Posts Tagged ‘data protection law’

Be Aware of Risks with Outsourcing to Other Countries

Saturday, October 3rd, 2015

Businesses must be aware of risks with outsourcing to other countries activities involving personal information. Over the past couple of months I’ve heard over a dozen organizations express their opinion that if they hire organizations outside the U.S. to do work for them, then those organizations are not bound by U.S. laws. Most were from small to midsized organizations and startups. But it was somewhat surprising to hear also hear this sentiment from an organization with multiple locations and thousands of employees. This has been an incorrect belief of far too many organizations for decades.

I’ve also had clients in other countries ask about the need to comply with U.S. laws, such as for HIPAA compliance, when they provide services for U.S individuals and/or businesses.  Many believe they do not need to. (more…)

Every Business Must Be Prepared for the Unimaginable

Tuesday, September 30th, 2014

Were you surprised to hear about the worker at the Chicago O’Hare airport last Friday? Certainly I was. Who would have ever thought someone working in the control center would light the hardware on fire, and then try to commit suicide? Unimaginable, right? However, what I was more surprised about was that there was no roll-over contingency operations center in place in the event something catastrophe took out the O’Hare operations center. After all, Chicago is in an area with a wide range of weather events, from blizzards and ice to severe storms and tornadoes, and everything in between. Not to mention that all airports are considered to be a target of a wide number of terrorist groups.

Just two days prior to the incident (more…)

If Compliance Isn’t Documented It Didn’t Happen

Monday, September 22nd, 2014

Most of the 250+ organizations I’ve audited, and the hundreds of others I’ve had as clients, hate documentation. At least creating documentation. So, they don’t do it, or they do it very poorly. Or, they document things they don’t need to, and fail to document the important things. And then, considering all that documentation, they often don’t retain it long enough, or forget where they put it.

Last year I wrote an article about legal retention length requirements. Now I’m focusing on the types of compliance activities organizations need to document, and then the need to retain that documentation for the appropriate periods of time. (more…)

Address Privacy During Social Media Marketing

Friday, August 29th, 2014

Over the past few months I’ve been creating some social media marketing privacy guidelines and requirements for a couple of my large clients. Today I read a post from a fellow IBM Midsize Insider contributor, Jason Hannula, “Social Media: Enterprise Content or Customer Relationship Information?” It stated that “93% of marketers are using social media for business.” A large number of these are from small and midsize organizations. It is important for these organizations to not only keep Jason’s suggestions in mind, and follow the business’s data governance requirements, but also to make sure privacy is also appropriately addressed. Many, perhaps most, small to midsize businesses do not yet have social media privacy requirements in place. (more…)

Avoid this Common Privacy Choice Mistake

Monday, August 25th, 2014

Many marketing professionals have a common temptation; they want to send as many marketing messages to as many people as possible, and they would love to send it to all folks who have ever been customers or clients of their business, and often times actually want to simply send to everyone whose email address they can obtain in any way.

Privacy professionals make many efforts to guide marketers on what is acceptable and not acceptable. After all, (more…)

Security is Action…Privacy is the Result of Action

Thursday, July 31st, 2014

What is the difference between security and privacy?

Many of my clients are small and midsized businesses. They often express confusion over what each of these terms (neither of which have a universally-accepted definition) actually means, how they are different, and how they are similar. This is important for business leaders to understand so they can make appropriate decisions within their information security and privacy management programs. Especially in small and midsize businesses, where there may not be a specific position to address either of these important topics. Let’s start with considering at a high level the differences between information security and privacy. (more…)

CORRECTION: Massachusetts Data Protection Law Takes Effect May 1, 2009

Saturday, January 3rd, 2009

A big thank you to Brandon Dunlap and Brett Myers for catching an error I made in my January 1 post

(more…)

New Data Protection Laws Go Into Effect Today

Thursday, January 1st, 2009

Happy New Year!
Several news laws go into effect today. Here are just a few of them…

(more…)

PII Encryption Required by New Massachusetts and Nevada Laws

Monday, September 29th, 2008

There is a growing trend in laws that require personally identifiable information (PII) to be encrypted.
Encryption in past laws have been directed to be considered based upon risk, but now they are more explicitly required in some laws.

(more…)

Useful Data Protection (Privacy) Law Sites

Wednesday, March 19th, 2008

This morning I took a little time to update my long listing of world-wide data protection (privacy) laws.
Here are some of them you may find helpful:

(more…)