Archive for the ‘Laws & Regulations’ Category
Thursday, August 28th, 2008
Here are some more data retention tips and considerations as a follow-up to my Tuesday blog post…
Tags: awareness and training, data retention, disposal, Information Security, IT compliance, IT training, policies and procedures, privacy training, risk management, security training
Posted in Information Security, Laws & Regulations | No Comments »
Tuesday, August 26th, 2008
There have been several interesting news reports recently about data retention proposals, plans, practices and laws in the U.K.
Currently there are proposals to require emails to be retained for a full year, but critics contend that sloppy data retention practices will result in actual retention periods much longer, if the emails even ever get deleted.
This is an important point; when it comes to data retention, the requirements are rarely, if ever, followed by some organizations…
Tags: awareness and training, data retention, disposal, Information Security, IT compliance, IT training, policies and procedures, privacy training, risk management, security training
Posted in Information Security, Laws & Regulations, Privacy and Compliance | No Comments »
Monday, August 25th, 2008
Yesterday I read about the 7th criminal conviction and sentencing that has been given under HIPAA, “Woman gets 14 months in ID theft case.”
Tags: awareness and training, Health Insurance Portability and Accountability Act, HIPAA, identity fraud, identity theft, Information Security, insider threat, IT compliance, IT training, Jay Meckenstock, Leslie A. Howell, Nicole Lanae Stevenson, policies and procedures, privacy training, risk management, security training
Posted in identity theft, Laws & Regulations, Non-compliance Sanctions Examples, Privacy and Compliance, Privacy Incidents | No Comments »
Thursday, August 21st, 2008
Not much surprises me anymore with regard to some of the silly things that organizations do with printed PII that put the involved individuals at risk.
However, I was surprised when I watched an ABC News report this morning…
Tags: awareness and training, disposal, disposal rule, FACTA, Information Security, IT compliance, IT training, personally identifiable information, PII, policies and procedures, privacy training, risk management, security training
Posted in Laws & Regulations, Privacy and Compliance, Privacy Incidents | 1 Comment »
Wednesday, August 20th, 2008
It amazes me how many news articles are reported that are related to the misuse or breach of social security numbers (SSNs). Today, just a few of the stories that popped up included:
Tags: awareness and training, FTC, Information Security, IT compliance, IT training, policies and procedures, privacy training, risk management, security training, social security number, SSN
Posted in Laws & Regulations | 1 Comment »
Sunday, August 17th, 2008
When I got my Sunday Des Moines Register out of the orange box across the road this morning, the front page headline leaped out at me, “Medical privacy law fails to stop snooping.”
In one of the incidents described, a woman was incredibly embarrassed and humiliated after all the intimate details about an operation she had on her uterus, including her full name, that were in her doctor’s files were apparently published in marketing material…
Tags: awareness and training, Des Moines Register, HHS, HIPAA, Information Security, IT compliance, IT training, policies and procedures, privacy training, risk management, security training
Posted in Laws & Regulations, Privacy and Compliance, Privacy Incidents | 2 Comments »
Monday, August 11th, 2008
It used to be very common for various state and local government agencies, such as the Department of Motor Vehicles, to sell their records, containing vast amounts of personally identifiable information (PII), as a revenue stream. That changed when Rebecca Schaeffer’s stalker killed her in 1989 after paying $250 to get her address, and other PII on file, from the California Department of Motor Vehicles.
After this horrible, tragic demonstration of how very bad things can happen when people have free rein to get access to PII, states started enacting drivers’ privacy protection acts to keep the PII the agencies had on file from being accessed in such egregiously irresponsible ways. Finally, a U.S. federal law, the Drivers Privacy Protection Act (DPPA), was enacted to help protect the PII in drivers’ records.
So, I found the following inappropriate release from a state agency to be very interesting…
Tags: awareness and training, DPPA, Information Security, IT compliance, IT training, Missouri Department of Revenue, policies and procedures, privacy training, publicdata.com, risk management, security training, Shadowsoft, social engineering
Posted in government, Information Security, Laws & Regulations, Privacy and Compliance | No Comments »
Tuesday, August 5th, 2008
I got a great question from a business friend of mine, and I wanted to provide my answer here, too, because it is something all multi-national organizations need to think about. Eric Nelson, who heads Secure Privacy Solutions, asked, “If a company collects and manages PII from another country, e.g., India or the U.S., and transfers that PII to the E.U. for some type of processing or storage or even just transit, does the E.U. Data Directive apply once that PII leaves a country within the E.U.?”
Tags: awareness and training, cross border data flow, EU Data Protection Directive, Information Security, IT compliance, IT training, personal information, personally identifiable information, PII, policies and procedures, privacy training, risk management, security training
Posted in Laws & Regulations, Privacy and Compliance | No Comments »
Monday, July 14th, 2008
Do you have any customers in any of the 27 European Union (EU) countries? Do you have any personnel in the EU? COULD YOU have?
Any company sending or receiving personally identifiable information (PII) to or from other countries must abide by the data protection (read “privacy”) laws of those countries. Keep in mind that PII covers a very wide range of items, and many more items are considered PII outside of the U.S. than within the States. The EU Data Protection Directive (95/46/EC) establishes the minimum PII data protection requirements that ALL companies, anywhere in the world, must follow to send the PII of EU citizens across country borders. Each of the EU countries also has specific data protection laws that may be even more restrictive than the EU Data Protection Directive (95/46/EC).
Tags: awareness and training, BCRs, binding corporate rules, EU Data Protection Directive, Information Security, IT compliance, policies and procedures, privacy training, risk management, security training
Posted in Laws & Regulations, Privacy and Compliance | No Comments »
Thursday, July 10th, 2008
In case you didn’t hear about it yet, President Bush just signed into law changes to the U.S. Foreign Intelligence Surveillance Act (FISA) that, among other things, grants immunity to telecom companies that cooperate with the secret warrantless wiretap program.
Tags: awareness and training, encryption, FISA, FISA Amendments Act of 2008, Foreign Intelligence Surveillance Act, Information Security, IT compliance, policies and procedures, privacy training, regulatory compliance, risk management, security training
Posted in Laws & Regulations, Privacy and Compliance | No Comments »