Group items tagged

The whole idea of privacy has become a joke. On one hand we have consumers who will give away their personal details to random Web sites (as well as to Mrs. Sikiratu Seki Adam, "a widow to Late Saheed Baba Adams") at the drop of a virtual hat, and on the other we have businesses losing personally identifiable information and transaction data with wild abandon … yes, I'm talking about you Heartland Payment Systems. (Heartland lost data on more than 100 million transactions although it is hardly alone - check out the data loss database at the Open Security Foundation). This widespread carelessness has compromised the privacy of tens of millions of consumers and businesses. While carelessness is the cause, what has allowed it to go unchecked are a number of factors: The Internet making transactions easier and faster; the systems we use on the Internet (particularly Windows PCs) being as secure as the First Little Pig's house of straw; organizations not taking security seriously enough; naive consumers; and inadequate regulation of the companies that hold private data. What got me thinking about this privacy void was a letter my wife received from Nordstrom Bank yesterday. My wife has a Nordstrom credit card and the company sent us, for what seems like the 1,000th time, its latest privacy policy. This version was one page of small text that more or less says what every other privacy notice from financial services companies say (we average about one of these "revised" policies every couple of weeks).

The Heartland data breach is an opportunity for the US government to standardise data breach notification laws. Bill Conner, chairman, president and CEO of Entrust, claimed that following the revelation that more than 100 million credit cards could have been compromised, the government needs to continue to move quickly to standardise data breach notification laws and call for technology, such as encryption and stronger authentication, that truly protects consumer information. Conner said: "Cybercrime continues to grow and is increasingly affecting more and more of this country's citizens. To slow the upward trend of cybercrime in this country, all organisations - enterprise, consumer and even governments - need to carefully review current security approaches and identify key gaps within their infrastructures." He further called for Congress to pass a data breach notification law that better protects consumer identities through stronger data security standards with strong encryption. "This is an opportunity to do something about a security issue that impacts all Americans", said Conner.

As the National Security Council works on its comprehensive review of federal cybersecurity programs for President Obama, it is going to great lengths to consider privacy and civil liberty issues, some Congress members said Thursday. The House Cybersecurity Caucus on Thursday met with Melissa Hathaway, the acting senior director for cyberspace for the National Security and Homeland Security Councils, who is conducting for the administration a 60-day cybersecurity review. Rep. James Langevin (D-R.I.), co-chair of the House Cybersecurity Caucus, said Hathaway has been meeting with privacy and civil liberties groups to receive their input on how to reform cybersecurity. Those issues are "a forethought rather than an afterthought," he said. "Because these are such powerful tools (to grant federal authorities to regulate cyberspace), we're going to have to have the buy-in of the public and have their support." While the Senate is working on its own plan for White House-run cybersecurity efforts, Langevin said Hathaway's assessment may ultimately suggest a strategy with a stronger emphasis on inter-agency efforts. Langevin said it is still unclear whether Hathaway will recommend that a new office for cybersecurity should be created within the Executive Office of the President--a move some senators are pushing for. Certainly, though, policy will have to come from the White House. "This is going to have to be an ongoing strategy of collaboration and cooperation directed out of the White House," Langevin said. "But there won't be one king, so to speak, at the end of the day. The chief information officers at the departments and agencies are still going to have a role to play."

The International Dimensions of Securing Cyberspace with Seymour Goodman, Professor of International Affairs and Computing at Georgia Tech.Hudson Institute hosts the fourth installment of its Telecommunications, Information, and Security Policy Seminar series. Drawing on his experience in the international dimension of cyberspace, Goodman leads a discussion on the extent of the internationalization of cyberspace, specific international problems and weaknesses that add to cyberspace insecurity, especially relating to Africa, and also discusses some forms of international cooperation that might help alleviate these problems.

Since Obama's landmark speech on cybersecurity in May, his administration hasn't revealed much about its long-percolating plans to shore up the government's defenses against hackers and cyberspies. But privacy advocates monitoring the initiative are already raising concerns about what they know and what they don't: the details that have trickled out--including the involvement of the National Security Agency--and the veil of classified information that still covers much of the multibillion-dollar project. "It feels like the Bush administration all over again," says Pam Dixon, executive director of the World Privacy Forum. "Not enough people know the details about these programs to have a good public discussion. We all want good security of government systems, but you have to balance the cloak and dagger elements with civil liberties."

Consumers face a greater risk of losing control of their data when doing business with smaller retailers, as many haven't made investments to comply with the Payment Card Industry's Data Security Standard (PCI DSS), according to a new survey. The survey, which covered 560 U.S. and multinational organizations, asked respondents a variety of questions about their investments and deployment of technology to comply with PCI DSS, which was introduced in 2005. It's an industry standard created by major credit card companies that's designed to protect customer payment data. The survey found that 55 percent of organizations only secured credit card information but not other data such as Social Security and driver's license numbers or bank account details. Also, only 28 percent of smaller companies between 501 to 1,000 employees comply with PCI DSS. That compares with more than 70 percent of large merchants with 75,000 or more employees that claimed they're compliant.

"As the federal government readies the third iteration of Einstein, privacy concerns over the intrusion detection system were voiced at a Senate hearing on Tuesday. Philip Reitinger, Department of Homeland Security deputy undersecretary for the National Protection and Programs Directorate, told the Senate Committee on the Judiciary's Subcommittee on Terrorism and Homeland Security that DHS envisions deploying Einstein 3 as an intrusion prevention system. Einstein 1 monitors network flow and Einstein 2 detects system intrusions. "This more robust version of Einstein would provide the federal government with an improved early warning and an enhanced situational awareness; the ability to automatically detect malicious activity; and the capability to prevent malicious intrusions before harm is done," Reitinger said. But Gregory Nojeim, senior counsel and director of Project Freedom, Security and Technology at the Center for Democracy and Technology, cited press accounts that Einstein 3 would rely on pre-defined signatures of malicious code that might contain personally identified information, and threaten the privacy of law-abiding citizens. "While Einstein 2 merely detected and reported malicious code, Einstein 3 is to have the capability of intercepting threatening Internet traffic before it reaches a government system, raising additional concerns," Nojeim testified. Einstein 3 reportedly could operate within the networks of private telecommunications companies, and Nojeim wondered if the technology could analyze private-to-private communications. "If Einstein were to analyze private-to-private communications, that would likely be an interception under the electronic surveillance laws, requiring a court order," he said. "

Hospital CIOs, chief information security officers, and privacy officers are working diligently to keep their names off that wall. But they are dealing with a regulatory environment that is still in flux. A final rule that will strengthen HIPAA privacy and security safeguards is due out before the end of the year. HHS also has proposed a rule for the accounting of disclosures from electronic records. The biggest shift under way may be a new enforcement regime as the HHS Office for Civil Rights (OCR) shifts gears from only reacting to data breach reports to begin random audits of the privacy and security safeguards of large and small providers and their business associates. Another new wrinkle under the HITECH Act is that state attorneys general can file civil lawsuits for HIPAA violations.

State and federal lawmakers continue to introduce bills regulating the collection, use and security of consumer and personal information. The proposed federal bills could change the national privacy framework. At the same time, regulators and the plaintiffs' bar remain focused on privacy and security issues and continue to initiate enforcement actions and class action suits. This program will address these developments and provide tips for managing privacy concerns in an era of fast-changing privacy laws.

As I'm sure you know, former NSA analyst Russell Tice revealed that the agency spied on journalists and ordinary Americans - not just communications between the U.S. and overseas. Speaking on the Keith Olbermann show on MSNBC, Tice said: "The National Security Agency had access to all Americans' communications," he said. "Faxes, phone calls and their computer communications. … They monitored all communications." He made a further appearance on Olbermann Thursday (view above), in which he said that the NSA combined these illegal wiretaps with credit card and financial data. ""This [information] could sit there for ten years and then potentially it marries up with something else and ten years from now they get put on a no-fly list and they, of course, won't have a clue why," Tice said. "This is garnered from algorithms that have been put together to try to just dream-up scenarios that might be information that is associated with how a terrorist could operate," Tice said. "And once that information gets to the NSA, and they start to put it through the filters there . . . and they start looking for word-recognition, if someone just talked about the daily news and mentioned something about the Middle East they could easily be brought to the forefront of having that little flag put by their name that says 'potential terrorist'." Why were they monitoring reporters? New York Times reporter James Risen told Olbermann he thought it was a plot "to have a chilling effect on potential whistleblowers in the government to make them realize that there's a Big Brother out there that will get them if they step out of line."

The theft in 2006 of an employee laptop that contained personal information on millions of veterans taught the Veterans Affairs Department some hard lessons. VA became "the poster child of data breaches," said Kathryn Maginnis, the department's associate deputy assistant secretary for risk management and incident response. As a result of that incident and several breaches that followed, the department developed a comprehensive incident response program and incident resolution team that evaluates all serious exposures of sensitive data. "We have a culture of report, report, report," Maginnis said at the recent FOSE conference in Washington. The incident response program received a perfect score last year in the VA inspector general's Federal Information Security Management Act audit, and Maginnis said she expects to get another perfect score this year. The department developed two in-house online tools to help track and evaluate incidents, said Amanda Graves Scott, director of the incident resolution team. The Formal Event Review and Evaluation Tool uses a 56-question questionnaire to determine the risk category of a data breach, and the VA Incident Response Tracking System automates a manual tracking process for information technology incident response.

The National Institute of Standards and Technology (NIST) this month released preliminary recommendations that federal agencies -- and their contractors -- should follow to protect the confidentially of personally identifiable information (PII). U.S. government agencies should take a number of precautions when dealing with personal information residing in their organizations, according to the NIST document. The recommendations are intended to be for U.S. federal government agencies, and companies with which they work, but NIST said that other verticals may also find value in it. The report states that organizations should store only PII necessary to conduct business, develop an incident response plan for the event of a breach and encourage coordination for data-loss incidents among CIOs, information security officers and legal counsel.

"Today, the Federal Trade Commission opened new areas of a "virtual mall" with content that will help kids learn to protect their privacy, spot frauds and scams, and avoid identity theft. The FTC Web site, www.ftc.gov/YouAreHere, introduces key consumer and business concepts and helps youngsters understand their role in the marketplace. The FTC is the nation's consumer protection agency. "YouAreHere presents practical lessons about money and business in a fun and familiar setting," said David Vladeck, Director of the FTC's Bureau of Consumer Protection. "The new content takes kids behind the scenes to raise their awareness of advertising and marketing, pricing and competition, fraud and identity theft. At the FTC's online mall, visitors play games, watch short animated films, and interact with customers and store owners. They can design and print advertisements for a shoe store, investigate suspicious claims in ads and sales pitches, learn to identify the catches behind bogus modeling schemes and vacation offers, and guess the retail prices of various candies based on their supply, demand, and production costs. At the Security Plaza, visitors can build a social networking page and see the unintended consequences of posting personal information. They also get tips on how to keep their computers safe while they're online. In the arcade, visitors can play Info Defender 3 and protect Earthlings from Cyclorian invaders who would steal their identities. The game teaches the importance of protecting personal information, including Social Security numbers. For parents and teachers, the site offers detailed fact sheets with ideas for related activities. Teachers can use the site to complement lessons in consumer economics, government, social studies, language arts, and critical thinking. The National Council for Economic Education has developed a lesson plan that prominently features YouAreHere; it is available on the Parents and Teachers page. "

"Kathy Silver, CEO of University Medical Center, learned three weeks ago that names, birth dates and Social Security numbers for at least 21 patients were leaked from the hospital - a crime being investigated by the FBI. But the hospital still has not disclosed the breach to the patients, Silver told a committee of legislators Wednesday. She spoke as if this was not a problem. The law allows 60 days from the time UMC learns of a security breach to inform patients, she said. One victim says that is too long to wait to tell patients they may be at risk of identity theft. The hospital should have disclosed the breach immediately, said a 40-year-old UMC patient whose personal information - the kind that can be used for identity theft - was leaked. The man, who went to the public hospital Nov. 1 after a motorcycle accident, learned his privacy had been breached only when a Las Vegas Sun reporter told him Wednesday afternoon. The man was stunned and angry to learn from someone other than hospital officials that his data had been leaked. Hospital officials should have notified him "way sooner," he said. "I would've given them two or three days after they initially found out. But this is a major thing - a priority thing!""

URAC, the leading health care accreditation and education organization, announced today the recent Healthcare Information and Management Systems Society (HIMSS) annual conference raised important questions about consumer privacy and security around electronic health records (EHR). (Logo: http://www.newscom.com/cgi-bin/prnh/20030501/URACLOGO ) "There is no doubt that electronic health records are coming. The question is whether or not consumers' privacy is a key issue or an afterthought," said Alan P. Spielman, President and CEO of URAC. "A lot of forces are driving the push for EHR. However, it is important that standards go hand-in-hand with policy so that it doesn't become the Wild West with every vendor and health care provider using different terms." The rules set by the Health Insurance Portability and Accountability Act (HIPAA) are integral to the widespread adoption of EHR. However, the rules can be confusing for consumers and providers. URAC was the first organization to offer HIPAA Privacy Accreditation. The organization now offers comprehensive standards for both HIPAA Privacy and HIPAA Security accreditation. These standards are applicable to all personal health information storage formats and exchanges claims transactions and are designed for many different types of health care organizations including both Covered Entities (CE) and Business Associates (BA). They also require an ongoing compliance program that identifies, tracks and makes the necessary changes in response to a federal or state regulatory change.

The Oklahoma Department of Human Services (DHS) is notifying more than one million state residents that their personal data was stored on an unencrypted laptop that was stolen from an agency employee. The computer file contained the names, Social Security numbers, birth dates and home addresses of Oklahoma's Human Services' clients receiving benefits from programs such as Medicaid, child care assistance, nutrition aid and disability benefits, the agency announced Thursday. The computer, which was stolen when a thief broke into the car April 3 after the employee stopped on her way home from work, was password protected, and officials do not believe the burglar realized what he or she was stealing. Therefore, the risk of the data being accessed is minimal, according to the agency. "We feel this was not a situation where someone was targeting the agency or that information," DHS spokeswoman Mary Leaver told SCMagazineUS.com on Friday. "We feel it was random." Leaver said the state Office of Inspector General is conducting an investigation, out of which likely will come a mandatory review of information security policies. However, it is not believed the employee violated existing policy when the incident occurred, she said. News of the theft comes one day after the Ponemon Institute, in conjunction with Intel, released a study that found the average value of a lost laptop is $49,246. About 80 percent of the cost is related to the chance that a breach could occur, the study showed.

Identity thieves using the names and Social Security numbers of Irving Independent School District employees have made thousands of dollars in purchases, school officials say. One woman has been accused of fraudulent use or possession of identifying information and two charges of credit card abuse. A second person linked to the theft case has been arrested but no charges have yet been filed in the Irving case, authorities said. At least 64 of the 3,400 teachers and other employees whose names were on the old benefits report that somehow ended up in the trash have said they are identity theft victims. The school district mailed letters to current and former employees about the breach, but 472 of the letters were returned as undeliverable. Pat Lamb, district security director, said in a story for Sunday's online edition of The Dallas Morning News that the employees at risk of being on the list worked for the district in the 2000-01 school year and had payroll deductions for benefits. "We still do not know how our records were compromised," Lamb said. "We don't know if somebody was supposed to shred that information, but it ended up in a Dumpster." Lamb said his name was among those on the report, which was generated in 2000. Cynthia Will, a former teacher, pleaded for help from the school board last week. More than $25,000 was charged in her name, including a $4,000 diamond ring, the newspaper reported. "It was stunning the damage that was done in just seven days," she told the board. Will has to carry an affidavit stating that she is an identity theft victim and if there are warrants on her old driver's license number that they are not for her. Dawn Bizzell, who has taught in the district since 1996, said district officials acted too slowly. An employee advisory wasn't posted until Jan. 26. Bizzell said she learned she was an identity theft victim on Nov. 28 and police told her of the district connection on Dec. 3.

www.killdo.de.gg Most quality online stores. Know whether you are a trusted online retailer in the world. Whatever we can buy very good quality. and do not hesitate. Everything is very high quality. Including clothes, accessories, bags, cups. Highly recommended. This is one of the trusted online store in the world. View now www.retrostyler.com

Last week, the government took another step toward closing a legal loophole in federal privacy and security rules for emerging Health 2.0 information technology applications by issuing proposed rules aimed at covering an estimated 900 companies and organizations offering personal health records and electronic systems connected to them. The Federal Trade Commission was careful to point out its new interim proposed rule on federal breach notification requirements for the developers of electronic PHR systems did not apply to covered organizations or their business associates as defined by the Health Insurance Portability and Accountability Act of 1996, heretofore the key federal privacy and security regulation. The FTC, operating under new authority given it by the American Recovery and Reinvestment Act of 2009, noted that its new rule seeks to cover previously unregulated entities that are part of a Health 2.0 product mix. FTC staff estimates that about 200 PHR vendors, another 500 related entities and 200 third-party service providers will be subject to the new breach notification rule. The staffers estimate that the 900 affected companies and organizations, on average, will experience 11 breaches each per year at a total cost of about $1 million per group, per year. Costs include investigating the breach, notifying consumers and establishing toll-free numbers for explaining the breaches and providing additional information to consumers. Pam Dixon, founder and executive director of the World Privacy Forum, said that this isn't the first involvement of the FTC in healthcare-related regulation, noting the consumer protection agency joined with the Food and Drug Administration in a joint statement on the marketing of direct-to-consumer genetic tests. The FTC also has worked in the field of healthcare competition. She noted the compliance deadline with the FTC's "red flag rules" on provider organizations that provide consumer credit to patients for installment payment

New Englanders have a reputation for being taciturn, but when it comes to data Massachusetts takes the cake. No state loves its privacy more than the Bay State, which last year passed the nation's most exacting data privacy law, requiring companies to check off a honey-do list of steps designed to protect personal data belonging to commonwealth residents. Connecticut and Rhode Island preceded Massachusetts in joining the minority of states that have enacted proactive data privacy laws, requiring businesses to protect information like Social Security and credit card numbers. Maine, Vermont and New Hampshire, like nearly all states, have only reactive data laws, requiring companies to take certain steps - like reporting a breach to authorities - after data has been compromised. Rhode Island's law, passed in 2006, requires businesses that own or license Rhode Islanders' personal information to "provide reasonable security" for that data. Connecticut's law, passed shortly before Massachusetts enacted data privacy legislation last summer, requires businesses to create and publicly display a data protection policy, but does not specify what that policy should entail. The Connecticut and Rhode Island laws stop far short of the controversial requirements in Massachusetts, where new regulations are scheduled to take effect by January 2010. "They're not technically one-liners, but they're very general," Goodwin Procter LLP partner David Goldstone said of the Connecticut and Rhode Island statutes, which are similar to laws passed in Texas and California. "Essentially they say companies have to have reasonable protections in place."

Stay Online on the world wide web online roulette from Contemporary sydney, Fun and Free! Now you is capable of doing Actual "www.funlivecasino.com.au" Stay Online on the world wide web online roulette for Fun in Contemporary sydney on a product new web page, FunLiveCasino.com.au. Using the newest on the world wide web operating technology, Fun Stay Gambling house allows you be a part of a genuine action occurring on a genuine desk in a genuine betting house, all approved on Live! You can see other real gamers in the betting house betting on the same outcomes you do providing you greatest believe in in the outcomes as they are not designed 'just for you a, like other action experiencing items such as 'live studios' or pc designed actions. Its awesome to think next time your really in the betting house that you might be on digicam, and individuals on the world wide web might be watching! The long run is scary! Believe one day soon this will be the only way individuals would bet on the world wide web because the worldwide web is complete of fraudsters, you have to be extremely cautious, and why would you perform Online Online on the world wide web online roulette any other way except from a Actual Gambling house you can check out, see, pay attention to and trust! Amazingly this site is absolutely 100 % 100 % 100 % free and has no determining upon up process, no junk, no pc rabbit mouse mouse clicks and no pressure. Just Immediate Fun "www.funlivecasino.com.au" 100 % 100 % 100 % free Stay Roulette! Give it a try, its value verifying out! "www.funlivecasino.com.au"Australia's Online Fun Stay Casino! Backlinks designed from http://fiverr.com/radjaseotea/making-best-156654-backlink-high-pr

Bruce Schneier is the chief security technology officer at BT and a celebrated writer and speaker on privacy, cryptography and security issues. Welcome to the future, where everything about you is saved. A future where your actions are recorded, your movements are tracked, and your conversations are no longer ephemeral. A future brought to you not by some 1984-like dystopia, but by the natural tendencies of computers to produce data. Data is the pollution of the information age. It's a natural byproduct of every computer-mediated interaction. It stays around forever, unless it's disposed of. It is valuable when reused, but it must be done carefully. Otherwise, its after effects are toxic. And just as 100 years ago people ignored pollution in our rush to build the Industrial Age, today we're ignoring data in our rush to build the Information Age. Increasingly, you leave a trail of digital footprints throughout your day. Once you walked into a bookstore and bought a book with cash. Now you visit Amazon, and all of your browsing and purchases are recorded. You used to buy a train ticket with coins; now your electronic fare card is tied to your bank account. Your store affinity cards give you discounts; merchants use the data on them to reveal detailed purchasing patterns.