoft's Windows Server 2008, of which IDC forecasts 3.5 million copies will be sold this year.

[  Get the whole scoop on the Windows Server 2008 family in InfoWorld's special report. ]

"We have to have a solution from day one," said Roger Blomqvist, senior principal technical product manager at Symantec. "That's an opportunity we can't afford to miss."

Symantec Backup Exec, CA ARCserve, and FalconStor Message Recovery for Exchange have all been certified for the new operating system.

"If you want to backup Windows Server 2008 you have to use Volume Shadow Copy Service, VSS. It's something Microsoft has changed to improve stability, but I don't think it will lead to big improvements. The technology we used before was very mature," said Blomqvist.

But one change he really likes is drivers running in user instead of kernel mode. "If the driver crashes, the file system won't go down with it," said Blomqvist.

A Microsoft representative confirmed Blomqvist's technical explanations.

To get access to the SAN (storage area network) from servers, companies can use HBA's from Emulex or QLogic. Emulex touts support for Message-Signaled Interrupts and Message-Signaled Interrupts Extended, two standards that improve performance by giving each card its own set of interrupts.

CA has also certified its Storage Resource Manager product. "It's a product that you use to keep your storage in check, you can for example monitor growth and search for duplicate files," said Peter Merkert, technology specialist at CA.

EMC has chosen a different approach, instead of bragging about products, it says 600 consultants are ready to help deploy and leverage new capabilities in Windows Server 2008.

Storage vendors are also starting to tout support for Microsoft's upcoming hypervisor Hyper-V, although the product won't reach market until up to 180 days from now. Emulex, QLogic, and Network Appliance say they will support the virtualization technology.

Health care organizations feel under increasing attack from the Internet, while security incidents involving insiders and disappearing laptops with sensitive data are piling up. On top of that, there's now the prospect of a surprise audit from the federal government agency in charge of overseeing the HIPAA security and privacy rules.

Health care organizations are stepping up efforts to protect electronic patient information as they witness increased attacks against hospital networks, mindful how a data breach could hurt patients and their own reputations.

"There is definitely an uptick in attacks," says Dr. John Halamka, CIO at both Beth Israel Deaconess Medical Center and Harvard Medical School in the Boston area. "Privacy is the foundation of everything we do. We don't want to be the TJX of healthcare." TJX is the Framingham, Mass-based retailer which last year disclosed a massive data breach involving customer records.

Dr. Halamka, who this week announced a project in electronic health records as an online service to the 300 doctors in the Beth Israel Deaconess Physicians Organization, acknowledges computers in health care are sometimes compromised as spam relays or to host unauthorized content such as porn.

"It gives attackers a means to distribute it," says Halamka. While he has seen no evidence of attackers targeting health care networks to steal patient data for financial gain, other security experts say that dangerous trend is well under way.

"Health care organizations store a lot of valuable personal, identifiable information such as Social Security numbers, names, addresses, age, in addition to banking and credit-card information," says Don Jackson, researcher at Atlanta-based security services firm SecureWorks.

SecureWorks has recorded an 85 percent increase in the number of attempted attacks directed toward its health care clientele by Internet hackers, with these attempts jumping from 11,146 per health care client per day in the first half of 2007 to an average of 20,630 per day in the last half of last year through January of this year.

SecureWorks believes that some of the most sought-after information is from patients who are members of preferred medical network plans, which hackers turn around and sell as credentials to criminals specializing in illegal immigration.

"Credentials information is usually stolen via targeted cyberattacks," says Jackson, adding he's seen several cases where health insurance credentials were sold to criminals in the counterfeit document racket, especially in Central and South America.

Insider attacks are also a worry. Tenet Healthcare, which owns more than 50 hospitals in a dozen states, last month disclosed a security breach involving a former billing center employee in Texas who pled guilty to stealing patient personal information. He got nine months in jail.

And in an identity fraud case in Sarasota, Fla., last month, an office cleaner who gained access to the patient files of an anesthesiologist who rented an office at HealthSouth Ridgelake Hospital pled guilty to fraud for ordering credit cards on the Internet with stolen patient personal information. He got two years' jail time.

Lost and stolen laptops have also been a problem, with disclosure of missing personal information related to patients or employees at Duluth, Minn.-based Memorial Blood Center, Mountain View, Calif.-based Health Net, Sutter Lakeside Hospital at Lakeside, Calif., and the West Penn Allegheny Health System revealed just within the last three months.

The HIPAA surprise audit Besides the loss of confidence such security incidents provoke, the specter of government regulatory probes is looming related to the federal security and privacy rules in the Health Insurance Portability and Accountability Act (HIPAA).

The U.S. Department of Health and Human Services (HHS), which oversees HIPAA compliance, has contracted with the firm PricewaterhouseCoopers (PWC) to conduct surprise audits of hospitals this year, says Gartner analyst Barry Runyon.

"It's complaint-driven," says Runyon, noting that Tony Trenkle, director of the Centers for Medicare & Medicaid Services at HHS, last month publicly said the first 10 or so reviews will be at hospitals where CMS received complaints about security. In visiting the health care organization, the government regulatory probe will focus on security risks associated with remote access to data and portable storage concerns, with security managers expected to answer a lot of questions.

CMS plans to publish the results of these audits on its Web site but not the organization's name, unless it uncovers major lapses, which could result in fines or other penalties as defined under the HIPAA guidelines. Last month, Atlanta's Piedmont Hospital was revealed by HHS to be the first unannounced HIPAA security audit.

Health care, heal thyself IT managers indicated they're taking proactive steps to secure external network access while also ensuring that authorized network users are limited to seeing only what they rightfully should.

At Mount Sinai Medical Center in New York City, the policy there is very strict about employees even looking at patient records without reason. "It's the curiosity factor," says Jack Nelson, CIO at Mt. Sinai, who notes that employees are told when hired they can be fired for online peeking -- and some have been.

"It's one strike and you're out -- and that's [for] clinicians as well," says Nelson, noting that the hospital's systems are generally role-based and keep track of every single access to a record.

Nelson says his biggest concern is not hackers trying to break in but sensitive data flying out over the network, including Mt. Sinai's voluminous clinical-lab test documentation. So Mt. Sinai recently installed Symantec data-loss prevention software on client computers to monitor outbound traffic.

HIPAA isn't the only set of security and privacy regulations that Mt. Sinai cares about. "When you have a data loss of about the magnitude of 10 patient records, you have to report that to the New York State Dept. of Health," says Nelson. "That's a serious violation."

Like Mt. Sinai Medical Center, Miami-based health benefits company AvMed Health Plans is also making use of data-loss prevention monitoring equipment to make sure sensitive data related to health claims is transferred appropriately.

Some e-mail communications with physicians' offices and hospitals must be encrypted under the HIPAA guidelines, notes Charles Hibnick, chief systems security architect at AvMed. The Palisades PacketSure monitoring equipment deployed since last October provides a way to determine that policy is being followed since it flags errors that might occasionally occur, such as someone forgetting to encrypt an e-mail's content.

"People sometimes say thank you when we catch this," says Hibnick. The monitoring is increasingly important since about 80 percent of health claims at AvMed are electronic, rather than predominantly fax, as they were just five years ago.

The prospect of an unannounced HIPAA audit by the government is an event that could shake anyone up, but in the final analysis, the federal probes are probably good for the health care industry, says Mark Jacobs, director of technology services in the datacenter operations at Pennsylvania-based WellSpan Health.

"HIPAA did help in some regard, getting the health information community to do audit, logging, and secure messaging and encryption," Jacobs notes, adding HIPAA has propelled his health care organization into new practices, such as adopting a security governance framework, single sign-on, and password provisioning.

A December decision against Qualcomm's bid to keep some Nokia phones out of the U.S. will stand, Nokia said Wednesday.

Administrative Law Judge Paul Luckern of the U.S. International Trade Commission (ITC) made an initial determination in Nokia's favor on Dec. 12, in a case involving alleged patent infringement. The ITC has decided it doesn't need to review that decision, Nokia said in a statement.

Qualcomm will now decide whether to appeal the decision to the U.S. Court of Appeals for the Federal Circuit, according to a statement from the chip maker on Wednesday.

Qualcomm brought the ITC complaint against Nokia in June 2006, alleging patent infringement in handsets that use GSM/GPRS/EDGE (Global System for Mobile Communications/General Packet Radio Service/Enhanced Data Rates for GSM Evolution). The allegations involved power control systems. As part of the suit, it asked the ITC to ban importation of the phones.

In the Dec. 12 initial determination, an ITC judge found no infringement and ruled one of Qualcomm's patents invalid, according to Nokia. Afterward, Qualcomm said it planned to petition the ITC to review the finding. A final decision had not been scheduled to occur until April 14.

In an ongoing legal battle that Nokia claims is connected to the expiration of a cross-licensing agreement last year, Qualcomm has filed 11 patent infringement suits against Nokia over the past few years, according to Nokia. In December, Nokia CFO Rick Simonson said talks on the cross-licensing agreement were continuing.