August 2008 - Page 2 of 3 -

Archive for August, 2008

Insider Threat Examples: HIPAA Violations Go UnPenalized In Iowa

Sunday, August 17th, 2008

When I got my Sunday Des Moines Register out of the orange box across the road this morning, the front page headline leaped out at me, “Medical privacy law fails to stop snooping.”
In one of the incidents described, a woman was incredibly embarrassed and humiliated after all the intimate details about an operation she had on her uterus, including her full name, that were in her doctor’s files were apparently published in marketing material…

(more…)

Tags:awareness and training, Des Moines Register, HHS, HIPAA, Information Security, IT compliance, IT training, policies and procedures, privacy training, risk management, security training
Posted in Laws & Regulations, Privacy and Compliance, Privacy Incidents | 2 Comments »

Is Your Accountant Sending Your Information Offshore?

Friday, August 15th, 2008

Is your accountant or tax preparer sending your personally identifiable information (PII) offshore? Possibly.
Here is the second part of the first article, “(Mis)Using Social Security Numbers in Business,” within my August issue of IT Compliance in Realtime Journal, which discusses the use of SSNs (get the nicest version of the full journal here)…

(more…)

Tags:awareness and training, Information Security, IT compliance, IT training, policies and procedures, privacy training, risk management, security training, social security number, SSN
Posted in Information Security, Privacy and Compliance | 1 Comment »

An Example of Google’s Street View Crossing The Privacy Line…?

Thursday, August 14th, 2008

Recently I wrote about the privacy implications of Google Street View after communicating with John Grogan (from Popular Science and Computer World) about this topic; see here and here.
Today I saw an ABC news video…

(more…)

Tags:awareness and training, Computerworld, Google street view, Google walking directions, Information Security, IT compliance, IT training, John Brandon, policies and procedures, Popular Science, privacy training, risk management, security training, surveillance
Posted in Privacy and Compliance | 3 Comments »

How Do You Use Social Security Numbers?

Wednesday, August 13th, 2008

Recently I got a call from a representative of one of the free IT magazines I subscribe to. The rep wanted to renew my subscription, and needed to ask me a few “qualifying” questions first. Fine.
When she asked, “What is your Social Security number?” I responded, “You don’t need to know.”
She replied, “Yes, I do. We must verify that you are, indeed, who you say you are, so we need your Social Security number to do that. It is our standard procedure.”
“Well,” I told her, “Don’t you think it is poor business practice to make an unnannounced call to your subscribers and ask them for a Social Security number? After all, you made the contact with me, not the other way around. I answered my phone, didn’t I? And besides, how do I know *YOU* are who you say you are? Can you please give me your Social Security number so I can verify that you are, indeed, who you say you are?”

(more…)

What Happens On The Internet Stays On The Internet…No Matter What A Judge Says!

Tuesday, August 12th, 2008

For those of you that weren’t aware, this past weekend the long-running Defcon convention (historically started with only “hard core” hackers in attendance, but now huge numbers of information security pros and law enforcement attend) was held in Las Vegas.
Some MIT students, Zack Anderson, R.J. Ryan and Alessandro Chiesa, were scheduled to talk about “Anatomy of a Subway Hack,” detailing a school project they did, and received an “A” on, that showed how the Massachusetts Bay Transportation Authority (MBTA) cards could be hacked to basically change a $1.25 MBTA fare card to a $100 fare card.
Well, the MBTA got wind of this…actually the MIT students contacted them in July to tell them about this security flaw, as well as let them know they were giving a presentation about it…and filed an injunction last Friday to keep the MIT students from giving their presentation on Sunday.
But guess what? Yep…I bet you can see this coming…

(more…)

Tags:awareness and training, Defcon, Information Security, IT compliance, IT training, MBTA, MIT, policies and procedures, privacy training, risk management, security training
Posted in government, Information Security | 3 Comments »

Missouri Dept of Revenue Sued (Under DPPA) For Releasing PII That Was Posted for Sale on the Internet

Monday, August 11th, 2008

It used to be very common for various state and local government agencies, such as the Department of Motor Vehicles, to sell their records, containing vasts amounts of personally identifiable information (PII), as a revenue stream. That changed when Rebecca Schaeffer’s stalker killed her in 1989 after paying $250 to get her address, and other PII on file, from the California Department of Motor Vehicles.
After this horrible, tragic demonstration of how very bad things can happen when people have full reign to get access to PII, states started enacting drivers protection acts to keep the PII the agencies had on file from being accessed in such egregiously irresponsible ways. Finally, a U.S. federal law, the Drivers Privacy Protection Act (DPPA) was enacted to help protect the PII in drivers’ records.
So, I found the following inappropriate release from a state agency to be very interesting…

(more…)

Tags:awareness and training, DPPA, Information Security, IT compliance, IT training, Missouri Department of Revenue, policies and procedures, privacy training, publicdata.com, risk management, security training, Shadowsoft, social engineering
Posted in government, Information Security, Laws & Regulations, Privacy and Compliance | No Comments »