Archive for May, 2008

Let Your Personnel And Family Know About This Phishing Scheme That Spoofs Amazon

Thursday, May 29th, 2008

When was the last time you warned your family members, friends and/or personnel about the new phishing schemes that are being launched?
There are many phishing scams going on right now, and they are widely reported and talked about. I want to talk about a new one spoofing Amazon, a popularly spoofed company in phishing messages, because I’ve already had a couple of other folks I know who are not in the info sec biz asking me about it today. I also got it in my email box today, so it will make a good example to discuss…

(more…)

Business Leader Primer for Effective Information Disposal

Wednesday, May 28th, 2008

I’ve been talking a lot lately about the need for business leaders to more effectively address the secure disposal of information, particularly personally identifiable information (PII). Why? Because it seems like more and more attention is being given to security technologies to protect day-to-day business…attention is good and MUST be done…but often it seems it is at the expense of then overlooking, or perhaps shrugging off, how to securely dispose of PII, systems, applications and hardware when they are no longer needed in the business. This has led to many information security incidents and privacy breaches.
I address the reasons why business leaders must give attention to information disposal in the second article of my May issue of IT Compliance in Realtime, “Business Leader Primer for Effective Information Disposal.
Download a PDF version to get a much nicer-looking copy, the super-duper graphic I put into the article, plus the sidebar information and facts. Here is an unformatted version of the article…

(more…)

BONY Loss Of Backup Tape With Unencrypted PII Is Disappointing…But Not Surprising

Tuesday, May 27th, 2008

Late last week I communicated with Linda McGlasson about a story she was putting together for bankinfosecurity that was published today, “Bank of New York Mellon Investigated for Lost Data Tape: 4.5 Million Customers Potentially Exposed.”
It’s a good and interesting article; check it out.
In Linda’s article there was a quote from Bank of New York (BONY) Mellon’s spokesperson Ron Sommer,

(more…)

Insider Threat Example: Bank Worker Sentenced To 36 Months In Prison; + Prison Terms For Others In Cahoots

Sunday, May 25th, 2008

I’ve been doing some research for insider threat training content I’m creating, and I ran across a recent judgment against a bank employee for identity theft. This provides some good lessons to organizations for the insider threat, and would make a great case study for any organization to help personnel improve the ability to better protect personally identifiable information (PII).
Here’s the news release from the The United States Attorney’s Office for the Southern District of Texas

(more…)

Insider Threat Example: Bank Worker Sentenced To 36 Months In Prison; + Prison Terms For Others In Cahoots

Sunday, May 25th, 2008

I’ve been doing some research for insider threat training content I’m creating, and I ran across a recent judgment against a bank employee for identity theft. This provides some good lessons to organizations for the insider threat, and would make a great case study for any organization to help personnel improve the ability to better protect personally identifiable information (PII).
Here’s the news release from the The United States Attorney’s Office for the Southern District of Texas

(more…)

More On The HHS HIPAA Compliance Activities

Friday, May 23rd, 2008

Today I communicated with Sue Marquette Poremba at SC Magazine for an article she published this afternoon, “Proliferating HIPAA complaints and medical record breaches
She had seen my blog posting from yesterday, “HIPAA Complaints And Associated Resolutions Since 2003” and asked me some follow-up questions.
Here is the full reply I sent to her, much of which she used within her article, but with some other points I want to note as well…

(more…)

HIPAA Complaints And Associated Resolutions Since 2003

Thursday, May 22nd, 2008

The U.S. Health Insurance Portability and Accountability Act (HIPAA) has required compliance from covered entities (CEs) since 2003. The Department of Health and Human Services (HHS) is the Federal agency with regulatory oversight for compliance; with the Office of Civil Rights (OCR) responsible for Privacy Rule enforcement and the Centers for Medicare and Medicaid Services (CMS) responsible for Security Rule enforcement. Why two different offices to perform enforcement activities? No good reason was ever given.
I was just out looking on the HHS’s HIPAA compliance and enforcement site.
On May 12, 2008, they provided some interesting statistics from their enforcement activities from the past 5 years. Looks like they love Excel and the graphing capabilities! 🙂 I want to share some of the statistics with you…

(more…)

45 U.S. Breach Notice Laws…And Still Counting

Wednesday, May 21st, 2008

Yesterday I posted a link to my quick reference list of breach notice laws.
I created that document at the beginning of this month, and Doug Markiewicz told me today in a comment to that post that there are two additional laws, one signed since I created my most recent list; thanks Doug!

(more…)

43 U.S. Breach Notice Laws…And Counting

Tuesday, May 20th, 2008

There are currently 43 breach response laws in the U.S.; this includes the District of Columbia and Puerto Rico.

(more…)

Do Your Terms Of Use Try To Gut Your Privacy Policy Promises?

Sunday, May 18th, 2008

I see a growing trend in organizations trying to gut the promises made in their website privacy policies through sneaky wording they place in their rarely read “Terms of Use” statements.
Over the past few months I have heard from some CISOs and CPOs who are concerned at some of the wording that their legal counsels are suggesting they put on their web sites. And rightly so. Why? Because the considered “Terms of Use” statements seem to be, 1) trying to eliminate all liability to the organization for anything bad that happens to the personally identifiable information (PII) submitted to or accessed from the site; 2) basically nullifying the posted privacy policy; and 3) trying to require the website user to agree to these terms just by using the site…no active acknowledgment or agreement necessary.
Here is a composite from around half of a dozen of these worrisome passages from the considered drafted Terms of Use statements that I’ve seen…

(more…)