Archive for the ‘Privacy and Compliance’ Category

Be Aware of Risks with Outsourcing to Other Countries

Saturday, October 3rd, 2015

Businesses must be aware of risks with outsourcing to other countries activities involving personal information. Over the past couple of months I’ve heard over a dozen organizations express their opinion that if they hire organizations outside the U.S. to do work for them, then those organizations are not bound by U.S. laws. Most were from small to midsized organizations and startups. But it was somewhat surprising to hear also hear this sentiment from an organization with multiple locations and thousands of employees. This has been an incorrect belief of far too many organizations for decades.

I’ve also had clients in other countries ask about the need to comply with U.S. laws, such as for HIPAA compliance, when they provide services for U.S individuals and/or businesses.  Many believe they do not need to. (more…)

Small Businesses Must Address Security and Privacy

Friday, September 18th, 2015

I’ve been working with hundreds of businesses over the past fifteen years, and I’ve found many common challenges that they are always trying to address, as well as some common, dangerously incorrect, beliefs about security and privacy. There are some common misconceptions that are unique to one-person to small businesses.

Here are four common recurring incorrect information security and privacy beliefs of small businesses, and the facts that these businesses need to know: (more…)

TV Ratings Should Not Trump Patient Privacy

Saturday, January 3rd, 2015

Yesterday I read a news story about how a woman, Mrs. Anita Chanko, saw an episode of the Dr. Oz show “NY Med” that included video of her husband, who had died 16 months earlier, in the hospital receiving care after being hit by a truck while crossing the street. She did not know that such a video even existed.

The picture was blurred, but the woman knew it was her recently deceased husband because she recognized his voice when he spoke, the conversation topic, the hospital where the care was occurring, along with other visual indicators. She heard her husband ask about his wife; her. She then watched his last moments of life, and then his death on television. (more…)

If Compliance Isn’t Documented It Didn’t Happen

Monday, September 22nd, 2014

Most of the 250+ organizations I’ve audited, and the hundreds of others I’ve had as clients, hate documentation. At least creating documentation. So, they don’t do it, or they do it very poorly. Or, they document things they don’t need to, and fail to document the important things. And then, considering all that documentation, they often don’t retain it long enough, or forget where they put it.

Last year I wrote an article about legal retention length requirements. Now I’m focusing on the types of compliance activities organizations need to document, and then the need to retain that documentation for the appropriate periods of time. (more…)

Using “Compliant” Stuff Doesn’t Result in Full Compliance

Wednesday, June 11th, 2014

In the past couple of weeks I’ve spoken with five different small to mid-size organizations who have had a software or hardware vendor basically tell them, “Our product is HIPAA compliant! Use it and you will also be fully HIPAA compliant!” How can that be? In three words; it can’t be. Here’s what is most likely going on with those claims. (more…)

If it was Intentional it is *NOT* Incidental

Wednesday, December 11th, 2013

In the past week I got the third question in a one month time-frame about the same topic. My unwritten, loosely followed rule is that if three different organizations ask me pretty much the same question in a month, then it is something worth writing about; why are so many (well, a handful) of the same questions occurring in such a short period of time? Is some vendor out there spreading horribly bad advice? Let’s consider the topic… (more…)

You Must Practice Daily Compliance Hygiene

Tuesday, October 22nd, 2013

Compliance, like much of life, takes ongoing effort

Okay, folks. Time for a reality check for what data protection compliance involves. 

You know what’s often tedious and hard? Well, a lot of things in life. (more…)

Context Determines Privacy Impact

Tuesday, July 2nd, 2013

I’ve been getting the following question and comment increasingly more often in the past several months:

1)    “If someone’s name (more…)

Don’t Be Penny Wise and Privacy Foolish

Monday, June 17th, 2013

“We Can’t Afford Security and Privacy!”

Recently I was speaking to a healthcare executive (a hospital Chief Financial Officer) at a conference where I had talked in one of the sessions about the needs for information security and privacy not only for compliance reasons, but also to mitigate risks to the business. He seemed a bit short with me when he approached.

Him: “I wish (more…)

Don’t Treat Privacy Breach Victims like a Spurned Lover

Wednesday, May 1st, 2013

A new data breach research report is out, and it is a good read.  This is the annual Experian/Ponemon Institute “Is Your Company Ready for a Big Data Breach?” report.  I want to focus on one of the findings in that report; that most organizations are not willing to assist those affected by a breach of their personal information. (more…)