Search Realtime IT Compliance
Entries from Realtime Community | IT Compliance tagged with 'personally identifiable information'
Smart Grid Privacy: Possible Privacy Standards To Address Concerns
Sorry to be so tardy in getting a blog post out. As many of you know I've been working with the NIST Smart Grid Privacy Subgroup since late June. The work done for this group is through time volunteered by...
15 Smart Grid Privacy Concerns + Other Smart Grid Thoughts
I've had about half a dozen folks ask me how things are going with the work I'm doing with the NIST Smart Grid privacy group, and if I could provide an update since my last couple of posts on the...
HIPAA And Surveillance In Hospitals
Over the years there have been many...too many...instances where doctors have performed the wrong types of surgeries on patients, and even the wrong surgeries on completely wrong patients......
CEs and BAs: Be HIPAA/HITECH Compliant Or Pay A Hefty Penalty
The HHS released HITECH Act Enforcement Interim Final Rule today......
Smart Grid Privacy: Laws and Implications
I was recently asked several questions about my work with the NIST Smart Grid privacy group and associated issues. Here are a couple of those questions, and my answers to them......
Who Are Your Business Associates?
Since just before HIPAA went actively into effect I've done a lot of HIPAA compliance work for covered entities (CEs). In the past few years I've done around 200 business associate (BA) information security and program reviews for just one...
HIPAA/HITECH Etc. Retention: Does Your Reality = Your Requirements?
Last month I had the great pleasure of being a guest on Scott Draughon and Anyck Turgeon's MyTechnologyLawyer.com radio show for a segment entitled, "Is encryption enough to achieve privacy?" I was pleasantly surprised to see a large number of...
Proposed HIPAA Privacy Rule Change Explicitly Makes Genetic Info PHI
An important element of data protection compliance is knowing, identifying and inventorying the applicable information......
Privacy For The Deceased
Late last month I posted, "HIPAA/HITECH Breach Notice Rule: Applies To PHI of Deceased Individuals + Training A Key Element" and since then I've had around half a dozen or so folks ask me to write about privacy for the...
10 Smart Grid Consumer-to-Utility Privacy Concerns; Are There More?
I have had the great opportunity to participate in the NIST Smart Grid privacy standards group since July......
Don't Throw Your Privacy Out The Window; Know How Your PII Is Used
A couple of week's ago I had the great opportunity and pleasure to speak with the both equally delightful and brilliant Anyck Turgeon and Scott Draughon on MyTechnologyLawyer.com about "Is encryption enough to achieve privacy?" The feedback and followup to...
How To Do Privacy Impact Assessments
Last week I was very fortunate to be able to speak at the IAPP Privacy Academy in Boston......
What Happens To Privacy During Pandemics?
I am talking to increasing numbers of privacy and information security pros who are concerned about not only getting their pandemic plans in place, but also wanting to know what kinds of privacy issues need to be addressed within the...
Is Encryption Enough to Achieve Privacy?
Of course the answer is no. But there are many reasons! Tune in this afternoon at 4:00pm Pacific time to hear Anyck Turgeon, Scott Draughon and me discuss this topic and talk about encryption laws and the impacts to privacy....
HITECH Impacts Over 734,178 "Small Business" HIPAA Covered Entities
The Department of Health and Human Services (HHS) 45 CFR Parts 160 and 164: "Breach Notification for Unsecured Protected Health Information; Interim Final Rule" (Breach Notice Rule) has been written about a lot. But much of what is written overlooks...
HITECH Act Virtual ToC
This was another very busy week, and I didn't have a chance to post as much as I would have liked. Part of what kept me busy was an unusually increased amount of email......
HHS & FTC Breach Notice Rules: First Time NIST Standards Specifically Referenced
The Department of Health and Human Services (HHS) issued their interim final rule for breach notification standards on August 19. Federal Trade Commission (FTC) issued their final rule of breach notification standards on August 17. The HHS rule covers all...
Fired Because Photo of Surgery Room Was A "HIPAA Violation"
I received a very interesting question yesterday, and I wanted to share it and my response here because it is a great HIPAA topic to discuss that I have not seen written about before. I've removed the identifying information, and...
8,918 HIPAA Violation Investigations Have Required Corrective Actions
Here are some important websites to bookmark for you to reference when you need help...beyond what I have on my blog and at my website :)...if you are a US Health Insurance Portability and Accountability Act (HIPAA) Covered Entity (CE)...
HIPAA/HITECH Breach Notice Rule: Applies To PHI of Deceased Individuals + Training A Key Element
After a few days unable to make time to post to the blog, or technical difficulties preventing me when I did make time, I'm happy to resume my posting! Today I want to offer a few thoughts about the breach...
You Need These Things When You Get HIPAA Audited!
I get a bit irritated when I see a vendor touting their "compliance solution" products as making organizations "HIPAA Compliant" or "PCI DSS Compliant" or whatever your regulation of choice happens to be, and then, upon inspection of their products,...
OCR Adding To Staff For Increased HIPAA Compliance Enforcement Activities
Monday the HHS announced they were moving responsibility for both HIPAA Security Rule and Privacy Rule under the OCR. That same day they also announced they were expanding the HIPAA "privacy enforcement team." (Scroll down on this page to see...
OCR Adding To Staff For Increased HIPAA Compliance Enforcement Activities
Monday the HHS announced they were moving responsibility for both HIPAA Security Rule and Privacy Rule under the OCR. That same day they also announced they were expanding the HIPAA "privacy enforcement team." (Scroll down on this page to see...
HIPAA Enforcement Will Improve With OCR Responsible for Both Privacy Rule & Security Rule
Today the US Department of Health and Human Services (HHS) announced that the OCR will now be responsible for both the HIPAA Privacy Rule and the Security Rule. Perhaps this is an indicator of more enforcement to come. As a...
(Lack Of) Encryption Is A Basis For Notification Under The HITECH Act
This week one of my tweeps asked me the following: "What's your interpretation of encryption obligations for PHI data-at-rest under HITECH? Many parties are sweating this now." Great question!...
HITECH Act: Breach Notification Is Necessary Based Upon Items Used In De-Identification
Continuing along the discussion of the HITECH Act this week, I want to consider a couple of questions I recently discussed with a CISO at a healthcare insurer about when breach notification is necessary......
Is This A Breach Under The HITECH Act Definition?
This week I want to take a closer look at some of the issues and requirements within the HITECH Act, which dramatically expands the reach and requirements under the U.S. Health Insurance Portability and Accountability Act (HIPAA)......
New MO Breach Notice Law: Encryption Safe Harbor? Yes. Encryption Def Good? No!
On July 9, 2009 the Missouri governor signed House Bill No. 62 into law, and it included section 407.1500, which is the requirement for giving privacy breach notice. Since I'm focusing this week on encryption laws, I want to take...
Has Massachusetts Encryption Law Stopped It's Evolution?
This week I want to take a look at encryption laws. Only a few short years ago no law or regulation really had explicit encryption requirements. HIPAA, passed in 1996 with effective compliance deadline requirements in 2003 (Privacy Rule) and...
What is PII? How About "Publicly Available" Info?
There is much debate about what specific types of items should be considered as personally identifiable information (PII). A common topic of debate is; if information can be found publicly does that mean it is not PII?...
What is PII? How About Groups Of Otherwise Non-PII?
I want to continue my look at the concept of personally identifiable information (PII), and what types of items, in particular, are considered as such......
What is PII? How About IP Addresses?
This week I want to look at the concept of personally identifiable information (PII), and what types of items, in particular, are considered as such......
Stolen Print Documents With PII Found On Crook; Otherwise UCM Would Not Have Known The Reports Were Stolen
Late last week one of my alma maters, the University of Central Missouri, reported that two printed computer reports containing 7000 students' names, social security numbers, phone numbers, addresses, and birthdates were stolen from somewhere on the campus....
South Carolina & Alaska Privacy Breach Notice Laws Go Into Effect July 1
This week two more U.S. breach notice laws go into effect......
5 Common, Dumb and Dangerous Privacy Assumptions
Today Kevin Beaver posted a nice article, "Dumb things IT consultants do" that included more than one warning about making assumptions. Kevin's nice post made me think about all the dangerous assumptions consulants and practitioners often make when it comes...
Rights for Privacy Breach Victims
I received a provacative question on Twitter last week from idExperts, "If you had a wish list of rights for identity theft victims, what would that be?" Sounds like a great blog topic! :) Here are my thoughts......
New Guidelines for Safeguarding Personal Data
Happy U.S. presidential inauguration day! :) Did you take off a few minutes of work to watch the inauguration? I wasn't going to, was planning to just catch videos on the news sites or YouTube later, but then I did,...
Business Info Fact Of The Day: Smart Business Leaders Encrypt PII
If you are a business leader you must know and understand that encrypting personally identifiable information (PII) protects that PII from being used for identity theft and other crimes should it fall into the hands of a crook. Business leaders...
Business Info Fact Of The Day: PII Sent Through The Mail Is Often Stolen Or Lost
Over the years I have heard many times by my various government friends, even following too many mis-deliveries and lost packages to enumerate here, that packages and letters sent via the US postal service, and even through other delivery organizations...
FEMA Records Of 16,000 Katrina Victims Posted Online
How did the following happen...there are many options...insider threat? Poor IT storage controls? Poor applications development controls? Perhaps using real personally identifiable information (PII) for test purposes? Hacker break-in? Through an outsourced company with access to the PII, but who...
New Family Educational Rights and Privacy Act (FERPA) Regulations
New FERPA Regulations were issued yesterday......
Cybercriminals Threaten To Post Millions Of PII Records For Express Scripts Customers
Just last month I blogged about the new Identity Theft Enforcement and Restitution Act of 2008. It covers extortion. I'm interested to see if it gets used for the latest extortion attempt......
State of New York Issues Guide For Protecting PII
The State of New York just released a general guide to the protection of personally identifiable information (PII)......
Company Uses Negotiated Checks For Packing Material!
Not much surprises me any more with regard to some of the silly things that organizations do with printed PII that put the involved individuals at risk. However, I was surprised when I watched an ABC News report this morning......
Whose PII Is Covered Under the EU Data Protection Directive?
I got a great question from a business friend of mine, and I wanted to provide my answer here, too, because it is something all multi-national organizations need to think about. Eric Nelson, who heads Secure Privacy Solutions asked, "If...
17 Info Security & Privacy Topics Call Center Staff Must Understand
Okay...back to my continuing lecture on the need to provide targeted training on specific information security and privacy topics to the various responsibility groups throughout your enterprise. Consider this; what if you took a driver's education class and all they...
People Need Periodic, Effective, Training And Ongoing Awareness To Truly Safeguard Information
Imagine this; what if you were given training just one time, in a 1-hour session with no hands-on practice, for how to do first aid and give CPR and then were never given more training or reminders about how to...
Call Center Folks Have Huge Amounts Of Access TO PII
Need more reasons from my post from yesterday about why call centers need targeted training and ongoing awareness? If so, then here is the second part of the third article, "Providing Call Centers with Information Security and Privacy Education," in...
The Area With The Most Customer Contact Usually Has The Least Information Security and Privacy Training
Think for a few moments about the area in your company that has the most, or close to the most, direct contact with your customers and consumers......
Internal Threat Example: Lending Tree Privacy Breach And Civil Suit
Last month (May 2008...yes, it is June already!) Lending Tree got slapped with a civil suit alleging their personnel allowed mortgage lenders access to customer's personally identifiable information (PII) and other confidential information. The suit charges that Lending Tree did...
Let Your Personnel And Family Know About This Phishing Scheme That Spoofs Amazon
When was the last time you warned your family members, friends and/or personnel about the new phishing schemes that are being launched? There are many phishing scams going on right now, and they are widely reported and talked about. I...
Business Leader Primer for Effective Information Disposal
I've been talking a lot lately about the need for business leaders to more effectively address the secure disposal of information, particularly personally identifiable information (PII). Why? Because it seems like more and more attention is being given to security...
Insider Threat Example: Bank Worker Sentenced To 36 Months In Prison; + Prison Terms For Others In Cahoots
I've been doing some research for insider threat training content I'm creating, and I ran across a recent judgment against a bank employee for identity theft. This provides some good lessons to organizations for the insider threat, and would make...
Iowa Privacy Breach Bill Has Much Of Its Teeth Pulled
Iowa introduced a new bill, SSB 3200, on February 20 to establish a state privacy breach notification law. As originally worded it would have also required merchants to follow credit and debit card industry data security rules and make them...
3rd HIPAA Criminal Indictment; Another Insider Job
On February 15, Leslie A. Howell, from Oklahoma City, OK, was indicted for violating the Health Insurance Portability and Accountability Act (HIPAA) of 1996 as part of an identity theft scheme....
Will Bad News Come in 3's For Health Net?
In the past several days Health Net made the news...in ways they would rather not have... First this on 2/22:...
Great Information Security and Awareness Event Coming In April
There's a great information security and privacy awareness event coming up, Internet Safety Night on April 23, 2008, 6:30-8:30 p.m....
Have You Reviewed the FTC's Proposed Privacy Principles Yet?
If you are responsible for information security or privacy at your organization, and your organization does marketing, here is something you need to know about and discuss with your marketing folks. I blogged about this in December....
$54 Million Lawsuit Against Best Buy For Losing Laptop
I knew the civil suits for lost laptops would start soon. Thanks so much to my buddy Alec for pointing out this story to me! Raelyn Campbell took a laptop computer to Best Buy to get fixed, and three months...
Give a Hoot, Don't Privacy Pollute!
I just saw a term that can be used really well with non-technical folks, "data pollution." I wish I had thought of that term!...
Today Google Provides Another Path For Data Leakage
Here's one more thing for IT, Information Security and Privacy folks to put on their list of things to worry about......
Encryption So Easy Even A Terrorist Can Use It
It seems all business leaders would understand by now, after literally thousands of privacy incidents in recent years, that they need to encrypt personally identifiable information (PII) stored on mobile computers and mobile storage devices, and when sending PII through...
Social Engineering Schemes Increase: Great Case Study From An Actual Event
Last month I finished the second issue of my Protecting Information publication and the topic couldn't be more timely: social engineering. Just today I have already read in my daily news items 5 articles about social engineering! One in particular,...
Insider Threat Example: Programmer Sentenced To 30 Months In Jail And $81,200 Fine
Here's a case I blogged about amost exactly a year ago, but it is worth revisiting since the sentencing for the crime was just handed down and it was significant. If you haven't already, put this in your file of...
Terrorists Over 50 Don't Fly According To The DHS
I just read this and found the implication that folks over 50 years of age are not terrorist threats rather odd. Today the U.S. Department of Homeland Security released some new rules related to READ ID....
13 Minnesota Students Disciplined For Facebook Photos
I've blogged several times, such as here, here and here, about how information posted to the Internet, such as on Facebook and other social networking sites, cannot be considered as being private or secure, have been used to make hiring...
Egregious Privacy Infringment: Fire Chief Emails Photo Of Topless Crash Victim
Here is an example of how personnel can take photos and videos and completely invade the privacy of others, particularly those who have no voice to say stop. A Central Florida fire chief will likely lose his job for widely...
UK Imposes Record Fine of $2.54 Million Against Life Insurance Company For Poor Information Security & Privacy Practices
On December 17, 2007 the United Kingdom Financial Services Authority (FSA) fined Norwich Union Life £1.26 million ($2.54 million) for poor information security, privacy and anti-fraud mitigation systems and controls....
Responding To Customers Asking About Your Company's Use of SSNs
For the past 10 years I have been driving the same, reliable, non-troublesome car. It still looks good enough (I don't really worry about driving an "it" kind of car). However, it is getting a bit rattly, and my friends...
FTC Settlement For Marketing Via Pop-up Ads: Lessons For All Marketers Regarding Consent & Consumer Complaints
I like to keep my eye on the FTC site; they are very active in catching businesses violating the U.S. FTC Act by practicing unfair and deceptive business practices, particularly via the Internet. They really demonstrate the need for privacy...
And The Award For Best Email Security Awareness Film of 2007 Goes To...
I've been seeing a ton of articles and blog postings for the "Best Security Whatever> of 2007," "Worst Security Exploits of 2007," "Security Projections for 2008" and so on in the past few weeks. Well, I've got my own "Best...
Be Aware: Court Ruling Allows Circumstantial Evidence In Court Case Against Company That Experienced Privacy Breach
So many times...actually almost every time...a privacy breach occurs the company that experienced the breach makes a public statement similar to, "We have no evidence that the personal information has been used fraudulently" or "We do not believe the information...
Email is for "Old People": Do Lack of Laws Make IM and Texting Ripe for Exploiting Children & Teens?
My 13-year-old-niece wrote an article for me about social engineering, and I got a chuckle out of her writing, "Maybe I'm old-fashioned, but I only use email. I don't have my own FaceBook site." Can you imagine email being old-fashioned?!...
5 Things To Do Next Week To Improve Information Security & Privacy
It seems like my to-do list never gets shorter each day; only longer. This was even more true when I was responsible for the information security and privacy program within a large multi-national financial and insurance organization. It seemed the...
Judge Rules University Policy & FERPA Allow Student PII To Be Released
Here's a case I found interesting...the U.S. District Court for the Eastern District of Tennessee ruled on October 24th that providing a group of record company plaintiffs with student personally identifiable information (PII) does not violate the U.S. Family Educational...
Data Will Always Be Less Safe In The Future...I Don't Want To Get Gussied Up To Talk On The Phone
I have a blog problem...there are way too many things I want to blog about and not enough hours in the day to do it! Throughout each day I note news items from the TV, or website news articles, or...
Trending Towards More Business Applied Employee Sanctions For Security Incidents
I've been noticing lately more and more organizations sanctioning their employees for not following information security policies. I first blogged about it recently on September 24 about a hospital actively enforcing sanctions for HIPAA violations, then again on October 10...
Sanctions For Ohio Breach: Lost Vacation Time, Terminations, and a "Resignation"
The Ohio Department of Administrative Services (DAS) has determined that the appropriate sanction for inadequate security practices by the Ohio Department of Administrative Services' Administrative Knowledge System (OAKS) ERP project system team leader, that resulted in the theft of an...
The Need to Partner Privacy and IT Efforts *FINALLY* Makes The News!
I have long been promoting the concept...more accurately, the NEED...of having IT/Information Security and Privacy (often in the legal area) work closely together in order to not only result in each area being the most effective and efficient in their...
Canadian Privacy Commissioners Release TJX Investigation Report
Yesterday the Office of the Privacy Commissioner of Canada and the Office of the Information and Prrivacy Commissioner of Alberta released their "Report of an Investigation into the Security, Collection and Retention of Personal Information" concerning the TJX breach. The...
Security and Privacy Pros Believe...Yes! Privacy Still Does...Or At Least Can...Still Exist!
Last Friday I had the pleasure of discussing the question of, "Do We Have Privacy Anymore" with a group of highly regarded information security and privacy pros, including:...
A Military Grade Encrypting Self-Destructing USB Drive Makes A Great Gift!
This morning I was doing some of my Christmas gift shopping...yes, I like to get mine done early! :) Any way, I'm thinking about getting an Ironkey encrypted USB drive for some of my relatives who are in dire need...
New FTC Report Provides Organizations Good Guidance For Protecting PII
Today the U.S. Federal Trade Commission (FTC) released a report, "Combating Identity Theft: Implementing a Coordinated Plan."...
Would You Be More Inclined To Work For A Company That Gave You Identity Theft Insurance As A Benefit?
Last year I had a couple of different identity theft insurance vendors contact me wanting me to endorse their products as they were trying to sell the packages to employers to offer to their employees as part of their total...
PII for 60,000 Lost In Yet Another Incident: Know How To Address The Risks Involved With Entrusting PII To Business Partners
Yesterday yet another incident occurred where a business partner / vendor lost the personally identifiable information (PII) for which they had been entrusted. Americhoice sent a CD containing the PII of 67,000 individuals to TennCare via overnight UPS delivery....
U.S. Attorney General Gonzales Resigns; Will New AG Support Privacy?
I just saw on CNN that U.S. Attorney General Alberto Gonzales just resigned today....
1st Day Of School; Another Example That Everyone Needs Ongoing Security and Privacy Awareness Communications
I've talked several times on this blog about my sons, and how they've really resonated with the information security and privacy discussions and information I've given them. They notice privacy risks and security problems when we're out in stores or...
Information Security Awareness in Europe...The Issues Are the Same Worldwide
on 8/22/2007 a very interesting and useful report was released by the European Network and Information Security Agency (ENISA), "Information security awareness initiatives: Current practice and the measurement of success."...
U.S. Dept. of Homeland Security Makes 14 Privacy Impact Assessments Available
I am a huge proponent of privacy impact assessments (PIAs); basically risk assessments for privacy. PIAs can reveal gaps in privacy practices, along with the information security practices used to protect privacy. They are important and effective exercises for all...
You Will Be Judged By The Company You Keep: 4 Good Reasons (And More) To Ensure Your Business Partners Have Good Information Security Programs
Over the past few years I have done well over a hundred business partner security program reviews for organizations who wanted to ensure that the organizations to whom they were entrusting their sensitive data, or other business processing, had appropriate...
Boiling Down PCI DSS Compliance; It's Really Just Common Sense Information Security
I subscribe to many (sometimes I think too many) assorted email newsletters that cover a wide range of compliance issues. One came through today from the IT Compliance Institute with the subject line, "PCI fails, Fidelity breach, death by upgrade,...