Entries from Realtime Community | IT Compliance tagged with 'privacy'


Security and Privacy: Trends, Tools and Techniques

I'm in Houston this week giving my class "Security and Privacy: Trends, Tools and Techniques."...

Study Proves SSNs Are Easily Guessed; Don't Use SSNs To Verify Identity Or As Passwords!

It is nice to have scientific evidence of what we've been telling business leaders ever since they wanted to start using SSNs as identifiers and passwords! Today Carnegie Mellon University (CMU) released a very revealing report, "Predicting Social Security numbers...

New Online Behavioral Advertising Principles: Self Regulation Does Not Mean Less Scrutiny By The FTC!

On February 12 the U.S. Federal Trade Commission (FTC), the most actively aggressive oversight agency in the U.S. with regard to enforcing privacy protections, released new behavioral advertising principles......

Cloudy Privacy Computing

Cloud computing is an attractive, low-cost means of collaboration. But have you considered the risks involved with placing documents with PII "in the cloud"? The monthly column I wrote for the December 2008 CSI Alert was, "Cloudy Privacy Computing." Here's...

Shred Those Documents Finely!

With the new technologies being used to piece paper documents back together, be sure to shred your documents containing confidential information into bits too tiny to do anything with......

HIPAA Company-Applied Sanction: Hospital Employee Fired For Snooping Through 431 Patient Files

I thought it would be a good follow-up to my post from Saturday to point out a recent instance for how HIPAA covered entities (CEs) are applying their own organizational sanctions against personnel who violate their information security and privacy...

Santa Sees All; But Puts The U.S. On Naughty List For Poor Privacy Practices...?

Here's a great article for Christmas Eve that covers a wide range of surveillance tools and techniques that are increasingly used by governments, law enforcement, employers, suspicious spouses, etc, etc, etc......

FTC Publishes Report On SSNs and Identity Theft

Today the U.S. Federal Trade Commission (FTC) released a new report about social security numbers (SSNs), identity theft, and recommended 5 ways to help prevent having SSNs being used for identity theft......

Blackberry Disposal Lessons From McCain & Palin

Another real-life example to show the importance of having effective policies and procedures in place for not only information disposal, but also for the disposal of computers and storage media......

Miscellaneous Cybercrime & Privacy Tidbits

For the last day of Global Security Week (GSW) I'm providing a few items that relate to cybercrime that I find interesting......

A Privacy Song About...Überveillance!

I was delighted to get a message this morning from my friends down-under, Dr. M. G. Michael and Dr. Katina Michael from the University of Wollongong. If you'll recall, a few months ago I made a couple of blog postings...

Think and Look Before You Send that Quick Message!

Every month, and sometimes weekly, I see a privacy breach that is a result of a messaging mistake. People need to be more careful about all the types of electronic messages they are sending and not so quick to hit...

Let Your Personnel Know Their Messaging Boundaries

Here is the third part of the first article within the June issue of my "IT Compliance in Realtime" journal, "What to Tell Personnel: Messaging Security and Privacy"......

Sending Clear Text Customer Information Is Not Okay Just Because the Customer Says It's "Okay"

As a follow-up to my blog post from last Friday, here is the second part of the first article within the June issue of my "IT Compliance in Realtime" journal, "What to Tell Personnel: Messaging Security and Privacy"......

Something To Tell Your Personnel: Messaging Includes More Than Email

My June issue of "IT Compliance in Realtime" journal is hot off the press! I've heard from some of you that when I post the articles from my journal that the posts are too long. So, what I will do...

HIPAA Humor: Dumb Robber

Here's a story that gave me a bit of a chuckle, "Note leads police to robbery arrest"......

Locational Privacy...And Nonconsenting Research Subjects

Here's an interesting, relatively new, privacy (with regard to publicity anyway) issue that was reported today: locational privacy......

Insider Threat Example: Coworkers Accessing Other Coworkers' Email Messages

Back in the mid-1990's, a middle manager knew that the print queue messages for all the emails in the large organization were viewable in clear text; all you had to know was which printer queue to open. He would lurk...

How To Create Information Security & Privacy Case Studies

Over the years I've done a lot of information security, privacy and compliance training and awareness activities; content creation, delivery, tools, and a large variety of other related activities. I've found doing case studies to be one of the most...

Internal Threat Example: Lending Tree Privacy Breach And Civil Suit

Last month (May 2008...yes, it is June already!) Lending Tree got slapped with a civil suit alleging their personnel allowed mortgage lenders access to customers' personally identifiable information (PII) and other confidential information. The suit charges that Lending Tree did...

Let Your Personnel And Family Know About This Phishing Scheme That Spoofs Amazon

When was the last time you warned your family members, friends and/or personnel about the new phishing schemes that are being launched? There are many phishing scams going on right now, and they are widely reported and talked about. I...

Business Leader Primer for Effective Information Disposal

I've been talking a lot lately about the need for business leaders to more effectively address the secure disposal of information, particularly personally identifiable information (PII). Why? Because it seems like more and more attention is being given to security...

BONY Loss Of Backup Tape With Unencrypted PII Is Disappointing...But Not Surprising

Late last week I communicated with Linda McGlasson about a story she was putting together for bankinfosecurity that was published today, "Bank of New York Mellon Investigated for Lost Data Tape: 4.5 Million Customers Potentially Exposed." It's a good and...

Insider Threat Example: Bank Worker Sentenced To 36 Months In Prison; + Prison Terms For Others In Cahoots

I've been doing some research for insider threat training content I'm creating, and I ran across a recent judgment against a bank employee for identity theft. This provides some good lessons to organizations for the insider threat, and would make...

More On The HHS HIPAA Compliance Activities

Today I communicated with Sue Marquette Poremba at SC Magazine for an article she published this afternoon, "Proliferating HIPAA complaints and medical record breaches." She had seen my blog posting from yesterday, "HIPAA Complaints And Associated Resolutions Since 2003" and...

HIPAA Complaints And Associated Resolutions Since 2003

The U.S. Health Insurance Portability and Accountability Act (HIPAA) has required compliance from covered entities (CEs) since 2003. The Department of Health and Human Services (HHS) is the Federal agency with regulatory oversight for compliance; with the Office of Civil...

45 U.S. Breach Notice Laws...And Still Counting

Yesterday I posted a link to my quick reference list of breach notice laws. I created that document at the beginning of this month, and Doug Markiewicz told me today in a comment to that post that there are two...

43 U.S. Breach Notice Laws...And Counting

There are currently 43 breach response laws in the U.S.; this includes the District of Columbia and Puerto Rico....

Do Your Terms Of Use Try To Gut Your Privacy Policy Promises?

I see a growing trend in organizations trying to gut the promises made in their website privacy policies through sneaky wording they place in their rarely read "Terms of Use" statements. Over the past few months I have heard from...

SEC Regulation S-P Proposals To Improve The Security Of Customer Information Within Brokerage Shops

Do you work for a brokerage house, have a subsidiary that is a brokerage house, or do any type of work with a brokerage house? If so, then you should be aware of the Securities and Exchange Commission (SEC) proposed...

CAN-SPAM: Record Judgment Along With Updated Rules

I was at the Secure360 conference (a fabulous event, btw) this week, and I'm just getting to an important current topic: CAN-SPAM. On Monday (5/12) the FTC announced an update to the Controlling the Assault of Non-Solicited Pornography and Marketing...

Addressing the Insider Threat

My May issue of "IT Compliance in Realtime" is now available! The first article I have within this issue is, "Addressing the Insider Threat." Here is the unformatted text of the article; download the PDF to get the much nicer,...

At the Secure 360 Conference

Tomorrow and Wednesday I'm doing some sessions at the Secure 360 conference in St. Paul, Minnesota. I'm really looking forward to also seeing the other sessions while here (yes, I've arrived and getting some work done in my room)!...

Happy Mother's Day!

Happy Mother's Day! It was a gorgeous day here in central Iowa! I did business work all morning, but then took off at 3:00pm, went out with my family to a restaurant we all love, and then did some gardening;...

A Couple Of Little Known HIPAA Facts

Last week I was contacted by Corey Goodman, a reporter for HCPro, about a story he is doing that sounds like it will be quite interesting! He is collecting examples and anecdotes about "little known HIPAA facts" and asked me...

Another Example Of How Internet Information Impacts Employment Decisions

I've blogged several times about how employers are increasingly using information found on the Internet to make hiring, and firing, decisions, such as here and here. I've also written about it several times, such as here. Here's another example to...

Revisiting Two Viewpoints Of Outsourcing Vendor Security

While at CSI SX last week, we covered the need to ensure business partners, to whom we outsource information processing and handling, have good security and privacy programs in place within the class I provide with Chris Grillo, "Executive Summit:...

Click Wrap Contracts: Creating Them And Agreeing To Them

There was an interesting article in this week's issue of Privacy and Security Law, "Clickwrap Notifying Software Recipients Of Pop-Up Installation Is Valid, Enforceable" (a subscription site)....

What Business Leaders Need To Know About Employee Privacy

Here it is May, and I'm just now getting all of my April IT Compliance in Realtime Journal articles blogged about! Being in Las Vegas for a week at CSI SX / Interop really put a monkey wrench in my...

Using DNA Of Family Members To Catch Criminals

I just read an interesting article, "Using kin's DNA to track suspects."...

Corporate Communications Officers Tying The Hands Of Information Security and Privacy Pros

I've been here at the CSI SX conference for the past few days, and I've had the great opportunity and pleasure of speaking with a large number of folks while here. I was finally able to meet Ron Woerner in...

P2P Security Study Released

The results of an interesting study, "The Ignored Crisis in Data Security: P2P File Sharing," performed by the Ponemon Institute and sponsored by Tiversa, were recently released on April 21. Here are a few interesting tidbits from the report......

Do We REALLY Need Doctors To Do Consultations Via Email?

A few months ago I had some lively back-and-forth blog postings with a doctor who used email and instant messaging (IM) a lot in his practice; here, here and here. Today my good friend Alec forwarded me another interesting news...

Smart Business Leaders Support Effective Log Management Practices and Necessary Resources

The second article in this month's IT Compliance in Realtime Journal is, "Smart Business Leaders Support Log Management." I wrote this with an audience of information security and privacy personnel, along with IT managers, in mind. Download the formatted PDF...

My Information Security and Privacy Convergence Webcast Now Available

Yesterday the ISSA posted on their website a free webcast I did, "Information Security and Privacy Convergence." Here is the synopsis......

Improve Program Change Controls To Reduce Incidents

Recently in my Norwich MSIA class we were discussing the importance of program change controls, and I wanted to continue the discussion here because as important as it is, it typically does not get the attention it deserves in most...

Revisiting Online Medical Information Storage Houses Points To Consistent Need For *1* Federal Privacy Law

Last fall I blogged about Microsoft's HealthVault, "Why Would You Trust Microsoft To Store Your Sensitive Health Information?" It didn't take long before Google got in on the game. Today an interesting story ran in the New York Times, "Warning...

Privacy and Security Lost And Found

Today I've been participating in a very interesting discussion on the Security Catalyst Community about a very interesting project that Scott Wright is doing with Honey Sticks at his site. Part of the discussion led to the possibility that one...

Phisherthieves Like Banks Best

Here's a pretty good mainstream news story from CNN to give to your business leaders to raise their awareness and understanding about phishing......

$54 Million Lawsuit Against Best Buy For Losing Laptop

I knew the civil suits for lost laptops would start soon. Thanks so much to my buddy Alec for pointing out this story to me! Raelyn Campbell took a laptop computer to Best Buy to get fixed, and three months...

Give a Hoot, Don't Privacy Pollute!

I just saw a term that can be used really well with non-technical folks, "data pollution." I wish I had thought of that term!...

Potty Pics Poo-Poo Privacy

This is a sad example of how others take it upon themselves to invade the privacy of others and don't understand that they're doing anything wrong......

U.S. DoD Workers Give Military Secrets To China

Here are two more insider threat incident examples to put into your files and use within your information security and privacy training curriculum and awareness communications:...

Blog Info OK'd To Use To Make Medical Insurance Coverage Decision

Hopefully most people know by now that whatever you post on the Internet is not private, and that basically anyone can read it. Hopefully most people know by now that it is a growing trend for employers to use information...

New Information Technology Crime Law in Saudi Arabia

Here's an interesting new law in Saudi Arabia... "New Law to Combat Information Technology Crimes...

Two Types Of Young Hackers

Here's an interesting juxtaposition of hacker-related news articles... When scanning today's news I saw the headline, "Teen Is World's Youngest 'Ethical Hacker'"...

More Info Security & Privacy Education Will Reduce The Numbers Of Incidents

Here's a good article for all information security and privacy pros to read and show their business leaders. If nothing else show them the last paragraph:...

Today Google Provides Another Path For Data Leakage

Here's one more thing for IT, Information Security and Privacy folks to put on their list of things to worry about......

Did You Know February 12 is "Safer Internet Day"?

I got a nice message from Brian Honan yesterday letting me know that February 12 is "Safer Internet Day," or SID for short; (Thanks Brian!)...

Encryption So Easy Even A Terrorist Can Use It

It seems all business leaders would understand by now, after literally thousands of privacy incidents in recent years, that they need to encrypt personally identifiable information (PII) stored on mobile computers and mobile storage devices, and when sending PII through...

FBI Plans to Catalog Everyone's Physical Characteristics, and Bush Does Away With Privacy Oversight Board

Here's something scary... I just saw a new CNN report that made me go, "Huh?!" "FBI wants palm prints, eye scans, tattoo mapping"...

What Companies Do You Trust With Your Privacy?

For the past few years the Ponemon Institute has done surveys to determine the U.S. companies most trusted to protect privacy....

Don't Let Your Folks Fall For This Scary Spam

Today I got a death threat email message. This particular type of spam is not really new, but because they will be very scary for most people to get, many recipients will fall for them. The address header and text...

A New Privacy/Security Breach Notice Law Soon In The Land Down Under?

Another country appears to be on the verge of passing a privacy breach notice law......

Blog Changes...More Papers, Less Daily Opinions

When I started blogging a couple of years ago (actually in January 2006...just realized I passed my anniversary!), I would not only post daily to my blog, but I would also publish 3 - 4 research papers or white papers...

Were You Taken Offline?

Today, "Internet failure hits two continents." Were you impacted? If you were, then you probably aren't reading this right now... :)...

A Stolen Health Insurer's Laptop With PII Is Not Necessarily A HIPAA Violation

While scanning the news blurb summaries today, the statement, "This is a violation of HIPAA." caught my eye. Hmm...let's see what this is about... This statement was actually within the reader comments to the story, "Blue Cross reports theft of...

AccuSearch Fined ~$200,000 For Pretexting & Selling Phone Numbers

Yesterday the U.S. Federal Trade Commission (FTC) announced AccuSearch, Inc., was guilty of violating federal law by selling consumer phone records to third parties without consumers' knowledge or authorization....

Cell Phone Text Messages Are Private...NOT!

Uh oh...talk about a couple of folks who were caught with their hand in the cookie jar (so to speak)...and caught lying under oath. CNN recently ran a story about how Christine Beatty resigned from her position as chief of...

Some more information and ideas for Data Privacy Day, January 28

Last Thursday I posted about how tomorrow (1/28) is International Data Privacy Day. I was delightfully surprised to receive an email in response to my blog post from Leonardo Cervera, the coordinator of Data Privacy Day 2008! Be sure to...

Insider Threat: Worker Deletes 7 Years of Files; Lesson? Make Backups!!

Here is another example of what a worker, entrusted with access to business files, can do...and also provides a lesson about business continuity... I just watched a CNN clip, "Cyber Sabotage" that provides a very good example of how costly...

January 28 is International Data Privacy Day

Did you know that International Data Privacy Day is fast approaching? On Monday, January 28 the United States joins 27 European countries to celebrate Data Privacy Day 2008. "The day will feature several efforts to promote the importance of data...

Improve Information Security And Privacy By Engaging Your Personnel And Their Children...Our Future Information Security and Privacy Leaders

Personnel will understand information security and privacy issues better if they can relate to the issues within their own lives. If they can see how the issues impact their family members and friends, that helps to raise awareness even more....

Social Engineering Schemes Increase: Great Case Study From An Actual Event

Last month I finished the second issue of my Protecting Information publication and the topic couldn't be more timely: social engineering. Just today I have already read in my daily news items 5 articles about social engineering! One in particular,...

CMS Announces Plans To Actively Audit Hospitals For HIPAA Compliance

The U.S. Centers for Medicare and Medicaid Services (CMS) announced last week that they plan to audit 10 - 20 hospitals for HIPAA compliance in the next 9 months according to a Government Health IT article....

Insider Threat Example: Former Cox Employee Sent To Jail (And More) For Hacking System

It is not only important, but absolutely necessary, to let personnel know what your information security and privacy policies are, along with your organization's sanctions, and then consistently enforce your policies. If personnel know that policies are not enforced, and...

FTC Hands Down Another FTC Act Noncompliance Penalty For Bad Online Application Security

Yesterday the U.S. Federal Trade Commission (FTC) handed down yet another penalty against an online retailer, Life is good, Inc., for not properly safeguarding their online ecommerce applications. The FTC charged they were in violation of the FTC Act because...

Clearly Justify Your Information Security and Privacy Policies

I'm helping one of my clients with updating their information security and privacy policies, aligning them with ISO 27002, and creating new policies to fill gaps as necessary based upon the organization's risks. I was speaking with the CISO this...

CMS Hires A Fox To Guard The HIPAA Henhouse

I just read a very interesting article, "CMS' HIPAA watchdog presents potential conflict" that made me go Hmmm!! The genesis of the article is that the Centers for Medicare and Medicaid Services (CMS), the agency that is responsible for the...

Man Pleads Guilty To Loading Keylogger Software On Public Computers Worldwide To Collect PII and Commit Fraud

Here's another good example of an actual cybercrime that was allowed to occur because of poor safeguards on computers provided for public use. On January 9, 2008, Mario Simbaqueba Bonilla pleaded guilty to installing keylogger software on hotel business center...

Insider Threat Example: Programmer Sentenced To 30 Months In Jail And $81,200 Fine

Here's a case I blogged about almost exactly a year ago, but it is worth revisiting since the sentencing for the crime was just handed down and it was significant. If you haven't already, put this in your file of...

Terrorists Over 50 Don't Fly According To The DHS

I just read this and found the implication that folks over 50 years of age are not terrorist threats rather odd. Today the U.S. Department of Homeland Security released some new rules related to REAL ID....

13 Minnesota Students Disciplined For Facebook Photos

I've blogged several times, such as here, here and here, about how information posted to the Internet, such as on Facebook and other social networking sites, cannot be considered as being private or secure, have been used to make hiring...

Egregious Privacy Infringement: Fire Chief Emails Photo Of Topless Crash Victim

Here is an example of how personnel can take photos and videos and completely invade the privacy of others, particularly those who have no voice to say stop. A Central Florida fire chief will likely lose his job for widely...

E-Discovery Decision Demonstrates Need For Effective Retention Practices: A Great Case Study For E-Discovery Training

I'm still catching up on December news...and I ran across a significant e-discovery ruling. The U.S. District Court for the Central District of California ruled December 13, 2007, that Justin Bunnell/www.TorrentSpy.com was guilty of "willful spoliation of evidence" violating the...

Privacy, The 5th Amendment And PGP Passwords

While doing some encryption research I ran across this Vermont ruling made on November 29, 2007. It provides some good lessons about computer forensics and investigation and password management....

The Iowa Caucus Experience in Madison County: Cameras Not a Factor

Well, after over a year of fervent campaigning by many presidential hopefuls, the Iowa caucuses are over! As I mentioned a couple of days ago I have never declared a party before, but this year I wanted to be part...

More On Überveillance And Privacy

I recently blogged about "6 "Scary Stuff" Privacy Terms IT, Info Sec and Privacy Folks Should Know." I was very pleasantly surprised to hear from Dr. Michael G. Michael and his wife Dr. Katina Michael a couple of days ago...

Don't Expect Privacy At The Iowa Caucuses

I am happy to live in Iowa. I've enjoyed getting to see the presidential hopefuls in the state for the past 1+ years. I always vote during presidential elections, but I've never yet declared a party; I really don't want...

FTC Behavioral Advertising Privacy Principles: Give Them Your Feedback!

On December 10 the U.S. Federal Trade Commission (FTC) announced that the FTC commissioners voted unanimously to have principles to govern online behavioral advertising. At the same time they released their proposed principles to guide the development of self-regulation in...

FTC Fines Mortgage Co. For Tossing PII Into Dumpster: FACTA/FCRA, GLBA, & FTC Act Violations

On December 17 the U.S. Federal Trade Commission (FTC) fined and penalized American United Mortgage Company for throwing the personally identifiable information (PII) and financial information of its customers and consumers into an open, publicly-accessible dumpster. Under the terms of...

Be Prepared For Privacy Breaches!

This morning I did a podcast interview with bankinfosecurity and they already have it posted! During the interview I answered and expanded upon five questions and issues:...

The 12 Threats of Christmas

It is time for some humorous entertainment to complement the holiday season, and PGP Corporation has provided it! Kevin Beaver pointed me to a great YouTube clip, "The 12 Threats of Christmas."...

New Wireless = New Vulnerabilities = More Incidents?

Most folks are looking at what's coming in 2008. Heck, let's go a bit further and look at some potentially big changes slated for 2009! I just read an interesting Business Week story, "Just Ahead: A Wider Wireless World." In...

Information Security Survey for Financials

I just learned about a new survey that's going on, "The State of Information Security Survey 2008." Bankinfosecurity is using it to try to get the best picture of how financial institutions are doing when it comes to information security...

Responding To Customers Asking About Your Company's Use of SSNs

For the past 10 years I have been driving the same, reliable, non-troublesome car. It still looks good enough (I don't really worry about driving an "it" kind of car). However, it is getting a bit rattly, and my friends...

Supporting Compliance With ITIL

Organizations have faced legal and regulatory requirements for literally decades. However, IT compliance is relatively young. U.S. healthcare organizations reacted with alarm over the passage of the Health Insurance Portability and Accountability Act (HIPAA) of 1996. The U.S. financial organizations...

18 IT Compliance, Info Sec & Privacy Links to Fortune's 101 Dumbest Business Moments in 2007

Tis the season for lists upon lists upon lists. However, Fortune's "101 Dumbest Moments in Business" for 2007 caught my eye for being rather unique-sounding. There were *MANY* dumb information security and privacy business moments in 2007; I wondered, did...

2 Years Following Major Privacy Breach, Bahamas Puts Up Data Protection Web Site

A couple of years ago I finally took my family on a vacation to the Bahamas after not going on any type of vacation for several years. Five months later I learned...from my friends and not from the hotel...that a...

"Awards" Given For E-Commerce Site Privacy Policies...The Best And The Worst

I ran across some interesting e-commerce site "awards" recently published by CyberStreetSmart.org. They identified the recipients of their "screen door" (the award retailers DON'T want) and "steel door" (retailers want this) awards based upon the privacy protections the sites had...