Posts Tagged ‘disposal’
Monday, October 28th, 2013
“What’s the minimum shred size?”
Recently I got a great question from one of my Compliance Helper clients:
“This may seem like a silly question, but is there any type of HIPAA compliance requirements for shredder types? For example, minimum shred size?”
Not a silly question at all! Of the organizations that shred their paper documents (there are still way too many that don’t), a large portion are not shredding them finely enough for the shredding to actually be effective. Here are some points and tips
Tags: awareness, BA, BAA, breach, business associate, CE, compliance, covered entity, data protection, disposal, dispose, HIPAA, HITECH, IBM, Information Security, information technology, infosec, IT security, midmarket, non-compliance, Omnibus, personal information, personal information identifier, personal information item, PHI, PII, policies, privacy, privacy breach, privacy laws, privacy professor, privacyprof, reassemble, Rebecca Herold, risk assessment, risk management, security, shred, shredder, systems security, training, unshred
Posted in Information Security
Thursday, May 31st, 2012
A couple of weeks ago I was doing a consulting call with a small startup business (that in a short span of time is already performing outsourced cloud processing for a number of really huge clients) about information security and privacy. They had implemented just the basic firewall and passwords, but otherwise had no policies, procedures, or documented program in place. I provided an overview of the need for information security and privacy controls to be in place throughout the entire information lifecycle, from creation and collection to deletion and disposal. They were on board with everything I was describing until we got to
Tags: big data, breach, compliance, data analytics, data mining, degauss, disposal, disposal rule, facebook, FACTA, frictionless sharing, IBM, Information Security, information technology, infosec, IT security, midmarket, Netflix, non-compliance, personal information, personally identifiable information, PII, policies, privacy, privacy breach, privacy professor, privacyprof, protected health information, Rebecca Herold, SB 3159, security, Senate Bill 3159, sensitive personal information, shred, SPI, systems security, trash
Posted in Laws & Regulations
Thursday, May 21st, 2009
Here’s yet another incident that provides very good lessons that could be incorporated into information security and privacy training sessions as a case study, particularly for HIPAA compliance as well as secure disposal training…
Tags: awareness and training, disposal, HIPAA, HITECH Act, Information Security, IT compliance, IT training, policies and procedures, privacy training, risk management, security training
Posted in Privacy and Compliance, Training & awareness
Tuesday, December 16th, 2008
Another real-life example to show the importance of having effective policies and procedures in place for not only information disposal, but also for the disposal of computers and storage media…
Tags: awareness and training, disposal, Information Security, IT compliance, IT training, McCain, Palin, policies and procedures, privacy, privacy incident, privacy training, risk management, security training
Posted in Information Security, Privacy and Compliance, Privacy Incidents
Thursday, August 28th, 2008
Here are some more data retention tips and considerations as a follow-up to my Tuesday blog post…
Tags: awareness and training, data retention, disposal, Information Security, IT compliance, IT training, policies and procedures, privacy training, risk management, security training
Posted in Information Security, Laws & Regulations
Tuesday, August 26th, 2008
There have been several interesting news reports recently about data retention proposals, plans, practices and laws in the U.K.
Currently there are proposals to require emails to be retained for a full year, but critics contend that sloppy data retention practices will result in actual retention periods that are much longer, if the emails ever get deleted at all.
This is an important point; when it comes to data retention, some organizations rarely, if ever, follow the requirements…
Tags: awareness and training, data retention, disposal, Information Security, IT compliance, IT training, policies and procedures, privacy training, risk management, security training
Posted in Information Security, Laws & Regulations, Privacy and Compliance
Thursday, August 21st, 2008
Not much surprises me anymore with regard to some of the silly things that organizations do with printed PII that put the individuals involved at risk.
However, I was surprised when I watched an ABC News report this morning…
Tags: awareness and training, disposal, disposal rule, FACTA, Information Security, IT compliance, IT training, personally identifiable information, PII, policies and procedures, privacy training, risk management, security training
Posted in Laws & Regulations, Privacy and Compliance, Privacy Incidents
Wednesday, July 2nd, 2008
Well, here is yet another company that had a nasty habit of just throwing papers containing their customers’ personally identifiable information (PII) into publicly accessible trash cans.
On June 24 a Texas judge handed down a civil penalty of $600,000 against Texas EZPawn for tossing their customer PII, including Social Security numbers, bank account information, driver’s license numbers, date of birth, and other identifying information, into their trash cans without first irreversibly and completely shredding the papers. You can see an example of the types of records found in the trash in the court documents.
Tags: awareness and training, disposal, FACTA, Information Security, IT compliance, personal information privacy, policies and procedures, privacy breach, privacy training, risk management, security training, Texas Credit Services Organizations Act, Texas Deceptive Trade Practices Act, Texas EZPawn, Texas Identity Theft Enforcement and Protection Act
Posted in Non-compliance Sanctions Examples, Privacy and Compliance, Privacy Incidents
Wednesday, October 24th, 2007
Finally, a report that looks much more accurate with regard to how much identity theft costs the VICTIMS of a privacy breach. Most reported victim costs that I have seen in the past seemed much too low, considering the time victims describe spending to repair and recover from identity theft, the resources it takes, the many years it often drags on, and so on.
Tags: awareness and training, disposal, identity theft, Information Security, insider threat, IT compliance, policies and procedures, privacy, risk management
Posted in identity theft, Privacy Incidents
Tuesday, May 29th, 2007
In the middle of last week it was widely reported, probably more so in the national news than here in Iowa, that one of Hillary Clinton’s top campaign staffers had written a memo to her urging her to skip Iowa and focus on other states. This leaked memo was the grist of much discussion on the political talk shows over the weekend.
Tags: awareness and training, disposal, email security, ethics, Hillary Clinton, Information Security, insider threat, IT compliance, policies and procedures, privacy
Posted in Information Security, Training & awareness