Not much surprises me any more with regard to some of the silly things that organizations do with printed PII that put the involved individuals at risk.
However, I was surprised when I watched an ABC News report this morning…
Posts Tagged ‘PII’
Company Uses Negotiated Checks For Packing Material!
Thursday, August 21st, 2008Whose PII Is Covered Under the EU Data Protection Directive?
Tuesday, August 5th, 2008I got a great question from a business friend of mine, and I wanted to provide my answer here, too, because it is something all multi-national organizations need to think about. Eric Nelson, who heads Secure Privacy Solutions asked, “If a company collects and manages PII from another country, e.g., India or the U.S., and transfers that PII to the E.U. for some type of processing or storage or even just transit, does the E.U. Data Directive apply once that PII leaves a country within the E.U.?”
17 Info Security & Privacy Topics Call Center Staff Must Understand
Tuesday, July 29th, 2008Okay…back to my continuing lecture on the need to provide targeted training on specific information security and privacy topics to the various responsibility groups throughout your enterprise.
Consider this; what if you took a driver’s education class and all they told you to do, by showing you on a PowerPoint slide, is how to put the key in the ignition, turn the engine over, how to press the accelerator to move forward, and how to press the brakes to stop. Then they told you to go out there and drive…have it it! Would you be well prepared to get onto the road and deal with all the other things you need to know about driving? Most likely not. If you feel you would be well prepared, please tell me you will not be driving on the central Iowa roads… 🙂
People Need Periodic, Effective, Training And Ongoing Awareness To Truly Safeguard Information
Friday, July 25th, 2008Imagine this; what if you were given training just one time, in a 1-hour session with no hands-on practice, for how to do first aid and give CPR and then were never given more training or reminders about how to do first aid and CPR…two years later would you be able to competently perform first aid when someone needed it? Probably not. Probably not even 1 year later, or even 6 months later.
People need to have regularly scheduled training and ongoing awareness in how to do activities competently. You cannot expect to give a 1-hour, often poorly-constructed, training course about information security or privacy and the have the people taking the training know what to do weeks or months or even yeas later. However, this is the situation that occurs in a very large portion of organizations.
It is no wonder that the majority of security incidents and privacy breaches occur as a result of lack of knowledge and mistakes.
Here is the third part of the third article, “Providing Call Centers with Information Security and Privacy Education,” in my July issue of IT Compliance in Realtime, that speaks to this issue…
Call Center Folks Have Huge Amounts Of Access TO PII
Thursday, July 24th, 2008Need more reasons from my post from yesterday about why call centers need targeted training and ongoing awareness?
If so, then here is the second part of the third article, “Providing Call Centers with Information Security and Privacy Education,” in my July issue of IT Compliance in Realtime…
The Area With The Most Customer Contact Usually Has The Least Information Security and Privacy Training
Wednesday, July 23rd, 2008Think for a few moments about the area in your company that has the most, or close to the most, direct contact with your customers and consumers…
Internal Threat Example: Lending Tree Privacy Breach And Civil Suit
Sunday, June 1st, 2008Last month (May 2008…yes, it is June already!) Lending Tree got slapped with a civil suit alleging their personnel allowed mortgage lenders access to customer’s personally identifiable information (PII) and other confidential information.
The suit charges that Lending Tree did not have appropriate or adequate information safeguards in place, resulting in the employees using names, addresses, phone numbers, Social Security numbers, income information, and assorted other personal information, to market their own mortgage loans to the LendingTree customers.
The class-action lawsuit, (this is from a subscription site) represents all Lending Tree customers who submitted loan request forms to the company between Jan. 1 2006 and May 1, 2008.
From the case file…
Let Your Personnel And Family Know About This Phishing Scheme That Spoofs Amazon
Thursday, May 29th, 2008When was the last time you warned your family members, friends and/or personnel about the new phishing schemes that are being launched?
There are many phishing scams going on right now, and they are widely reported and talked about. I want to talk about a new one spoofing Amazon, a popularly spoofed company in phishing messages, because I’ve already had a couple of other folks I know who are not in the info sec biz asking me about it today. I also got it in my email box today, so it will make a good example to discuss…
Business Leader Primer for Effective Information Disposal
Wednesday, May 28th, 2008I’ve been talking a lot lately about the need for business leaders to more effectively address the secure disposal of information, particularly personally identifiable information (PII). Why? Because it seems like more and more attention is being given to security technologies to protect day-to-day business…attention is good and MUST be done…but often it seems it is at the expense of then overlooking, or perhaps shrugging off, how to securely dispose of PII, systems, applications and hardware when they are no longer needed in the business. This has led to many information security incidents and privacy breaches.
I address the reasons why business leaders must give attention to information disposal in the second article of my May issue of IT Compliance in Realtime, “Business Leader Primer for Effective Information Disposal.”
Download a PDF version to get a much nicer-looking copy, the super-duper graphic I put into the article, plus the sidebar information and facts. Here is an unformatted version of the article…
Insider Threat Example: Bank Worker Sentenced To 36 Months In Prison; + Prison Terms For Others In Cahoots
Sunday, May 25th, 2008I’ve been doing some research for insider threat training content I’m creating, and I ran across a recent judgment against a bank employee for identity theft. This provides some good lessons to organizations for the insider threat, and would make a great case study for any organization to help personnel improve the ability to better protect personally identifiable information (PII).
Here’s the news release from the The United States Attorney’s Office for the Southern District of Texas…
