Archive for the ‘Privacy and Compliance’ Category
Sunday, August 17th, 2008
When I got my Sunday Des Moines Register out of the orange box across the road this morning, the front page headline leaped out at me, “Medical privacy law fails to stop snooping.”
In one of the incidents described, a woman was incredibly embarrassed and humiliated after all the intimate details about an operation she had on her uterus, including her full name, that were in her doctor’s files were apparently published in marketing material…
(more…)
Tags: awareness and training, Des Moines Register, HHS, HIPAA, Information Security, IT compliance, IT training, policies and procedures, privacy training, risk management, security training
Posted in Laws & Regulations, Privacy and Compliance, Privacy Incidents | 2 Comments »
Friday, August 15th, 2008
Is your accountant or tax preparer sending your personally identifiable information (PII) offshore? Possibly.
Here is the second part of the first article, “(Mis)Using Social Security Numbers in Business,” within my August issue of IT Compliance in Realtime Journal, which discusses the use of SSNs (get the nicest version of the full journal here)…
(more…)
Tags: awareness and training, Information Security, IT compliance, IT training, policies and procedures, privacy training, risk management, security training, social security number, SSN
Posted in Information Security, Privacy and Compliance | 1 Comment »
Thursday, August 14th, 2008
Recently I wrote about the privacy implications of Google Street View after communicating with John Grogan (from Popular Science and Computer World) about this topic; see here and here.
Today I saw an ABC news video…
(more…)
Tags: awareness and training, Computerworld, Google street view, Google walking directions, Information Security, IT compliance, IT training, John Brandon, policies and procedures, Popular Science, privacy training, risk management, security training, surveillance
Posted in Privacy and Compliance | 3 Comments »
Wednesday, August 13th, 2008
Recently I got a call from a representative of one of the free IT magazines I subscribe to. The rep wanted to renew my subscription, and needed to ask me a few “qualifying” questions first. Fine.
When she asked, “What is your Social Security number?” I responded, “You don’t need to know.”
She replied, “Yes, I do. We must verify that you are, indeed, who you say you are, so we need your Social Security number to do that. It is our standard procedure.”
“Well,” I told her, “Don’t you think it is poor business practice to make an unannounced call to your subscribers and ask them for a Social Security number? After all, you made the contact with me, not the other way around. I answered my phone, didn’t I? And besides, how do I know *YOU* are who you say you are? Can you please give me your Social Security number so I can verify that you are, indeed, who you say you are?”
(more…)
Tags: awareness and training, Information Security, IT compliance, IT training, policies and procedures, privacy training, risk management, security training, social security number, SSN
Posted in Information Security, Privacy and Compliance | 1 Comment »
Monday, August 11th, 2008
It used to be very common for various state and local government agencies, such as the Department of Motor Vehicles, to sell their records, containing vast amounts of personally identifiable information (PII), as a revenue stream. That changed when Rebecca Schaeffer’s stalker killed her in 1989 after paying $250 to get her address, and other PII on file, from the California Department of Motor Vehicles.
After this horrible, tragic demonstration of how very bad things can happen when people have full rein to get access to PII, states started enacting drivers protection acts to keep the PII the agencies had on file from being accessed in such egregiously irresponsible ways. Finally, a U.S. federal law, the Drivers Privacy Protection Act (DPPA), was enacted to help protect the PII in drivers’ records.
So, I found the following inappropriate release from a state agency to be very interesting…
(more…)
Tags: awareness and training, DPPA, Information Security, IT compliance, IT training, Missouri Department of Revenue, policies and procedures, privacy training, publicdata.com, risk management, security training, Shadowsoft, social engineering
Posted in government, Information Security, Laws & Regulations, Privacy and Compliance | No Comments »
Wednesday, August 6th, 2008
Tags: awareness and training, Information Security, IT compliance, IT training, policies and procedures, privacy training, risk management, security training, SMB security, wardriving, wireless hack, wireless security
Posted in Information Security, Privacy and Compliance, Privacy Incidents | No Comments »
Wednesday, August 6th, 2008
Tags: awareness and training, Information Security, IT compliance, IT training, policies and procedures, privacy training, risk management, security training, SMB security, wardriving, wireless hack, wireless security
Posted in Information Security, Privacy and Compliance, Privacy Incidents | 2 Comments »
Tuesday, August 5th, 2008
I got a great question from a business friend of mine, and I wanted to provide my answer here, too, because it is something all multi-national organizations need to think about. Eric Nelson, who heads Secure Privacy Solutions, asked, “If a company collects and manages PII from another country, e.g., India or the U.S., and transfers that PII to the E.U. for some type of processing or storage or even just transit, does the E.U. Data Directive apply once that PII leaves a country within the E.U.?”
(more…)
Tags: awareness and training, cross border data flow, EU Data Protection Directive, Information Security, IT compliance, IT training, personal information, personally identifiable information, PII, policies and procedures, privacy training, risk management, security training
Posted in Laws & Regulations, Privacy and Compliance | No Comments »
Monday, August 4th, 2008
Last Friday afternoon I got a message from a Popular Science reporter, John Brandon, asking me if I thought that the Google walking directions feature created any privacy concerns. I was finishing a client deliverable at the time, but indicated I would answer him later in the day…which I did take the time to do late in the evening instead of doing other, more recreational, things. I heard no acknowledgment or response from him about the information I provided, but he did write an article about Google walking directions that was published today, “Google Walking Directions: a Privacy Concern?”
John did just confirm to me that he had received my message but too late to include in the article.
Here is the information I provided…
(more…)
Tags: awareness and training, Google walking directions, Information Security, IT compliance, IT training, John Brandon, policies and procedures, Popular Science, privacy training, risk management, security training, surveillance
Posted in Privacy and Compliance | No Comments »