Most organizations have posted privacy notices on their websites. Great, right? Well consider that a 2012 study showed that the average reader would need 25 days simply to read the privacy policies for all websites accessed in a year. Website privacy notices are often very poorly written. And that’s not the only problem, as I’ve discovered over the past couple of decades reviewing privacy notices. In the past year in the privacy impact assessments (PIAs) I’ve done, I’ve found two consistent problems with them all. (more…)
Recently I’ve heard in various discussion venues the argument that information security controls are an impediment to technology use, and that instead we should look at demotivating the hackers. With specific regard to medical devices, one commenter stated that generally, the best “bet in defending medical devices (as well as financial systems) is making the information useless/pointless for the attackers.” This is a dangerous attitude, and minimizes the true value of data on the devices.
Considering data on any type of computing device is considered (more…)
I first started working on truly easily mobile computing device (not counting the first programmable pocket calculator, or the luggable computers that could not be hidden in your pocket) security in the workplace when the IT folks in my company at the time started bringing Psion devices to meetings somewhere around 1992 – 1993. They presented some serious information security risks to the company. If the information security risks were considered to be significant 20 years ago, now the new additional information security and privacy risks are comparatively staggering.
Where is it?
Probably the number one risk back then was the tendency to lose or misplace the device. It seemed like these little gadgets would be forgotten the moment they were laid down, despite how highly prized they were by their owners. Mobile computing devices today (more…)
This week January 28 was recognized around the world at International Data Privacy Day. Data Privacy Day is the perfect time to think about all things privacy. For example, consider all the computing devices and gadgets you use, including smartphones and tablets. Many folks don’t realize these devices are continually collecting personal information about (more…)
Here’s a statement I’ve answered over 100 times (seriously!) in the past few years.
“We’ve outsourced that IT activity, so we don’t we don’t need a policy for it.”
The one word reply to this statement is, (more…)
I’ve also found that many organizations have online contracts for their web site customers that are in conflict with their posted privacy policies.
Over the past few years I’ve done a lot of research and reviewed a lot of privacy policies, and it’s really been amazing to see how the wording in many of them are not providing any privacy protections to website visitors or customers at all! In fact, some of them are downright tricking people into agreeing to share their personally identifiable information (PII) having software installed on their computers that they probably really do not want to have…
Here’s a pretty good mainstream news story from CNN to give to your business leaders to raise their awareness and understanding about phishing…
I knew the civil suits for lost laptops would start soon. Thanks so much to my buddy Alec for pointing out this story to me!
Raelyn Campbell took a laptop computer to Best Buy to get fixed, and three months later, after giving Campbell the run-around, Best Buy admitted to her that they lost the computer.