Posts Tagged ‘privacy breach’

There Are 47 US State & Territory Breach Notice Laws: 1-Page Listing

Monday, March 23rd, 2009

Over the weekend I did some research to make sure I am up to date with all the current U.S. state and U.S. territories breach notice laws…


Business Info Fact of the Day: PII Increasingly Stored On MP3 Players

Monday, January 26th, 2009

Over the past few months during some of my presentations I’ve discussed how easily PII can be stored on mobile storage devices that most business leaders and information security folks often do not think about or overlook. One of those devices is the innocent-looking and seemingly benign MP3 player, such as the cool iPod. You gotta love ’em! I know I love mine. However, a couple of times when I talked about how easy it is to store large amounts of company data, including personally identifiable information (PII), on MP3 players, I got some noticeable snickers and sneers from a few in the audience who apparently thought such an idea was preposterous!
Well, here are a couple of different news articles that demonstrate otherwise; both are about the same incident, but each has slightly different information…


Business Info Fact Of The Day: PII Sent Through The Mail Is Often Stolen Or Lost

Tuesday, January 13th, 2009

Over the years I have heard many times from my various government friends, even following too many mis-deliveries and lost packages to enumerate here, that packages and letters sent via the US Postal Service, and even through other delivery organizations such as UPS, FedEx and DHL, are considered “secure” and that delivery is expected to be “guaranteed” or a “sure thing.” One time a couple of years ago an IRS employee told me curtly, “If we mailed it to you through the USPS then we can legally assume you received it.”
NOT!


Business Info Fact Of The Day: Banks In Maine Spent $2.1 Million Responding To Breaches In 2007 & 2008

Monday, January 12th, 2009

Maine’s Bureau of Financial Institutions, a division of the Department of Professional and Financial Regulation, conducted the survey at the direction of the state legislature; it revealed the costs incurred by Maine’s banks and credit unions when responding to breaches…


FEMA Records Of 16,000 Katrina Victims Posted Online

Tuesday, December 23rd, 2008

How did the following happen…there are many options…insider threat? Poor IT storage controls? Poor applications development controls? Perhaps using real personally identifiable information (PII) for test purposes? Hacker break-in? Through an outsourced company with access to the PII, but who also had poor controls? There are so many possibilities…


Laws & Regulations Require Security & Privacy Training & Awareness

Wednesday, July 9th, 2008

I’m in the final weeks of creating some privacy breach training courses that will not only help personnel to prevent privacy breaches, but also help support compliance with the FACTA Red Flags rule, the at least 45 U.S. privacy breach notice laws, plus many other laws and regulations.
Over the past decade+ there have been a large number of laws, regulations and industry standards that have specifically stated the need for organizations to provide information security and privacy training and awareness to their personnel.


Texas EZPawn Throws Away Its Security Promises and Customers’ Privacy and Gets Handed A Significant Penalty

Wednesday, July 2nd, 2008

Well, here is yet another company that had a nasty habit of just throwing papers containing their customers’ personally identifiable information (PII) into publicly accessible trash cans.
On June 24 a Texas judge handed down a civil penalty of $600,000 against Texas EZPawn for tossing their customer PII, including Social Security numbers, bank account information, driver’s license numbers, date of birth, and other identifying information, into their trash cans without first irreversibly and completely shredding the papers. You can see an example of the types of records found in the trash in the court documents.


Where And How Do You Dispose Of Your Cell Phones and Paper Documents?

Monday, June 30th, 2008

Something I’m planning to do this summer with my sons is to do some dumpster diving, with the advice of my police and security services company owner friends, to see just how much personal information is left out for just anyone walking by to pick up and use, or misuse. We’ll also see about any cell phones that were just dropped in the dumpster or trash can…
How do you dispose of your cell phones? At work, and at home? And what do you do with the papers that contain personally identifiable information (PII) and other sensitive information when you throw them away? Are you more diligent at work? Or at home?
With this in mind, here’s another section from the third article in my June issue of “IT Compliance in Realtime“…


Where And How Do You Dispose Of Your Computers, CDs, USB Drives, Etc.?

Sunday, June 29th, 2008

In the past few years I’ve performed over 100 information security and privacy program reviews for the vendors and business partners of my clients, and I have often found that these contracted organizations have computer and electronic storage device disposal practices ranging from lax to non-existent to outrageously irresponsible. One of the “information security” policies of one of the vendors actually directed their personnel to try to sell their old computers and storage devices on eBay or other online sites in order to recoup some of the costs…this was in their “Information Disposal Security Policy”! It made absolutely no mention of removing the data before trying to sell the devices; the main intent was to recoup as much of the investment as possible.
With this in mind, here’s another section from the third article in my June issue of “IT Compliance in Realtime“…
