By:
On:
In: *Connecting the Dots Blog*, Human Resources, Information Privacy, Information Security, Risk Management

  In a recent Dark Reading article, new research from Trusteer revealed that mobile users are the most likely to fall victim to fake e-mail messages and visit phishing sites. Once they arrive at the fraudulent site they are also three times more likely than users on PCs to provide sensitive login information. Why are mobile users more vulnerable? Availability – smartphones are with their users 24/7 so e-mails are checked more frequently. Phishing attacks generally get their victims during their initial launch, as after a certain time frame sites are taken down, blocked or shut down. Size – the smaller screens of mobile devicesRead More →

By:
On:
In: *Connecting the Dots Blog*, Information Privacy, Information Security

  One of my last blogs discussed the risks of third-party contractors and their responsibilities for protecting information.  This blog will address yet another third-party risk – your janitors. A janitor was recently arrested for removing boxes of records from a Southern California health care clinic.  Interested only in getting money for the paper, the janitor sold 14 boxes of patient records to a recycling center for $40.  This janitor was not interested in identity theft, but the next one might be… In an earlier case, a janitor stole personal information from patient files at a Chicago hospital, participating in an identity theft ring thatRead More →

By:
On:
In: *Connecting the Dots Blog*, Information Privacy, Information Security, Legal, Regulatory Compliance

  A recent GAO report has revealed that federal agencies utilizing contracted workers are failing to implement contractual assurances with third-parties regarding the protection of sensitive information. GAO auditors examined the contracting practices of three of the largest federal agencies and of those three, only one (DHS) required third-party companies to sign standard contracts requiring the contractors to follow best practices in safeguarding sensitive information. In a recent data breach, a TSA contractor allegedly provided a Boston couple the social security numbers for more than a dozen TSA workers.  Third-parties are increasingly responsible for data breaches, but most often, the hiring agency or company willRead More →

By:
On:
In: *Connecting the Dots Blog*, Information Privacy, Information Security, Legal, Regulatory Compliance, Risk Management

  Dissemination vs. Implementation The Veterans Affairs Department recently announced they will be publishing monthly online accounts of data breaches and lost BlackBerrys and laptops in order to improve accountability and increase transparency. What was shocking to me was that from April through July of this year, the VA has lost 72 BlackBerrys and 34 laptops.  Patient information has been sent to the wrong address or mailed incorrectly 441 times.  There were 9,746 breach incidents involving notifications to patients and 2,501 incidents in which credit reporting was required. Almost 10,000 breach incidents in 3 months!  What is wrong with this picture?  Instead of just disseminatingRead More →

By:
On:
In: *Connecting the Dots Blog*, Incident Reporting, Information Privacy, Information Security, Regulatory Compliance

We have all heard the wise old saying….’One man’s trash is another man’s treasure’ and potentially we have yet another lesson learned for organizations who are obligated to protect their client’s personal information. In this lesson learned from Ohio, three large storage bins were stolen from outside of three different bank branches in three different cities.  Each of the three large storage bins contained paper that was waiting to be shredded and at least one of the storage bins contained personal documents of bank customers. A few questions this incident brings to mind: Should personal data be stored outside of buildings? Should trash/storage bins beRead More →

By:
On:
In: *Connecting the Dots Blog*, Information Security, Regulatory Compliance

I was reading a blog the other day and the question presented to readers was do you believe adoption of end-to-end encryption technology throughout the payments industry is the panacea to protecting personal information?  Some experts have indicated that end-to-end encryption is the way to protect sensitive and personal information from being hacked in situations like TJX and Heartland Payment Systems and others.  The Ponemon Institute even released a new survey (sponsored by PGP – an encryption company) saying that their research shows that breaches are more expensive and can lead to losing customers and indicated that a strategic and more holistic use of encryptionRead More →