Group items tagged

Profile Optimization True Story: I'm at a party a few months ago - not the usual raucous affair that us search and social media types get into but a full on wine and cheese extravaganza. The kind of shindig Republicans go to and then accuse Democrats of loving when they get up in front of a "Joe the Plumber" type crowd. But I digress… After far too much wine the discussion turned to crazy work environments and I naturally brought up the Fortress of Googletude and it's predilection for hallway scooter parking and riding. A fellow party-go-er who I'll call "Natasha" to protect her identity, nodded and said, 'Yes it's true, I've been there too!" This led to a long, room-clearing talk about search and social media, the kind of talk that true geeks engage in while their spouses go off to chat about politics and religion. Somewhere between bottles Natasha said to me "Have you seen Google People Search?" "Google what now?" I replied. She went on to describe an internally searchable database that the Google folks showed her of people sorted by interests and web habits, ready to be rolled out to advertisers at some point in the future. Thank goodness for the red wine clause in their NDA. Well the future arrived today, at least partially, with Google's announcement that behavioral targeting is being rolled out to the AdWords content network. As the Googlelords put it: "With interest-based advertising, you will be able to reach users based on your past interactions with them, such as their visits to your website. We'll also provide interest categories, such as "sports enthusiasts," so you can reach the audience of your choice. Whether your goal is to drive brand awareness or increase responses to your ads, these capabilities can help expand the success of your campaigns." This is a most effective riposte to the OPA's announcement of new, ludicrous banner ad standards - why futz around with annoying crap no-one will clic

Paperwork containing the personal medical information of at least 66 patients at Massachusetts General Hospital was lost this month when an employee apparently left it on an MBTA train. The hospital sent out letters last week to patients whose identities were included in the lost paperwork, telling them the information listed their names and dates of birth, and private medical information, including their diagnoses and the name of the provider with whom they met. The material constituted billing records for patients who attended the hospital's Infectious Disease Associates outpatient practice on Fruit Street on March 4. Deborah A. Adair, the hospital's privacy officer and director of health information services, said in a statement released yesterday that while the incident was regrettable, the hospital followed privacy laws by immediately alerting affected patients and authorities, including the state attorney general's office and the Department of Consumer Affairs and Business Regulation. "[Hospital] police and security are thoroughly investigating this matter not only with an eye toward recovering the missing information but also toward making sure that this will not happen again," Adair said. "Our information privacy and security policies and procedures are among the strongest in the healthcare industry, but incidents such as this remind us that we must continue to review and revise them, as well as continue to educate our staff on best practices to avoid incidents such as this." According to hospital security reports, a manager in the infectious disease center's billing unit told supervisors that she left the paperwork on a Red Line train the morning of March 9. The manager said she had brought the paperwork home with her to work over the weekend and left the material sometime between 7:30 and 9 a.m. The Transit Police were notified, but the paperwork was not found.

Top attorneys for Microsoft and Google today reiterated their companies' support for tougher government rules to protect consumer privacy. But when it comes to the details, some watchdog groups say they are concerned that Web firms will continue to fight against specific provisions that would limit the ways they can collect and use people's information to serve more targeted ads. Today's panel discussion, held here at the Computers, Freedom and Privacy conference, revisited a longstanding policy debate over the government's role in online privacy. The talk ran along some familiar plotlines, with Jeff Chester of the Center for Digital Democracy thundering about the detailed personal profiles being assembled by advertising companies who are using neuroscience to manipulate consumer behavior, while industry representatives assured the audience that their data-collection practices are benign, not to mention essential to providing free content and services on the Internet. But this wasn't just an idle debate. Rep. Rick Boucher, the Virginia Democrat who chairs a House subcommittee on the Internet, is developing legislation that could seek to impose sweeping restrictions on behavioral targeting. A few blocks up Pennsylvania Avenue at the Federal Trade Commission, the principal regulatory agency with authority over online advertising, newly minted Chairman Jon Leibowitz has spoken often about the need for industry to get serious about privacy. "The FTC's central concern here is transparency, consumer control," said Jessica Rich, assistant director of the agency's privacy and identity protection division. "We don't think consumers really know what's happening with their data."

Advertisers are your friend, and the government is here to help. If consumers don't take responsibility for their data, then all the regulation in the World won't matter.

Be careful what information you give to recruiters!

Insurance company Aetna has contacted 65,000 current and former employees whose Social Security numbers (SSNs) may have been compromised in a Web site data breach. The job application Web site also held names, phone numbers, e-mail and mailing addresses for up to 450,000 applicants, Aetna spokeswoman Cynthia Michener said. SSNs for those people were not stored on the site, which was maintained by an external vendor. The company found out about the breach earlier this month when people began receiving spam messages that appeared to come from Aetna and complained to the company, Michener said. The spam purported to be a response to a job inquiry and requested more personal information. The spam campaign showed the intruders successfully harvested e-mail addresses from the Web site, although Michener said it's not clear if SSNs were also obtained. Nonetheless, Aetna sent letters last week notifying the 65,000 people whose SSNs were on the site of the breach. The company is offering them one year of free credit monitoring, as SSNs are often used by identity thieves. "We wanted to err on the side of caution," Michener said. Aetna hired an IT forensics company to investigate how the Web site had been compromised. "At this point despite a thorough review, they've not been able to pinpoint the precise breach," Michener said. Aetna posted alerts on the job site, its main Web site and its internal intranet about the spam campaign, Michener said.

The Interior Department's inspector general has found widespread mishandling and erratic tracking of special passports issued to department officials traveling overseas, alleging that in numerous instances employees violated federal privacy laws by improperly securing passports and passport application forms. In some cases, officials couldn't account for expired passports of former employees, and could not locate a passport once issued to former Interior secretary Gale Norton. The inspector general's report warned that such mismanagement and lax protection could result in cases of fraud or identity theft impacting current and former employees. "Given the risk of misuse that missing and unsecured passports, visas and passport applications pose, we cannot understate the importance of acting swiftly to address these violations and prevent their recurrence," Acting Inspector General Mary L. Kendall wrote in a memo sent with a copy of the report last week to Interior Secretary Ken Salazar.

IT practices such as identity management, email and URL filtering, virus scanning and electronic monitoring of employees can get companies that do business globally into a heap of trouble if deployed without an understanding of global data privacy laws. The warning was one of several alarms raised in a presentation on global privacy best practices by Gartner Inc. analysts Arabella Hallawell and Carsten Casper at the recent Gartner Risk Management and Compliance Summit in Chicago. Always a thorny issue, the protection of personally identifiable information (PII) is made more complicated in a world where there is limited agreement on how best to do that. According to the Gartner analysts, the world is divided into three parts when it comes to data privacy laws: countries with strong, moderate or inadequate legislation. The European Union, under the European Union Directive on Data Protection, possesses the strongest privacy regulations, followed by Canada and Argentina; Australia, Japan and South Africa have moderate to strong, recent legislation; laws in China, India and the Philippines are the least effective or laxly enforced. The United States has the dubious distinction of occupying two categories -- the strong column, due to the 45 state breach notification laws on the books, and the weak column, because of the lack of a federal law. Even among the three categories, nuances abound. Under the European Union Directive, member countries enact their own principles into legislation, and some laws (like Italy's) are more stringent than the directive's standards. Russia's very recent law is modeled after the strong EU laws, but how it will be enforced remains questionable. And in the U.S., state breach notification laws vary, with Nevada and Massachusetts proposing the most prescriptive data privacy legislation to date.

Hackers, possibly from Asia, have stolen about a decade's worth of personal information on current and former UC-Berkeley students, the university announced Friday. The breaches involved records dating to 1999 at the school's health center that included Social Security numbers, health insurance information, immunization history and the names of treating physicians. No other treatment-related records were stolen, the university said, although self-reported medical histories of students who studied abroad were hacked. The school on Friday sent e-mails and letters to 160,000 people, including about 3,400 Mills College students who used or were eligible for University of California-Berkeley medical services. About 97,000 people are most at risk because their names and Social Security numbers could be connected by the hackers, said Steve Lustig, the university's associate vice chancellor for health and human services. "What's been taken is bits of data that the thief might put together into an identity," he said. The university traced the hackers back to Asia, possibly China, but the exact origin could not be pinpointed. UC and FBI investigators are probing the breaches, which apparently occurred over several months. An FBI spokesman said the agency was informed of the hacking immediately, but declined to provide more information. The thefts were discovered about a month ago, but system administrators did Advertisement not realize the breadth of the attack until April 21. The hackers disguised their work as routine operations and then left taunting messages for UC-Berkeley employees, said Shelton Waggener, the university's associate vice chancellor for information technology. The thieves accessed the information through the university Web site, he said. "You should think of it as a public building," Waggener said. "They got into the building properly, but then they broke into secure areas." Administrators at Mills College, which contracts with UC-Berkeley for

Four HIV-positive patients whose records were left behind on an MBTA train by a Massachusetts General Hospital employee are suing the hospital, claiming their privacy has been breached. In March the hospital notified 66 patients who received care at its Infectious Disease Associates outpatient practice that billing records bearing their names, Social Security numbers, doctors, and diagnoses had been lost by a manager who was riding the Red Line. She had brought the paperwork home for the weekend, but left it on the train when she returned to work the morning of Monday, March 9, according to hospital security reports. Last week two patients who are HIV-positive filed a suit in Suffolk Superior Court against the hospital and the unidentified billing manager. The unnamed plaintiffs have been joined by two other HIV-positive people. The legal action was first reported in the weekly newspaper Bay Windows. Their lawyer, John Yasi of the Salem law firm Yasi and Yasi, said in an interview he has filed a motion to make the suit a class action that could cover all 66 patients, a significant number of whom are also HIV-positive. "The damages that jump out are the emotional distress surrounding the loss of obviously very sensitive medical information and secondarily the loss of personal security information," he said. "A Social Security number in reality may lead to identity theft, which we all know is a nightmare."

The Federal Trade Commission, continuing its focus on behavioral advertising practices and online consumer privacy, has hired Harvard researcher Christopher Soghoian as a technical consultant. Soghoian, currently with Harvard's Berkman Center for Internet & Society and a noted researcher and blogger on online privacy, will work with the FTC's Bureau of Consumer Protection, Division of Privacy and Identity Protection. He has been particularly critical about the length of time major Internet service providers and companies keep and use customer data Last month, several marketing and advertising industry associations, including the Direct Marketing Association and the American Association of Advertising Agencies, issued self-regulatory principles to govern the online practices of their members, in an attempt to stave off federal regulation of behaviorally targeted advertising.

LifeLock Inc., the identity-theft protection company that boasts 1.5 million customers, is embroiled in legal battles with critics who say its key service breaks the law and its advertising defrauds consumers. A federal judge has ruled that the Tempe-based company's practice of setting fraud alerts for consumers with the three main credit bureaus - a major part of its $10-a-month service - is illegal. LifeLock filed a motion challenging the decision. If the court sides with LifeLock's opponents, the decision could stunt the growth of one of the shining stars of Arizona's startup community, forcing the company to permanently alter its practices.

Everywhere you look (even here at Ars), there are articles about people making poor decisions about what kinds of info and how much to share on sites like Facebook. The Internet is no longer a place where you can hide out easily-friends, family, and employers are all lurking, reading your embarrassing status updates and checking up on those drunken pictures from last week. And that's just the beginning-the world of social networking is a feeding ground for identity thieves and stalkers, too. But it doesn't have to be that way. Many users are aware that Facebook has numerous privacy controls, for example, but even the most experienced Facebook users often don't know just how much they can control who sees what. For instance, did you know that you can specify...

There are four "high risk" areas that aren't getting the attention they deserve as financial institutions work toward complying with the ID Theft Red Flags Rule, says a leading industry compliance expert. Many institutions have already complied with the regulation and have done their risk assessment to identify covered accounts and determined what red flags they need to be monitoring. But there are areas that should be considered "high risk" and aren't getting the attention they deserve from institutions, says Sai Huda, CEO of Compliance Coach. The Red Flags Rule is a risk-based regulation. As such, Huda says, compliance should be approached from a risk management and not a purely technical perspective, and institutions should ask these questions: * Which accounts are more at risk to identity theft? * Which red flags represent higher risk? * Which detection and response procedures are commensurate with the risks? * Which service providers pose greater risk? * What controls exist to mitigate the risks? The big question that most institutions have at top of mind is "What about enforcement?" Huda says the federal banking regulators are taking a risk-based, top-down approach when assessing institutions. "They are first assessing whether the [institution] has implemented a risk-based program and how it is overseeing compliance," he says. "If the program is risk-based and sound, they will limit their scope. If not, then they will dig deeper."

Rogue employees and hackers were the most commonly cited sources of data breaches reported during the first half of 2009, according to figures released this week by the Identity Theft Resource Center, a San Diego based nonprofit. The ID Theft Center found that of the roughly 250 data breaches publicly reported in the United States between Jan. 1 and Jun. 12, victims blamed the largest share of incidents on theft by employees (18.4 percent) and hacking (18 percent). Taken together, breaches attributed to these two types of malicious attacks have increased about 10 percent over the same period in 2008. Some 44 states and the District of Columbia now have laws requiring entities that experience a breach to publicly disclose that fact. Yet, few breached entities report having done anything to safeguard data in the event that it is lost or stolen. The ITRC found only a single breach in the first half of 2009 in which the victim reported that the lost or stolen data was protected by encryption technology. "It is a dual problem here undeterred by law or common sense," said ITRC co-founder Linda Foley. "You would think if all these organizations have to notify, that they would take some steps to make sure their data doesn't get exposed in the first place."

Cornell University officials are investigating the theft of a school computer that may have compromised the personal information of about 45,000 current and former students, faculty and staff. University spokesman Simeon Moss says the university has sent e-mails about the incident to everyone whose data was on the computer. They're being offered one year of free credit reporting, credit monitoring and identity restoration services. A Cornell Web page on the theft says there have been no known misuses of the data, which include Social Security numbers. The page says the laptop was in the possession of a Cornell technician who was doing some troubleshooting. Moss says police are investigating the theft.

The million-and-one ways in which the Internet can be useful, efficient and fun are well known. Its potential for abuse by pornographers, phishers, scammers and spammers has also been apparent since its early days. What has taken a bit more time to emerge, however, is awareness of the Internet's increasing threat to privacy as people become more comfortable offering information about themselves online. Faculty members at Wharton say people who access the Internet for what have become routine functions -- sending email, writing blogs, and posting photos and information about themselves on social networking sites -- do not realize how much of their personal privacy, their very identities, they put at risk. Nor do they fully comprehend the extent to which they are inviting mischief, embarrassment and harm, perhaps for decades to come, from others looking to dig up digital dirt. In addition, legal experts say that while laws already on the books provide criminal and civil remedies for some nefarious uses of personal information, the ways in which the Internet can be harnessed for questionable purposes that encroach on privacy have yet to be fully addressed by the courts.

CSOs in healthcare organizations know that the Health Information Technology for Economic and Clinical Health (HITECH) Act, signed into law in February 2009, includes new privacy requirements that experts have called "the biggest change to the health care privacy and security environment since the original HIPAA privacy rule." These include: New requirements that widen the definition of what Personal Health Information (PHI) information must be protected and extend accountability from healthcare providers to their business associates; Lower thresholds, shorter timelines, and stronger methods for data breach victim notification; Effective immediately, increased and sometimes mandatory penalties with fines ranging from $25,000 to as much as $1.5 million; More aggressive enforcement including authority to pursue criminal cases against HIPAA-covered entities or their business associates. No doubt, the HITECH Act raises the stakes for a data breach. But regulations aside, data breaches can hurt your organization's credibility and can carry huge medical and financial risks to the people whose data is lost. We've managed hundreds of data breaches and helped thousands of identity theft victims. Through this we've learned firsthand that compliance doesn't necessarily equal low risk for data breach. For the well being of the business and patients, healthcare organizations and their partners need to take the most comprehensive approach to securing PHI.

It is information no one would want scattered on papers in a parking lot, much less thrown away in a dumpster for anyone to find. Medical records were found behind a 99 Cents store in southwest Houston putting people's identities at risk. "This has got Social Security numbers, Medicare numbers. That's pretty serious," said the man who found the documents. Dozens of documents with sensitive personal information were dumped. A self-proclaimed dumpster diver who wants to remain anonymous found them.

The suggestion comes after a 12 month period in which the Government has admitted losing millions of personal records, including the entire child benefit database. Richard Thomas, the information commissioner, will tell MPs that its annual tracking survey has found a big jump in the way that people view loss of personal data, excessive surveillance, privacy intrusions and identity theft. Its survey of 1,000 people found 94 per cent of people ranked "protecting personal information" as their top concern, ranked equal with concerns about crime. Public awareness of access to their personal information held by public bodies has also jumped, from 74 per cent to 86 per cent between 2007 and 2008. Mr Thomas will say that part of the reason has been the 277 data breaches by public bodies, since HM Revenue and Customs said it had lost the personal details of 25 million families on the child benefit database in October 2007.

Internet scams, phishing, identity theft and other attacks that exploit your personal data are always a threat when you shop online, set up an email account, use a credit card, manage an online bank account or carry your Social Security card. There is hope, however, for fighting these threats, and you can start by taking back control of all of your personal data. The 50 tips and tools in this list will help you understand how these scams originate, how to protect yourself online and offline, and how to track down your personal data on the Internet. Web Privacy Protect yourself and your data online by choosing a secure Web browser, understanding the dos and don'ts of wireless security, and correctly managing passwords.

Is your company keeping information secure? Are you taking steps to protect personal information? Safeguarding sensitive data in your files and on your computers is just plain good business. After all, if that information falls into the wrong hands, it can lead to fraud or identity theft. A sound data security plan is built on five key principles: * Take stock. Know what personal information you have in your files and on your computers. * Scale down. Keep only what you need for your business. * Lock it. Protect the information in your care. * Pitch it. Properly dispose of what you no longer need. * Plan ahead. Create a plan to respond to security incidents. To learn more about how you can implement these principles in your business, play our interactive tutorial. You'll see and hear about practical steps your business can take to protect personal information. After you experience the tutorial, we hope you'll take advantage of the other resources on this site to educate your employees, customers, and constituents. Order copies of our brochure, Protecting Personal Information: A Guide for Business, or publish an article on information security in your newsletter, magazine, or website. All of the information on this site is in the public domain; we hope you'll share it freely.