Archive for the ‘Privacy and Compliance’ Category

New Privacy Director At the TSA

Monday, April 17th, 2006

The Transportation Security Administration (TSA) today announced that Peter Pietra has been named the agency’s director of privacy policy and compliance.  He now is TSA’s assistant chief counsel for information law.

"The Homeland Security Department agency said in a press release that Pietra’s appointment, along with expanded staffing of TSA’s privacy office, showed its commitment to privacy protection. "Peter’s appointment extends the privacy functions he currently serves and is expected to build a strong privacy program within the agency," said Kip Hawley, TSA administrator. "That knowledge, along with the close working relationship he has established with the DHS Privacy Office, makes him well suited for this new post." TSA said the pending launch of the Transportation Worker Identification Credential, Registered Traveler and Secure Flight programs highlight the increased workload and need for improved public communication about privacy policies. All three programs involve the use of personal information to conduct background checks needed to approve transportation workers and travelers for speedy transit of checkpoints or access to sensitive facilities. Pietra earned an undergraduate degree from the University of Pennsylvania and was a field artillery officer in the Army. He graduated from Temple University’s law school. He practiced law in the private sector and as an attorney for the Coast Guard before joining TSA’s Chief Counsel Office in 2003."

It appears from the org chart posted on the TSA site that R. Gunderson is/was the current Chief Privacy Officer…in the Acquisition Department.



Notification Delayed Months after SSNs and birthdates of 40,000 stolen in Hawaii

Friday, April 14th, 2006

The Honolulu Star Bulletin reported today

"Records containing the names, Social Security numbers and birth dates of more than 40,000 individuals were illegally reproduced at a copying business sometime before January while they were waiting to be put onto a compact disc for the state.  State Attorney General Mark Bennett said federal authorities notified his office of the theft in January but asked that the information be withheld while an unrelated drug investigation was ongoing."

This illustrates one of the concerns with the loopholes in existing and proposed breach notification laws: they allow law enforcement to delay notification after a theft of personal information that can easily be used for identity theft and fraud, without any accompanying accountability on law enforcement's part for the bad things that happen to the impacted individuals in the meantime.

The information was withheld because of "an unrelated" drug investigation?  Someone, or perhaps several people, had 40,000 people’s SSNs and birthdates, and law enforcement thought it was okay that they be kept in the dark because of the remote chance that an unrelated drug investigation may somehow be involved? 

Accountability to law enforcement should be written in with these loopholes.  Perhaps then it would not be such a seemingly flippant decision for law enforcement to restrict notification if they were responsible for fixing all the messes that resulted from the crimes that occurred with the stolen data during that wait time when the corresponding people were kept in the dark.

""We are taking this issue very seriously and strongly advise those affected … to obtain and review their credit reports," state Attorney General Mark Bennett said yesterday in a news release. "Social Security numbers and other personal information can be used by thieves to obtain credit cards, to open fraudulent bank accounts, to mortgage property and purchase automobiles.""

They understand the risks, and yet they waited over four months to notify the individuals?  And now, they are advising them to obtain and review their credit reports?  They should at least be offering to pay for credit monitoring services for these people.  Again, organizations and law enforcement need to be more directly accountable for what happens to stolen personal data when they choose to delay notification.

"The records from the Voluntary Employees Benefit Association of Hawaii were set to be copied at NewTech Imaging in Honolulu when they were apparently illegally reproduced by one or more people, said Bennett’s special assistant, Dana Viola."

This is another surprising risk that was taken; highly confidential data was taken to a local public copy store and left to be reproduced?  Why was such a decision made to leave highly sensitive data in the hands of an untrusted third party, in what appears to be a neighborhood copy store, where the public mills about?

"She could not say when the records were taken, but Bennett believes it was after February 2005.  Federal investigators learned in January that the records had been stolen, Bennett said. Police later found the data on a computer that had been confiscated as part of an investigation into drugs.  Russell Okata, HGEA’s executive director, said the state is to blame for the theft because officials failed to "adequately protect the records" of the union’s members."

The sensitive data should never have been taken to a public store and dropped off for duplication in the first place.  Organizations who collect and maintain sensitive data must be responsible for it at all times, especially when they choose to entrust it to other organizations, for whatever reasons, and they need to be accountable when bad things occur as a result of those decisions.





Since This is Health Information Privacy and Security Week…

Thursday, April 13th, 2006

Last week I posted that this was Health Information Privacy and Security Week.  Seems fitting that I should put a few resources out in observance of the week, doesn’t it?  🙂





Computers…Armed and Dangerous

Wednesday, April 12th, 2006

Interesting report…my thoughts follow the story…

"Internet hunting ban

The Kentucky Legislature on Tuesday voted to outlaw the practice of using the Internet to fire remote-controlled rifles at live animals.  A spokeswoman for Governor Ernie Fletcher said the governor intends to sign the bill banning internet hunting.  No such facilities exist in the state, but all Kentuckians would be banned from hunting on such sites, even if the target is in another state or country. At least 10 other states have passed similar measures.  State Representative Robin Webb, a Democrat who sponsored the bill, said she considers internet hunting unsportsmanlike.  The flurry stems from a Texas website that let users fire at animals from the privacy of their homes. At the urging of sportsmen’s groups, Texas banned such operations last year."

Holy cow!  Or, considering I live in the country in Iowa and know the capabilities of largely city-living "hunters" coming out to the country to hunt with no knowledge of animals outside of a zoo, I should say HOLEy Cow!  I never even thought about this possibility before; using the Internet in conjunction with a webcam to fire a rifle or shotgun. 

And, yes, it certainly is unsportsmanlike.  Beyond that, it is just downright dangerous.  I’ve seen many people new to nature (putting it kindly) shoot at cats mistaking them for rabbits and shoot at cows and horses that they only had a glimpse of through the woods or grass thinking they were deer.  And then of course there are those who are trigger happy and will shoot at anything that moves.  Can you imagine how many accidental shootings could possibly occur if all it took was the press of a computer key from miles away to fire a gun (yes, I thought of several snide remarks about Cheney, but I’ve suppressed them.), not to mention potential premeditated shootings.

Now I don’t know what is involved with these Internet hunting "sites", and you may wonder what the heck this has to do with information security or privacy.  However, as I read this I thought of how this type of gun-shooting surveillance is really melting technology more and more into the material world, creating not only new privacy concerns but physical safety concerns at the same time.  Shooting a gun through the use of a webcam placed who-knows-where on private property (I get MANY hunters wanting to hunt on my private land…which I don’t allow), where whoever is using the cams could see people within their own homes and on their own property, really does present a privacy and safety risk to those people; the many children that play outside, and the pets and livestock that are on the property, just to name a few.

Guns in the hands of firearms-ignorant people are dangerous…guns under the control of whomever happens to remotely pull the trigger, accidentally or on purpose, from miles away, depending upon the fuzzy images they see through a cam, are very, very, very dangerous…and a very real privacy concern to boot.

In case you’re curious, at least 10 states (Delaware, Hawaii, Maine, Michigan, Minnesota, North Carolina, South Carolina, Vermont, Kentucky and Wisconsin) and possibly up to 12, ban Internet hunting, and a Federal law H.R. 1558 prohibits "certain computer-assisted remote hunting, and for other purposes."  Here is an excerpt from that short bill:

"(a) PROHIBITION.—Whoever, using any instrumentality of interstate or foreign commerce, knowingly makes available a computer-assisted remote hunt shall be fined under this title or imprisoned not more than 5 years, or both.
(b) EXCEPTION.—Providing an instrumentality of commerce, such as equipment or access to the Internet, is not a violation of this section unless the provider intends the use of the equipment or access for a computer-assisted remote hunt.
(c) CONSTRUCTION WITH OTHER LAW.—Nothing in this section limits the power of State and local authorities to enact laws or regulations concerning computer-assisted remote hunting facilities.
(d) DEFINITIONS.—In this section—
(1) the term ‘computer-assisted remote hunt’ means any use of a computer or any other device, equipment, or software, to allow a person remotely to control the aiming and discharge of a weapon so as to kill or injure an animal while not in the physical presence of the targeted animal; and
2) the term ‘instrumentality of interstate commerce’ means any written, wire, radio, television, or other form of communication in, or using a facility of, interstate commerce.’’

Well…does that give you the warm fuzzies…?  Seems to only apply to using Internet hunting capabilities across state lines.

Maybe I’m making a mountain out of a mole-hill, but such a scenario that merges privacy, safety, surveillance, and gunfire, sure seems like a frightening possibility down the road if we are not already at the crossroads…




Health Information Privacy and Security Week: April 9 – 15; Memories of Seinfeld

Friday, April 7th, 2006

Next week is Health Information Privacy and Security Week, sponsored by the American Health Information Management Association (AHIMA). 

Through this week AHIMA is encouraging each person to keep his or her own personal health record (PHR) to "help reduce or eliminate duplicate tests and allow you to receive faster, safer treatment and care in an emergency." I think this is a good idea, but I know that I have not been able to collect all the information each of my healthcare providers has about me and my children, so being able to maintain my own PHR would be quite a challenge. 

Even though HIPAA provides folks in the U.S. with the opportunity to view their own PHI, much medical information within patient records falls outside the HIPAA requirements, and healthcare providers often do not want to provide all details to patients, for various reasons.  Remember that episode of Seinfeld where Elaine reads her chart in the doctor’s office, the doctor is upset when she confronts her about it and tells her she shouldn’t be reading her chart?  This reminds me of that episode…there is likely significant information within patient records that most people never know about.

I think raising awareness of health information privacy and security is a great idea, and the other four topics this week highlights are also worth noting.  All the topics as outlined by AHIMA include the following:

  1. "Each of your healthcare providers compiles a separate medical record on you. This means your complete history probably cannot be found in any one place. By keeping your own personal health record (PHR), you can provide your doctors with valuable information that can improve the quality of care you receive. A PHR can help reduce or eliminate duplicate tests and allow you to receive faster, safer treatment and care in an emergency.
  2. Federal laws are in place to protect the privacy and give you access rights to your health information. Under the Health Insurance Portability and Accountability Act (HIPAA), you can view, request changes to, and obtain copies of health information documents collected and kept about you.
  3. Your information can only be seen by those who need it in order to provide your treatment, to facilitate payment for healthcare services, and to make sure quality care is being received. Your information may also be used for research and as a legal document in cases where evidence of care is needed. Anyone else who wants to use it for any other purpose needs your permission first.
  4. The healthcare industry and the federal government are working to improve healthcare through the use of information technology. This is done through the use of electronic health records (EHR) and a secure system that would allow EHRs to be shared across healthcare systems and providers to allow you greater access to your health information.  Currently most healthcare providers still manage medical records in a paper format.
  5. At healthcare organizations across the nation, health information management professionals are working to maintain your health record. These professionals are responsible for ensuring your health record is accurate, complete, confidential, and available when you, your doctor, and other healthcare professionals need access to the information."
