NASA’s Series of Data Breaches

This article takes a look at NASA data breaches since 2011, most of which have involved stolen laptops that held sensitive or personally identifiable information (PII) and were not protected by encryption technology. The most recent data breach was announced on October 31, 2012, and resulted in agency-wide changes to the handling and protection of PII. NASA’s Chief Information Officer has since ordered that all agency laptops be encrypted by December 21, [...]


Successfully Responding to Data Breaches

Organizations that suffer a data breach must respond appropriately, or they will risk increased losses, both in financial terms and diminished brand perception. Each type of data breach has an associated level of harm, so it’s important that decision makers within the organization know how to evaluate and respond to the various breaches. The article looks at the four main categories of identity theft which may arise when a breach occurs: 1) financial identity theft; 2) employment identity theft; 3) medical identity theft; and 4) criminal identity [...]


Health Information Technology for Economic and Clinical Health Act (HITECH)

Prior to the HITECH (Health Information Technology for Economic and Clinical Health) Act, there were many cases in which patients’ private and confidential information was compromised without the health care provider’s knowledge. These data breaches led to legal complications, damage to the brand image and loss of clientele.

What is the HITECH Act?

Enacted on February 17, 2009, the HITECH Act ensures the privacy and security of patient health information. As part of the American Recovery and Reinvestment Act (ARRA) of 2009, the HITECH Act made significant changes to the Health Insurance Portability and Accountability Act (HIPAA) of 1996. Particularly, the [...]


Protecting the Confidentiality of Personally Identifiable Information (SP 800-122)

SP 800-122, a special publication released in April 2010 by the US National Institute of Standards and Technology (NIST), is a resource for those responsible for assessing privacy and designing and implementing privacy controls within information systems and business processes. This article offers a brief introduction to the key concepts and important elements of this publication.

Major Recommendations

SP 800-122 aims to provide usable guidelines for a risk-based approach to protecting personally identifiable information (PII), particularly in US federal government agencies and their business associates. To this end, the publication makes the following recommendations:

Organizations should identify all PII that resides in [...]


OMB Circular A-130

Circular A-130 was first issued by the Office of Management and Budget (OMB) in 1985, in order to establish policy for the management of US federal government information resources. The circular provides uniform policies, as required by the Paperwork Reduction Act of 1980.

Main Policy Points

The body of Circular A-130 discusses the policy for managing information resources. The information management policy is briefly outlined below:

Agencies are required to plan in an integrated manner for managing information throughout its lifecycle.
Agencies should provide for public access to records where required/appropriate.
Agencies should collect or create only the information that is necessary for the proper [...]
