Entries from Realtime Community | IT Compliance tagged with 'risk management'
I've had some very interesting discussions about the CMU SSN study throughout the week, and, before moving on to other topics next week, I wanted to wrap up the week and discussion with some final thoughts on the CMU SSN...
Following the release of the CMU SSN report on Monday, I've had some very interesting discussions with privacy and information security folks, and I've been pretty amazed at some of the reactions to the study. I also posted about this...
It is nice to have scientific evidence of what we've been telling business leaders ever since they wanted to start using SSNs as identifiers and passwords! Today Carnegie Mellon University (CMU) released a very revealing report, "Predicting Social Security numbers...
On May 30, 2009, Nevada enacted a new law, SB 227, which will basically replace NRS 597.970 in January 2010. In many ways the new law is an improvement over the much more vague, and brief, NRS 597.970. I want...
Late last week one of my alma maters, the University of Central Missouri, reported that two printed computer reports containing 7000 students' names, social security numbers, phone numbers, addresses, and birthdates were stolen from somewhere on the campus....
Today I will be on the MyTechnologyLawyer.com radio show for an hour-long program talking about the common privacy mistakes and assumptions made by businesses. This will be a more in-depth look at the issues from my post from a couple of...
This week two more U.S. breach notice laws go into effect......
Yesterday I read a fascinating story from Australia......
After many long hours, I've finally submitted the draft manuscript for the 2nd edition of my "Managing an Information Security and Privacy Awareness and Training Program" book. However, I will still have one more chance to make changes. One of...
I read a story about a city government agency actually asking job applicants to provide their IDs and passwords for any online social networking type of site they participate in......
Today Kevin Beaver posted a nice article, "Dumb things IT consultants do" that included more than one warning about making assumptions. Kevin's nice post made me think about all the dangerous assumptions consultants and practitioners often make when it comes...
Today the FTC issued a consent order against mortgage lender James B. Nutter & Company for GLBA Privacy Rule and Safeguards Rule violations resulting from having an inadequate information security program and safeguards. The requirements will result in, among other...
As I've mentioned a few times before, I'm in the final lap of finishing the 2nd edition of my book, "Managing an Information Security and Privacy Awareness and Training Program." Woo hoo! Over the weekend I updated "Appendix N -...
Today the US FTC released "Frequently Asked Questions: Identity Theft Red Flags and Address Discrepancies." Here are a couple important things to take away from this FAQ......
Today a report discussed how a healthcare worker obtained medical information about a patient with HIV that was then posted on the Internet......
I'm doing research while working on the 2nd edition of my book, "Managing an Information Security and Privacy Awareness and Training Program"......
There has been much written in the past week about Merrick Bank suing the audit firm, Savvis, because a breach occurred at CardSystems in 2005 even though Savvis had given passing marks for the CardSystems audit that Merrick Bank hired...
I got my week's issue of Time magazine in the mail today, and lo-and-behold the cover and feature story was about Twitter!...
As time goes on, and more and more information security incidents and privacy breaches occur, I continue to hear otherwise smart people say silly and completely wrong statements about the need (or lack of) for information security and privacy training...
I received a provocative question on Twitter last week from idExperts, "If you had a wish list of rights for identity theft victims, what would that be?" Sounds like a great blog topic! :) Here are my thoughts......
I've been reviewing some of the information security and privacy training and awareness content for some organizations; some large and some small. Most of the training is ineffective......
I got the June 1 issue of Newsweek today, and something that's bothered me ever since I first heard about it was on page 4......
Here's yet another incident that provides very good lessons that could be incorporated into information security and privacy training sessions as a case study, particularly for HIPAA compliance as well as secure disposal training......
Last month Iowa State University, in Ames, held a unique type of IT Olympics for teens......
The topic for my Q2 2009 issue of Protecting Information was helping employees to understand why different types of information need different levels of security. Yes, this is information classification, but I describe it in a way that employees of...
A couple of weeks ago I was surprised and concerned by a statement made in one of my many listservs by a lawyer commenting on HIPAA books and past advice given for HIPAA compliance......
I drove up to St. Paul, MN, today for Secure360, where I will be speaking and look forward to attending the sessions....
Today I had a great conversation with a CISO about the regulatory and legal requirements for organizations to provide information security and privacy training and awareness activities......
Last week I had the pleasure of speaking with Alexander B. Howard at SearchCompliance.com for a 26 minute podcast......
Today I gave a webcast (27 minutes) about "Understanding Data Protection from 4 Critical Perspectives" and it is now available online through this link......
Today on Twitter, @clarinette02 posted a link to an interesting article, "IP Addresses Are Personal Data, E.U. Regulator Says," from a little over a year ago......
The FTC has once more announced a delayed enforcement of the Red Flags Rule to August 1, 2009......
I often get emails from my blog and Twitter readers, many of whom I have never met before; sometimes several in a day. Many often ask for help that really is a call for free consulting help. Others are quick,...
Today I had the great pleasure and opportunity to do a podcast with Alexander Howard over at TechTarget discussing HIPAA and the HITECH Act......
Late last week I blogged about a question I got while at InfoTec in Omaha last week, "2 Things In Computing History That Could Have Improved Information Security and Privacy"......
Last Friday the US Department of Health and Human Services (HHS) released, at the last possible moment to meet their deadline, their interim final regulations to require covered entities (CEs) under the Health Insurance Portability and Accountability Act (HIPAA) and...
Last week I engaged in a very interesting tweetversation with David Mortman about when the U.S. Department of Health and Human Services (HHS) needs to get their guidance documents and rules published for the various HITECH Act requirements......
This past Wednesday I gave a session at Infosec09 in Omaha, Nebraska. What a great event and venue! If you get a chance to attend next year, I highly encourage you to do so....
I'm in Omaha to speak tomorrow at the Infotec09 conference and I heard on the local news that "Secure Your ID Day" is April 18......
I've been using Twitter for a couple of months now. I never saw the value of using Twitter before this time, and in fact had a completely different view of what it was "all about" until I actually started using...
Oh; and, by the way, what the heck are virtual worlds? Aren't they something that only kids use?...
I'm a longtime advocate of creating a wide range of metrics to determine the effectiveness of the various components of information security, privacy and compliance programs....
Once more, here is an example of how carelessness and/or a mistake leads to a privacy breach......
The first chapter of my new ebook, "Understanding Data Protection from Four Critical Perspectives" has been published! The first chapter is "What Corporate Business Leaders Need To Know About Data Protection" and is written to an audience of CEOs and...
We had a very interesting discussion on Twitter this morning about the practice of automatically photographing license plates to use for parking, tickets, etc......
Scott Wright over at Streetwise Security Zone graciously invited me to do a podcast interview with him to discuss information security, privacy and compliance training and awareness issues. In the last half of February I had the pleasure of taking...
Upon reading and researching HIPAA and the impact of the HITECH Act upon it, basically broadening its applicability as well as adding new requirements for privacy breach notifications, I recently was compelled to write an article about what I foresee...
I first realized the need for information security and legal compliance areas to closely collaborate on converging issues in the mid-1990's while establishing the information security and privacy requirements for one of the first online banks. Over the past 5+...
I was very happy to be invited to Carnegie Mellon University (CMU) to speak about information security and privacy convergence last month at their CyLab research and education center. It was a great experience!...
I've heard far too many business leaders in lesser-regulated industries, of organizations of all sizes, say something to the effect of, "Oh, we don't have any information that hackers would find of any value."...
Over the weekend I did some research to make sure I am up to date with all the current U.S. state and U.S. territories breach notice laws......
I've been reviewing some "canned" information security and privacy training offerings in the past few months, and I'm seeing that many of them are trying to dump TOO MUCH information on those taking them; learners can only absorb so much...
I've been using Twitter now (http://www.twitter.com/privacyprof) for three going on four weeks. I've found it to be a very great way to be in touch with the latest news and happenings, and also to get in touch with other folks...
Here are some encryption solution reviews, from David Strom at PC World, that anyone who wants to protect their laptop data, as well as information security, and yes privacy, practitioners should find useful......
Would you notice a $20 - $30 fraudulent charge mixed in with a lot of other charges...most people have more than 10 according to a financial fraud expert friend...on your credit card statement? It looks like in Bulgaria they really...
Here's another awareness raising opportunity......
Once more I'm providing a digest of the Twitter tweets I put out (PrivacyProf) over the past week that provided pointers to interesting and useful news reports and pieces of information that I do not want to have lost in...
A type of project I really love to do is a privacy impact assessment (PIA). For companies who collect or otherwise handle the personally identifiable information (PII) of individuals from multiple countries, typically doing a cross border data flow analysis...
I was doing a bit of research around the Fair and Accurate Credit Transactions Act (FACTA), and ran across an interesting recent court decision......
I forgot the link to my article yesterday!! Here it is... "Web 2.0 Privacy and Security Considerations"...
I've been having a lot of conversations in the past few weeks about Web 2.0 privacy and security issues. Web 2.0 certainly has greatly enhanced how the Internet can be used. Posting information on blogs, social networking sites, microblogs (such...
Rafal Los makes some very good points in his post "Analysis of the Stimulus Bill and Healthcare Privacy" from a few days ago. I started writing all my thoughts as a comment to him, but then decided it would work...
Here's an interesting shocking story about some bad...make that VERY BAD...business decisions in the UK to make money by selling employees', and job applicants', personally identifiable information (PII) as a revenue stream......
It was great to see Dan Swanson include some of my resources in his Security Insider blog posting today!...
I've been running across many interesting and useful news reports and pieces of information over the past few days, and putting them out on my Twitter peeps/tweeps/tweets/etc. For posterity and my own future reference, here's a listing of the ones...
Over the years I have done several interviews for articles about HIPAA compliance. I recently did an interview for an HCPro article, "Physician offices: Tackle a different set of privacy training challenges." (Sorry, this is not publicly posted to my...
I just ran across the judgment for an interesting case involving privacy and opt-in consent for disclosing personally identifiable information (PII)......
Okay, here's a perfect real incident to use for a case study to discuss whether or not this is a HIPAA violation!...
Today I spent a lot of time in phone meetings and doing research. So, instead of focusing on writing about one topic today, here are my tweets I sent out, that cover a wide range of topics......
Here's an interesting progression in how to address the growing data breaches that occur largely from ignored, overlooked, and/or inadequate security practices......
Here's an interesting report from URAC about healthcare providers and HIPAA compliance progress......
On February 17, 2009, a new workplace privacy law took effect in Portugal......
I just ran across this U.S. Department of Justice (USDOJ) press release from January 20, 2009......
The 2nd ever to date HIPAA sanction has been handed down by the Department of Health and Human Services (HHS)......
Check out a sample month of a humorous information security wall calendar that Rick Lawhorn created that "tracks notable breaches, infosec facts and viruses."...
Monday I received messages almost at the same time from Brandon Dunlap and Brett J. Byers; thanks Brandon and Brett! They were notifying me of yet another delay in the Massachusetts law, "201 CMR 17.00: STANDARDS FOR THE PROTECTION OF...
January 28 was international Data Privacy Day, which I blogged about a few times here, here, and here. While the Intel site posted about many of the events that occurred, there were many more they missed. Here are a few...
On February 12 the U.S. Federal Trade Commission (FTC), the most actively aggressive oversight agency in the U.S. with regard to enforcing privacy protections, released new behavioral advertising principles......
Cloud computing is an attractive, low-cost means of collaboration. But have you considered the risks involved with placing documents with PII "in the cloud"? The monthly column I wrote for the December 2008 CSI Alert was, "Cloudy Privacy Computing." Here's...
I just ran across this article while doing some research, and it made me go, "Whoa!"......
I was very happy to see that President Obama kept his Blackberry, and is using it with super good security controls. I am even happier to see that he wants to make sure the U.S. has strong cybersecurity in place;...
I just got this email notification from the Department of Health and Human Services (HHS) Office of Civil Rights (OCR) yesterday......
On February 2 Allscripts released a report, "The 2009 Economic Stimulus Plan and the Electronic Health Record: Opportunities and Challenges for U.S. Medical Groups; A Survey of 1,800 Healthcare Professionals" (NOTE: Registration is required, but it's free.) A few excerpts...
With the new technologies being used to piece paper documents back together, be sure to shred your documents containing confidential information into bits too tiny to do anything with......
I thought it would be a good follow-up to my post from Saturday to point out a recent instance for how HIPAA covered entities (CEs) are applying their own organizational sanctions against personnel who violate their information security and privacy...
Yesterday a lawyer asked me if there had been any more HIPAA sanctions or convictions from the list I posted a few months ago in August. I hadn't seen any, but I thought I'd do a bit of checking since...
Google Latitude, with its ability to allow you to select folks who can follow your every geographic move...and with the ease of an accompanying map, no less...can be quite useful! However, in the hands of the wrong people, or used...
On November 8, 2008 more than 130 ATM machines in 49 cities throughout the world were hit by a group of cybercriminals during a 30-minute period....
Today the Institute of Medicine (IOM) released a report, "Beyond the HIPAA Privacy Rule: Enhancing Privacy, Improving Health Through Research"......
Do any of you really think that there is a single place on earth that cannot be looked down upon from satellites too high in the sky to see with the naked eye? Google continues their march to know all...
Boy, all throughout the day I heard on the radio, and it was all over the noon and evening news, that Iowa customers of MetaBank were receiving text messages on their phones to call MetaBank about unusual activity in their...
I just ran across a privacy law non-compliance fine news report from Australia that was published October 22, 2008......
A few months ago I blogged about some of the privacy issues related to Google streetview here and here. I just noticed that Google has a nice, short video on YouTube that explains how to get images removed from Google...
So, what are you doing to raise awareness about privacy issues today? I'm sending various awareness communications to several mailing lists and online groups I belong to. Here's the message I sent to my school parents' mailing list......
Over the past few months during some of my presentations I've discussed how easily PII can be stored on mobile storage devices that most business leaders and information security folks often do not think about or overlook. One of those...
I recently blogged about the upcoming international Data Privacy Day on January 28 here. You and/or your organization can get involved in a number of ways, even at this relatively late date. Here are a few more ideas for you...
I thought it was pretty silly to read over the past few weeks that President Obama was being pressured to give up his Blackberry because of security reasons. If information security controls are properly implemented, then there is no reason...
For those of you whose business leaders do not think website filters, IDS systems or other types of security technologies are necessary business investments, show them this article......
Happy U.S. presidential inauguration day! :) Did you take off a few minutes of work to watch the inauguration? I wasn't going to, was planning to just catch videos on the news sites or YouTube later, but then I did,...
The Ponemon Institute seems to have been busy doing surveys throughout the world recently! According to three separate research surveys they did in the U.S., Canada and the U.K. they report within the BNA Privacy and Security Law Reports (subscription...