Archive for the ‘Privacy and Compliance’ Category

New Useful FTC Site for Wireless and Computer Security, Internet Fraud, Other Topics and Related Awareness Activities

Wednesday, May 17th, 2006

Yesterday the FTC announced the launch of a new website, OnGuard Online.  This site has some very good information not only for consumers, but also for organizations to use in their information security and privacy education programs; especially small and medium sized businesses who often don’t have a budget for an adequate education effort for their personnel.  What is also nice is that they provide all this in both English and Spanish versions.

Some of the useful items on this site:

  • Free Videos and Tutorials
    • Teaching Kids To Be Safe Online (video)
    • Protect Your Privacy, Your Family, and Your PC (video)
    • Reducing Spam (video)
    • Defend Yourself Against Viruses and Worms (video)
    • Security/Tools (tutorials)
    • Spam Filtering (tutorials)
    • Wireless Security (tutorials)
  • Interactive Activities (such as quizzes)
  • Topical Discussions
    • An Overview of Safer Computing
    • Identity Theft
    • Internet Auctions
    • Spyware
    • Wireless Security
    • Phishing
    • Social Networking Sites
    • Spam Scams
    • Online Shopping
    • Peer-to-Peer File-Sharing
    • VoIP (Voice over Internet Protocol)
    • Cross-Border Scams

And much more information.  Check it out!  You may find you can use a lot of the information.

Do Laws Protect Muffin Privacy?

Wednesday, May 17th, 2006

A story today in the Dallas Morning News, "18 fall ill from tainted muffins" reported the names of faculty and employees of Lake Highlands High who went to the hospital after eating muffins probably laced with marijuana that had been delivered to the school.  It also described the symptoms (nonstop laughter, increased heart rate, dizziness, etc.), and gave the age of the oldest, who is 86. 

What struck me was a statement made by the hospital,

"The muffins might have had marijuana and Benadryl in them, and tests were being done, said Terry Long, Presbyterian’s director of nursing administration and emergency services. He said he would not be able to confirm what was in the baked goods because of privacy laws. "We are suspecting some kind of street drug or over-the-counter drug," Mr. Long said."

So, the hospital could talk about the specific conditions and symptoms of named patients, but could not "confirm" what was in the muffins "because of privacy laws"?  Huh?  Well, perhaps they obtained consent from the patients to release their names.  Or, maybe the school provided the names and ages.  But what’s up with the muffin privacy?  They involved the FBI because food tampering could endanger the public.

Let’s see…I can’t think of anything in HIPAA that prevents hospitals from talking about the ingredients of tainted food that sends people to the hospital, as long as the individually identifiable health information (IIHI) is not discussed (e.g., it is de-identified)…muffin recipe ingredients, legal or not, are not included in the list of IIHI within the reg…

I wonder what the Texas Medical Practice Act, which is similar to HIPAA but covers a wider range of businesses, says about this type of situation.  I got frustrated after spending way too much time searching the Texas state site for the text of this law and not being able to find it.

If you are a CE (covered entity), this would be a good example to discuss as part of your training and awareness efforts, particularly if you are a healthcare provider: what information would your organization release to the press in a situation such as this?

Information Security and Privacy Professionals MUST Work Together to be Successful

Tuesday, May 16th, 2006

Over the past few years, as the position of privacy officer has emerged and evolved, I have discussed the responsibilities and activities of privacy officers and information security officers with many of these professionals at various meetings, conferences and seminars.  Something that has concerned, and continues to concern, me is how these two positions often seem to be at odds with each other. 

Some of the things I have actually heard privacy officers say include the following:

  • "Information security is a necessary evil…you have to include them even if they make things harder than they need to be."
  • "All I need to be concerned with are the privacy laws; I couldn’t give a s**t about firewalls or viruses."
  • "Our CISO seams to speak a different language!  It’s easier to just avoid him than to try and figure out what he’s talking about."

Some of the things I have actually heard information security officers say include the following:

  • "It’s not my job to know the laws.  If I need to know something, Legal will tell me.  Otherwise, I don’t worry about it."
  • "We’ve had a privacy officer for a couple of years, but I’ve never met her."
  • "I don’t worry about the Privacy Rule…I only need to know about the Security Rule."

Yes…I carry an old-fashioned little note pad with me to capture these nuggets…don’t worry, I never write down names…and my handwriting is like a form of cryptography…  🙂

Do these comments sound familiar?  It’s very likely there are some major compliance gaps, information security risks and vulnerabilities, and privacy infractions in organizations where CPOs and CISOs do not work together.  They have far too many overlapping issues to address to not work together.

Of course, the fact that most CPOs are at much higher levels within the organization than CISOs creates an environment that does not support collaboration.  However, in the best interests of the company, and of customer and employee privacy, these areas MUST work as a team for their shared goals.  And there are many.

  • CPOs and CISOs BOTH must address how to safeguard personal information in all forms
  • CPOs and CISOs BOTH must ensure that privacy and information security protections are built into all the organization’s applications, systems, and processes
  • CPOs and CISOs BOTH must ensure all personnel and business partners with access to the organization’s information receive appropriate training and awareness
  • CPOs and CISOs BOTH must ensure all privacy and information security activities support the business, and must make a business case for their requirements
  • CPOs and CISOs BOTH must comply with applicable laws, regulations and contractual requirements
  • CPOs and CISOs BOTH are managing risks related to information
  • CPOs and CISOs BOTH must establish a program that is effective, justifiable, and fits in with the rest of the business frameworks being used
  • CPOs rely upon CISOs to implement the security protections to meet privacy law requirements
  • CISOs rely upon CPOs to help justify the safeguards put in place
  • And many others…

And, in some organizations, the same person, sometimes coming from an IT background and sometimes coming from a legal background, is given responsibilities for both CPO and CISO duties.  Such a role must know the issues involved with both types of practitioners, not just one.

After much discussion and thought with several practitioners about these overlapping responsibilities and the need to harmonize activities throughout the organization to be most successful and provide the business with true process improvement, I had the good fortune to create a 2-day workshop with Christopher Grillo, Director of Information Security at Medica, who has also put much thought into these issues.  We will next be giving this workshop June 10 – 11 in Scottsdale, AZ.  We have put literally hundreds of hours of time into the tools, frameworks, content and methodologies we will be providing within this workshop.  I’m really excited for this workshop to be offered; so many issues are critical, such as making sure the frameworks used within the business address privacy and security, and that they are understood, as well as the typical hierarchy of the privacy and information security responsibilities within organizations.  I am confident the concepts, tools, reference materials, and case studies we provide truly will help privacy and information security practitioners more successfully meet their program goals.

Can you tell I am passionate about this topic?  🙂

Well, I truly am.  If these are issues you are dealing, struggling, or coping with, I would look forward to seeing you in AZ.

NSA…Phone Call Surveillance…Lawsuits…

Monday, May 15th, 2006

Okay…you saw this coming!  "Telecoms face billion dollar wiretap lawsuits: Verizon sued for $50 billion over wiretap program."

Yes, we are a litigious society…the NSA is not immune, is it? 

"The legal experts said consumers could sue the phone service providers under communications privacy legislation that dates back to the 1930s. Relevant laws include the Communications Act, first passed in 1934, and a variety of provisions of the Electronic Communications and Privacy Act, including the Stored Communications Act, passed in 1986."

The USA PATRIOT Act greatly expanded surveillance capabilities without warrants, and at least 35 other laws were changed as a result.  It will be interesting to see if, and how, this comes into play for this and other lawsuits.

And there are other lawsuits out there…and more coming…

  • Dozens of Lawmakers Back Suit Challenging NSA Program: "As debate renewed over the National Security Agency’s surveillance program, dozens of Democrats in the House of Representatives backed a lawsuit filed in New York that challenges the government’s program of wiretapping without warrants."
  • Hide and go seek: "The nonprofit Electronic Frontier Foundation filed the class action lawsuit in January on behalf of telephone subscribers against AT&T, charging the telecom illegally gave the NSA access to records. Many of the allegations were echoed in the USA Today story last week."

Here’s an interesting discussion of the legalities of the NSA surveillance…

  • Online groups reveal details, legalities of NSA surveillance

Mother’s Day, Privacy and the NSA

Sunday, May 14th, 2006

Happy Mother’s Day!  I enjoyed receiving some wonderful handmade gifts from my two beautiful young sons this morning.  They are the lights of my life.

Many people are calling their mothers today.  Ah, yes…these will be recorded into the largest database in the world…the NSA’s log of virtually all calls made through the U.S.  I thought I’d do a quick check on "mother" and "NSA" and see the various stories related to this…there were several!   Here is a short listing of some that were interesting:

  • In the Quad City Times, by the Washington Post, "Agency blurring lines on privacy":
    • "Colleen Holmes, a stay-at-home mother in Portland, Ore., reported an exchange with a Verizon Wireless customer agent that illustrated not only the dismay some Americans feel about the newly disclosed domestic surveillance but also the fear of terrorism that, for many, more than justifies the program.  Holmes said she was so angry about reports that the government was collecting telephone calling records on millions of Americans that she called Verizon Wireless to explore canceling her service and switching to Qwest.  “It’s your constitutional right to voice your opinion,” she quoted the customer service agent as having told her. “If you want planes to fly into your building … ”"

Hmm…interesting customer service!

  • In the Decatur Daily, "Administration whittling away at Fourth Amendment":
    • "The theory of "Six Degrees of Separation" holds that any one person can be connected to any other person on the planet by a chain of acquaintances that has no more than four intermediaries. In other words: Somebody you know is familiar with someone else who knows another person who is acquainted with a fifth person who knows an al-Qaida operative. The goal of the government program is to "connect the dots.""

Yes, the NSA records, in conjunction with all the other gathered metadata, can certainly link basically anyone on the planet to anyone else…potentially providing a justification for anyone’s phone records, and subsequently other personal information, to be monitored or examined?  Are you really calling Mom today…or someone else…?

  • In the Twin Cities Pioneer Press, "Government has your number":
    • "So, when you are talking to your mother today for Mother’s Day, the conversation is safe, if you want to look at it that way.  But we have no privacy."

Well, I’m not that skeptical…not convinced we have NO privacy.  We don’t have privacy with regard to others knowing who we called and when.  However, there are many forms of privacy.  Not everything about each of us is digitally documented…yet…unless your name is Johnny Mnemonic… 🙂

  • ABC News had some great NSA/Mother’s Day funnies:
    • "Bill Maher: There are more calls made on Mother’s Day than any other day of the year — or as the NSA calls it, "Our busy season.""

Ah, yes…and now…it’s time to go do some laundry…dishes…cleaning…vacuuming…cooking…hey!  Reminds me of a cool tool I found…just in time for Mother’s Day; to those of you who are also mothers, enjoy.  🙂

The "Mom Salary Wizard"

Hackers Take Medical Records, SSNs and Other Personal Information From the Ohio University Health Center in Athens…For the 3rd Time: HIPAA Violations?

Friday, May 12th, 2006

Today the Columbus Dispatch reported that hackers had broken into the Ohio University health center for the third time during the past 3 weeks.  Some of the people whose information was taken have already noticed their information being used fraudulently.  The potential exists for the information to continue to be used in the coming months; even if it hasn’t been misused yet, that is certainly no assurance that it will not be misused.

The Department of Health and Human Services indicated they are going to investigate to see if HIPAA requirements have been violated.

Appears there have been some sanctions applied as a result…

"Three OU officials have been placed on paid administrative leave to help ensure a "full and fair" audit, OU spokesman Jack Jeffery said. The action is not disciplinary, and the employees are not suspected of wrongdoing, he said.  Duane Starkey, director of computer services; John Beam, assistant director of computer services; and Steve Ray, server administrator, were suspended Friday."

Proposed California Law Would Require Consumer Warnings & Info About How to Protect Personal Info for Wi-Fi

Thursday, May 11th, 2006

There was an interesting report in California today about a proposed bill, AB 2415, that would, generally, require manufacturers and retailers of computers with wi-fi to include warnings within the OS and to turn off file-sharing by default.

Of course there are new bills proposed all the time…and many of them do not make it into law.  However, I find this one interesting because it is so narrowly focused on wireless security.  There are so many other risks that exist with computers; how long will it be until these are legislated also?  Will there be a law that requires all personal information to be encrypted at rest (in storage) and in motion (while in transit)?  Will malicious code prevention become legislated?  These issues, along with many others, are already covered, at least through implications that require security to be implemented based upon the results of risk assessments, in such laws as HIPAA and GLBA and even through the interpretations of the FTC Act.  However, this bill is different in that it forces computer manufacturers and retailers to, in effect, implement a customer awareness/protection program for each computer sold.

Even though this is a California bill, if enacted, it would effectively require all computer manufacturers to implement the consumer warnings and reset defaults within the computer software, by stating, "This bill would prohibit a person or entity from manufacturing or selling a device in this state that enables connection to a network without including a warning in its software that alerts the consumer of certain security factors if he or she chooses to set up the device without security protections. The bill would also require a person or entity that manufactures or sells a computer in this state to distribute or sell the computer with the computer’s file-sharing feature in off mode."  I can’t think of any computer manufacturer who would not sell to California just because of this.

It’s curious why the bill was amended by striking "wireless technology" and replacing it with "network security" when it is specific to wi-fi security.

I think it is good to legally require businesses to protect information and implement security, but when requirements become so narrowly scoped and technology specific, other, more significant risks (such as buggy, inadequately secured application code) can be overlooked in an effort to address only those very specific legal technical requirements.

The specific amended bill, with the stricken passages omitted, follows:

"   AB 2415, as amended, Nunez   Network security.
   Existing law, the Consumer Protection Against Computer Spyware Act, provides specified protections for the computers of consumers in this state against certain types of computer software. 
   
   This bill would prohibit a person or entity from manufacturing or selling a device in this state that enables connection to a network without including a warning in its software that alerts the consumer of certain security
factors if he or she chooses to set up the device without security protections. The bill would also require a person or entity that manufactures or sells a computer in this state to distribute or sell the computer with the computer’s file-sharing feature in off mode. The bill would also provide that if any part of these provisions or their applications are held invalid, the invalidity would not affect other provisions.
   Vote: majority. Appropriation: no. Fiscal committee: no. State-mandated local program: no.

THE PEOPLE OF THE STATE OF CALIFORNIA DO ENACT AS FOLLOWS:

SECTION 1.    The Legislature finds and declares the following: 
   (a) With the increasing use of wireless technology, consumers are unknowingly allowing their personal information to be accessed by unauthorized users who piggyback onto their network connection.

   (b) Piggybacking occurs when an unauthorized user taps into a consumer’s network connection. The practice is becoming a serious issue for people who reside in densely populated areas or live in apartment buildings where WiFi radio waves can easily emit through walls, floors, and ceilings. 
   (c) Since there is no gauge that shows how many people are using a particular connection, it is impossible to determine when someone has tapped into a consumer’s network connection.   
   (d) In 2003, it was estimated that there were 3.9 million households with wireless access to the Internet.  Currently, there are about 7.5 million households with wireless access, and that number is expected to rise to 16.2 million households by the end of the year. 
   (e) In April 2004, Humphrey Cheung, the editor of a technology Web site, flew two single-engine airplanes over metropolitan Los Angeles with two wireless laptops. The laptops logged more than 4,500 wireless networks, only 30 percent of which were encrypted to lock out unauthorized users. 
   (f) In June 2002, there was only one major carrier that offered "hot spot" access. Recently, however, several other large carriers have announced plans to enter the market by the end of the year. Few people realize that hackers can take advantage of these wireless "hot spots" by redirecting E-mail traffic from its intended path to the hacker’s computer, thereby obtaining personal information without the consumer being aware of the hacker’s presence. 
   (g) There is disagreement as to whether it is legal for someone to use another person’s WiFi connection to browse the Internet if the owner of the WiFi connection has not put a password on it. While Section 502 of the Penal Code prohibits the unauthorized access to computers, computer systems, and computer data, authorized use is determined by the specific circumstances of the access. There are also federal laws, including the Computer Fraud and Abuse Act (18 U.S.C. Sec. 1030 et seq.), which also prohibit the intentional access of a computer without authorization.
SEC. 2.   Chapter 34 (commencing with Section 22948.5) is added to Division 8 of the Business and Professions Code, to read:      
CHAPTER 34.   NETWORK SECURITY

   22948.5.  For purposes of this chapter, "computer" means an electronic, magnetic, optical, electrochemical, or other high-speed data processing device that performs logical, arithmetic, or memory functions by the manipulations of electronic or magnetic impulses and includes all input, output, processing, storage, or communication facilities that are connected or related to the device.
   22948.6.  A person or entity that manufactures or sells a device in this state that enables connection to a network shall include in its software a warning that comes up on the computer screen if the consumer chooses to set up his or her device without a password and other security protections. The warning should advise the consumer how to protect his or her personal information. These instructions may also be available in the product manual. 
   22948.7.  A person or entity that manufactures or sells a computer in this state may only distribute or sell the computer with the computer’s file-sharing feature in off mode.
   22948.8.   The provisions of this chapter are severable. If any provision of this chapter or its application is held invalid, that invalidity shall not affect any other provision or application that can be given effect without the invalid provision or application."

The Scorpio Sting: Telemarketer Uses Do-Not-Call List As a Marketing Tool…And the FTC Nails Him

Tuesday, May 9th, 2006

The FTC posted an interesting news release yesterday, "FTC Moves to Stop Telemarketer Using Phony Caller ID". 

It seems that a telemarketer, Scorpio Systems, Ltd., decided that the National Do Not Call Registry is a great source of marketing information!  When calling the people on the Do Not Call list, Scorpio fixed it so that his own number would not be identified by those answering the phone.  Oh, and to top it off, Scorpio did not pay to access the Registry, as is required. 

So…how did Scorpio get into the Registry if no payment was made?  Was there a breach?  Did Scorpio buy the list from another business that did pay?  Hmm…

What Businesses Need to Know About Compliance

Monday, May 8th, 2006

This whole concept of "compliance" is rather nebulous and fuzzy.  I see different vendors referencing it in different ways.  I hear different practitioners worrying about different things.  I wanted to speak with some IT compliance professionals with significant experience to see how they are handling this "compliance" responsibility.  I wanted to get the viewpoint of not only a practitioner responsible for an organization’s compliance efforts, but also a consultant who has worked with a wide range of organizations to see where the compliance efforts, successes and challenges are greatest.  On April 17, I had the opportunity to speak with two such folks, Chris Pick, Vice President of Corporate Strategy at NetIQ, and Wayne Crane, CIO, also from NetIQ, about a wide range of compliance issues, and what—from their perspectives and based on their experiences—they believe businesses need to know about the whole concept of compliance.  As a publicly traded company, NetIQ must meet the same strict regulatory requirements, such as SOX, as many other organizations, so it was interesting to hear their thoughts. 

I posted my interview with Chris and Wayne in the Realtime IT Compliance reading room, "What Businesses Need to Know About Compliance." See their thoughts on:

  • What "compliance" means to businesses
  • International compliance approaches
  • Industry-specific compliance challenges
  • The most challenging compliance areas
  • The use of frameworks, such as ITIL, for compliance
  • The most challenging regulation for compliance
  • What executives need to know about compliance
  • Budgeting for compliance
  • Using automation for compliance
  • The single most important compliance activity
  • The importance of executive support for compliance activities

New Privacy Bill Proposed in Canada: Highlights Need for Organizations to Implement Global Data Protection Activities

Monday, May 8th, 2006

David T.S. Fraser has a great blog covering information privacy in Canada, The Canadian Privacy Law Blog.  He just posted the proposed Bill 16, the Personal Information International Disclosure Protection Act, that was introduced in the Nova Scotia legislature last week.

Just one of the interesting passages within:

"5(1)  A public body shall ensure that personal information in its custody or under its control is stored only in Canada and accessed only in Canada, unless
           (a)  where the individual the information is about has identified the information and has consented, in the manner prescribed by the regulations to it being stored in or accessed from, as the case may be, outside Canada;
           (b)  where it is stored in or accessed from outside Canada for the purpose of disclosure allowed under this Act; or
           (c)  the head of the public body has allowed storage or access outside Canada pursuant to subsection (2).

       (2)  The head of a public body may allow storage or access outside Canada of personal information in its custody or under its control, subject to any restrictions or conditions the head considers advisable, if the head considers the storage or access is to meet the necessary requirements of the public body’s operation."

The proposed bill is 11 pages long, and there is much, much more.  However, this gives you a good indication of how this *proposed* bill is incorporating more and more of the OECD privacy principles and aligning even more closely with the types of requirements found within the EU Data Protection Directive than existing laws, such as Canada’s PIPEDA, do.

In the past few years it seems most U.S. organizations, with regard to international data protection activities, have been primarily concerned with data protection issues within their EU offices and for their EU customers.  This proposed Canadian bill is likely to be a bellwether for more and similar bills within other countries.  A good reason for organizations everywhere to start thinking more globally and in a more unified manner with regard to handling the personal information they collect.
