Archive for the ‘Privacy and Compliance’ Category

Pharmacies Throwing Away Privacy and Creating Personal Security Concerns

Wednesday, July 26th, 2006

I really like investigations where those carrying them out are not afraid to get down and dirty to find out what really is going on at businesses, and seeing how sloppy practices put privacy, and personal safety, at risk.  Digging into dumpsters to find personally identifiable information (PII) is a great indicator of the information security practices of an organization. 

Here’s an article about such an investigation to put within your awareness and training files for the ongoing problems organizations have with properly disposing of PII.  WTHR in Indianapolis did an investigation into the trash habits of pharmacies. Indeed there are some very sensitive types of information your friendly neighborhood pharmacy has on file about you and all the other folks who fill their prescriptions.  Not to mention tossed drugs…but that’s another story…

Some of the more interesting findings of the research done by the television station:

"Over a two-month period, 13 Investigates reporter Bob Segall visited 65 local pharmacies. Actually, he visited their dumpsters. Some were latched, locked or chained. But most had no security at all – out in the open, 24 hours a day. At those dumpsters, we took whatever we found – it’s perfectly legal."

Just take a nice stroll at lunch through your downtown alleys (if you are in a day-safe area), and I am willing to bet you will also find dumpsters wide open containing papers and other potential PII storage media.

"Perhaps more alarming, we found prescriptions, pill bottles and prescription labels that provided personal information about hundreds of patients. In fact, at pharmacies where we took garbage bags, we found more than half of them trashed their customers’ privacy by failing to destroy their personal information as required by federal law.  We learned who’s taking birth control pills, who has an enlarged prostate, which customers suffer from depression and which one has a prescription for genital herpes. And along with it, we learned their names, addresses, phone numbers and birthdates. You won’t hear from any of those particular patients, but others are speaking out."

"Margie Kerr was not so fortunate. A thief came to her Bloomington home and stole her prescription painkillers. Detectives say the thief singled out his 76-year-old victim when he found her personal information in an open dumpster behind her pharmacy."

Drug addicts are desperate to get a fix.  What better way to find out who has the drugs they need than by digging through the pharmacy, hospital and medical clinic dumpsters?  Organizations that do not irreversibly destroy PII prior to disposing of it are not only in noncompliance with HIPAA, but are also putting the individuals to whom the PII applies at a safety risk.

"'Protections need to be in place,' said Susan McAndrews, who is a top legal advisor at the Department of Health and Human Services in Washington.  McAndrews said the law is clear: customers’ personal health information must be carefully protected. After seeing what we found in the trash, she offered advice for pharmacies.  'Don’t do that!' she said. 'Putting protected health information in a dumpster that is accessible to anyone… is clearly not an example of a reasonable safeguard.'  McAndrews said most pharmacies are bound by HIPAA, a federal law that requires patients’ and customers’ private health information to be protected. Businesses that fail to comply can be fined up to $100 per incident."

A huge problem with HIPAA is the enforcement, or lack of it, of this federal law by the Department of Health and Human Services (HHS).  No fines or penalties have yet been applied; just two criminal cases have been successfully prosecuted.  The HHS needs to step up and apply fines in such instances of blatant disregard of the law.  Without fines being applied there is no motivation for compliance by covered entities (CEs).  If the HHS is making statements about how CEs need to comply with HIPAA, it needs to step up to the plate and enforce the law!  Just shaking a finger and tsk-tsking at breaches of the legal requirements of HIPAA will not motivate most CEs. 

"For this investigation, we randomly chose 65 metro-area pharmacies. The test included pharmacy-only stores such as Walgreens, CVS, Osco, Tucker Pharmacy and Low Cost Rx stores. It did not include grocery and retail stores that also offer pharmacy services because dumpsters at those locations contained mostly non-pharmacy trash. During the test, we took trash only from pharmacy dumpsters that offered easy public access. We did not take trash from the 13 pharmacies where the dumpsters were either locked or inaccessible to the public. Nor did we take garbage from the seven pharmacies at which dumpsters were behind a closed fence, even if the fence was unlocked. Trash dumpsters at 15 of the pharmacies were easily accessible but empty at the times we visited. We took trash from the remaining 30 pharmacies with easily-accessible garbage dumpsters, and 19 of them failed to destroy all of their customers’ personal information before placing it in the dumpsters."

The station provided a list of the secure dumpsters they encountered; largely CVS and Walgreens stores.

They also provided a map of all the dumpsters they investigated, and comments about the security of each.

What a great investigation.  It would be enlightening to see this same exercise performed in other cities and towns. 

Take a look at your own organization’s dumpsters…you might be surprised at what you find.

Residential trash is also at risk.  Dumpster diving for trash treasures the night before trash day is pretty common in many residential areas.

The Security and Privacy Risks of Blogs, IMs, and Email

Monday, July 24th, 2006

I’m reading the "2006 Workplace E-Mail, Instant Messaging & Blog Survey" performed and issued July 11 jointly by the American Management Association (AMA) and The ePolicy Institute.  It is an interesting read and has some good, and sometimes surprising, statistics and findings. 

Here are a few of the tidbits for you:

  • "Last year, the inability to produce subpoenaed e-mail resulted in million dollar – even billion dollar – lawsuits against U.S. companies. In fact, 24% of organizations have had employee e-mail subpoenaed, and 15% of companies have gone to court to battle lawsuits triggered by employee e-mail."

What are your records retention policies and practices for not only email, but also instant messaging, voice mail, and other types of files?  Be sure you clearly address the issues of email content (typically what is focused upon within policies) and also email retention.  This is a very important issue that is often not covered.

  • "Fully 26% of employers have terminated employees for e-mail misuse. Another 2% have dismissed workers for inappropriate instant messenger (IM) chat. And nearly 2% have fired workers for offensive blog content – including posts on employees’ personal home-based blogs."

I know there are some really amazing stories about the types of email, IM and blog content personnel write and post while at work and/or using their employers’ systems…what are these people thinking?  Probably not thinking…

Again, having a good, clearly written policy will help to support your organization’s decision if you need to make a termination or a disciplinary action that is subsequently challenged in court.  I know of many instances where personnel brought suit, particularly claiming ignorance of a policy, and the cases were thrown out before going to trial because the organizations had policies explicitly stating personnel could not use electronic communications in certain ways, and also had documented, visible proof and procedures verifying that the policies had been communicated.

  • "With the blogosphere growing at the rate of one new blog per second, industry experts expect the ranks of dooced [fired] employee bloggers to swell."

Wow…a new blog every *SECOND*?  That amazed me.  Can that be true?  I wonder how quickly blogs disappear?  One every hour?  Every 30 minutes?  What is the ratio of blogs to websites?  How many blogs are being set up by personnel under their employers’ domains without the knowledge of the employers?

I also learned a new word…or at least a new meaning for a word…"dooced." 

  • "4% of companies have written e-mail retention/deletion policies in place, in spite of the fact that 34% of employees don’t know the difference between business-critical e-mail that must be saved and insignificant messages that may be purged."

No surprises here…it is a scary fact that a huge amount of confidential and mission critical data is contained within or attached to email messages, and that no one really has responsibility for these email security and privacy issues, and most users have no idea of the risks involved.

Organizations need to implement classification policies and procedures to support the save and purge activities.

  • "While 35% of employees use IM at work, only 31% of organizations have IM policy in place, and 13% retain IM business records."

I know a large majority of the organizations I speak with indicate they use IM internally.  IM communications, even at work, are typically much less restrained…in content, opinions, accusations, gossip…than email.  All of which could get not only the employee but also the employer in hot water legally.

  • "Among the blog risks…are copyright infringement, invasion of privacy, defamation, sexual harassment and other legal claims; trade secret theft, financial disclosures, and other security breaches; blog mob attacks and other PR nightmares; productivity drains; and mismanagement of electronic business records."

Since a growing segment of business professionals rely upon these communication methods so heavily it is important to have policies governing the appropriate and reasonable use of email, IMs, and blogs. 

How many of you have such policies and supporting procedures?  I have seen many organizations with email policies and procedures, but very few companies, almost nil, with instant messaging or blog policies.

The Business Leader’s Primer for Incorporating Privacy and Security into the SDLC Process

Sunday, July 23rd, 2006

It is important for business leaders throughout the enterprise to understand the system development life cycle (SDLC) and how decisions made during the process can impact, negatively or positively, the entire business. First and foremost, systems and applications must be built to support the business in the most efficient and effective manner possible. Business leaders must be involved with the process to ensure systems and applications are being developed to meet this goal; the information technology (IT) areas cannot create applications and systems on their own and reach this goal. Second, applications and systems must be created to reduce risk to the level acceptable by the business, as well as to meet compliance with applicable laws, regulations, and contractual requirements. 

I just wrote and posted a paper, "The Business Leader’s Primer for Incorporating Privacy and Security," that provides an overview for business leaders about the importance of incorporating information security and privacy into the SDLC, and key information security and privacy activities to address within each SDLC phase.  Let me know what you think, and if you have additional ideas about this topic.

Despite ChoicePoint Spin There Are Still Many Information Security and Privacy Concerns

Sunday, July 16th, 2006

There was a very interesting read in ConsumerAffairs today, "ChoicePoint Gets a Makeover."

The story reinforces once again the need to have a good security program in place with good controls and a well communicated comprehensive information security awareness and training program.  If the controls and awareness had been in place would this fraud have occurred?  We’ll never know for sure, but the chances would have been much smaller that this incident would have occurred…knowledge and controls could have blocked the criminals from instigating their fraud.

However, lack of controls and awareness aside, the gargantuan amount of personal information ChoicePoint controls is very scary…especially considering how its use in making decisions impacts virtually everyone in the U.S. and a significant number of people outside the States.

It would have been good to have gotten some statistics about ChoicePoint in this story…how many people’s records do they have in their systems?  In how many places are these records located?  How do they successfully and completely change errors within the records?  What specific types of information do they have?  I have a feeling the answer to that would be a very, very long and disconcerting list.  With how many other organizations do they share their data?  Do they send information corrections to all these other organizations when they correct their own errors?  I could go on…but you get the picture….

Some information about ChoicePoint from their site:

  • They have around 5,500 employees in 60 locations (Is all our personal data also as scattered?  Are any of these locations outside the U.S.?  Within any outsourced entities?)
  • Their 2005 Annual Report is interesting (A lot of spin….A LOT.)  A few excerpts:
    • "For the first time ever, revenues exceeded one billion dollars, at $1.06 billion, a 15 percent increase over 2004."
    • "Last year, we helped more than 100 million Americans obtain fairly-priced home and auto insurance."

So they have information on at least 100 million Americans then?

    • "As of December 31, 2005, the Company recorded a charge of $8.0 million for the FTC settlement that represents the $10.0 million civil penalty, the $5.0 million fund of consumer redress initiatives, a $4.0 million charge for additional obligations under the order offset by $11.0 million anticipated recovery of these fees from the Company’s insurance carrier."

Interesting…so of the $19 million penalty, ChoicePoint only had $8 million come out of their pockets…the other $11 million was covered by their insurance provider…gee, wonder if that is something that will impact their insurance score and bump up their premium…speaking of which…

This story caught my eye for another reason because I’ve been interested in the impact and type of insurance scores ChoicePoint generates and how they impact consumers’ costs for insurance.  To see a list of all the variables that go into creating your insurance score see ChoicePoint’s ChoiceTrust site.  There are 156 different types of situations/events listed that can impact your insurance costs…making them go higher…and some of them will be surprising to a large segment of the population.

It’s truly amazing the power and impact these huge data brokers have, ChoicePoint in particular, and the huge amount of personal information…some of it inaccurate but propagated…about literally hundreds of millions of people.

Chief Privacy Officer Named for the U.S. Department of Commerce Today

Thursday, July 13th, 2006

Government Technology today reported Robert C. Cresanti was appointed CPO in addition to his current responsibilities as under secretary for technology.  I could not find an announcement about this on the Dept of Commerce site, however.  I was hoping to get more info than was provided within the report.

It is good they are appointing a CPO.  However, U.S. federal privacy and data protection governance would benefit from one CPO over the entire government; basically adding a cabinet position.  Then this position could coordinate privacy and data protection activities through CPOs assigned to each of the government agencies.  A similar system seems to work well for Canada.

The scattered and uncoordinated data protection and privacy approach currently taken does not result in consistent regulatory enforcement or unified federal laws.  Some agencies have rigorous privacy enforcement activities while there seem to be none within other agencies.

Security and Privacy Contract Clause Considerations

Monday, July 10th, 2006

When you entrust business partners and vendors with your company’s confidential data, you are also entrusting them with all control of security measures for your organization’s data. That trust cannot be blind. Many recent privacy and security incidents have resulted from inadequate privacy and/or security practices within outsourced organizations handling another company’s customer or employee data. 

Christopher Grillo and I discuss this topic at length in our two-day information security and privacy workshop.  I just posted a paper, "Security and Privacy Contract Clause Considerations," to my Realtime IT Compliance site.  This paper covers the issues we discuss in addition to a table we created for our workshop that lists the types of information security and privacy requirements that organizations should consider including within contracts with third parties.  The table has been very helpful for organizations addressing outsourcing and partnering security and privacy issues, so we are making it available in the hope it will also be helpful to you.

What Healthcare Organizations Need to Know About HIPAA, Minors and Privacy

Sunday, July 9th, 2006

The Health Insurance Portability and Accountability Act (HIPAA) has some specific requirements related to handling the protected health information (PHI) for minors and for the types of access that can be allowed to this information, even to parents and guardians. Many state-level laws also have requirements for restricting parental and guardian access to minors’ PHI under certain conditions.

With the commonplace practice of allowing individuals access to their account information via Internet applications, particularly among health insurance companies and pharmacies, it is important that covered entities consider the issues and impacts of providing access to the PHI of minors through such automated means as well as in person.

Restricting parents’ access to minors’ PHI certainly can be tricky, particularly within automated systems that may not have access controls down to the field level.  I just posted a paper, "What Healthcare Organizations Need to Know About HIPAA, Minors and Privacy," on my Realtime IT Compliance site that provides information about the issues organizations, such as healthcare insurers, healthcare providers and pharmacies, need to address when establishing ways to restrict access to minors’ PHI. 
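One way to apply such a restriction per item rather than per record, as an added illustration that is not from the post or the paper: the roles, the restricted categories and the sample record are constructed placeholders, and the real restricted set has to come from HIPAA and the applicable state law, not from code.

```python
"""Field-level access control over a minor's PHI record.

Added example for this post, not code from the post, the paper or any
product. Roles, categories and the rule are constructed placeholders:
which entries a parent or guardian may not see depends on HIPAA and on
each state's law, so in a real system the restricted set is data
maintained with privacy counsel, not a constant in code.
"""
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed placeholder for "categories a minor may keep from a guardian".
GUARDIAN_RESTRICTED = {"reproductive_health", "mental_health"}

@dataclass(frozen=True)
class Item:
    """One PHI entry (e.g. a prescription) tagged with a category."""
    item_id: str
    description: str
    category: str

@dataclass
class MinorRecord:
    patient_id: str
    items: List[Item] = field(default_factory=list)

def visible_items(record: MinorRecord, role: str) -> List[Item]:
    """Apply the rule per item at the data layer, not per record.

    A record-level (all or nothing) control forces a choice between
    exposing restricted entries and denying a guardian legitimate ones;
    filtering per item avoids both and does not rely on the UI.
    """
    if role in ("patient", "provider"):
        return list(record.items)
    if role == "guardian":
        return [i for i in record.items if i.category not in GUARDIAN_RESTRICTED]
    raise PermissionError(f"role {role!r} may not view patient records")

def fetch_item(record: MinorRecord, role: str, item_id: str) -> Optional[Item]:
    """Single-item lookup through the same filter.

    A restricted item comes back as None, exactly like a nonexistent one,
    so a guardian guessing item ids cannot learn that a restricted entry
    exists at all.
    """
    for item in visible_items(record, role):
        if item.item_id == item_id:
            return item
    return None

def withheld_count(record: MinorRecord, role: str) -> int:
    """Number of entries filtered out; log this so audits can confirm the filter ran."""
    return len(record.items) - len(visible_items(record, role))

# Constructed sample record for the demonstration.
SAMPLE = MinorRecord("pt-0001", [
    Item("rx-1", "antibiotic (constructed)", "general"),
    Item("rx-2", "contraceptive (constructed)", "reproductive_health"),
])

if __name__ == "__main__":
    for role in ("guardian", "patient"):
        ids = [i.item_id for i in visible_items(SAMPLE, role)]
        print(role, ids, "withheld:", withheld_count(SAMPLE, role))
```

The filter lives in the data-access function, so a web portal, a phone-line system and a batch export all go through the same rule instead of each re-implementing it.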

Confidential Info on 100,000 Posted on Navy Website for 6 Months: 2nd Navy Breach Incident in 2 Weeks

Sunday, July 9th, 2006

Friday (7/7) the Naval Safety Center (NSC) reported personal information on more than 100,000 Navy and Marine Corps aviators and aircrew had been posted on its public Web site for over 6 months.  The data reportedly included Social Security numbers for current active-duty and reserve aviators and aircrew, and potentially every Navy and Marine aviator who has actively served in the past 20 years.

"The same personal information was contained on 1,083 Web-enabled safety program disks mailed to Navy and Marine Corps commands, according to an NSC statement. The center’s Web site has been shut down since July 7."

And yes, they had a similar incident just weeks ago.

"In late June the Navy Personnel Command (NPC) said it had discovered that personal data – including Social Security numbers and birthdates – on 28,000 service members and their family members had been published on a civilian Web site."

Where are the controls over this sensitive information?  If this is simply human error, where is the oversight?  Why isn’t someone checking these sites continuously to ensure nothing inappropriate is getting posted?  What are the policies and procedures in place to protect this type of information?  ARE there policies and procedures in place?

Hackers don’t need to break into most networks to get confidential information; they can just keep an eye on websites for whenever the information is posted.

The Navy, and probably every other government agency, needs to do a privacy impact assessment (PIA) to find where their other privacy breach risks exist, and they need to ensure security and privacy are built into their SDLC process to help keep this type of incident from happening.  And, of course, it definitely appears that their information security and privacy awareness and training efforts could be beefed up.

And yes, government agencies ARE required to do annual PIAs…but are they being done effectively?  It seems a lot is getting overlooked based upon the ongoing security breaches.

Managing the Impact of Privacy on Business

Saturday, July 8th, 2006

Privacy and trust are essential to maintain good relationships with customers, employees and business partners, as well as to comply with the growing number of privacy regulations worldwide. Addressing privacy touches all facets of an organization, including business operations, websites and services, back-end systems and databases, communications with third parties, customers and service providers, and legacy systems.

Over the past three years I have been delivering a 2-day workshop I created that addresses these issues, along with explaining practical steps for structuring an effective privacy governance program based on a privacy impact assessment.  I update the workshop each time I give it (approximately twice a year) to ensure all the latest privacy and related information security challenges are addressed.

I will next be giving the workshop in San Francisco on July 20 & 21.  For more information click here.  To save $100, enter the priority code SAN06 in the registration form.

I really enjoy giving this class and working with the participants on how to address their privacy governance challenges.  If you have the chance please join us!

Dept of Health and Human Services Makes HIPAA Tool Available

Thursday, July 6th, 2006

Yesterday the U.S. Department of Health and Human Services (HHS) published "HIPAA Privacy Rule: Disclosures for Emergency Preparedness – A Decision Tool."  The flow chart that is part of the tool should be particularly helpful for healthcare providers.
