Yesterday yet another incident occurred where a business partner / vendor lost the personally identifiable information (PII) with which they had been entrusted. Americhoice sent a CD containing the PII of 67,000 individuals to TennCare via overnight UPS delivery.
UPS lost the CD. Americhoice did not encrypt the PII on the CD.
Oops. Another Oops. An apology. Yet another apology.
This is happening with too much frequency. Stronger penalties need to be applied to help ensure organizations are protecting PII, instead of waiting until after an incident occurs and just accepting feeble apologies and assurances it won’t happen again.
Last month I blogged about the dangers of entrusting sensitive data and PII to others, “You Will Be Judged By The Company You Keep.”
Over the past few years I’ve done many business partner security reviews to help ensure that the businesses to which my clients are entrusting their sensitive data and PII have appropriate security programs and controls in place.
I have discovered some very scary situations and huge vulnerabilities that absolutely should not exist in this day and age.
Having strong security practices is not just good business, it is necessary for business; it should not be viewed as an option.
Next Wednesday, September 19, I will be giving a webinar, “Vendor Management For Financial Institutions: Addressing Outsourcing Risks.”
Even though the target audience for this particular webinar is financial institutions, the concepts and issues are applicable to anyone entrusting data to business partners.
If you’re able to attend, please give me your feedback! I’d love to hear if you have additional tips to add to what I discuss.