Posts Tagged ‘privacy training’
Friday, August 15th, 2008
Is your accountant or tax preparer sending your personally identifiable information (PII) offshore? Possibly.
Here is the second part of the first article, “(Mis)Using Social Security Numbers in Business,” within my August issue of IT Compliance in Realtime Journal, which discusses the use of SSNs (get the nicest version of the full journal here)…
(more…)
Tags:awareness and training, Information Security, IT compliance, IT training, policies and procedures, privacy training, risk management, security training, social security number, SSN
Posted in Information Security, Privacy and Compliance | 1 Comment »
Thursday, August 14th, 2008
Recently I wrote about the privacy implications of Google Street View after communicating with John Grogan (from Popular Science and Computer World) about this topic; see here and here.
Today I saw an ABC news video…
(more…)
Tags:awareness and training, Computerworld, Google street view, Google walking directions, Information Security, IT compliance, IT training, John Brandon, policies and procedures, Popular Science, privacy training, risk management, security training, surveillance
Posted in Privacy and Compliance | 3 Comments »
Wednesday, August 13th, 2008
Recently I got a call from a representative of one of the free IT magazines I subscribe to. The rep wanted to renew my subscription, and needed to ask me a few “qualifying” questions first. Fine.
When she asked, “What is your Social Security number?” I responded, “You don’t need to know.”
She replied, “Yes, I do. We must verify that you are, indeed, who you say you are, so we need your Social Security number to do that. It is our standard procedure.”
“Well,” I told her, “Don’t you think it is poor business practice to make an unnannounced call to your subscribers and ask them for a Social Security number? After all, you made the contact with me, not the other way around. I answered my phone, didn’t I? And besides, how do I know *YOU* are who you say you are? Can you please give me your Social Security number so I can verify that you are, indeed, who you say you are?”
(more…)
Tags:awareness and training, Information Security, IT compliance, IT training, policies and procedures, privacy training, risk management, security training, social security number, SSN
Posted in Information Security, Privacy and Compliance | 1 Comment »
Tuesday, August 12th, 2008
For those of you that weren’t aware, this past weekend the long-running Defcon convention (historically started with only “hard core” hackers in attendance, but now huge numbers of information security pros and law enforcement attend) was held in Las Vegas.
Some MIT students, Zack Anderson, R.J. Ryan and Alessandro Chiesa, were scheduled to talk about “Anatomy of a Subway Hack,” detailing a school project they did, and received an “A” on, that showed how the Massachusetts Bay Transportation Authority (MBTA) cards could be hacked to basically change a $1.25 MBTA fare card to a $100 fare card.
Well, the MBTA got wind of this…actually the MIT students contacted them in July to tell them about this security flaw, as well as let them know they were giving a presentation about it…and filed an injunction last Friday to keep the MIT students from giving their presentation on Sunday.
But guess what? Yep…I bet you can see this coming…
(more…)
Tags:awareness and training, Defcon, Information Security, IT compliance, IT training, MBTA, MIT, policies and procedures, privacy training, risk management, security training
Posted in government, Information Security | 3 Comments »
Monday, August 11th, 2008
It used to be very common for various state and local government agencies, such as the Department of Motor Vehicles, to sell their records, containing vasts amounts of personally identifiable information (PII), as a revenue stream. That changed when Rebecca Schaeffer’s stalker killed her in 1989 after paying $250 to get her address, and other PII on file, from the California Department of Motor Vehicles.
After this horrible, tragic demonstration of how very bad things can happen when people have full reign to get access to PII, states started enacting drivers protection acts to keep the PII the agencies had on file from being accessed in such egregiously irresponsible ways. Finally, a U.S. federal law, the Drivers Privacy Protection Act (DPPA) was enacted to help protect the PII in drivers’ records.
So, I found the following inappropriate release from a state agency to be very interesting…
(more…)
Tags:awareness and training, DPPA, Information Security, IT compliance, IT training, Missouri Department of Revenue, policies and procedures, privacy training, publicdata.com, risk management, security training, Shadowsoft, social engineering
Posted in government, Information Security, Laws & Regulations, Privacy and Compliance | No Comments »
Friday, August 8th, 2008
Tags:awareness and training, Information Security, IT compliance, IT training, policies and procedures, privacy training, risk management, security training, social engineering
Posted in Information Security, Training & awareness | No Comments »
Thursday, August 7th, 2008
Okay, now here’s an example of how people will take information you’ve given them, under false pretenses, just because they can, and post it for the world to see, with no regrets about how it hurts other people.
(more…)
Tags:Andrew Aguecheek, awareness and training, Craigslist, Information Security, IT compliance, IT training, Jason Fortuny, policies and procedures, privacy training, risk management, security training, social engineering
Posted in Miscellaneous, Privacy Incidents | 3 Comments »
Wednesday, August 6th, 2008
Tags:awareness and training, Information Security, IT compliance, IT training, policies and procedures, privacy training, risk management, security training, SMB security, wardriving, wireless hack, wireless security
Posted in Information Security, Privacy and Compliance, Privacy Incidents | 2 Comments »
Wednesday, August 6th, 2008
Tags:awareness and training, Information Security, IT compliance, IT training, policies and procedures, privacy training, risk management, security training, SMB security, wardriving, wireless hack, wireless security
Posted in Information Security, Privacy and Compliance, Privacy Incidents | No Comments »
Tuesday, August 5th, 2008
I got a great question from a business friend of mine, and I wanted to provide my answer here, too, because it is something all multi-national organizations need to think about. Eric Nelson, who heads Secure Privacy Solutions asked, “If a company collects and manages PII from another country, e.g., India or the U.S., and transfers that PII to the E.U. for some type of processing or storage or even just transit, does the E.U. Data Directive apply once that PII leaves a country within the E.U.?”
(more…)
Tags:awareness and training, cross border data flow, EU Data Protection Directive, Information Security, IT compliance, IT training, personal information, personally identifiable information, PII, policies and procedures, privacy training, risk management, security training
Posted in Laws & Regulations, Privacy and Compliance | No Comments »