Do you have any customers in any of the 27 European Union (EU) countries? Do you have any personnel in the EU? COULD YOU have?
Any company sending or receiving personally identifiable information (PII) of a very wide range of possibilities…many more items are considered as PII outside of the U.S. than within the states…to or from other countries must abide by the data protection (read “privacy”) laws for those countries. The EU Data Protection Directive (95/46/EC) establishes the minimum PII data protection requirements that ALL companies, any where in the world, must follow to send PII for their citizens over their country borders. Each of the EU countries also have specific data protection laws that may be even more restrictive than the EU Data Protection Directive (95/46/EC).
Posts Tagged ‘privacy training’
Great New Privacy Guidance Tools From The EU
Monday, July 14th, 2008Outsourcing and Customer Service Thoughts…
Friday, July 11th, 2008Over this past week I had some interesting (to me any way) experiences related to customer service and some of the general business risks of outsourcing…
FISA Change Gives Telecoms Immunity; Headaches Ahead For Businesses?
Thursday, July 10th, 2008In case you didn’t hear about it yet, President Bush just signed into law changes to the U.S. Foreign Intelligence Surveillance Act (FISA) that, among other things, grants immunity to telecom companies that cooperate with the secret warrantless wiretap program.
Laws & Regulations Require Security & Privacy Training & Awareness
Wednesday, July 9th, 2008I’m in the final weeks of creating some privacy breach training courses that will not only help personnel to prevent privacy breaches, but also help support compliance with the FACTA Red Flags rule, the at least 45 U.S. privacy breach notice laws, plus many other laws and regulations.
Over the past decade+ there have been a large number of laws, regulations and industry standards that have specifically stated the need for organizations to provide information security and privacy training and awareness to their personnel.
Information Security and Privacy Education Lesson Fines And Court Penalty Judgments
Tuesday, July 8th, 2008My July issue of “IT Compliance in Realtime” has been published!
This month I continue to focus on the importance of information security and privacy training and awareness to not only improve security and privacy preservation, but also to meet a very wide range of compliance requirements. The first article in this month’s Journal is, “Information Security and Privacy Education Support Compliance.” Download the PDF of the full Journal issue for the formatted, best-looking version.
Here are the first couple of sections from that article…
15 Actions/Penalties Brought By FTC Under GLBA + FTC Act
Monday, July 7th, 2008The FTC has long provided a great role model for other government oversight and enforcement agencies with regard to their activities in ensuring organizations follow data protection laws and also ensure organizations actually fulfill the promises they make within their published information security and privacy policies. It is too bad most of the other government agencies are not as diligent or nearly as effective in helping to ensure organizations sufficiently protect personally identifiable information (PII).
While doing some research today I compiled a list of the actions the FTC has taken, which I thought may be useful to some of you as well…
Just Because Security Is Simple Doesn’t Mean People Will Do It
Thursday, July 3rd, 2008Texas EZPawn Throws Away Its Security Promises and Customers’ Privacy and Gets A Handed A Significant Penalty
Wednesday, July 2nd, 2008Well, here is yet another company that had a nasty habit of just throwing papers containing their customers’ personally identifiable information (PII) into publicly accessible trash cans.
On June 24 a Texas judge handed down a civil penalty of $600,000 against Texas EZPawn for tossing their customer PII, including Social Security numbers, bank account information, driver’s license numbers, date of birth, and other identifying information, into their trash cans without first irreversibly and completely shredding the papers. You can see an example of the types of records found in the trash in the court documents.
Information Security and Privacy Convergence Is Nothing New…Both Areas MUST Collaborate
Tuesday, July 1st, 2008The comparatively new awareness of the need for information security and privacy convergence and collaboration has actually existed for many years. I first experienced this firsthand in the first half of the 1990’s when I was responsible for information security in a multinational financial and insurance company. The company launched one of the very first online banks, and I was establishing the security requirements when I saw the need to address the privacy aspects. This was before the passage of GLBA or HIPAA, but I knew that a few bills addressing privacy had been being considered, not only in the U.S. but also worldwide, and that the OECD privacy principles were the basis for many of the privacy requirements.