Search Realtime IT Compliance
Entries from Realtime Community | IT Compliance tagged with 'IT compliance'
Smart Grid Privacy: Possible Privacy Standards To Address Concerns
Sorry to be so tardy in getting a blog post out. As many of you know I've been working with the NIST Smart Grid Privacy Subgroup since late June. The work done for this group is through time volunteered by...
15 Smart Grid Privacy Concerns + Other Smart Grid Thoughts
I've had about half a dozen folks ask me how things are going with the work I'm doing with the NIST Smart Grid privacy group, and if I could provide an update since my last couple of posts on the...
HIPAA And Surveillance In Hospitals
Over the years there have been many...too many...instances where doctors have performed the wrong types of surgeries on patients, and even the wrong surgeries on completely wrong patients......
CEs and BAs: Be HIPAA/HITECH Compliant Or Pay A Hefty Penalty
The HHS released HITECH Act Enforcement Interim Final Rule today......
Smart Grid Privacy: Laws and Implications
I was recently asked several questions about my work with the NIST Smart Grid privacy group and associated issues. Here are a couple of those questions, and my answers to them......
6 Critical Factors for Effective Information Security & Privacy Policies
I've been feeling bad about not posting to my blog as often as I have historically......
Who Are Your Business Associates?
Since just before HIPAA went actively into effect I've done a lot of HIPAA compliance work for covered entities (CEs). In the past few years I've done around 200 business associate (BA) information security and program reviews for just one...
HIPAA/HITECH Etc. Retention: Does Your Reality = Your Requirements?
Last month I had the great pleasure of being a guest on Scott Draughon and Anyck Turgeon's MyTechnologyLawyer.com radio show for a segment entitled, "Is encryption enough to achieve privacy?" I was pleasantly surprised to see a large number of...
Proposed HIPAA Privacy Rule Change Explicitly Makes Genetic Info PHI
An important element of data protection compliance is knowing, identifying and inventorying the applicable information......
Privacy For The Deceased
Late last month I posted, "HIPAA/HITECH Breach Notice Rule: Applies To PHI of Deceased Individuals + Training A Key Element" and since then I've had around half a dozen or so folks ask me to write about privacy for the...
10 Smart Grid Consumer-to-Utility Privacy Concerns; Are There More?
I have had the great opportunity to participate in the NIST Smart Grid privacy standards group since July......
Don't Throw Your Privacy Out The Window; Know How Your PII Is Used
A couple of week's ago I had the great opportunity and pleasure to speak with the both equally delightful and brilliant Anyck Turgeon and Scott Draughon on MyTechnologyLawyer.com about "Is encryption enough to achieve privacy?" The feedback and followup to...
How To Do Privacy Impact Assessments
Last week I was very fortunate to be able to speak at the IAPP Privacy Academy in Boston......
What Happens To Privacy During Pandemics?
I am talking to increasing numbers of privacy and information security pros who are concerned about not only getting their pandemic plans in place, but also wanting to know what kinds of privacy issues need to be addressed within the...
Is Encryption Enough to Achieve Privacy?
Of course the answer is no. But there are many reasons! Tune in this afternoon at 4:00pm Pacific time to hear Anyck Turgeon, Scott Draughon and me discuss this topic and talk about encryption laws and the impacts to privacy....
HITECH Impacts Over 734,178 "Small Business" HIPAA Covered Entities
The Department of Health and Human Services (HHS) 45 CFR Parts 160 and 164: "Breach Notification for Unsecured Protected Health Information; Interim Final Rule" (Breach Notice Rule) has been written about a lot. But much of what is written overlooks...
HITECH Act Virtual ToC
This was another very busy week, and I didn't have a chance to post as much as I would have liked. Part of what kept me busy was an unusually increased amount of email......
HHS & FTC Breach Notice Rules: First Time NIST Standards Specifically Referenced
The Department of Health and Human Services (HHS) issued their interim final rule for breach notification standards on August 19. Federal Trade Commission (FTC) issued their final rule of breach notification standards on August 17. The HHS rule covers all...
Fired Because Photo of Surgery Room Was A "HIPAA Violation"
I received a very interesting question yesterday, and I wanted to share it and my response here because it is a great HIPAA topic to discuss that I have not seen written about before. I've removed the identifying information, and...
8,918 HIPAA Violation Investigations Have Required Corrective Actions
Here are some important websites to bookmark for you to reference when you need help...beyond what I have on my blog and at my website :)...if you are a US Health Insurance Portability and Accountability Act (HIPAA) Covered Entity (CE)...
HIPAA/HITECH Breach Notice Rule: Applies To PHI of Deceased Individuals + Training A Key Element
After a few days unable to make time to post to the blog, or technical difficulties preventing me when I did make time, I'm happy to resume my posting! Today I want to offer a few thoughts about the breach...
Hidden Privacy & Security Risks of Web 2.0
There's been a lot in the news lately about "Web 2.0" security and privacy problems. A lot of folks, though, don't know what that term really means. Do your personnel know what it means? Probably not. This is certainly understandable...
You Need These Things When You Get HIPAA Audited!
I get a bit irritated when I see a vendor touting their "compliance solution" products as making organizations "HIPAA Compliant" or "PCI DSS Compliant" or whatever your regulation of choice happens to be, and then, upon inspection of their products,...
OCR Adding To Staff For Increased HIPAA Compliance Enforcement Activities
Monday the HHS announced they were moving responsibility for both HIPAA Security Rule and Privacy Rule under the OCR. That same day they also announced they were expanding the HIPAA "privacy enforcement team." (Scroll down on this page to see...
OCR Adding To Staff For Increased HIPAA Compliance Enforcement Activities
Monday the HHS announced they were moving responsibility for both HIPAA Security Rule and Privacy Rule under the OCR. That same day they also announced they were expanding the HIPAA "privacy enforcement team." (Scroll down on this page to see...
HIPAA Enforcement Will Improve With OCR Responsible for Both Privacy Rule & Security Rule
Today the US Department of Health and Human Services (HHS) announced that the OCR will now be responsible for both the HIPAA Privacy Rule and the Security Rule. Perhaps this is an indicator of more enforcement to come. As a...
(Lack Of) Encryption Is A Basis For Notification Under The HITECH Act
This week one of my tweeps asked me the following: "What's your interpretation of encryption obligations for PHI data-at-rest under HITECH? Many parties are sweating this now." Great question!...
HITECH Act: Breach Notification Is Necessary Based Upon Items Used In De-Identification
Continuing along the discussion of the HITECH Act this week, I want to consider a couple of questions I recently discussed with a CISO at a healthcare insurer about when breach notification is necessary......
Is This A Breach Under The HITECH Act Definition?
This week I want to take a closer look at some of the issues and requirements within the HITECH Act, which dramatically expands the reach and requirements under the U.S. Health Insurance Portability and Accountability Act (HIPAA)......
New MO Breach Notice Law: Encryption Safe Harbor? Yes. Encryption Def Good? No!
On July 9, 2009 the Missouri governor signed House Bill No. 62 into law, and it included section 407.1500, which is the requirement for giving privacy breach notice. Since I'm focusing this week on encryption laws, I want to take...
Has Massachusetts Encryption Law Stopped It's Evolution?
This week I want to take a look at encryption laws. Only a few short years ago no law or regulation really had explicit encryption requirements. HIPAA, passed in 1996 with effective compliance deadline requirements in 2003 (Privacy Rule) and...
What is PII? How About "Publicly Available" Info?
There is much debate about what specific types of items should be considered as personally identifiable information (PII). A common topic of debate is; if information can be found publicly does that mean it is not PII?...
What is PII? How About Groups Of Otherwise Non-PII?
I want to continue my look at the concept of personally identifiable information (PII), and what types of items, in particular, are considered as such......
What is PII? How About IP Addresses?
This week I want to look at the concept of personally identifiable information (PII), and what types of items, in particular, are considered as such......
Crooks Don't Need to Steal SSNs If They Can Create Valid SSNs Themselves
I've had some very interesting discussions about the CMU SSN study throughout the week, and, before moving on to other topics next week, I wanted to wrap up the week and discussion with some final thoughts on the CMU SSN...
Implications Of The CMU SSN Study: What Business Leaders Need To Understand
Following the release of the CMU SNN report on Monday, I've had some very interesting discussions with privacy and information security folks, and I've been pretty amazed at some of the reactions to the study. I also posted about this...
Study Proves SSNs Are Easily Guessed; Don't Use SSNs To Verify Identity Or As Passwords!
It is nice to have scientific evidence of what we've been telling business leaders ever since they wanted to start using SSNs as identifiers and passwords! Today Carnegie Mellon University (CMU) released a very revealing report, "Predicting Social Security numbers...
Nevada's New Encryption Law; Made Moot By Its Own Data Breach Law?
On May 30, 2009, Nevada enacted a new law, SB 227, which will basically replace NRS 597.970 in January 2010. In many ways the new law is an improvement over the much more vague, and brief, NRS 597.970. I want...
Stolen Print Documents With PII Found On Crook; Otherwise UCM Would Not Have Known The Reports Were Stolen
Late last week one of my alma maters, the University of Central Missouri, reported that two printed computer reports containing 7000 students' names, social security numbers, phone numbers, addresses, and birthdates were stolen from somewhere on the campus....
Hear Common, Dumb and Dangerous Privacy Assumptions On The Radio!
Today I will be on MyTechnologyLawyer.com radio show to an hour program talking about the common privacy mistakes and assumptions made by businesses. This will be a more in-depth look at the issues from my post from a couple of...
South Carolina & Alaska Privacy Breach Notice Laws Go Into Effect July 1
This week two more U.S. breach notice laws go into effect......
Voice Recognition Software Puts Top Cop In Hot Water
Yesterday I read a fascinating story from Australia......
Movies and TV Shows to Use for Infosec and Privacy Training and Awareness
After many long hours, I've finally submitted the draft manuscript for the 2nd edition of my "Managing an Information Security and Privacy Awareness and Training Program" book. However, I will still have one more chance to make changes. One of...
Don't Manage Employee Online Activities By Requiring Their IDs & Passwords!
I read a story about a city government agency actually asking job applicants to provide their IDs and passwords for any online social networking type of site they participate in......
5 Common, Dumb and Dangerous Privacy Assumptions
Today Kevin Beaver posted a nice article, "Dumb things IT consultants do" that included more than one warning about making assumptions. Kevin's nice post made me think about all the dangerous assumptions consulants and practitioners often make when it comes...
FTC Issued Consent Order for GLBA Privacy Rule and Safeguards Rule Violations
Today the FTC issued a consent order against mortgage lender James B. Nutter & Company for GLBA Privacy Rule and Safeguards Rule violations resulting from having an inadequte information security program and safeguards. The requirements will result in, among other...
Info Sec & Privacy Days/Weeks/Months
As I've mentioned a few times before, I'm in the final lap of finishing the 2nd edition of my book, "Managing an Information Security and Privacy Awareness and Training Program." Woo hoo! Over the weekend I updated "Appendix N -...
FTC's New Red Flags Rules FAQ
Today the US FTC released "Frequently Asked Questions: Identity Theft Red Flags and Address Discrepancies." Here are a couple important things to take away from this FAQ......
Healthcare Worker Gets 1 Year In Prison For Posting HIV Victim's Medical Records On Internet
Today a report discussed how a healthcare worker obtained medical information about a patient with HIV that was then posted on the Internet......
Privacy Enhancing Technologies (PETs) & Privacy Threatening Technologies
I'm doing research while working on the 2nd edition of my book, "Managing an Information Security and Privacy Awareness and Training Program"......
Audits Show Things At a Moment in Time; Silly To Sue For Breaches That Happen 1 Year After Audit Conclusion?
There has been much written in the past week about Merrick Bank suing the audit firm, Savvis, because a breach occurred at CardSystems in 2005 even though Savvis had given passing marks for the CardSystems audit that Merrick Bank hired...
Great InfoSec and Privacy Info and Resources This Week On Twitter
I got my week's issue of Time magazine in the mail today, and lo-and-behold the cover and feature story was about Twitter!...
Not Providing Training and Awareness Is The Dumbest Idea For Information Security
As time goes on, and more and more information security incidents and privacy breaches occur, I continue to hear otherwise smart people say silly and completely wrong statements about the need (or lack of) for information security and privacy training...
Rights for Privacy Breach Victims
I received a provacative question on Twitter last week from idExperts, "If you had a wish list of rights for identity theft victims, what would that be?" Sounds like a great blog topic! :) Here are my thoughts......
Common InfoSec & Privacy Training Mistakes
I've been reviewing some of the information security and privacy training and awareness content for some organizations; some large and some small. Most of the training is ineffective......
Insider Threat: Horrible Tragedy Highlights Need For Policies & Training
I got the June 1 issue of Newsweek today, and something that's bothered me ever since I first heard about it was on page 4......
HIPAA, HITECH Act and Disposal Problems
Here's yet another incident that provides very good lessons that could be incorporated into information security and privacy training sessions as a case study, particularly for HIPAA compliance as well as secure disposal training......
The World's Largest (and BEST!) Cyber Defense Competition for Teens...In Ames Iowa!
Last month Iowa State University, in Ames, held a unique type of IT Olympics for teens......
Effectively Explaining the Purpose of Information Classification to Employees
The topic for my Q2 2009 issue of Protecting Information was helping employees to understand why different types of information need different levels of security. Yes, this is information classification, but I describe it in a way that employees of...
HITECH Act does *NOT* make HIPAA, or HIPAA advice, "obsolete"!
A couple of weeks ago I was surprised and concerned by a statement made in one of my many listservs by a lawyer commenting on HIPAA books and past advice given for HIPAA compliance......
Secure360 Starts Tomorrow!
I drove up to St. Paul, MN, today and will be speaking, and look forward to attending the sessions, at Secure360....
Regulatory Requirements for Training and Awareness
Today I had a great conversation with a CISO about the regulatory and legal requirements for organizations to provide information security and privacy training and awareness activities......
Podcast: HITECH Act adds new compliance requirements, penalties
Last week I had the pleasure of speaking with Alexander B. Howard at SearchCompliance.com for a 26 minute podcast......
Understanding Data Protection from 4 Critical Perspectives
Today I gave a webcast (27 minutes) about "Understanding Data Protection from 4 Critical Perspectives" and it is now available online through this link......
IP Addresses Are Considered PII By Some Countries No Matter If U.S. Orgs Like It Or Not
Today on Twitter, @clarinette02 posted a link to an interesting article, "IP Addresses Are Personal Data, E.U. Regulator Says," from a little over a year ago......
Red Flags Rule Enforcement Delayed to August 1, 2009; FTC Providing a Compliance "Template"
The FTC has once more announced a delayed enforcement of the Red Flags Rule to August 1, 2009......
Employee Rights to PII When You Leave Your Employer or Lose Your Job
I often get emails from my blog and Twitter readers, many of whom I have never met before; sometimes several in a day. Many often ask for help that really is a call for free consulting help. Others are quick,...
HIPAA & HITECH Act Sanctions & Penalties
Today I had the great pleasure and opportunity to do a podcast with Alexander Howard over at TechTarget discussing HIPAA and the HITECH Act......
Community Information Security and Privacy Awareness
Today I read a nice article describing a presentation about information security, "Cyber safety tips shared"......
My Son Caught A "Hacker"!
NOTE: Just realized today is Take Your Child To Work Day so this is timely! :) My sons, 12-years-old and 9-years-old, have been with me a lot while I work in my home office over the years, and they have...
2 More Things In History That Could Have Improved Infosec & Privacy
Late last week I blogged about a question I got while at InfoTec in Omaha last week, "2 Things In Computing History That Could Have Improved Information Security and Privacy"......
Breach Notices, Securing PHI & PHR Vendor Responsibilities Under HIPAA/HITECH Act
Last Friday the US Department of Health and Human Services (HHS) released, at the last possible moment to meet their deadline, their interim final regulations to require covered entities (CEs) under the Health Insurance Portability and Accountability Act (HIPAA) and...
HIPAA Requirements Changes & Business Associates Impacts From HITECH Act
Last week I engaged in a very interesting tweetversation with David Mortman about when the U.S. Department of Health and Human Services (HHS) needs to get their guidance documents and rules published for the various HITECH Act requirements......
2 Things In Computing History That Could Have Improved Information Security and Privacy
This past Wednesday I gave a session at Infosec09 in Omaha, Nebraska. What a great event and venue! If you get a chance to attend next year, I highly encourage you to do so....
"Secure Your ID Day" is April 18
I'm in Omaha to speak tomorrow at the Infotec09 conference and I heard on the local news that "Secure Your ID Day" is April 18......
Pointers to interesting & useful information security, privacy & compliance info
I've been using Twitter for a couple of months now. I never saw the value of using Twitter before this time, and in fact had a completely different view of what it was "all about" until I actually started using...
You aren't in Kansas anymore, ToTo...you're in virtual Kansas!
Oh; and, by the way, what the heck are virtual worlds? Aren't they something that only kids use?...
Measuring The Effectiveness of Information Security & Privacy Awareness & Training
I'm a longtime advocate of creating a wide range of metrics to determine the effectiveness of the various components of information security, privacy and compliance programs....
Privacy Breach Lesson: Encrypt Mobile Digital PII!
Once more, here is an example of how carelessness and/or a mistake leads to a privacy breach......
What Corporate Business Leaders Need To Know About Data Protection
The first chapter of my new ebook, "Understanding Data Protection from Four Critical Perspectives" has been published! The first chapter is "What Corporate Business Leaders Need To Know About Data Protection" and is written to an audience of CEOs and...
Pros & Cons Of Surveillance Cameras For Compliance
We had a very interesting discussion on Twitter this morning about the practice of automatically photographing license plates to use for parking, tickets, etc......
Ongoing Awareness Communications and Regular Training Are Necessary For Effective Information Security & Privacy Programs
Scott Wright over at Streetwise Security Zone graciously invited me to do a podcast interview with him to discuss information security, privacy and compliance training and awareness issues. In the last half of February I had the pleasure of taking...
HIPAA Sanctions and Convictions Will Increase with HITECH Act & New Administration
Upon reading and researching HIPAA and the impact of the HITECH Act upon it, basically broadening its applicability as well as adding new requirements for privacy breach notifications, I recently was compelled to write an article about what I foresee...
Don't let differing authority levels damage info sec, privacy & compliance collaboration
I first realized the need for information security and legal compliance areas to closely collaborate on converging issues in the mid-1990's while establishing the information security and privacy requirements for one of the first online banks. Over the past 5+...
Carnegie Mellon's CyLab Is A Great Resource
I was very happy to be invited to Carnegie Mellon University (CMU) to speak about information security and privacy convergence last month at their CyLab research and education center. It was a great experience!...
Many Motivators For Identity Theft
I've heard far too many business leaders in lesser-regulated industries, of organizations of all sizes, say something to the effect of, "Oh, we don't have any information that hackers would find of any value."...
There Are 47 US State & Territory Breach Notice Laws: 1-Page Listing
Over the weekend I did some research to make sure I am up to date with all the current U.S. state and U.S. territories breach notice laws......
Avoid Information Overload In Your Information Security & Privacy Training!
I've been reviewing some "canned" information security and privacy training offerings in the past few months, and I'm seeing that many of them are trying to dump TOO MUCH information on those taking them; learners can only absorb so much...
Cautionary Tales for Tweeting About Work
I've been using Twitter now (http://www.twitter.com/privacyprof) for three going on four weeks. I've found it to be a very great way to be in touch with the latest news and happenings, and also to get in touch with other folks...
Encryption Solution Reviews
Here are some encryption solution reviews, from David Strom at PC World, that anyone who wants to protect their laptop data, as well as information security, and yes privacy, practitioners should find useful......
Computer Fraud Criminal Sentenced To 4 1/2 Yrs Jailtime + US$1.6 Million
Would you notice a $20 - $30 fraudulent charge mixed in with a lot of other charges...most people have more than 10 according to a financial fraud expert friend...on your credit card statement? It looks like in Bulgaria they really...
Business Continuity Awareness Week is 3/23 - 3/27
Here's another awareness raising opportunity......
68 Info Sec & Privacy Tweets Digest Back Through March 7
Once more I'm providing a digest of the Twitter tweets I put out (PrivacyProf) over the past week that provided pointers to interesting and useful news reports and pieces of information that I do not want to have lost in...
1746 Organizations In The U.S.'s EU Safe Harbor Program
A type of project I really love to do is a privacy impact assessment (PIA). For companies who collect or otherwise handle the personally identifiable information (PII) of individuals from multiple countries, typically doing a cross border data flow analysis...
Court Decision on FACTA Credit Card Transaction Receipt Violations
I was doing a bit of research around the Fair and Accurate Credit Transactions Act (FACTA), and ran across an interesting recent court decision......
Here's the link for Web 2.0 Privacy and Security Considerations
I forgot the link to my article yesterday!! Here it is... "Web 2.0 Privacy and Security Considerations"...
Web 2.0 Privacy and Security Considerations
I've been having a lot of conversations in the past few weeks about Web 2.0 privacy and security issues. Web 2.0 certainly has greatly enhanced how the Internet can be used. Posting information on blogs, social networking sites, microblogs (such...
Most Laws Are Flawed, But It Is Up To Us To Make Them Better & Make Them Work
Rafal Los makes some very good points in his post "Analysis of the Stimulus Bill and Healthcare Privacy" from a few days ago. I started writing all my thoughts as a comment to him, but then decided it would work...
UK Company Caught Selling Their Employees' & Job Applicants' PII
Here's an interesting shocking story about some bad...make that VERY BAD...business decisions in the UK to make money by selling employees', and job applicants', personally identifiable information (PII) as a revenue stream......
A Cornucopia Of Audit, Information Security and GRC Information
It was great to see Dan Swanson include some of my resources in his Security Insider blog posting today!...