
Entries from Realtime Community | IT Compliance tagged with 'privacy breach'


Privacy For The Deceased

Late last month I posted, "HIPAA/HITECH Breach Notice Rule: Applies To PHI of Deceased Individuals + Training A Key Element" and since then I've had around half a dozen or so folks ask me to write about privacy for the...

Stolen Print Documents With PII Found On Crook; Otherwise UCM Would Not Have Known The Reports Were Stolen

Late last week one of my alma maters, the University of Central Missouri, reported that two printed computer reports containing 7000 students' names, social security numbers, phone numbers, addresses, and birthdates were stolen from somewhere on the campus....

Privacy Breach Lesson: Encrypt Mobile Digital PII!

Once more, here is an example of how carelessness and/or a mistake leads to a privacy breach......

HIPAA Sanctions and Convictions Will Increase with HITECH Act & New Administration

Upon reading and researching HIPAA and the impact of the HITECH Act upon it, basically broadening its applicability as well as adding new requirements for privacy breach notifications, I recently was compelled to write an article about what I foresee...

Don't let differing authority levels damage info sec, privacy & compliance collaboration

I first realized the need for information security and legal compliance areas to closely collaborate on converging issues in the mid-1990s while establishing the information security and privacy requirements for one of the first online banks. Over the past 5+...

There Are 47 US State & Territory Breach Notice Laws: 1-Page Listing

Over the weekend I did some research to make sure I am up to date with all the current U.S. state and U.S. territories breach notice laws......

Business Info Fact of the Day: PII Increasingly Stored On MP3 Players

Over the past few months during some of my presentations I've discussed how easily PII can be stored on mobile storage devices that most business leaders and information security folks often do not think about or overlook. One of those...

Business Info Fact Of The Day: PII Sent Through The Mail Is Often Stolen Or Lost

Over the years I have heard many times from my various government friends, even following too many mis-deliveries and lost packages to enumerate here, that packages and letters sent via the US postal service, and even through other delivery organizations...

Business Info Fact Of The Day: Banks In Maine Spent $2.1 Million Responding To Breaches In 2007 & 2008

Maine's Bureau of Financial Institutions, a division of the Department of Professional and Financial Regulation, conducted the survey at the direction of the state legislature that revealed the costs of Maine's banks and credit unions when responding to breaches......

FEMA Records Of 16,000 Katrina Victims Posted Online

How did the following happen...there are many options...insider threat? Poor IT storage controls? Poor applications development controls? Perhaps using real personally identifiable information (PII) for test purposes? Hacker break-in? Through an outsourced company with access to the PII, but who...

Laws & Regulations Require Security & Privacy Training & Awareness

I'm in the final weeks of creating some privacy breach training courses that will not only help personnel to prevent privacy breaches, but also help support compliance with the FACTA Red Flags rule, the at least 45 U.S. privacy breach...

Texas EZPawn Throws Away Its Security Promises and Customers' Privacy and Gets Handed A Significant Penalty

Well, here is yet another company that had a nasty habit of just throwing papers containing their customers' personally identifiable information (PII) into publicly accessible trash cans. On June 24 a Texas judge handed down a civil penalty of $600,000...

Where And How Do You Dispose Of Your Cell Phones and Paper Documents?

Something I'm planning to do this summer with my sons is to do some dumpster diving, with the advice of my police and security services company owner friends, to see just how much personal information is left out for just...

Where And How Do You Dispose Of Your Computers, CDs, USB Drives, Etc.?

In the past few years I've performed over 100 information security and privacy program reviews for the vendors and business partners of my clients, and I have often found these contracted organizations have lax to non-existent to outrageously irresponsible computer...

Internal Threat Example: Lending Tree Privacy Breach And Civil Suit

Last month (May 2008...yes, it is June already!) Lending Tree got slapped with a civil suit alleging their personnel allowed mortgage lenders access to customers' personally identifiable information (PII) and other confidential information. The suit charges that Lending Tree did...

Who Had The Brilliant Idea To Outsource U.S. Passports?

Okay, after the recent passport files snooping debacle I found today's news story, "Outsourcing passports 'profound liability'" very ironic and concerning. Not only for the reported huge waste of taxpayers' dollars, but also for the security risks......

The Benefits of a Privacy Ombudsman

The folks from Cutter just notified me that an excerpt from a recent article I wrote, "Learning from a Privacy Ombudsman: A Case Study to Establish a Healthcare Services Ombudsman," will soon be featured in the "Quote of the Day"...

Yet Another Stolen Laptop With Clear Text Patient PII

Yet another in a long procession of laptop thefts, "Stolen laptop contains personal info of 2,500 patients". Here are the first few paragraphs......

Passport Breach: Poor Security Practices Lead To Privacy Breaches

The breach of the presidential candidates' passport files was widely reported over the past few days, such as here and here, not to mention the many postings referencing it as "passport-gate" throughout the blogosphere and the political implications. However, based...

The Emperors' New Clothes Lack Privacy

Over the past few weeks I've talked to several privacy officers and information security officers about how things are going with their initiatives, funding, and so on. Many from the financial industry, but otherwise a wide range of businesses from...

Information Security and Privacy Areas MUST Collaborate For Their Initiatives To Be Effective

For the past several years I have written often, and given much training, to demonstrate and emphasize the need for information security and privacy areas to collaborate in their efforts. There are just too many topic overlaps between the two...

What Business Leaders Need to Know About Privacy Breach Notifications

The third article in my March e-journal issue of "IT Compliance in Realtime" is "What Business Leaders Need to Know About Privacy Breach Notifications." Here it is, unformatted:...

The "Reasonable Belief" of a Privacy Breach

The second article in my March e-journal issue of "IT Compliance in Realtime" is "The "Reasonable Belief" of a Privacy Breach." Here it is, unformatted:...

My New E-Journal For March Now Available!

Remember when I mentioned in January that I would be devoting more time in 2008 to writing papers to post to this site instead of spending as much time writing long blog postings? Well, the papers I wrote in February...

3rd HIPAA Criminal Indictment; Another Insider Job

On February 15, Leslie A. Howell, from Oklahoma City, OK, was indicted for violating the Health Insurance Portability and Accountability Act (HIPAA) of 1996 as part of an identity theft scheme....

Will Bad News Come in 3's For Health Net?

In the past several days Health Net made the news...in ways they would rather not have... First this on 2/22:...

Have You Reviewed the FTC's Proposed Privacy Principles Yet?

If you are responsible for information security or privacy at your organization, and your organization does marketing, here is something you need to know about and discuss with your marketing folks. I blogged about this in December....

Example privacy breach response plan

Too few organizations are prepared to respond to a privacy breach when it happens. Too many naively believe a privacy breach will not happen to them. It is helpful to look at existing privacy breach notice plans when creating your...

Educational Security Incidents Year in Review 2007

Since I'm talking about "The Anatomy of a Privacy Breach" at Berkeley today, I thought it would be timely to point out a great resource that details the very many privacy breaches that occur within colleges and universities....

The Anatomy of a Privacy Breach

Today I'm flying from the very frigid sub-zero temps of Iowa out to the University of California at Berkeley. I was invited to give a lecture, and considering the ongoing increase in privacy breaches, I chose to talk about "The...

Have You Looked In Your Trash Bins Lately?

It shouldn't still amaze me, but it does, how often so many organizations just dump huge amounts of printed paper containing tons of personally identifiable information (PII) right into their dumpster sitting behind their building, in the alley, or some...

Be Prepared For Privacy Breaches!

This morning I did a podcast interview with bankinfosecurity and they already have it posted! During the interview I answered and expanded upon five questions and issues:...

There Are MANY Software Licensing and Awareness Tools Available For All Business Sizes and Budgets

Earlier this week I posted about one of the Business Software Alliance (BSA) initiatives for enforcing software licensing compliance, "Another Approach To Licensing Compliance." There are *MANY* software licensing tools and awareness communications that businesses of all sizes, and with...

DHS IT Security EBK: Don't Complain After They Are Published...Comment On Them While You Can!

The Department of Homeland Security (DHS) recently released the draft "IT Security Essential Body of Knowledge (EBK)" for public comment and feedback. This 45-page document outlines the skill sets the groups working with the DHS have determined as being necessary...

Do Employers Need GPS And Logs When They Have YouTube and Facebook To Monitor Employees?

I don't know why I continue to be surprised at the stupid things some people do, but apparently some people will never realize how much of themselves they are giving away when they post their pictures and other personal information...

Email is for "Old People": Do Lack of Laws Make IM and Texting Ripe for Exploiting Children & Teens?

My 13-year-old-niece wrote an article for me about social engineering, and I got a chuckle out of her writing, "Maybe I'm old-fashioned, but I only use email. I don't have my own FaceBook site." Can you imagine email being old-fashioned?!...

6 "Scary Stuff" Privacy Terms IT, Info Sec and Privacy Folks Should Know

Robert Ellis Smith sent me an email yesterday to let me know about his most recent article in Forbes magazine, "Scary Stuff." It's a very interesting read and highlights some terms that, to date, I have not seen in print...

Information Security and Privacy Leaders, Get Your Elevator Speeches Ready For Your CxOs!

My father was the superintendent of the public school district where I grew up in Missouri. He was a very hands-on type of leader; when he was not filling out forms, writing reports, making plans, or in meetings he was...

Another Approach To Licensing Compliance

My blog posting from earlier talked about how the MPAA is trying to combat movie piracy. I just visited the LinkedIn site and was intrigued to find an ad from the Business Software Alliance (BSA) offering up to $1,000,000...yes, US...

Don't Throw Away The Privacy Of All And Jeopardize Network Security To Run A Compliance Tool

Many times software designed to enforce legal compliance, or find network users who are breaking laws, bring along with them greater risks to information security and privacy....

Show "Home Alone" To Raise Social Engineering Awareness

I hope those of you who celebrated Thanksgiving had a great one! I spent a very nice day with my family at my brother's house. After getting back home we decided to watch some Christmas movies, so we spent the...

Show Your CFO and CEO the Potential Financial Impact of a Privacy Breach

My central Iowa Infragard president, Tom Conley sent all our members a note on Wednesday with a link to a site that contains 9 variables to help demonstrate the range of financial impact to organizations that experience an incident involving...

Trending Towards More Business Applied Employee Sanctions For Security Incidents

I've been noticing lately more and more organizations sanctioning their employees for not following information security policies. I first blogged about it recently on September 24 about a hospital actively enforcing sanctions for HIPAA violations, then again on October 10...

Sanctions For Ohio Breach: Lost Vacation Time, Terminations, and a "Resignation"

The Ohio Department of Administrative Services (DAS) has determined that the appropriate sanction for inadequate security practices by the Ohio Department of Administrative Services' Administrative Knowledge System (OAKS) ERP project system team leader, that resulted in the theft of an...

Iowa Universities Provide Examples of Good and Bad Information Security and Privacy

In the past week the two largest universities in Iowa provided examples of both great and poor security practices. Let's see...how about the bad example first?...

ABN Amro PII Breached Through P2P: Lessons Learned

Much is written about the risks P2P presents to organizations, but many organizations continue to implement P2P technologies, or more accurately allow their personnel to implement them on computers used for business, because they are willing to risk that the...

New FTC Report Provides Organizations Good Guidance For Protecting PII

Today the U.S. Federal Trade Commission (FTC) released a report, "Combating Identity Theft: Implementing a Coordinated Plan."...

Would You Be More Inclined To Work For A Company That Gave You Identity Theft Insurance As A Benefit?

Last year I had a couple of different identity theft insurance vendors contact me wanting me to endorse their products as they were trying to sell the packages to employers to offer to their employees as part of their total...

Jailtime: for Teen Who Posted Nude Photo of His Ex-Girlfriend on MySpace & for Employee Caught with Illegal Porn

I've talked several times about some of the risks of using the social networking sites, such as here and here. Here is an example of how others can post information about you on these sites that will continue to haunt...

Compliance and Information Security: Common Sense Confirmed

So many times I've heard business leaders complain that the data protection requirements within the multiple laws and regulations only hurt business; that they are not necessary and have no true impact on really protecting data...they are just bureaucratic hoops...

On The Internet, If It Looks, Quacks and Walks Like a Duck, Is It *REALLY* a Duck?

I am a great believer of performing due diligence to ensure potential new hires have no deceptive or malicious skeletons in their past that may be reincarnated after they have been hired and entrusted with access to sensitive information and...

Medical Identity Theft and Bill Requiring Criminal Background Checks In LTC Facilities

I have had relatives very close to me who, because of degenerative diseases and medical problems, have had to go to long term care (LTC) facilities. I always worried about the care they were receiving when I was not around....

Avoid Some Common Email Pitfalls

There are increasing reports of email misuse, malicious use, mistaken use, and just plain bad implementations of email systems that allow the many outside threats and desperado insiders to exploit vulnerabilities. It is most common for information assurance pros to...

The Need to Build Security In: Poor Implementation of Indianapolis Public Schools Website Allows Viewing of PII For 7000+ Students and Teachers

Today Monsters and Critics reported, "Indianapolis Public Schools exposes thousands to risk of identity theft." Apparently the Indianapolis Public Schools (IPS) website "that allows teachers to post reviews, student-writing samples, grades, and other confidential material to the IPS network" was...

Great New Site for Data Loss Statistics

There is a great new site, etiolated.org, that takes the privacy breach data accumulated by attrition.org and parses it into some very interesting statistics, trends charts, provides areas for commentary, and lots of other interesting and useful information....

SMBs, Identity Theft & Insider Threat: Bad SMB Security Impacts Organizations of All Sizes

There are many articles written about the insider threat, several have been done, and often the focus is on large organizations where those employees with malicious intent are often either in positions of trust way down in the org chart,...

Obscure Email Security Issue: 5 Lessons About Re-using Email Addresses

Does your organization ever re-use email addresses whenever someone leaves the company? Do you know that some of your customers’ and personnel’s email service providers re-use email addresses when their subscribers leave? Probably more than you realize....

Insider Threat Example: Former Wal-Mart Employee Spied Because His Managers Told Him To

I have seen organizations where management and staff members were so fixated on protecting the company, to the disregard of observing laws and complying with policies, that they ended up doing completely inappropriate actions that involved infringing on privacy and...

Vulnerabilities of Transport Services & Privacy Incident Example: Wellpoint CD Containing PII of 75,000 People, Lost During UPS Transport, Found

A CD containing the clear text personal information of 75,000 WellPoint Empire Blue Cross and Blue Shield New York members that was reported lost on February 9 while being transported by UPS has been found. The CD was lost when...

Trying To Determine Actual Numbers of Privacy Breaches Since 1980; An Exercise in Futility?

Today a press release caught my eye, "Hackers get bum rap for corporate America's digital delinquency." Hmm...sounds interesting. Let's see what is behind this nicely-hooking title....

Preventing Data Leakage Through Email and Instant Messaging

Incidents continue to accumulate and hit the daily headlines. Many of them involve the loss of sensitive information through some type of messaging activity. The losses can have devastating impacts to business. The messaging-related incidents are sometimes technology-based, such as...

"Protecting Personal Information: A Guide for Business": Free from the FTC

Today the U.S. Federal Trade Commission (FTC) released a 24-page guide, "Protecting Personal Information: A Guide for Business" Within the guide the FTC advises businesses to protect personally identifiable information (PII) through the following actions:...

New Benchmark Research Report Released Today from IT Policy Compliance (ITPC): "Taking Action to Protect Sensitive Data"

Today IT Policy Compliance released a new benchmark research report, "Taking Action to Protect Sensitive Data." I had the great opportunity to not only have a sneak peek at the report, but also to speak yesterday about the report with...

How Good are the Security Practices for "America's Most Admired Companies 2007"?

Yesterday CNN reported the results of the FORTUNE 2007 survey of business people for the companies, in any industry, they admired most. The rankings were based upon 8 key score areas:...

Insider Threat Example: Wal-Mart Fires "System Technician" for Snooping On Text Messages and Taping Phone Calls

Today CNN reported Wal-Mart fired a systems technician who was "intercepting text messages of people who were not Wal-Mart employees and for recording telephone conversations with a New York Times reporter without authorization."...

Maine Seed Company Website Hacked: Demonstrates SMB Vulnerability & Questions Hacker Safe Seals

This is the time of the year that thoughts turn to gardening as seed catalogs start filling the mailboxes. I enjoy having fresh-grown vegetables from my garden; nothing is better than a deep red, ripe, juicy Big Boy Beefsteak tomato...

Vermont State Privacy Breach Follow-up: Penetration Testing Reveals No Additional Vulnerabilities

After the January Vermont State privacy breach through a remote attack that compromised Social Security numbers and bank account numbers for nearly 70,000 people, Governor Jim Douglas ordered a security review of the computer systems....

Addressing Web-Based Access and Authentication Challenges

Many incidents occur through access control and authentication vulnerabilities. Just consider the recently reported Fruit of the Loom incident that allowed easy access to 1,006 names and Social Security numbers of former employees. It is likely poorly constructed and inadequately...

Punitive Actions Pursued Against Professor in Japan Who Had PII About 8,800 on Disk That Was Stolen

The differences throughout the world with which personally identifiable information (PII) privacy breaches are penalized is always interesting to me. Today it was reported that the...

RINBOT/DELBOT Virus Running Rampant In the Wild: Exploits Anti-Virus Software Vulnerabilities Allowing Access to Business Networks

CNN reported today that Sophos was warning new strains of RINBOT, also known as DELBOT, could stealthily be infecting business networks worldwide. What can this new version do?...

Audit Reveals Poor Computer & Data Disposal Practices At Idaho National Laboratory

Yesterday Government Computer News reported bad computer disposal methods at the Idaho National Laboratory that leaves confidential and restricted data, including nuclear details, vulnerable....

Laptop Theft: Financial Company Given $1.9 Million Penalty Following Incident for Inadequate Security Program

For the first time, the United Kingdom financial regulators, the U.K. Financial Services Authority (FSA), gave a financial institution, the Nationwide Building Society, the U.K.'s largest "building society" (a member-owned mortgage lending and banking services institution) a penalty for poor...

Identity Theft: Fraudulent Use of the CVC

An interesting article pointing out the way crooks use that 3-digit code on the back of your credit card was published in the Newark Advocate Saturday....

VA Suspends Medical Research Following Most Recent Breach Until Security Certification Is Obtained

Saturday, 2/17/07, it was widely reported that the U.S. Veterans Affairs (VA) was suspending "activities at seven specialized research centers across the country after an unprotected computer hard drive disappeared from one of the facilities in Alabama last month."...

Privacy Breach, Hackers and Lawsuits: Iowa Department of Education, Microsoft and Perkins Omelettes; Oh My!

There's been enough interesting information security and privacy news here in my own frigid (subzero) snowy back yard in central Iowa to keep me from looking beyond the state for discussion material. Well yes, I did look beyond anyway...what I...

Privacy Breach: FBI Loses Laptops Each Month Despite 2002 Audit Telling Them To Improve Practices

Today the U.S. Department of Justice (DOJ) released the "The Federal Bureau of Investigation's Control Over Weapons and Laptop Computers Follow-Up Audit" report. As you can tell by my post title, this should be a very embarrassing report for the...

Privacy Breach: Johns Hopkins University Lost Personal Information on 135,000 Individuals

There now seem to be so many privacy breaches that it is hard to choose which one to discuss... Last Wednesday, 2/7, Johns Hopkins University reported personal information on 135,000 employees and patients on nine backup tapes were missing that...

FTC: Speech Highlights Need for All Organizations To Address Information Security and Privacy & Education On These Topics

The transcript of FTC Chairman Deborah Platt Majoras' keynote on February 6 at the RSA conference, "ID Theft and Cyber-crime: Where Thieves, Victims, Industry and Government Intersect" is available on the FTC site. I've often stressed how the FTC Act...

Privacy Law: Leahy & Specter File Personal Data Privacy Act of 2007 Bill

On Tuesday, February 6, U.S. Sen. Patrick Leahy, D-Vt., and Sen. Arlen Specter, R-Pa., filed legislation, the Personal Data Privacy Act of 2007, that would, among other things, require organizations to notify consumers of security breaches as well as mandate the...

Privacy Breach: Bank in UK Sends Personal Data of 75,000 Customers to 1 Customer Requesting Her Own Statement

The Halifax Bank of Scotland sent the complete account information for 75,000 of their customers to one customer who had requested a copy of her own statement....

Privacy Incident: Ohio Board of Nursing Exposes Personal Information of 3,031 Individuals

The Columbus Dispatch reported today, "OHIO BOARD OF NURSING Error puts nurses’ personal data online." Reportedly over the past two months the "names and Social Security numbers of 3,031 newly licensed nurses were posted online twice."...

Laptop Incident: N.C. Dept of Revenue Laptop Theft Puts 30,000 Residents At Risk

Today the North Carolina Charlotte Observer reported a laptop was stolen from the car of an N.C. Department of Revenue employee in December. They mailed letters to all 30,000 individuals this week. According to the report this is the first...

UNI Computers Compromised: Is There a "Typical" Breach?

Today I read a story appearing in the Des Moines Register, "Computer breach at UNI exposes some personal data" about a breach that occurred at one of my alma maters, the University of Northern Iowa. It bothered me the nonchalant way...

Michigan Enacts New Identity Theft and Breach Notice Law

Yesterday (January 3) Michigan's governor, Jennifer M. Granholm, signed a new identity theft and breach notification law, SB 309. "Today's technology has taken commerce and communication to new heights, but it also puts citizens at additional risk of identity theft...

Insider Threat Example: Medco Employee Indicted for Planting Computer Logic Bomb

On December 19, 2006, a computer systems administrator, Andy Lin, for Medco Health Solutions, Inc. was indicted by a federal grand jury in the U.S. District Court for the District of New Jersey for attempting to disable his employer's corporate...

Potential Personal Data Breach of 5.38 Million Individuals at Nissan in Japan

I ran across an interesting news report, "Nissan data leak puts 5 million at risk". I was surprised I did not see this report on any of the U.S. news sites. The report is very vague. It just indicates a "leak" occurred...

Stolen Laptop: Laptop and Printouts with PII about 600 Students in Colorado

The Longmont, CO Daily Times reported December 14 that a nurse's laptop was stolen from her car while she was parked at a restaurant, along with paper records containing personally identifiable information (PII): "students’ names and dates of birth; the...

Stolen Laptop: Cleartext Medical PII on 25,000 in Pennsylvania

On December 14 WCPO TV 9 News reported: "A break-in in Springdale, Ohio is affecting thousands of people in Pennsylvania. The office of Electronic Registry Systems on Northland Boulevard was broken into Thanksgiving weekend and a computer was stolen. That...

Stolen Laptop: 3rd Theft from Boeing Since November 2005; Clear Text PII of 382,000 On the Latest

It was reported December 15 that Boeing had the 3rd laptop stolen in just a little over a year. The laptop was stolen from an employee's car. PII included "names, home addresses, phone numbers, Social Security numbers and dates of...

Penalty Applied for Laptop Theft: More Significant Penalties Are Needed to Motivate Better Safeguards

The Boston Globe reported Tuesday that "Ameriprise Financial Services Inc. will pay $25,000 to settle a probe of how one of its laptop computers went missing with the personal data of thousands of Massachusetts residents." An Ameriprise Financial Services laptop...

Example of Need to Validate Business Partner Security: State of Vermont Privacy Breach Resulting from Contractor

An incident recently occurred where a contractor for the State of Vermont accidentally posted the Social Security numbers for hundreds of healthcare workers within Vermont. The data existed on the web site for approximately one month before it was removed....

PII About 800,000 Individuals Compromised at UCLA

Today CNN reported personally identifiable information (PII), Social Security numbers, home addresses and birth dates, about 800,000 current and former UCLA students, faculty and staff may have been compromised. Surprisingly, the unauthorized access reportedly was occurring from October, 2005 through...

FTC Provides Claims Forms for Individuals Impacted by the 2004 Choicepoint Incident

On December 6, 2006, the U.S. Federal Trade Commission (FTC) made claims forms available for anyone who believes they had identity theft occur as a result of the Choicepoint security incident late in 2004 involving at least 163,000 individuals. Since...

Security OOPS! PII For School Employees Accidentally Mailed by School's Contractor

On November 27 the Chicago Tribune reported: "A printing contractor for the Chicago Public Schools said Sunday that it mistakenly mailed a list of names, Social Security numbers and home addresses of nearly 1,740 former school employees as part of...
