Entries from Realtime Community | IT Compliance tagged with 'PII'


Smart Grid Privacy: Possible Privacy Standards To Address Concerns

Sorry to be so tardy in getting a blog post out. As many of you know I've been working with the NIST Smart Grid Privacy Subgroup since late June. The work done for this group is through time volunteered by...

15 Smart Grid Privacy Concerns + Other Smart Grid Thoughts

I've had about half a dozen folks ask me how things are going with the work I'm doing with the NIST Smart Grid privacy group, and if I could provide an update since my last couple of posts on the...

HIPAA And Surveillance In Hospitals

Over the years there have been many...too many...instances where doctors have performed the wrong types of surgeries on patients, and even the wrong surgeries on completely wrong patients......

CEs and BAs: Be HIPAA/HITECH Compliant Or Pay A Hefty Penalty

The HHS released HITECH Act Enforcement Interim Final Rule today......

Smart Grid Privacy: Laws and Implications

I was recently asked several questions about my work with the NIST Smart Grid privacy group and associated issues. Here are a couple of those questions, and my answers to them......

Who Are Your Business Associates?

Since just before HIPAA went actively into effect I've done a lot of HIPAA compliance work for covered entities (CEs). In the past few years I've done around 200 business associate (BA) information security and program reviews for just one...

HIPAA/HITECH Etc. Retention: Does Your Reality = Your Requirements?

Last month I had the great pleasure of being a guest on Scott Draughon and Anyck Turgeon's MyTechnologyLawyer.com radio show for a segment entitled, "Is encryption enough to achieve privacy?" I was pleasantly surprised to see a large number of...

Proposed HIPAA Privacy Rule Change Explicitly Makes Genetic Info PHI

An important element of data protection compliance is knowing, identifying and inventorying the applicable information......

Privacy For The Deceased

Late last month I posted, "HIPAA/HITECH Breach Notice Rule: Applies To PHI of Deceased Individuals + Training A Key Element" and since then I've had around half a dozen or so folks ask me to write about privacy for the...

10 Smart Grid Consumer-to-Utility Privacy Concerns; Are There More?

I have had the great opportunity to participate in the NIST Smart Grid privacy standards group since July......

Don't Throw Your Privacy Out The Window; Know How Your PII Is Used

A couple of weeks ago I had the great opportunity and pleasure to speak with the both equally delightful and brilliant Anyck Turgeon and Scott Draughon on MyTechnologyLawyer.com about "Is encryption enough to achieve privacy?" The feedback and followup to...

How To Do Privacy Impact Assessments

Last week I was very fortunate to be able to speak at the IAPP Privacy Academy in Boston......

What Happens To Privacy During Pandemics?

I am talking to increasing numbers of privacy and information security pros who are concerned about not only getting their pandemic plans in place, but also wanting to know what kinds of privacy issues need to be addressed within the...

Is Encryption Enough to Achieve Privacy?

Of course the answer is no. But there are many reasons! Tune in this afternoon at 4:00pm Pacific time to hear Anyck Turgeon, Scott Draughon and me discuss this topic and talk about encryption laws and the impacts to privacy....

HITECH Impacts Over 734,178 "Small Business" HIPAA Covered Entities

The Department of Health and Human Services (HHS) 45 CFR Parts 160 and 164: "Breach Notification for Unsecured Protected Health Information; Interim Final Rule" (Breach Notice Rule) has been written about a lot. But much of what is written overlooks...

HITECH Act Virtual ToC

This was another very busy week, and I didn't have a chance to post as much as I would have liked. Part of what kept me busy was an unusually increased amount of email......

HHS & FTC Breach Notice Rules: First Time NIST Standards Specifically Referenced

The Department of Health and Human Services (HHS) issued their interim final rule for breach notification standards on August 19. Federal Trade Commission (FTC) issued their final rule of breach notification standards on August 17. The HHS rule covers all...

Fired Because Photo of Surgery Room Was A "HIPAA Violation"

I received a very interesting question yesterday, and I wanted to share it and my response here because it is a great HIPAA topic to discuss that I have not seen written about before. I've removed the identifying information, and...

8,918 HIPAA Violation Investigations Have Required Corrective Actions

Here are some important websites to bookmark for you to reference when you need help...beyond what I have on my blog and at my website :)...if you are a US Health Insurance Portability and Accountability Act (HIPAA) Covered Entity (CE)...

HIPAA/HITECH Breach Notice Rule: Applies To PHI of Deceased Individuals + Training A Key Element

After a few days unable to make time to post to the blog, or technical difficulties preventing me when I did make time, I'm happy to resume my posting! Today I want to offer a few thoughts about the breach...

You Need These Things When You Get HIPAA Audited!

I get a bit irritated when I see a vendor touting their "compliance solution" products as making organizations "HIPAA Compliant" or "PCI DSS Compliant" or whatever your regulation of choice happens to be, and then, upon inspection of their products,...

OCR Adding To Staff For Increased HIPAA Compliance Enforcement Activities

Monday the HHS announced they were moving responsibility for both HIPAA Security Rule and Privacy Rule under the OCR. That same day they also announced they were expanding the HIPAA "privacy enforcement team." (Scroll down on this page to see...

HIPAA Enforcement Will Improve With OCR Responsible for Both Privacy Rule & Security Rule

Today the US Department of Health and Human Services (HHS) announced that the OCR will now be responsible for both the HIPAA Privacy Rule and the Security Rule. Perhaps this is an indicator of more enforcement to come. As a...

(Lack Of) Encryption Is A Basis For Notification Under The HITECH Act

This week one of my tweeps asked me the following: "What's your interpretation of encryption obligations for PHI data-at-rest under HITECH? Many parties are sweating this now." Great question!...

HITECH Act: Breach Notification Is Necessary Based Upon Items Used In De-Identification

Continuing along the discussion of the HITECH Act this week, I want to consider a couple of questions I recently discussed with a CISO at a healthcare insurer about when breach notification is necessary......

Is This A Breach Under The HITECH Act Definition?

This week I want to take a closer look at some of the issues and requirements within the HITECH Act, which dramatically expands the reach and requirements under the U.S. Health Insurance Portability and Accountability Act (HIPAA)......

New MO Breach Notice Law: Encryption Safe Harbor? Yes. Encryption Def Good? No!

On July 9, 2009 the Missouri governor signed House Bill No. 62 into law, and it included section 407.1500, which is the requirement for giving privacy breach notice. Since I'm focusing this week on encryption laws, I want to take...

Has Massachusetts Encryption Law Stopped Its Evolution?

This week I want to take a look at encryption laws. Only a few short years ago no law or regulation really had explicit encryption requirements. HIPAA, passed in 1996 with effective compliance deadline requirements in 2003 (Privacy Rule) and...

What is PII? How About "Publicly Available" Info?

There is much debate about what specific types of items should be considered as personally identifiable information (PII). A common topic of debate is; if information can be found publicly does that mean it is not PII?...

What is PII? How About Groups Of Otherwise Non-PII?

I want to continue my look at the concept of personally identifiable information (PII), and what types of items, in particular, are considered as such......

What is PII? How About IP Addresses?

This week I want to look at the concept of personally identifiable information (PII), and what types of items, in particular, are considered as such......

Stolen Print Documents With PII Found On Crook; Otherwise UCM Would Not Have Known The Reports Were Stolen

Late last week one of my alma maters, the University of Central Missouri, reported that two printed computer reports containing 7000 students' names, social security numbers, phone numbers, addresses, and birthdates were stolen from somewhere on the campus....

South Carolina & Alaska Privacy Breach Notice Laws Go Into Effect July 1

This week two more U.S. breach notice laws go into effect......

5 Common, Dumb and Dangerous Privacy Assumptions

Today Kevin Beaver posted a nice article, "Dumb things IT consultants do" that included more than one warning about making assumptions. Kevin's nice post made me think about all the dangerous assumptions consultants and practitioners often make when it comes...

Rights for Privacy Breach Victims

I received a provocative question on Twitter last week from idExperts, "If you had a wish list of rights for identity theft victims, what would that be?" Sounds like a great blog topic! :) Here are my thoughts......

Breach Notices, Securing PHI & PHR Vendor Responsibilities Under HIPAA/HITECH Act

Last Friday the US Department of Health and Human Services (HHS) released, at the last possible moment to meet their deadline, their interim final regulations to require covered entities (CEs) under the Health Insurance Portability and Accountability Act (HIPAA) and...

Most Laws Are Flawed, But It Is Up To Us To Make Them Better & Make Them Work

Rafal Los makes some very good points in his post "Analysis of the Stimulus Bill and Healthcare Privacy" from a few days ago. I started writing all my thoughts as a comment to him, but then decided it would work...

New Guidelines for Safeguarding Personal Data

Happy U.S. presidential inauguration day! :) Did you take off a few minutes of work to watch the inauguration? I wasn't going to, was planning to just catch videos on the news sites or YouTube later, but then I did,...

Business Info Fact Of The Day: Smart Business Leaders Encrypt PII

If you are a business leader you must know and understand that encrypting personally identifiable information (PII) protects that PII from being used for identity theft and other crimes should it fall into the hands of a crook. Business leaders...

Business Info Fact Of The Day: PII Sent Through The Mail Is Often Stolen Or Lost

Over the years I have heard many times by my various government friends, even following too many mis-deliveries and lost packages to enumerate here, that packages and letters sent via the US postal service, and even through other delivery organizations...

FEMA Records Of 16,000 Katrina Victims Posted Online

How did the following happen...there are many options...insider threat? Poor IT storage controls? Poor applications development controls? Perhaps using real personally identifiable information (PII) for test purposes? Hacker break-in? Through an outsourced company with access to the PII, but who...

New Family Educational Rights and Privacy Act (FERPA) Regulations

New FERPA Regulations were issued yesterday......

Cybercriminals Threaten To Post Millions Of PII Records For Express Scripts Customers

Just last month I blogged about the new Identity Theft Enforcement and Restitution Act of 2008. It covers extortion. I'm interested to see if it gets used for the latest extortion attempt......

State of New York Issues Guide For Protecting PII

The State of New York just released a general guide to the protection of personally identifiable information (PII)......

How Does Your Business Use Customer and Consumer Profiling?

So, do you know how your business may be using data mining for customer and consumer profiling? Have you talked with your marketing folks about it? Do you know how the stores you make your purchases from use your information...

Not All Privacy Issues Involve PII

There's been a lot in the news over the past few years about customer profiling. The term is used somewhat differently by different groups and the definition often debated. However, the mainstream news media generally uses the term to talk...

Iowa Land Records Association Posts SSNs...Including The Governor's...On Their Internet Site

Okay, here's another example of a ridiculously dumb privacy breach that occurred, in Iowa this time, through a government agency posting information on the Internet......

Laptop Containing PII of 1 Million+ People Sold On eBay for $141

I've been doing a lot of work with data retention and disposal policies and procedures lately, remembering the silly things I have read about with regard to organizations getting rid of their computers, such as selling their computers on eBay...

Company Uses Negotiated Checks For Packing Material!

Not much surprises me any more with regard to some of the silly things that organizations do with printed PII that put the involved individuals at risk. However, I was surprised when I watched an ABC News report this morning......

Whose PII Is Covered Under the EU Data Protection Directive?

I got a great question from a business friend of mine, and I wanted to provide my answer here, too, because it is something all multi-national organizations need to think about. Eric Nelson, who heads Secure Privacy Solutions asked, "If...

17 Info Security & Privacy Topics Call Center Staff Must Understand

Okay...back to my continuing lecture on the need to provide targeted training on specific information security and privacy topics to the various responsibility groups throughout your enterprise. Consider this; what if you took a driver's education class and all they...

People Need Periodic, Effective, Training And Ongoing Awareness To Truly Safeguard Information

Imagine this; what if you were given training just one time, in a 1-hour session with no hands-on practice, for how to do first aid and give CPR and then were never given more training or reminders about how to...

Call Center Folks Have Huge Amounts Of Access TO PII

Need more reasons from my post from yesterday about why call centers need targeted training and ongoing awareness? If so, then here is the second part of the third article, "Providing Call Centers with Information Security and Privacy Education," in...

The Area With The Most Customer Contact Usually Has The Least Information Security and Privacy Training

Think for a few moments about the area in your company that has the most, or close to the most, direct contact with your customers and consumers......

Internal Threat Example: Lending Tree Privacy Breach And Civil Suit

Last month (May 2008...yes, it is June already!) Lending Tree got slapped with a civil suit alleging their personnel allowed mortgage lenders access to customers' personally identifiable information (PII) and other confidential information. The suit charges that Lending Tree did...

Let Your Personnel And Family Know About This Phishing Scheme That Spoofs Amazon

When was the last time you warned your family members, friends and/or personnel about the new phishing schemes that are being launched? There are many phishing scams going on right now, and they are widely reported and talked about. I...

Business Leader Primer for Effective Information Disposal

I've been talking a lot lately about the need for business leaders to more effectively address the secure disposal of information, particularly personally identifiable information (PII). Why? Because it seems like more and more attention is being given to security...

Insider Threat Example: Bank Worker Sentenced To 36 Months In Prison; + Prison Terms For Others In Cahoots

I've been doing some research for insider threat training content I'm creating, and I ran across a recent judgment against a bank employee for identity theft. This provides some good lessons to organizations for the insider threat, and would make...

Iowa Privacy Breach Bill Has Much Of Its Teeth Pulled

Iowa introduced a new bill, SSB 3200, on February 20 to establish a state privacy breach notification law. As originally worded it would have also required merchants to follow credit and debit card industry data security rules and make them...

3rd HIPAA Criminal Indictment; Another Insider Job

On February 15, Leslie A. Howell, from Oklahoma City, OK, was indicted for violating the Health Insurance Portability and Accountability Act (HIPAA) of 1996 as part of an identity theft scheme....

Will Bad News Come in 3's For Health Net?

In the past several days Health Net made the news...in ways they would rather not have... First this on 2/22:...

Great Information Security and Awareness Event Coming In April

There's a great information security and privacy awareness event coming up, Internet Safety Night on April 23, 2008, 6:30-8:30 p.m....

Have You Reviewed the FTC's Proposed Privacy Principles Yet?

If you are responsible for information security or privacy at your organization, and your organization does marketing, here is something you need to know about and discuss with your marketing folks. I blogged about this in December....

$54 Million Lawsuit Against Best Buy For Losing Laptop

I knew the civil suits for lost laptops would start soon. Thanks so much to my buddy Alec for pointing out this story to me! Raelyn Campbell took a laptop computer to Best Buy to get fixed, and three months...

Give a Hoot, Don't Privacy Pollute!

I just saw a term that can be used really well with non-technical folks, "data pollution." I wish I had thought of that term!...

Today Google Provides Another Path For Data Leakage

Here's one more thing for IT, Information Security and Privacy folks to put on their list of things to worry about......

Encryption So Easy Even A Terrorist Can Use It

It seems all business leaders would understand by now, after literally thousands of privacy incidents in recent years, that they need to encrypt personally identifiable information (PII) stored on mobile computers and mobile storage devices, and when sending PII through...

A Stolen Health Insurer's Laptop With PII Is Not Necessarily A HIPAA Violation

While scanning the news blurb summaries today, the statement, "This is a violation of HIPAA." caught my eye. Hmm...let's see what this is about... This statement was actually within the reader comments to the story, "Blue Cross reports theft of...

Social Engineering Schemes Increase: Great Case Study From An Actual Event

Last month I finished the second issue of my Protecting Information publication and the topic couldn't be more timely: social engineering. Just today I have already read in my daily news items 5 articles about social engineering! One in particular,...

CMS Announces Plans To Actively Audit Hospitals For HIPAA Compliance

The U.S. Centers for Medicare and Medicaid Services (CMS) announced last week that they plan to audit 10 - 20 hospitals for HIPAA compliance in the next 9 months according to a Government Health IT article....

CMS Hires A Fox To Guard The HIPAA Henhouse

I just read a very interesting article, "CMS' HIPAA watchdog presents potential conflict" that made me go Hmmm!! The genesis of the article is that the Centers for Medicare and Medicaid Services (CMS), the agency that is responsible for the...

Insider Threat Example: Programmer Sentenced To 30 Months In Jail And $81,200 Fine

Here's a case I blogged about almost exactly a year ago, but it is worth revisiting since the sentencing for the crime was just handed down and it was significant. If you haven't already, put this in your file of...

Terrorists Over 50 Don't Fly According To The DHS

I just read this and found the implication that folks over 50 years of age are not terrorist threats rather odd. Today the U.S. Department of Homeland Security released some new rules related to REAL ID....

13 Minnesota Students Disciplined For Facebook Photos

I've blogged several times, such as here, here and here, about how information posted to the Internet, such as on Facebook and other social networking sites, cannot be considered as being private or secure, have been used to make hiring...

Egregious Privacy Infringement: Fire Chief Emails Photo Of Topless Crash Victim

Here is an example of how personnel can take photos and videos and completely invade the privacy of others, particularly those who have no voice to say stop. A Central Florida fire chief will likely lose his job for widely...

UK Imposes Record Fine of $2.54 Million Against Life Insurance Company For Poor Information Security & Privacy Practices

On December 17, 2007 the United Kingdom Financial Services Authority (FSA) fined Norwich Union Life £1.26 million ($2.54 million) for poor information security, privacy and anti-fraud mitigation systems and controls....

Responding To Customers Asking About Your Company's Use of SSNs

For the past 10 years I have been driving the same, reliable, non-troublesome car. It still looks good enough (I don't really worry about driving an "it" kind of car). However, it is getting a bit rattly, and my friends...

FTC Settlement For Marketing Via Pop-up Ads: Lessons For All Marketers Regarding Consent & Consumer Complaints

I like to keep my eye on the FTC site; they are very active in catching businesses violating the U.S. FTC Act by practicing unfair and deceptive business practices, particularly via the Internet. They really demonstrate the need for privacy...

And The Award For Best Email Security Awareness Film of 2007 Goes To...

I've been seeing a ton of articles and blog postings for the "Best Security Whatever of 2007," "Worst Security Exploits of 2007," "Security Projections for 2008" and so on in the past few weeks. Well, I've got my own "Best...

Be Aware: Court Ruling Allows Circumstantial Evidence In Court Case Against Company That Experienced Privacy Breach

So many times...actually almost every time...a privacy breach occurs the company that experienced the breach makes a public statement similar to, "We have no evidence that the personal information has been used fraudulently" or "We do not believe the information...

California Privacy Breach Law Changes Go Into Effect January 1, 2008: Redefines & Broadens "Personal Information" Definition

California's privacy breach notification law SB1386 started the ball rolling with regard to what is now at least 40 U.S. states, including the District of Columbia, that have breach notice laws. Most of the subsequent state laws largely based theirs...

Email is for "Old People": Do Lack of Laws Make IM and Texting Ripe for Exploiting Children & Teens?

My 13-year-old-niece wrote an article for me about social engineering, and I got a chuckle out of her writing, "Maybe I'm old-fashioned, but I only use email. I don't have my own FaceBook site." Can you imagine email being old-fashioned?!...

5 Things To Do Next Week To Improve Information Security & Privacy

It seems like my to-do list never gets shorter each day; only longer. This was even more true when I was responsible for the information security and privacy program within a large multi-national financial and insurance organization. It seemed the...

Judge Rules University Policy & FERPA Allow Student PII To Be Released

Here's a case I found interesting...the U.S. District Court for the Eastern District of Tennessee ruled on October 24th that providing a group of record company plaintiffs with student personally identifiable information (PII) does not violate the U.S. Family Educational...

Data Will Always Be Less Safe In The Future...I Don't Want To Get Gussied Up To Talk On The Phone

I have a blog problem...there are way too many things I want to blog about and not enough hours in the day to do it! Throughout each day I note news items from the TV, or website news articles, or...

Trending Towards More Business Applied Employee Sanctions For Security Incidents

I've been noticing lately more and more organizations sanctioning their employees for not following information security policies. I first blogged about it recently on September 24 about a hospital actively enforcing sanctions for HIPAA violations, then again on October 10...

Sanctions For Ohio Breach: Lost Vacation Time, Terminations, and a "Resignation"

The Ohio Department of Administrative Services (DAS) has determined that the appropriate sanction for inadequate security practices by the Ohio Department of Administrative Services' Administrative Knowledge System (OAKS) ERP project system team leader, that resulted in the theft of an...

Iowa Universities Provide Examples of Good and Bad Information Security and Privacy

In the past week the two largest universities in Iowa provided examples of both great and poor security practices. Let's see...how about the bad example first?...

Lack of testing, lack of built-in security, and inadequate protection for stored data lead list of PCI noncompliance items

I figured that since the PCI DSS compliance deadline for Level 1 merchants was this past Sunday that there would probably be a ton of published news reports about it on Monday. There were...and today as well! One that caught...

ABN Amro PII Breached Through P2P: Lessons Learned

Much is written about the risks P2P presents to organizations, but many organizations continue to implement P2P technologies, or more accurately allow their personnel to implement them on computers used for business, because they are willing to risk that the...

The Need to Partner Privacy and IT Efforts *FINALLY* Makes The News!

I have long been promoting the concept...more accurately, the NEED...of having IT/Information Security and Privacy (often in the legal area) work closely together in order to not only result in each area being the most effective and efficient in their...

A Hospital Actively Enforcing HIPAA Requirements!

It is great to see a story published about a hospital, actually any type of organization that is a covered entity (CE), that is actively and seriously trying to be in compliance with HIPAA requirements....

Canadian Privacy Commissioners Release TJX Investigation Report

Yesterday the Office of the Privacy Commissioner of Canada and the Office of the Information and Privacy Commissioner of Alberta released their "Report of an Investigation into the Security, Collection and Retention of Personal Information" concerning the TJX breach. The...

Security and Privacy Pros Believe...Yes! Privacy Still Does...Or At Least Can...Still Exist!

Last Friday I had the pleasure of discussing the question of, "Do We Have Privacy Anymore" with a group of highly regarded information security and privacy pros, including:...

New FTC Report Provides Organizations Good Guidance For Protecting PII

Today the U.S. Federal Trade Commission (FTC) released a report, "Combating Identity Theft: Implementing a Coordinated Plan."...

Would You Be More Inclined To Work For A Company That Gave You Identity Theft Insurance As A Benefit?

Last year I had a couple of different identity theft insurance vendors contact me wanting me to endorse their products as they were trying to sell the packages to employers to offer to their employees as part of their total...

PII for 60,000 Lost In Yet Another Incident: Know How To Address The Risks Involved With Entrusting PII To Business Partners

Yesterday yet another incident occurred where a business partner / vendor lost the personally identifiable information (PII) for which they had been entrusted. Americhoice sent a CD containing the PII of 67,000 individuals to TennCare via overnight UPS delivery....

The First Ever HIPAA Audit: Where's The Report? Does It Have Beef?

Gosh, I just had a flashback to the "Where's the Beef" commercial from years ago... :) The U.S. Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule went into effect in April, 2001, and gave covered entities (CEs) two years...

1st Day Of School; Another Example That Everyone Needs Ongoing Security and Privacy Awareness Communications

I've talked several times on this blog about my sons, and how they've really resonated with the information security and privacy discussions and information I've given them. They notice privacy risks and security problems when we're out in stores or...