Now Available:
Featured Resources:
Newsletter
Email Address:
Monthly Archives
Ask the Expert
Have a question for our resident expert? Email your questions to Rebecca.
March 2, 2008
Digg it!
Sphere it!
Del.icio.us
Reddit!
NewsvineJanuary 29, 2008
AccuSearch Fined ~$200,000 For Pretexting & Selling Phone Numbers
January 20, 2008
Insider Threat Example: Former Cox Employee Sent To Jail (And More) For Hacking System
It is not only important, but absolutely necessary, to let personnel know what your information security and privacy policies are, along with your organization's sanctions, and then consistently enforce your policies. If personnel know that policies are not enforced, and that there is no negative consequence for not properly safeguarding information and systems, it becomes easy for personnel to not follow policies when it is inconvenient or time-consuming to do so. It is also easier for personnel to do bad things as vendettas when they get upset.
January 18, 2008
FTC Hands Down Another FTC Act Noncompliance Penalty For Bad Online Application Security
Yesterday the U.S. Federal Trade Commission (FTC) handed down yet another penalty against an online retailer, Life is good, Inc., for not properly safeguarding their online ecommerce applications.
The FTC charged they were in violation of the FTC Act because they promised in their online privacy statement that they would safeguard their customer data, but yet a hacker "was able to use SQL injection attacks on Life is good’s Web site to access the credit card numbers, expiration dates, and security codes of thousands of consumers."
January 7, 2008
E-Discovery Decision Demonstrates Need For Effective Retention Practices: A Great Case Study For E-Discovery Training
I'm still catching up on December news...and I ran across a significant e-discovery ruling. The U.S. District Court for the Central District of California ruled December 13, 2007, that Justin Bunnell/www.TorrentSpy.com was guilty of "willful spoliation of evidence" violating the E-Discovery Rule in the suit Columbia Pictures, Inc. brought against them for copyright infringement.
Reading through the court records, it is really amazing how blatantly the defendent violated what seemed to be almost every e-discovery rule possible in this situation. They...
December 30, 2007
UK Imposes Record Fine of $2.54 Million Against Life Insurance Company For Poor Information Security & Privacy Practices
December 26, 2007
FTC Fines Mortgage Co. For Tossing PII Into Dumpster: FACTA/FCRA, GLBA, & FTC Act Violations
Under the terms of the penalty, American United Mortgage Company must:
November 10, 2007
FTC Continues Active Compliance Enforcement: Applies $7.7 Million In Fines To 6 Do-Not-Call Violators
This week the FTC once again demonstrated that they aggressively enforce compliance with those regulations for which they have responsibility.
In their press release, "FTC Announces Law Enforcement Crackdown on Do Not Call Violators" they detail their recent actions against six organizations for non-compliance with the Do Not Call (DNC) registry requirements. The involved settlements totaled close to $7.7 million in civil penalties. In addition to the following, actions against Global Mortgage Funding are pending.
Here is an overview of the non-compliance activities and associated fines/penalties:
October 15, 2007
Trending Towards More Business Applied Employee Sanctions For Security Incidents
I've been noticing lately more and more organizations sanctioning their employees for not following information security policies. I first blogged about it recently on September 24 about a hospital actively enforcing sanctions for HIPAA violations, then again on October 10 about another hospital sanctioning employees for noncompliance, then again on October 11, and then again just yesterday.
Continue reading Trending Towards More Business Applied Employee Sanctions For Security Incidents...
October 14, 2007
Sanctions For Ohio Breach: Lost Vacation Time, Terminations, and a "Resignation"
The Ohio Department of Administrative Services (DAS) has determined that the appropriate sanction for inadequate security practices by the Ohio Department of Administrative Services' Administrative Knowledge System (OAKS) ERP project system team leader, that resulted in the theft of an un-encrypted backup tape containing the personally identifiable information (PII) of 1.3 million individuals, is the loss of 40 hours of vacation time.
Continue reading Sanctions For Ohio Breach: Lost Vacation Time, Terminations, and a "Resignation"...
Search
Library Resources
Categories
Rebecca Herold's Bio:
Rebecca Herold,CISSP, CIPP, CISM, CISA, FLMI, has been providing information security, privacy and regulatory assistance and services to organizations from a wide range of industries for over 18 years. Rebecca was instrumental in building the information security and privacy program while at Principal Financial Group, which was awarded the CSI Information Security Program of the Year Award in 1998. IT Security ranked Rebecca as one of the top 59 IT security influencers, and Computerworld put Rebecca their list of the 25 top privacy experts and on their list of the 9 best privacy consulting firms. Rebecca has been CPO for two consulting organizations, and has had her own information privacy, security and compliance business since 2004. Rebecca has written chapters for several books, dozens of articles, and has been writing a monthly privacy column for the CSI Alert newsletter since the beginning of 2001, and is working on her 11th book. Some of her other books include The Privacy Papers, Managing an Information Security and Privacy Awareness and Training Program, The Definitive Guide to Security Inside the Perimeter (Realtime Publishers), The Shortcut Guide to Improving IT Service Support through ITIL (Realtime Publishers), and The Practical Guide to HIPAA Privacy and Security Compliance. In addition, Rebecca is the leader of The Realtime IT Compliance Community where she posts to her IT Compliance weblog. You can contact Rebecca at: rebecca_herold@realtimepublishers.net.