
Organizations that suffer a data breach must respond appropriately, or they risk increased losses, both financial and in the form of diminished brand perception. Each type of data breach carries its own level of harm, so decision makers within the organization need to know how to evaluate and respond to the various kinds of breach. The article looks at the four main categories of identity theft which may arise when a breach occurs: 1) financial identity theft; 2) employment identity theft; 3) medical identity theft; and 4) criminal identity [...]


Health Information Technology for Economic and Clinical Health Act (HITECH)

Prior to the HITECH (Health Information Technology for Economic and Clinical Health) Act, there were many cases in which patients' private and confidential information was compromised without the health care provider's knowledge. These data breaches led to legal complications, damage to brand image and loss of clientele.

What is the HITECH Act?

Enacted on February 17, 2009, the HITECH Act strengthens the privacy and security protections for patient health information. As part of the American Recovery and Reinvestment Act (ARRA) of 2009, the HITECH Act made significant changes to the Health Insurance Portability and Accountability Act (HIPAA) of 1996. In particular, the [...]


Protecting the Confidentiality of Personally Identifiable Information (SP 800-122)

SP 800-122, a special publication released in April 2010 by the US National Institute of Standards and Technology (NIST), is a resource for those responsible for assessing privacy and designing and implementing privacy controls within information systems and business processes. This article offers a brief introduction to the key concepts and important elements of this publication.

Major Recommendations

SP 800-122 aims to provide usable guidelines for a risk-based approach to protecting personally identifiable information (PII), particularly in US federal government agencies and their business associates. To this end, the publication makes the following recommendations:

Organizations should identify all PII that resides in [...]


OMB Circular A-130

Circular A-130 was first issued by the Office of Management and Budget (OMB) in 1985, in order to establish policy for the management of US federal government information resources. The circular provides uniform policies, as required by the Paperwork Reduction Act of 1980.

Main Policy Points

The body of Circular A-130 discusses the policy for managing information resources. The information management policy is briefly outlined below:

Agencies are required to plan in an integrated manner for managing information throughout its lifecycle.
Agencies should provide for public access to records where required/appropriate.
Agencies should collect or create only the information that is necessary for the proper [...]


US Department of Homeland Security: Privacy Policies & Practices

The US Department of Homeland Security (DHS) is often criticized for its privacy policies and practices, as it handles a vast amount of sensitive personal information. However, it is worth noting how the DHS does attempt to protect personal privacy, in policy as well as in practice. In addition to complying with federal privacy legislation such as the FOIA (Freedom of Information Act) and the Privacy Act, the Department consults with privacy professionals to evaluate new or proposed programs, systems, technologies and certain rule-making procedures so that personal information is handled appropriately. This article takes a look at exactly how the Department of Homeland Security approaches privacy [...]


Security Double Standards

This article takes a look at security double standards, which grant executives, managers and department heads exemptions from standard security controls. Despite the increased risk of targeted attacks, this double standard is unfortunately common practice in many enterprises and organizations. It's important to remember that such exemptions and double standards (termed "executive risk") destabilize even the strongest security frameworks. The article also looks at some industry-recommended practices for reducing risks from targeted [...]


Privacy Engineering: Privacy-by-Policy vs. Privacy-by-Architecture

There are two main approaches to engineering privacy protection: privacy-by-policy and privacy-by-architecture. Privacy-by-policy relies on the Fair Information Practices and notice and choice. Privacy-by-architecture leverages privacy protective technologies. While they are normally considered dichotomous, privacy experts recommend a hybrid approach that integrates these two [...]


Components of a Privacy Policy

Enterprise privacy policies and privacy programs are essential. While policies alone cannot prevent data breaches or misuse of personal information, they are a good step in ensuring transparency and privacy-friendly practices. A privacy policy should contain the following key components: notice; consumer choice; access and correction; security; and [...]


Android Phones Secretly Tracking Users?

In April 2011, Google came under public scrutiny after security experts, researchers and hackers revealed that its Android mobile devices were continuously collecting users' location data. Contrary to Google's claims, it was discovered that this information was tied to a numerical identifier. This article looks at the numerous responses to this discovery, in the US and [...]


Facebook’s Data-Sharing Mistake

On Tuesday, January 18, 2011, Facebook announced its decision to suspend the controversial feature allowing developers to access users' home addresses and mobile numbers. The announcement came just days after the social networking website decided to share users' contact information with third-party app developers. Privacy watchdogs have long decried Facebook's privacy and security failings, which have affected its more than 500 million users [...]
