Entries from Realtime Community | IT Compliance tagged with 'government'

New FTC Spam & Phishing Report

On December 28 the U.S. Federal Trade Commission (FTC) made a new report available to the public, "Spam Summit: The Next Generation of Threats and Solutions." The report describes the findings from a July 2007 workshop the FTC hosted, and...

Judge Rules University Policy & FERPA Allow Student PII To Be Released

Here's a case I found interesting...the U.S. District Court for the Eastern District of Tennessee ruled on October 24th that providing a group of record company plaintiffs with student personally identifiable information (PII) does not violate the U.S. Family Educational...

Do Something To Change Information Security, Privacy and Compliance...Contact Congress!

I, along with a very large number of other bloggers, writers and instructors, often pick apart data protection and privacy laws and regulations, and point out how certain portions of them are infeasible for most organizations to implement, and talk...

Judge Rules USA PATRIOT Act Breaks Separation of Powers Requirements

There was some very interesting news in the Kansas City Star today; "Judge strikes down part of Patriot Act"...

International PII Data Transfers: New Requirements from Spain

In this global economy it is important for you to know, understand and follow the data protection laws in all the countries where you have offices, have customers, store personally identifiable information (PII) and from where PII is accessed. Each...

PCI DSS and Identity Theft

Over the past month or so I've been discussing the Payment Card Industry (PCI) Data Security Standards (DSS) with some of my information assurance practitioner friends and colleagues and what they've been doing to meet the requirements and accompanying challenges....

Did You Know This About U.S. Bank Check Processing Compliance?

I'm thankful to be able to have my own company of one to do what I enjoy so much with information security, privacy and compliance. I am also an active part of managing the farm business for my family. With...

UK Annual Privacy Report: Businesses Need To Give Individuals Access to Their PII, and More Awareness and Training Is Needed

Monday I talked about France's 2006/2007 CNIL privacy report. The United Kingdom (UK) also recently released their 2006/2007 data protection report....

Data Protection & Privacy Noncompliance Fines Increasing in France

The French Data Protection Authority (CNIL) made some interesting statements last week in their annual report, covering June 2006 through June 2007, about some fines they've given during the past 12 months for non-compliance with their data protection laws....

HIPAA Violation in Divorce Proceeding?

During a divorce case in Illinois, K.S. Kim claimed a hospital violated HIPAA by sending her health records to her ex-husband's attorney....

OMB Sets Security Configuration Contracts Language for Acquisitions

On June 1 the U.S. Office of Management and Budget (OMB) released recommended language for all federal government chief information officers for required common security configurations for Windows computer operating systems that should be included in acquisitions solicitations to information...

"Getting Tough" With Information Security Is Really Just Getting Smart

Today I saw the headline, "Energy gets tough on laptop use" in Government Computer News and I was curious to see that the story was about how the U.S. Department of Energy (DOE) is going to start actually enforcing their...

New Tennessee Law Prohibits Using Federal Individual Taxpayer ID as Proof of Immigration Status

I recently did a very interesting project doing a data flow analysis and risk assessment of I-9 documents processing for a large multi-national company....

It's Hard to Keep Secrets When You Entrust Them To Others

When you entrust sensitive information to a contracted company or individual, you are also accepting risk. If you do not perform due diligence to ensure your contractor has effective safeguards in place, and understands that your information is sensitive, and...

Outsourced Company's Unsecure Application Makes U.K. Passport Applicant PII Available to Everyone On the Internet

On May 18 the U.K. Data Protection Commissioner said in a Channel 4 news report he's going to investigate why an online visa application system allowed the personally identifiable information (PII) of around 50,000 applicants from India who had applied...

A Twist Within a New State Breach Notice Law: Maryland's Also Requires Information Security Safeguards

Here's something that you don't see in other states... On May 17, Maryland Governor Martin O'Malley signed into law two identical bills, one from the House and one from the Senate, that require businesses to notify state residents if their...

More Reason to Strengthen Information Security: New MN Law Restricts How Long Merchants Can Retain Purchase Information

To date we have at least 37 U.S. states that have enacted breach notice laws, (Maryland's new breach notice law was signed May 17th), but these address how to react AFTER personally identifiable information (PII) has been compromised. Multiple federal-level...

Emergency and Disaster Planning: Government Establishes a Limited Time Pandemic Flu "Blog Summit"

Ever since talk of the bird flu pandemic started making the news in 2005, information assurance folks have talked about how this could affect them and their efforts. There have been some very interesting viewpoints and insights. Most related to...

Many New U.S. State and Federal Privacy Bills Introduced, and Some New State Data Protection Laws Signed

Boy oh boy, do we ever need a comprehensive federal data protection law in the U.S.! Each week more and more state level laws are introduced, many of them passed, all dealing with different aspects of data protection, and all...

Two U.S. Federal Data Protection Bills Approved: One May Actually Make It Through

It looks like we may actually get a federal data protection law, that includes breach notice requirements, this year. Such a law is long overdue; not only to protect personally identifiable information (PII), but also to help businesses to resolve...

Deadline is Today for Submitting Comments to the DHS About Draft REAL ID Rules

The Department of Homeland Security (DHS) published draft rules regarding REAL ID. Comments are due by 5:00 PM Eastern Time *TODAY*....

France Fines Tyco Healthcare: U.S. Companies, You MUST Know and Follow International Data Protection Laws

In April the French Data Protection Authority (CNIL) reported they had issued a $40,972 fine against a subsidiary of U.S.-based Tyco Healthcare in March for inadequate storage safeguards and cross-border transfer of employee personally identifiable information (PII)....

Data Security: OECD Publishes New Privacy Guidelines for Accessing Data From Publicly Funded Research Projects

On May 3 the Organisation for Economic Co-operation and Development (OECD) released a new 24-page guideline, "Principles and Guidelines for Access to Research Data from Public Funding" for organizations in governments throughout the world regarding access to data from publicly...

Employee Privacy & New Credit Check Law In Washington State Impacts Employers: Joins Similar Laws In 4 Other States

Doing background checks on potential employees, and regularly for certain positions with significant access to personally identifiable information (PII) or management capabilities, has been a growing trend in recent years. Such checks are viewed as ways to help prevent putting...

HIPAA: More Changes and Initiatives by HHS

I've been reading so much about HIPAA lately; no enforcement actions yet, but a lot of changes, proposals and initiatives. Two more I read about recently:...

HIPAA: Advisory Workgroup Proposes PHI Security and Privacy Requirements Should Apply to All Organizations

The Department of Health and Human Services (HHS) has a Confidentiality, Privacy, and Security Workgroup, also known as the American Health Information Community, that is made up of practitioners, IT folks, lawyers and other leaders outside of the government who...

Free Information Security Training Workshops from FISSEA

The information security and privacy incidents tally continues to grow every day, the threats and vulnerabilities continue to appear every day, and information security and privacy professionals have a hard time keeping up with them all, not to mention keeping...

Privacy Act: FTC Proposes Allowing Disclosure of PII Records to Third Parties To Assist Data Breach Response Within Gov't Agencies

On March 29 the FTC published a proposed new routine use, (72 Fed. Reg. 14814, 3/29/07), that would allow FTC records governed by the Privacy Act to be disclosed to "appropriate" persons and entities when reasonably necessary to respond and...

U.S. ONDI and DOD Standardizing Security Policies

The Office of the National Director of National Intelligence (ONDI) and the Department of Defense (DoD) announced they are going to standardize their information security policies. The work on the standardization started 8 months ago....

Government Compliance: FBI Director Says USA PATRIOT Act Doesn't Need Changes; That FBI Is To Blame for Associated Problems

Today U.S. FBI Director Robert Mueller appeared before the Senate Judiciary Committee and testified that there are no problems with the USA PATRIOT Act, but that the FBI did not implement the Act appropriately....

U.S. Dept of Homeland Security Creates National Computer Forensic Institute

On March 9 the U.S. Department of Homeland Security (DHS) announced the creation of a National Computer Forensic Institute....

Most U.S. Government Agencies Still Not E-FOIA Compliant 10 Years Following Enactment; Disregard for Laws Also Leads to Disregard for Security Requirements

On March 12 the National Security Archive at George Washington University issued their report, "The Knight Open Government Survey 2007." Basically the study looked at how many of the 149 U.S. government agencies they surveyed were in compliance with the...

Identity Theft Example: It's Not All About Going On Spending Sprees; And A Really Bad Texas Bill

In January I blogged about how at least 220 illegal immigrants working for Swift and Company were charged with identity theft. As a follow-up to that story, last Friday the first of the convictions was handed down....

USA PATRIOT Act: FBI Is Underreporting Their Use Of This Law To Order Businesses to Monitor Email, Phone Calls and Financial Information

CNN reported today that a U.S. Department of Justice (DoJ) audit finds the FBI has not kept good track of how many times they have ordered businesses to monitor emails, telephone records and financial information. The report has not...

Office Email Systems Are Not For Personal Use: Common Sense Reminders For Your Employees

Sunday the New York Times printed a nice article about email privacy and monitoring, "The Risk Is All Yours in Office E-Mail"...

Addressing Web-Based Access and Authentication Challenges

Many incidents occur through access control and authentication vulnerabilities. Just consider the recently reported Fruit of the Loom incident that allowed easy access to 1,006 names and Social Security numbers of former employees. It is likely poorly constructed and inadequately...

U.S. Federal CIOs More Concerned About Information Security and Privacy Than In the Past

Monday (2/26) the ITAA issued a press release reporting the results of a survey of 47 government CIOs. They found that:...

Legislation Passed to Strengthen Bush's Privacy and Civil Liberties Oversight Board

On February 15 the Senate Homeland Security and Governmental Affairs Committee approved legislation with provisions to strengthen President Bush's Privacy and Civil Liberties Oversight Board. The provisions were part of a bill, the "Improving America's Security Act of 2007" (S....

U.S. Privacy Related Bills Introduced February 15 & 16

Before the U.S. House adjourned February 16 and the Senate adjourned February 17 for a week-long recess, they submitted some bills with privacy impacts....

Exploring Identity Verification Solutions and Identity Theft Prevention

Earlier this week the FTC announced in a press release an identity theft prevention workshop they are hosting April 23 - 24....

Audit Reveals Poor Computer & Data Disposal Practices At Idaho National Laboratory

Yesterday Government Computer News reported bad computer disposal methods at the Idaho National Laboratory that leaves confidential and restricted data, including nuclear details, vulnerable....

Laptop Theft: Financial Company Given $1.9 Million Penalty Following Incident for Inadequate Security Program

For the first time, the United Kingdom financial regulators, the U.K. Financial Services Authority (FSA), gave a financial institution, the Nationwide Building Society, the U.K.'s largest "building society" (a member-owned mortgage lending and banking services institution) a penalty for poor...

VA Suspends Medical Research Following Most Recent Breach Until Security Certification Is Obtained

Saturday, 2/17/07, it was widely reported that the U.S. Veterans Affairs (VA) was suspending "activities at seven specialized research centers across the country after an unprotected computer hard drive disappeared from one of the facilities in Alabama last month."...

Privacy: How to handle individual access requests in the UK in compliance with the Data Protection Act

In many countries, such as in all 25 of the European Union states and within Canada, just to name a few, individuals have the legal right to request from organizations a verification of whether or not the organization has information...

Privacy Breach, Hackers and Lawsuits: Iowa Department of Education, Microsoft and Perkins Omelettes; Oh My!

There's been enough interesting information security and privacy news here in my own frigid (subzero) snowy back yard in central Iowa to keep me from looking beyond the state for discussion material. Well yes, I did look beyond anyway...what I...

HSPD-12 and U.S. Government Agency Authentication and Access Controls

Creating technologies that authenticate users with a high degree of confidence has always been a challenge, not only because of the typical complexity of the systems, but also because of the amount of confidence that must be placed within the...

Privacy Breach: FBI Loses Laptops Each Month Despite 2002 Audit Telling Them To Improve Practices

Today the U.S. Department of Justice (DOJ) released the "The Federal Bureau of Investigation's Control Over Weapons and Laptop Computers Follow-Up Audit" report. As you can tell by my post title, this should be a very embarrassing report for the...

Privacy Law: Leahy & Specter File Personal Data Privacy Act of 2007 Bill

On Tuesday, February 6, U.S. Sen. Patrick Leahy, D-Vt., and Sen. Arlen Specter, R-Pa., filed legislation, the Personal Data Privacy Act of 2007, that would, among other things, require organizations to notify consumers of security breaches as well as mandate the...

Privacy Breach: Bank in UK Sends Personal Data of 75,000 Customers to 1 Customer Requesting Her Own Statement

The Halifax Bank of Scotland sent the complete account information for 75,000 of their customers to one customer who had requested a copy of her own statement....

HIPAA: Congressional and GAO Reports Say HHS Needs To Make Changes To Protect Patient Privacy

According to a congressional testimony report posted February 1, "Private Health Records: Privacy Implications of the Federal Government's Health Information Technology Initiative," the Department of Health and Human Services (HHS) needs to do more to address privacy and security concerns...

PCI DSS and GLBA Compliance & Privacy Breach: Lawsuits Filed Against TJX

Let's look at the events that have occurred with the recent TJX computer hack and resulting privacy breach and identity thefts:...

CAN-SPAM Violation: TJ Web Productions Must Pay $465,000 Fine And Perform Additional Actions for 5 Years

Yesterday the U.S. FTC and Department of Justice jointly announced a $465,000 penalty against TJ Web Productions for violating the CAN-SPAM Act....

Puget Sound Energy Ordered to Pay $995,000 For Selling Customer Personal Information

Puget Sound Energy, Washington state's largest electricity and natural gas utility, with over 1 million customers in 11 western Washington counties, was ordered to pay a total of $995,000 in fines for selling their customer information to marketing companies over...

Routine Personal Information Posting in the U.S. State Government Agencies

NBC news ran a story about how many state government agencies post sensitive personally identifiable information (PII) on their websites. In this case an Ohio county court "routinely posted traffic tickets and other public records on its Web site."...

Info Sec and Privacy Pros Need Ongoing Training

I write a lot about the need for a comprehensive and ongoing information security and privacy education program within organizations. Many people do. More is needed. However, something that I don't see written about much is the need for information...

U.S. Commerce Dept's CISO Leaves for the GAO Asst. Director of Security Position

There was an interesting short article from the Government Computer News today, "CISO leaving Commerce for GAO."...

Awareness and Training Example: Privacy Impacts Throughout the Day

There was a very interesting article in the Washington Post today, "Enjoying Technology's Conveniences But Not Escaping Its Watchful Eyes" This documentary of the day in the life of a woman shows how privacy issues are encountered throughout the day,...

PIPEDA Action: Canadian Airline Refuses to Make Changes After Customer Complains

The Office of the Privacy Commissioner of Canada published findings last week for a PIPEDA case in which an individual complained that a Canadian airline refused to give him access to his personal information. It is interesting that the names...

Laptop Incident: N.C. Dept of Revenue Laptop Theft Puts 30,000 Residents At Risk

Today the North Carolina Charlotte Observer reported a laptop was stolen from the car of an N.C. Department of Revenue employee in December. They mailed letters to all 30,000 individuals this week. According to the report this is the first...

RFID Silliness: Is The Eagle on Your Coin Watching You?

I saw an article on Yahoo news yesterday, "U.S. warns about Canadian spy coins," that pointed out a warning issued by the U.S. Defense Security Service about Canadian coins being used to track U.S. government contractors. The CIA has information...

Outsourcing: Dubai Strengthens Data Protection Law

On Monday (1/8) the Dubai International Financial Centre (DIFC) implemented a stronger Data Protection Law and appointed a Data Protection Commission to oversee the DIFC. "The Data Protection Law, which has been amended following a period of public consultation, ensures...

HIPAA Mobile and Remote Computing Security Guidance from CMS

Today I received notice that the Centers for Medicare & Medicaid Services (CMS) just issued a new publication, "Security Guidance for Remote Use" which is actually dated 12/28/2006. "This document is intended to provide HIPAA covered entities with general information...

12 Privacy-Impacting U.S. Federal Bills Introduced on January 4

On January 4th the 110th U.S. congress convened for the first time, and they did not waste any time introducing many new bills. 12 of them have privacy impacts. You can find more information about each of these at the...

Identity Theft Examples: Used for Illegal Immigrants

In the past month around 1,300 employees of Swift & Company were detained during immigration raids in Iowa, Nebraska, Texas, Utah, Minnesota and Colorado. As many as 220 of those detained face identity theft charges....

Regulatory Compliance Actions Must Include Effective, Ongoing Awareness and Training Efforts

A great article was published on Law.com today written by Ryan Sulkin, "First Line of Defense Against Data Security Breaches: Employees." There are several points made that I hope business leaders read and take to heart....

Psychotherapy Notes Fiasco and HIPAA: Bad Legislation, Bad Enforcement, or Bad Covered Entity?

The Pittsburgh Post-Gazette ran an interesting story today, "Spread of records stirs fears of privacy erosion." Basically this describes the trials and tribulations of a woman who was denied disability benefits from her insurer following a car accident because of notes...

US SAFE WEB Act Signed Into Law Today

Today the FTC announced President G.W. Bush signed the US SAFE WEB Act into law. "Statement by Federal Trade Commission Chairman Deborah Platt Majoras On US SAFE WEB Act Being Signed Into Law by President George W. Bush I am...

Medical Identity Theft and HIPAA

On Wednesday the Queens Gazette ran a report on medical identity theft. This certainly is an issue of concern. I blogged about medical identity theft earlier this year. Combining identity theft with unauthorized access to medical information certainly can lead...

Six U.S. Bills Related To Data Protection Introduced Dec. 5 - 7

Last week was a busy one for data protection bills for the end of the 109th U.S. Congress. Prior to adjourning, they introduced at least six bills related to data protection....

Demystifying Privacy Laws: What You Need to Know to Protect Your Business

We are undergoing a data protection renaissance. New laws have considerably expanded corporate obligations regarding security and privacy for information in all forms. A significant obligation of the laws is applicable to basically all organizations; the duty to provide reasonable...