Posts Tagged ‘breach’
Tuesday, October 2nd, 2012
Okay, I just finished the 3rd conversation in just the past two weeks alone with an organization that is using Social Security Numbers (SSNs) as their primary form of customer and/or employee identification. I’ve written about this topic numerous times over the past 15 years. Seriously; all businesses out there doing this, please make a plan to stop doing this! Why? Here are three good reasons. (more…)
Tags:awareness, breach, compliance, customers, e-mail, electronic mail, email, employees, employment, hiring, HR, human resources, IBM, ID theft, identifiers, identity theft, IDs, Information Security, information technology, infosec, IT security, job applicants, messaging, midmarket, non-compliance, patients, personal information, personally identifiable information, personnel, PII, policies, privacy, privacy breach, privacy professor, privacyprof, Rebecca Herold, security, sensitive personal information, social security number, SPI, SSN, systems security, training
Posted in Information Security, Laws & Regulations | 1 Comment »
Monday, October 1st, 2012
Today is October 1st, which is also Blue Shirt Day™ World Day of Bullying Prevention©!
Cyber bullying is a topic I cover in my Q3 2012 issue of Protecting Information Journal, and my youth reporter for this quarter’s issue, Lexx, wrote about his personal experience with cyber bullying. Typically only my subscribers get to read these great articles, but in honor of Blue Shirt Day™ I want everyone to have a chance to read his article that provides important insights into how so many of our children are dealing with this growing problem. Here it is in its entirety; please provide feedback, not only to me, but also for my talented youth reporter! (more…)
Tags:awareness, Blue Shirt Day, breach, bullying, CiviliNation, compliance, cyber bully, cyberbully, Daniel Solove, e-mail, electronic mail, email, Information Security, information technology, infosec, IT security, Mary Kay Hoal, messaging, non-compliance, online posting, personal information, personally identifiable information, PII, policies, privacy, privacy breach, privacy professor, privacyprof, protecting information, protecting information journal, Rebecca Herold, reputation, security, sensitive personal information, social media, SPI, Sue Scheff, systems security, training, tweet, twitter, YourSphere
Posted in Cyber Bullying | No Comments »
Monday, September 17th, 2012
There is a topic that has been coming up, over and over and over again over the past 12 years, that I’ve never seen addressed in other publications. What does your organization do with all the personal information you collect from job applicants? Consider a real situation I encountered around ten years ago. (more…)
Tags:awareness, breach, compliance, e-mail, electronic mail, email, employment, hiring, HR, human resources, IBM, Information Security, information technology, infosec, IT security, job applicants, lawsuits, messaging, midmarket, non-compliance, online posting, personal information, personally identifiable information, personnel, PII, policies, privacy, privacy breach, privacy professor, privacyprof, Rebecca Herold, security, sensitive personal information, social media, SPI, sue, systems security, training, tweet, twitter
Posted in Privacy and Compliance, Uncategorized | Comments Closed
Friday, August 31st, 2012
Every day I see yet another (often another dozen) situation where employees misused, abused or otherwise accused social media sites to the chagrin of their employers. Businesses need to make a coordinated effort, using a combination of policies, training and technology to mitigate the risks (to personnel as well as the business) of workers using social media sites. Today let’s consider what organizations should be telling their workers about social media information security and privacy. (more…)
Tags:awareness, breach, bullying, compliance, cyberbullying, e-mail, electronic mail, email, facebook, IBM, Information Security, information technology, infosec, IT security, lawsuits, Linked In, messaging, midmarket, non-compliance, online posting, personal information, personally identifiable information, PII, policies, privacy, privacy breach, privacy professor, privacyprof, Rebecca Herold, security, sensitive personal information, social media, SPI, systems security, training, tweet, twitter
Posted in Social Media, Training & awareness | 5 Comments »
Thursday, August 16th, 2012
At the end of July, Twitter suspended the account of Guy Adams, a reporter for the UK’s Independent, after he posted the corporate email address of Jim Bell, Producer of NBC Olympics, and said less than flattering things about his expectations for how NBC would do in their Olympics coverage. Adams reportedly claimed that he felt the email account was open to public use since it showed up in Google search results. However, privacy concerns were widely expressed over his decision to share the executive’s contact details, and thus his account was suspended. Apparently NBC complained, Twitter listened, and Guy’s account was shut down. After a bit of hullabaloo, Twitter then changed heart and re-activated his Twitter account. I received several great questions related to this, collectively boiling down to the following five: (more…)
Tags:awareness, breach, compliance, CSO Online, e-mail, electronic mail, email, Guy Adams, IBM, Information Security, information technology, infosec, IT security, Jim Bell, lawsuits, messaging, midmarket, NBC, non-compliance, Olympics, online posting, personal information, personally identifiable information, PII, policies, privacy, privacy breach, privacy professor, privacyprof, Rebecca Herold, security, sensitive personal information, social media, SPI, sue, systems security, training, tweet, twitter
Posted in Social Media, Training & awareness | No Comments »
Monday, August 6th, 2012
Every year or so, an otherwise smart information security professional publishes some really bad information security advice about how awareness and training is a waste of time and money. The latest proclamation at CSO Online has generated a small bit of a firestorm since it was published.
As time goes on, and more and more information security incidents and privacy breaches occur, and more information is put into the hands, and care, of more and more end-users who have no background in information security or privacy, such statements are simply bad, bad, bad advice. Making such statements also makes it harder for information security and privacy pros to do their job as effectively as possible when business leaders believe such hogwash and then wind up cut funding for information security and privacy education as a result. I’ve been in the information security and privacy compliance profession for a very long time, have built such programs and assisted many organizations in building theirs, and I could fill a book with examples of how training and awareness activities have improved their information security and privacy efforts and outcomes. Others in this profession with hands one responsibilities for the full lifecycle of information protection could also write their own books with such examples.
I wrote a blog post about this topic in 2009, and now is a good time to write another and point out that there is greater need than ever before for organizations, of all sizes, to make the comparatively small investment in information security and privacy education for their workers.
5 flawed arguments against information security and privacy education (more…)
Tags:awareness, breach, compliance, CSO Online, e-mail, electronic mail, email, Information Security, information technology, infosec, IT security, Keywords: personal information, messaging, midmarket, non-compliance, personally identifiable information, PII, policies, privacy, privacy breach, privacy professor, privacyprof, Rebecca Herold, security, sensitive personal information, SPI, systems security, training
Posted in Laws & Regulations, Training & awareness | 4 Comments »
Thursday, August 2nd, 2012
A few weeks ago I wrote about recent situation in which the Des Moines public school system superintendent’s career was brought to a standstill (it is yet to see whether it is temporary or permanent) by using the public school email system to exchange 115 personal messages, and including at least 40 cases sexually explicit messages, with her lover, married with children highly decorated Army Captain Hintz. Since that time he has been fired from his position as head of Army Recruiting Command, a Des Moines-based recruiting company. So not only was one person’s misuse of her employer’s email system the cause of her own career downward detour, it also has had ripple effects and derailed the career of the man who was corresponding with her, and likely also further ripples out to damage his family.
More privacy and security lessons
In addition to the lessons from my earlier post, this provides additional lessons: (more…)
Tags:awareness, breach, compliance, Des Moines, e-mail, electronic mail, email, IBM, Information Security, information technology, infosec, Iowa, IT security, messaging, midmarket, non-compliance, Omaha, personal information, personally identifiable information, PII, policies, privacy, privacy breach, privacy professor, privacyprof, public school, Rebecca Herold, Sebring, security, sensitive personal information, SPI, systems security, training
Posted in privacy, Training & awareness | No Comments »
Wednesday, June 27th, 2012
July 4 Update to Original Post: See additional recent statements from the OCR and the Alaska DHSS about this case here.
Here is a significant sanction, just applied, that all organizations, of all sizes, need to take notice of. Even if you are not in the healthcare industry, this case points out the elements of an information security and privacy program, and the supporting safeguards, which will be used as a model of standard practices to by all types of regulatory oversight agencies. (more…)
Tags:Alaska, audit, awareness, breach, compliance, fine, HHS, HIPAA, IBM, Information Security, information technology, infosec, IT security, Medicaid, midmarket, non-compliance, OCR, personal information, personally identifiable information, PHI, PII, policies, privacy, privacy breach, privacy professor, privacyprof, Rebecca Herold, risk assessment, sanction, security, sensitive personal information, SPI, systems security, training
Posted in government, healthcare, HIPAA, HITECH | No Comments »
Monday, June 18th, 2012
June 22 update to this topic: Today the judge refused to block the release of the emails as Sebring and her lover requested. See http://www.desmoinesregister.com/article/20120622/NEWS/120622012/Judge-announces-decision-on-Sebring-email-release
In the past few weeks the use of emails at work has been in the news a lot in central Iowa, and the news quickly spread around the globe because of the sex and intrigue involved. Basically, approximately four months before the end of school, the Des Moines Superintendent of Schools at the time, Dr. Sebring, started sending what would end up being over 40 very personal and sexually explicit messages to
(more…)
Tags:awareness, breach, compliance, Des Moines, e-mail, electronic mail, email, IBM, Information Security, information technology, infosec, Iowa, IT security, messaging, midmarket, non-compliance, Omaha, personal information, personally identifiable information, PII, policies, privacy, privacy breach, privacy professor, privacyprof, public school, Rebecca Herold, Sebring, security, sensitive personal information, SPI, systems security, training
Posted in Information Security, Training & awareness | 4 Comments »
Thursday, May 31st, 2012
A couple of weeks ago I was doing a consulting call with a small startup business (that in a short span of time is already performing outsourced cloud processing for a number of really huge clients) about information security and privacy. They had implemented just the basic firewall and passwords, but otherwise had no policies, procedures, or documented program in place. I provided an overview of the need for information security and privacy controls to be in place throughout the entire information lifecycle; from creation and collection, to deletion and disposal. They were on board with everything I was describing until we got to (more…)
Tags:big data, breach, compliance, data analytics, data mining, degauss, disposal, disposal rule, facebook, FACTA, frictionless sharing, IBM, Information Security, information technology, infosec, IT security, midmarket, Netflix, non-compliance, personal information, personally identifiable information, PII, policies, privacy, privacy breach, privacy professor, privacyprof, protected health information, Rebecca Herold, SB 3159, security, Senate Bill 3159, sensitive personal information, shred, SPI, systems security, trash
Posted in Laws & Regulations | 5 Comments »