Posts Tagged ‘FACTA’

Disposal Dummies Cause Privacy Problems
Thursday, May 31st, 2012
A couple of weeks ago I was doing a consulting call with a small startup business (that in a short span of time is already performing outsourced cloud processing for a number of really huge clients) about information security and privacy. They had implemented just the basic firewall and passwords, but otherwise had no policies, procedures, or documented program in place. I provided an overview of the need for information security and privacy controls to be in place throughout the entire information lifecycle, from creation and collection to deletion and disposal. They were on board with everything I was describing until we got to…

Court Decision on FACTA Credit Card Transaction Receipt Violations
Wednesday, March 11th, 2009
I was doing a bit of research around the Fair and Accurate Credit Transactions Act (FACTA), and ran across an interesting recent court decision…

Sloppy Disposal Aids Cybercriminals
Wednesday, September 10th, 2008
For day 3 of Global Security Week I want to talk a little bit about the importance of securely disposing of your papers and storage media that contain personal information…

Company Uses Negotiated Checks For Packing Material!
Thursday, August 21st, 2008
Not much surprises me any more with regard to some of the silly things that organizations do with printed PII that put the involved individuals at risk.
However, I was surprised when I watched an ABC News report this morning…

Laws & Regulations Require Security & Privacy Training & Awareness
Wednesday, July 9th, 2008
I’m in the final weeks of creating some privacy breach training courses that will not only help personnel to prevent privacy breaches, but also help support compliance with the FACTA Red Flags rule, the at least 45 U.S. privacy breach notice laws, plus many other laws and regulations.
Over the past decade+ there have been a large number of laws, regulations and industry standards that have specifically stated the need for organizations to provide information security and privacy training and awareness to their personnel.

Texas EZPawn Throws Away Its Security Promises and Customers’ Privacy and Gets Handed A Significant Penalty
Wednesday, July 2nd, 2008
Well, here is yet another company that had a nasty habit of just throwing papers containing their customers’ personally identifiable information (PII) into publicly accessible trash cans.
On June 24 a Texas judge handed down a civil penalty of $600,000 against Texas EZPawn for tossing their customer PII, including Social Security numbers, bank account information, driver’s license numbers, date of birth, and other identifying information, into their trash cans without first irreversibly and completely shredding the papers. You can see an example of the types of records found in the trash in the court documents.

Business Leader Primer for Effective Information Disposal
Wednesday, May 28th, 2008
I’ve been talking a lot lately about the need for business leaders to more effectively address the secure disposal of information, particularly personally identifiable information (PII). Why? Because it seems like more and more attention is being given to security technologies to protect day-to-day business…attention is good and MUST be done…but often it seems it is at the expense of then overlooking, or perhaps shrugging off, how to securely dispose of PII, systems, applications and hardware when they are no longer needed in the business. This has led to many information security incidents and privacy breaches.
I address the reasons why business leaders must give attention to information disposal in the second article of my May issue of IT Compliance in Realtime, “Business Leader Primer for Effective Information Disposal.”
Download a PDF version to get a much nicer-looking copy, the super-duper graphic I put into the article, plus the sidebar information and facts. Here is an unformatted version of the article…

FTC Fines Mortgage Co. For Tossing PII Into Dumpster: FACTA/FCRA, GLBA, & FTC Act Violations
Wednesday, December 26th, 2007
On December 17 the U.S. Federal Trade Commission (FTC) fined and penalized American United Mortgage Company for throwing the personally identifiable information (PII) and financial information of its customers and consumers into an open, publicly-accessible dumpster.
Under the terms of the penalty, American United Mortgage Company must:

Definitions For the Identity Theft Prevention Program Rule Under FACTA & Questions For Your Organization
Friday, November 2nd, 2007
In addition to some great follow-up questions I got from Andy in response to my blog posting yesterday, “FTC Now Requires Organizations to Have an Identity Theft Prevention Program,” I have also received some interesting questions from others about the new Identity Theft Prevention Program Rule, and I have had the opportunity to have some interesting discussions with several folks today, such as Linda McGlasson at bankinfosecurity.com.