Group items tagged

The Federal Trade Commission today approved a final consent order settling claims that CVS Caremark violated customers' privacy and the Health Information Portability and Accountability Act (HIPAA) when it failed to dispose of records properly last year. Earlier this year, CVS Caremark agreed to settle FTC charges that it failed to take reasonable and appropriate security measures to protect the sensitive financial and medical information of its customers and employees, in violation of federal law. In a separate but related agreement, the company's pharmacy chain also has agreed to pay $2.25 million to resolve Department of Health and Human Services allegations that it violated HIPAA regulations. "This is a case that will restore appropriate privacy protections to tens of millions of people across the country," said FTC chairman William Kovacic following the settlement. "It also sends a strong message to other organizations that possess consumers' protected personal information. They are required to secure consumers' private information." Under the final consent order, CVS Caremark is required to rebuild its security and confidentiality program, which will be audited every two years for the next 20 years. The HHS settlement requires the company to develop a new training program to instruct employees on how to handle patient data.

A consumer reporting agency that failed to properly screen prospective customers and, as a result, sold at least 318 credit reports to identity thieves, has agreed to settle Federal Trade Commission charges that it violated federal law. Under the settlement, the company and its principal must ensure that they provide credit reports only to legitimate businesses for lawful purposes, use a comprehensive information security program, and obtain independent audits every other year for 20 years. The settlement also imposes a $500,000 penalty but suspends payment due to the defendants' inability to pay. According to the FTC, the defendants use sensitive financial data from other consumer reporting agencies to create reports that landlords use to assess potential renters. These reports contain consumers' names, Social Security numbers, birth dates, bank and credit card account numbers, credit histories, and other personal information. The Commission alleges that the company failed to properly screen new customers. The company allegedly requested only publicly-available information from applicants seeking credit reports, and it did not request supporting documentation to establish that an applicant was actually a landlord renting property. As a result, identity thieves posing as property owners were given an account with unlimited online access to credit reports, and the account was used to access at least 318 reports containing sensitive personal information. The FTC charged the defendants with violating the Fair Credit Reporting Act (FCRA) by furnishing credit reports to persons who did not have a permissible purpose to obtain them, and by failing to maintain reasonable procedures to prevent such impermissible disclosures and to verify their customers' identities and how they intended to use the information. The agency also charged them with violating the FTC Act by failing to employ reasonable and appropriate security measures to protect sensitive consumer inform

Paperwork containing the personal medical information of at least 66 patients at Massachusetts General Hospital was lost this month when an employee apparently left it on an MBTA train. The hospital sent out letters last week to patients whose identities were included in the lost paperwork, telling them the information listed their names and dates of birth, and private medical information, including their diagnoses and the name of the provider with whom they met. The material constituted billing records for patients who attended the hospital's Infectious Disease Associates outpatient practice on Fruit Street on March 4. Deborah A. Adair, the hospital's privacy officer and director of health information services, said in a statement released yesterday that while the incident was regrettable, the hospital followed privacy laws by immediately alerting affected patients and authorities, including the state attorney general's office and the Department of Consumer Affairs and Business Regulation. "[Hospital] police and security are thoroughly investigating this matter not only with an eye toward recovering the missing information but also toward making sure that this will not happen again," Adair said. "Our information privacy and security policies and procedures are among the strongest in the healthcare industry, but incidents such as this remind us that we must continue to review and revise them, as well as continue to educate our staff on best practices to avoid incidents such as this." According to hospital security reports, a manager in the infectious disease center's billing unit told supervisors that she left the paperwork on a Red Line train the morning of March 9. The manager said she had brought the paperwork home with her to work over the weekend and left the material sometime between 7:30 and 9 a.m. The Transit Police were notified, but the paperwork was not found.

It's unclear whether a report being prepared for President Barack Obama on federal information security preparedness will support recent calls for the creation of a new cybersecurity office within the White House, two lawmakers said last week. Instead, the report may recommend a more collaborative and cooperative strategy among federal agencies on the issue of cybersecurity without a single agency or department in charge, they said. Members of the U.S. House Cybersecurity Caucus met with Melissa Hathaway, acting senior director for cyberspace for the National Security Council and Homeland Security Council. Hathaway, who is conducting a 60-day review of federal cybersecurity preparedness on behalf of the president, Thursday presented a status report to members of the caucus. Speaking with reporters after the briefing, Rep. James Langevin (D-R.I.), co-chair of the caucus, and Rep. Yvette Clarke (D-N.Y.), chairwoman of a subcommittee within the Committee on Homeland Security, said it was unclear yet what Hathaway might recommend. Rather than "include another structure" within the White House, there may be a call for an increase in staffing within the White House Office of Management and Budget (OMB) in a bid to improve its current role of overseeing government cyberaffairs, said Langevin. Chances are "there will not be one king," he said. Langevin co-chaired a commission at the Center for Strategic and International Studies, a bipartisan think tank, that has called for the creation of a centralized cybersecurity office in the White House to be named the National Office for Cyberspace. The new office could combine the National Cyber Security Center (NCSC) and the Joint Interagency Cyber Task Force, two existing agencies that are handing cybersecurity today. The U.S. Government Accountability Office (GAO) has also called for a new office dedicated to cybersecurity within the White House. Calls have been prompted by what is perceived as the inability of the U.S. De

NIST announces the release of the Initial Public Draft (IPD) of Special Publication 800-16, Revision 1, Information Security Training Requirements: A Role- and Performance-Based Model. This publication is now available for public comment. The comprehensive training methodology provided in this publication is intended to be used by federal information security professionals and instructional design specialists to design (1) role-based training courses or modules for personnel who have been identified as having significant responsibilities for information security, and (2) a basics and literacy course for all users of information systems. We encourage readers to pay special attention to the Notes to Reviewers section, as we are looking for feedback on the many changes we have made to this document.

"Data broker ChoicePoint, the victim of a 2004 data breach affecting more than 160,000 U.S. residents, has agreed to strengthen its data security efforts and pay a fine for a second breach in 2008, the U.S. Federal Trade Commission said Monday. ChoicePoint, now a subsidiary of Reed Elsevier, will pay US$275,000 to resolve the newest FTC complaint. The FTC accused the company of failing to implement a comprehensive information security program to protect consumers' personal information, as required by the agency after the 2004 breach. The April 2008 breach compromised the personal data of 13,750 people, the FTC said in a press release. ChoicePoint turned off a "key" electronic security tool used to monitor access to one of its databases, and failed to detect that the security tool was turned off for four months, the FTC said. For a 30-day period, an unknown hacker conducted thousands of unauthorized searches of a ChoicePoint database containing sensitive consumer information, including Social Security numbers, the FTC said. After discovering the breach, the company notified the FTC. If the software tool had been working, ChoicePoint likely would have detected the intrusions "much earlier," the FTC said. "

Privacy & security are individual rights and responsibilities, not just corporate or governmental responsibilities. Reliance on technology is bound to fail without motivation for all involved to find mutual benefits.

Identity theft and security is always in the spotlight through the constant stream of news stories about companies losing confidential customer or client data, such as social security numbers, credit card numbers, health histories and so forth. These "breaking news" stories now seem to happen so frequently that we scarcely pay attention to them unless, of course, we are directly impacted by them. They have, however, heightened the public awareness and have even spawned new identity protection businesses. Information technology companies rightly react to this by developing new technologies to improve security and eagerly market these to CIOs as a way to protect the personal information of their customers and clients. While we should use these appropriately, we can't rely just on technology for identity protection. While some of these security incidents involve someone hacking into a system, many involve a human failing. Examples include a laptop with confidential information being lost or stolen and employees e-mailing sensitive data to their personal e-mail accounts so they can work on it from home.

With identity theft on the upswing, Aram Langhans thought he was simply being prudent when he asked the Yakima Heart Center to remove his Social Security number from its files. "They had my insurance card and my driver's license. What else did they need?" said Langhans, a retired public school teacher insured by Group Health. Langhans said he was initially hooked up to a portable heart monitor that he was to wear for 24 hours, but the disagreement over his Social Security number prompted upper-level personnel to change their minds. He said moments after the device was attached, he was sent to a restroom to remove it and turned away. Shawnie Haas, administrator of the Heart Center, an independent outpatient group practice, declined to discuss the incident. But she said in an e-mail statement that the practice protects patients' privacy. "The Yakima Heart Center is careful to collect data pertinent to ensuring accuracy of our patient's medical record. Routine information collected for all patients includes name, address, date of birth, Social Security number, gender, and other specific information that helps us verify that individual's identity and insurance enrollment or coverage data. We are careful to maintain confidentiality of all patient information in our system." According to state and federal regulators, private insurance companies have moved away from using Social Security numbers for patient identification. But health-care providers in the Yakima Valley say they routinely collect them as "backup" in the event that patients' insurance doesn't pay the claim.

A company that monitors P2P networks says it found details about the president's helicopter, Marine One, on a computer in Tehran. Pittsburgh station WPXI reports. Bob Boback, CEO of Tiversa, said, "We found a file containing entire blueprints and avionics package for Marine One. … What appears to be a defense contractor in Bethesda, MD had a file sharing program on one of their systems that also contained highly sensitive blueprints for Marine One," Boback said. Retired Gen. Wesley Clark, an adviser to Tiversa, added: We found where this information came from. We know exactly what computer it came from. I'm sure that person is embarrassed and may even lose their job, but we know where it came from and we know where it went. It's no accident the information wound up in Iran, the company said. Countries like Iran, Pakistan, Yemen, Qatar and China are "actively searching for information that is disclosed in this fashion because it is a great source of intelligence," Boback said. Rep. Jason Altmire said he will ask Congress to investigate the risk to national security of this sort of exposure. Cnet's Charles Cooper interviewed the Tiversa's Sam Hopkins (Cooper says he's the CEO but the original report said Boback is CEO; the company website doesn't list executives), who said someone at the company was running a Gnutella client - possible a buggy one. Hopkins said it's hardly an unusual occurence - although presumably the usual breaches aren't so closely connected to the President. Everybody uses (P2P). Everybody. We see classified information leaking all the time. When the Iraq war got started, we knew what U.S. troops were doing because G.I.'s who wanted to listen to music would install software on secure computers and it got compromised. … We see information flying out there to Iran, China, Syria, Qatar-you name it. There's so much out there that sometimes we can't keep up with it. Bottom line: P2P is the big

This tip is part of SearchSecurity.com's Data Protection School lesson, E-discovery and security in the enterprise. Visit the E-discovery and security in the enterprise lesson page for additional learning resources. Most information security pros have a handle on the major data types found in their environments, but they also know that there is a whole lot more data lurking around the edges. These unknown data types can include documents used by individuals, or whole applications owned by departments that have quietly become essential to the business. Most of the time, focusing on the squeaky wheels is an acceptable strategy; if there's no "squeak" then there's no need to worry. But when it comes to litigation, and especially managing the electronic discovery process, what you don't know can hurt you. There are four major types of data in use today: paper documents; structured data sets, like databases; semi-structured applications, like email and image stores; and unstructured repositories, like file servers. Comprehending the vast volume of these varied records can be a challenge for everyone involved, which includes information technology, records management, legal staff, and even the data owners themselves. But since almost all business information is stored in digital formats today, electronic storage systems are the most popular target for the discovery motions filed as part of legal proceedings. It is most efficient for a litigator to head straight for your email, spreadsheets and applications, looking for what they term electronically stored information (ESI). Making matters worse for IT administrators, new rules for civil litigation enacted at the end of 2006 (called the Federal Rules of Civil Procedure, or FRCP) have pushed up the timetable of electronic discovery. What was once a delayed and informal process has become much more structured, with lawyers meeting to discuss available ESI, typically just a few weeks after legal action commences. When l

NEW YORK With increasing amounts of personal information liable to float around in cyberspace, consumers are deciding whether their data is safe in the hands of some public- and private-sector entities. A BBC World News America/Harris Poll finds a mixed verdict, with social-networking sites faring especially badly. In polling conducted last month, adults were asked to say how much trust they have in various sectors "to handle your personally identified information (such as credit-card information, contact information and so forth) in a properly confidential and secure manner." The poll's best scores went to "health providers, such as doctors and hospitals," with 20 percent of respondents expressing "a great deal of trust" and 55 percent "some trust" in these. Nineteen percent voiced "not much trust" and 7 percent "no trust at all" in this sector. At the bottom of the rankings were "social-networking sites (like Facebook or MySpace)," with 5 percent expressing a great deal of trust and 18 percent some trust in these. Thirty-one percent said they had not much trust and 46 percent no trust at all in these sites to safeguard personal information. (Whether people should direct their distrust to themselves for posting such information there in the first place is a question the survey didn't address.) Respondents were also wary of "search and portal sites (like Google or Yahoo!)" when it comes to keeping personal information secure: Ten percent voiced a great deal of trust, 39 percent some, 29 percent not much and 22 percent no trust at all. Even the federal government fared (slightly) better, with 13 percent expressing a great deal of trust, 41 percent some, 28 percent not much and 18 percent none. The scores were more positive for "banks and brokerage companies": 15 percent a great deal of trust, 43 percent some, 28 percent not much and 13 percent none. That was roughly on a par with the ratings for "my e-mail provider": 14 percent a great deal, 48 percent some, 27 p

Incident demonstrates that even agencies that put in security controls are still vulnerable The Federal Aviation Administration was doing such a good job at protecting data in its computer systems that the Office of Management and Budget chose it in January to be one of four agencies to guide other federal agencies in their cybersecurity efforts. Just a month later, FAA officials had to admit that hackers breached one of the agency's servers, stealing 48 files. Two of the files contained information on 45,000 current and former FAA employees, including sensitive information that could potentially make them vulnerable to identity theft. The security breach, although significant and potentially far reaching, is not necessarily a reflection on FAA's security measures. Rather, it demonstrates the problems of securing federal computer systems and difficulty in evading every potential attack. "Every agency is living through the same problems," but most are being less forthcoming about reporting them, said Alan Paller, director of the SANS institute. "FAA should get kudos for rapid action. Slamming them shows a complete lack of understanding about the state of security in federal agencies."

Is the price to safeguard America's information systems and networks on a collision course with efforts to rescue the economy? One would hope not, but the $789 billion stimulus package that contains nearly $10 billions for IT-related projects offered very little for cybersecurity. Still, the president sees protecting government and private-sector information systems as crucial to the economic vitality of the country. So, when Acting Senior Director for Cyberspace Melissa Hathaway hands the President her recommendations on securing the nation's information infrastructure later this month, a sharper picture should emerge on how much money the government will need to spend to do just that. What Price Security? The government isn't a spendthrift in protecting its IT networks; it earmarked $6.8 billion a year on cybersecurity this fiscal year, up from $4.2 billion five years ago, according to the White House Office of Management and Budget. But is that enough? Appropriating money to find new and innovative ways to protect our critical information infrastructure doesn't seem to be a government priority, at least not yet. Of the $147 billion the government planned to spend on all types of research and development this fiscal year, only $300 million or 0.2 percent was slated for cybersecurity, according to the Securing Cyberspace in the 44th Presidency report issued by the Center for Strategic and International Studies. By comparison, the budget contained five times as much money $1.5 billion for nanotechnology R&D.

Most Americans believe the world financial crisis has increased their risk of identity theft or related crimes, according to the latest Unisys Security Index. The biannual survey of consumers in nine countries found that more than two-thirds of Americans are "extremely or very concerned" about other people obtaining and using their credit or debit card details -- with 90 percent at least "somewhat concerned." In addition, computer security remains a major concern. More than 40 percent of Americans are extremely or very concerned about security in relation to viruses or unsolicited emails. Three-quarters of Americans believe that the world financial crisis will increase the risk that they will personally experience identity theft or related crimes. More than one-quarter believe that the risk will increase substantially. "Financial security for Americans has moved from third place to front and center, number one," Tim Kelleher, vice president of enterprise security at Unisys, provider of information technology consulting services, told SCMagazineUS.com Monday. "People feel they are much more financially at risk." This has major implications for banks and other financial institutions, as well as internet businesses, he said. "Banks and businesses need to understand that customers are more wary than ever about using services that may compromise their personal data," Kelleher said. "If economic concerns increase these fears, companies need new strategies to strengthen customer confidence through accountability and transparency, which also plays to part of the Obama administration's call to action for government and business." The U.S. Security Index is based on a random telephone survey of 1,004 persons ages 18 and over. The first wave of the study was conducted in August 2007.

www.killdo.de.gg Most quality online stores. Know whether you are a trusted online retailer in the world. Whatever we can buy very good quality. and do not hesitate. Everything is very high quality. Including clothes, accessories, bags, cups. Highly recommended. This is one of the trusted online store in the world. View now www.retrostyler.com

On September 12, 2009, Maine's Act to Prevent Predatory Marketing Practices Against Minors (the "Act") will take effect. The Act prohibits businesses from knowingly collecting or receiving a minor's health-related information or personal information for marketing purposes without first obtaining verifiable parental consent. Businesses are also prohibited from using any health-related information or personal information regarding a minor for the purpose of marketing a product or service to the minor. Pursuant to the Act, the use of information in such a manner is a predatory marketing practice, which may be sanctioned as an unfair trade practice. The law also allows individuals subject to unlawful data collection or predatory marketing practices to bring a private right of action against violators. For businesses, the implications of Maine's new data collection and marketing restrictions are far-reaching. The scope of the law covers both online and off-line marketing activities, and the broad definition of personal information includes a minor's name in combination with any information concerning the minor. In light of the Act's restrictive requirements and considerable scope, businesses would be well-advised to evaluate their current marketing practices and age verification mechanisms. The text of the law is available here.

Further proof that LA has it head in the clouds - A plan to overhaul the city of Los Angeles' computer system is raising concerns about the security of confidential information. The nation's second-largest city is considering dumping its in-house computer network for Google Inc. e-mail and office programs that are accessed over the Internet. But the city police union says it doesn't have enough information to determine if sensitive witness and investigation files will be secure from hackers. Google spokeswoman Aviva Gilbert says security "is built into the DNA of our products."

A plan to overhaul the city of Los Angeles' computer system is raising concerns about the security of confidential information. The nation's second-largest city is considering dumping its in-house computer network for Google Inc. e-mail and office programs that are accessed over the Internet. But the city police union says it doesn't have enough information to determine if sensitive witness and investigation files will be secure from hackers. Google spokeswoman Aviva Gilbert says security "is built into the DNA of our products."

Stunned applicants filling out immigration forms are now being warned their personal information can be shared with the RCMP, national security and intelligence agents, and even foreign cops. The immigrants, many who arrive here from brutal regimes, are being told that they must sign a consent form or their requests will not be dealt with by federal immigration officials. One form, which was obtained by Sun Media, said the data can be shared with the Canada Border Services Agency, RCMP, Canadian Security Intelligence Service and foreign police. TARGET FRIENDS The information can be used to target friends or family members of those who say negative things about their homelands, said Jamal Kaker, of the Afghan Association of Ontario. "This will impact a lot of immigrants in many communities," he said yesterday. "This is scary because the information will get back to Afghanistan in no time." Toronto lawyer Guidy Mamann said it can be deadly for immigrants who give information that may be negative to their governments and are then refused by Canada. "The rights of these immigrants are being trampled," Mamann said. "All this was done under the radar without an announcement." He said foreign police -- some working for the worst regimes -- will be able to find out where their nationals who fled to Canada live and allegations they have leveled against their homelands. "All this information will now be shared," Mamann said. "The lives of immigrants and some Canadian citizens will become an open book." SIGN FORMS He said Canadian citizens are affected if they sign forms to sponsor a spouse or loved ones. "It's another nail in the coffin for civil rights in Canada," Mamann said. "Negative information against governments will now be open for sharing." Toronto lawyer Mendel Green called the changes troubling. "This is a serious breach of our privacy laws," he said. "It appears to be an excess of authority. Big Brother wants to watch our visitors." Federal immig

Every time you get online, your privacy comes under attack. Whether it's an overbearing End User License Agreement, contact forms, or just website cookies, there are literally millions of ways that you can let your private information slip away online. One of the best ways to fight invasions of your privacy is to get informed and learn how to prevent it. Read on to find advice, organizations, and other resources that can help you keep your privacy safe online. Guides & Articles These resources have specific advice and information for protecting your online privacy. 1. EFF's Top 12 Ways to Protect Your Online Privacy: Read this guide from the Electronic Frontier Foundation to learn how you can protect private information online. 2. Frequently Asked Questions about Online Privacy: Get answers to questions about online privacy and safety from this resource. 3. Is Your PC Watching You? Find Out!: This article from CNN will help you figure out if your privacy is being violated through your PC. 4. Nameless in Cyberspace: Anonymity on the Internet: Find out why the right to anonymity online is so important to have by reading this article. 5. Consumer Privacy Guide: The Consumer Privacy Guide offers a variety of resources and information for protecting your privacy online. 6. This Email Will Self-Destruct: Learn about email security measures that you can take to protect your privacy. 7. Anti-Spam Resources: Visit this guide to learn how to stop receiving junk email. 8. All About Internet Privacy and Security: Read this guide to learn about security terms and Internet privacy settings. 9. Online Privacy: The Complete Guide to Protect You: WebUpon's guide discusses steps you can take to protect your online privacy. 10. Social Networking and Safety Online: Read this guide to learn how to practice common sense on social networking sites. 11. Internet privacy: Wikipedia's entry on Internet privacy offers a broad view at staying private o

Those who are superstitious may believe that bad things happen on Friday the 13th, but we will leave it to each individual and entity to formulate conclusions regarding the Health Information Technology for Economic and Clinical Health Act (the HITECH Act), which Congress passed late on Friday, February 13, 2009, and President Obama officially signed into effect on February 17, 2009. The HITECH Act addresses various aspects relating to the use of health information technology (H.I.T.), including providing for federal funding by way of grants and incentive payments in order to promote H.I.T. implementation. This Alert focuses, however, on Subtitle D of the HITECH Act, which includes important, new and far-reaching provisions concerning the privacy and security of health information that will materially and directly affect more entities, businesses and individuals in more diverse ways than ever before. These changes are further elaborated upon below, but this Alert can only highlight certain prominent issues under the HITECH Act and is by no means a comprehensive review of this lengthy and complex Act. For questions and additional guidance on the HITECH Act, contact your Fox Rothschild attorney or the authors of this Alert. New Privacy and Security Requirements * Security Breach Notification Requirements: Security breach notification requirements under the HITECH Act go into effect 30 days after the date that interim final regulations are promulgated, which will be no later than 180 days after the date of enactment of the HITECH Act (August 16, 2009). Covered entities, business associates and vendors who handle personal health records are required to abide by breach notification requirements. Violations of this requirement by vendors would be treated as an unfair and deceptive act or practice in violation of the Federal Trade Commission Act. If a breach affects more than 500 individuals of a particular state, notice also must be provided to prominent media outl

Hackers broke into the Federal Aviation Administration's computer system last week, accessing the names and national identification numbers of 45,000 employees and retirees, a union leader says. Tom Waters, president of American Federation of State, County and Municipal Employees Local 3290, said FAA officials briefed union leaders Monday about the security breach. FAA spokeswoman Laura Brown confirmed the agency's computers were hacked last week. Story continues below ↓advertisement | your ad here Waters said union leaders were told hackers gained access to two files. One file had the names and Social Security numbers of 45,000 employees and retirees on the FAA's rolls as of February 2006. Social Security is the U.S. government-directed pension system, and in the absence of a national identity card, other people's social security numbers can be used to steal identities for illicit purposes. Waters said the other file contained medical information that was encrypted. "These government systems should be the best in the world, and apparently they are able to be compromised," said Waters, an FAA contracts attorney. "Our information technology systems people need to take a long hard look at themselves and their capabilities. This is malpractice in their world." FAA officials told union leaders the incident was the first of its kind at the agency. But Waters said his union complained about three or four years ago about an incident in which employees received anti-union mail that used names and addresses that appeared to be generated from FAA computer files.