Here’s an interesting, relatively new, privacy (with regard to publicity any way) issue that was reported today: locational privacy…
Locational Privacy…And Nonconsenting Research Subjects
June 4th, 2008Insider Threat Example: Coworkers Accessing Other Coworkers’ Email Messages
June 3rd, 2008Back in the mid-1990’s, a middle manager knew that the print queue messages for all the emails in the large organization were viewable in clear text; all you had to know was which printer queue to open. He would lurk in the print queues each day, all day, for all the printers all the other middle managers, and executives, used, and he would copy all the email messages he found that could be “advantageous” to his career. He amazed a lot of people by always seeming to know what was going on before anyone else did.
I was reminded of this particular mole-manager as I just read a news story, “Philly News Anchor Target in FBI Probe: FBI Investigates Anchor in Suspected Hacking of Fired Co-Anchor’s E-mail”
How To Create Information Security & Privacy Case Studies
June 2nd, 2008Over the years I’ve done a lot of information security, privacy and compliance training and awareness activities; content creation, delivery, tools, and a large variety of other related activities. I’ve found doing case studies to be one of the most effective, and most interesting and popular, type of training activity.
I’ve created dozens, and perhaps even hundreds, of case studies throughout the years. Case studies engage your personnel in thinking in ways that just telling them information cannot do, noticeably change their work habits, and measurably impact their opinions about information security and privacy.
In the third article of the May 2008 issue of my IT Compliance in Realtime Journal, “Creating Effective Case Studies for Information Security and Privacy Training” I provide direction for how to create effective case studies within any type of organization.
The following is an unformatted copy of the article, without the sidebar information and illustrations; download the PDF version of the article to see those…
Internal Threat Example: Lending Tree Privacy Breach And Civil Suit
June 1st, 2008Last month (May 2008…yes, it is June already!) Lending Tree got slapped with a civil suit alleging their personnel allowed mortgage lenders access to customer’s personally identifiable information (PII) and other confidential information.
The suit charges that Lending Tree did not have appropriate or adequate information safeguards in place, resulting in the employees using names, addresses, phone numbers, Social Security numbers, income information, and assorted other personal information, to market their own mortgage loans to the LendingTree customers.
The class-action lawsuit, (this is from a subscription site) represents all Lending Tree customers who submitted loan request forms to the company between Jan. 1 2006 and May 1, 2008.
From the case file…
Let Your Personnel And Family Know About This Phishing Scheme That Spoofs Amazon
May 29th, 2008When was the last time you warned your family members, friends and/or personnel about the new phishing schemes that are being launched?
There are many phishing scams going on right now, and they are widely reported and talked about. I want to talk about a new one spoofing Amazon, a popularly spoofed company in phishing messages, because I’ve already had a couple of other folks I know who are not in the info sec biz asking me about it today. I also got it in my email box today, so it will make a good example to discuss…
Business Leader Primer for Effective Information Disposal
May 28th, 2008I’ve been talking a lot lately about the need for business leaders to more effectively address the secure disposal of information, particularly personally identifiable information (PII). Why? Because it seems like more and more attention is being given to security technologies to protect day-to-day business…attention is good and MUST be done…but often it seems it is at the expense of then overlooking, or perhaps shrugging off, how to securely dispose of PII, systems, applications and hardware when they are no longer needed in the business. This has led to many information security incidents and privacy breaches.
I address the reasons why business leaders must give attention to information disposal in the second article of my May issue of IT Compliance in Realtime, “Business Leader Primer for Effective Information Disposal.”
Download a PDF version to get a much nicer-looking copy, the super-duper graphic I put into the article, plus the sidebar information and facts. Here is an unformatted version of the article…
BONY Loss Of Backup Tape With Unencrypted PII Is Disappointing…But Not Surprising
May 27th, 2008Late last week I communicated with Linda McGlasson about a story she was putting together for bankinfosecurity that was published today, “Bank of New York Mellon Investigated for Lost Data Tape: 4.5 Million Customers Potentially Exposed.”
It’s a good and interesting article; check it out.
In Linda’s article there was a quote from Bank of New York (BONY) Mellon’s spokesperson Ron Sommer,
Insider Threat Example: Bank Worker Sentenced To 36 Months In Prison; + Prison Terms For Others In Cahoots
May 25th, 2008I’ve been doing some research for insider threat training content I’m creating, and I ran across a recent judgment against a bank employee for identity theft. This provides some good lessons to organizations for the insider threat, and would make a great case study for any organization to help personnel improve the ability to better protect personally identifiable information (PII).
Here’s the news release from the The United States Attorney’s Office for the Southern District of Texas…
Insider Threat Example: Bank Worker Sentenced To 36 Months In Prison; + Prison Terms For Others In Cahoots
May 25th, 2008I’ve been doing some research for insider threat training content I’m creating, and I ran across a recent judgment against a bank employee for identity theft. This provides some good lessons to organizations for the insider threat, and would make a great case study for any organization to help personnel improve the ability to better protect personally identifiable information (PII).
Here’s the news release from the The United States Attorney’s Office for the Southern District of Texas…
More On The HHS HIPAA Compliance Activities
May 23rd, 2008Today I communicated with Sue Marquette Poremba at SC Magazine for an article she published this afternoon, “Proliferating HIPAA complaints and medical record breaches”
She had seen my blog posting from yesterday, “HIPAA Complaints And Associated Resolutions Since 2003” and asked me some follow-up questions.
Here is the full reply I sent to her, much of which she used within her article, but with some other points I want to note as well…