Home/ CIPP Information Privacy & Security News/ Group items tagged questions

Karl Wabst

Google chief: Only miscreants worry about net privacy * The Register - 0 views

  •  
    "If you're concerned about Google retaining your personal data, then you must be doing something you shouldn't be doing. At least that's the word from Google CEO Eric Schmidt. "If you have something that you don't want anyone to know, maybe you shouldn't be doing it in the first place," Schmidt tells CNBC, sparking howls of incredulity from the likes of Gawker. But the bigger news may be that Schmidt has actually admitted there are cases where the search giant is forced to release your personal data. "If you really need that kind of privacy, the reality is that search engines - including Google - do retain this information for some time and it's important, for example, that we are all subject in the United States to the Patriot Act and it is possible that all that information could be made available to the authorities." There's also the possibility of subpoenas. And hacks. But if any of this bothers you, you should be ashamed of yourself. According to Eric Schmidt. Gawker highlights the irony of Schmidt's typically haughty proclamations. After all, this is the man who banned CNet for a year after the news site published information about him it had gleaned from, yes, Google. But the larger point here is that Schmidt isn't even addressing the issue at hand. Per usual. When the privacy question appears, Google likes to talk about the people asking the questions. But the problem lies elsewhere: with the millions upon millions blissfully unaware of the questions. If you're concerned about your online privacy, you can always put the kibosh on Google's tracking cookies. You can avoid signing in to Google accounts. And, yes, you can avoid using Google for anything Eric Schmidt thinks you shouldn't be doing. But most web users don't even realize Google is hoarding their data. CNBC asks Schmidt: "People are treating Google like their most trusted friend. Should they be?" But he answers by scoffing at those who don't trust Google at all. Not that you'd expect anythin
Karl Wabst

Four Questions - and Smart Guidance - on Internal Controls | Big Fat Finance Blog - 0 views

  •  
    Has your management team asked the following four questions about your organization's internal controls? 1) Have we identified the meaningful risks to our objectives? 2) Which controls are "key controls" that will best support a conclusion regarding the effectiveness of internal control in a particular process? 3) What information will be persuasive in assessing whether the controls are continuing to operate effectively? 4) Are we presently performing effective monitoring that is not unnecessary and costly testing? These questions appear in a white paper, "Effective Internal Control Systems for Rapidly Changing Markets: A New Opportunity," packed with answers for GRC professionals wondering if there is a better way to operate. The paper, authored by the GRC experts at advisory firm SMART Group, clearly lays out how controls monitoring processes can and should align with the "Guidance on Monitoring" COSO published earlier this year to help organizations strengthen the effectiveness and efficiency of their internal controls frameworks. Among other useful how-to information, the 12-page paper includes a five-step "Implementation Guide" for creating a better controls-monitoring program.
Karl Wabst

Hunch wants you to give it some ideas - Los Angeles Times - 0 views

  •  
    Hunch.com helps users search for answers -- but first, it performs a detailed search on the users themselves. Launching today after a year in development, Hunch aims to supply users with computer-generated advice on thousands of lifestyle and consumer questions: What kind of dog should I buy? What should I get dad for Father's Day? Which book by George Orwell would I like? Most important, though, Hunch is not a search engine. Rather than scouring the open Web for information, as Google, Microsoft's new Bing and scores of others do, or collating written opinions, as Amazon.com does, Hunch computes answers by comparing what it knows about you to what it knows about people like you. "Ultimately, what we're doing is providing a kind of shortcut through human expert systems," said Hunch founder Caterina Fake, who also started Flickr.com, the popular photo-sharing site that was acquired by Yahoo in 2005. By first inviting users to answer as many as 1,500 questions about themselves -- an addictive kind of personality test that involves such diverse questions as political orientation, relationship status and whether you believe in UFOs and keep your closet organized -- Hunch looks to assemble a demographic profile whose depth could rival anything in the commercial universe. The New York company also believes that users stand to benefit from this kind of large-scale data farming -- not just from getting better answers, but also from discovering the many microdemographics to which they belong. Hunch also says it will not sell user data to marketers. But this promise, written into the site's privacy policy, is not precisely a legal contract, said Siva Vaidhyanathan, a new-media scholar at the University of Virginia, and the difference leaves the data it collects in a fuzzy domain.
Karl Wabst

10 Questions to Ask Executives About Risk Management | Sustainable Business Forum - 0 views

  •  
    These were developed for boards, but they would probably be a good basis for questions auditors could ask as well.
Karl Wabst

Facebook's Zuckerberg Says The Age of Privacy is Over - 0 views

  •  
    "Facebook founder Mark Zuckerberg told a live audience yesterday that if he were to create Facebook again today, user information would by default be public, not private as it was for years until the company changed dramatically in December. In a six-minute interview on stage with TechCrunch founder Michael Arrington, Zuckerberg spent 60 seconds talking about Facebook's privacy policies. His statements were of major importance for the world's largest social network - and his arguments in favor of an about-face on privacy deserve close scrutiny. Zuckerberg offered roughly 8 sentences in response to Arrington's question about where privacy was going on Facebook and around the web. The question was referencing the changes Facebook underwent last month. Your name, profile picture, gender, current city, networks, Friends List, and all the pages you subscribe to are now publicly available information on Facebook. This means everyone on the web can see it; it is searchable. I"
  •  
    Zuckerberg should not be trusted with your personal data. The range of reader comments in response to this article is worth a read.
Karl Wabst

Facebook Makes Security Changes as Privacy Controversy Swirls - Security from eWeek - 0 views

  •  
    "Facebook tightens security as it deals with the continuing fallout over changes to its privacy settings." ...Earlier on May 13, Facebook had a meeting where employees asked executives questions about privacy. Facebook officials would not comment on exactly what was said. "We have an open culture and it should come as no surprise that we're providing a forum for employees to ask questions on a topic that has received a lot of outside interest," a spokesperson said.
  •  
    Hey Zuck! Privacy & security are NOT the same thing. Misdirection is not the response FB users are seeking.
Karl Wabst

The road to electronic health records is lined with data thieves | Reuters Money - 0 views

  •  
    Ultimately, your first line of defense rests with your doctor, though, says Peel. To thwart breaches, pepper your doctor with questions. How will my data be transmitted? Will it be encrypted? For assistance, you can also download a question form at Patientprivacyrights.org.
Karl Wabst

URAC :: Health Care Industry Leaders Agree, Electronic Health Records are Coming, Says ... - 0 views

  •  
    URAC, the leading health care accreditation and education organization, announced today the recent Healthcare Information and Management Systems Society (HIMSS) annual conference raised important questions about consumer privacy and security around electronic health records (EHR). (Logo: http://www.newscom.com/cgi-bin/prnh/20030501/URACLOGO ) "There is no doubt that electronic health records are coming. The question is whether or not consumers' privacy is a key issue or an afterthought," said Alan P. Spielman, President and CEO of URAC. "A lot of forces are driving the push for EHR. However, it is important that standards go hand-in-hand with policy so that it doesn't become the Wild West with every vendor and health care provider using different terms." The rules set by the Health Insurance Portability and Accountability Act (HIPAA) are integral to the widespread adoption of EHR. However, the rules can be confusing for consumers and providers. URAC was the first organization to offer HIPAA Privacy Accreditation. The organization now offers comprehensive standards for both HIPAA Privacy and HIPAA Security accreditation. These standards are applicable to all personal health information storage formats and exchanges claims transactions and are designed for many different types of health care organizations including both Covered Entities (CE) and Business Associates (BA). They also require an ongoing compliance program that identifies, tracks and makes the necessary changes in response to a federal or state regulatory change.
Karl Wabst

Facebook founder Mark Zuckerberg responds to privacy concerns | Technology | Los Angele... - 0 views

  •  
    Facebook founder Mark Zuckerberg has responded to the privacy concerns raised in this post by Consumerist. The post pointed out that a change Facebook made to its terms of service left the impression that the social network could keep and use copies of user content (e.g. photos, notes, and personal information) in perpetuity even if users removed the information and closed their accounts. "One of the questions about our new terms of use is whether Facebook can use this information forever," Zuckerberg wrote. But, oddly, he did not answer that question. Instead he opted for a rather roundabout explanation: if you send a friend a message via Facebook's e-mail system, Facebook must create multiple copies of that message -- one for your "sent" message box and one for your friend's inbox. That way, if you leave Facebook, the copy your friend has would not be deleted. Fair enough. The implication is that, by extension, Facebook also keeps copies of all your other information, too. But the e-mail example has a major hole in it. Copying content makes sense for e-mails, where the medium itself depends on messages being copied. The thing is, Facebook users generally do not 'send' other types of content to one another, including photographs. Rather, they post them on their own profiles for others to stop by and see. There's no obvious reason that Facebook would need to perpetually store multiple copies of photographs -- because, as far as the user is concerned, they appear only in one place. Plus, Zuckerberg seems to underestimate his users' understanding of e-mail. My guess is most Facebook users don't think that if they close an e-mail account that all the e-mails they've ever sent will disappear. Frankly, it's not e-mails that are at issue here; it's this other, more personal category of content -- the stuff that people post within their own digital walls. Zuckerberg goes on to write that despite the presence of "overly formal and protective" language that Facebo
Karl Wabst

Q&A: Advice to the next Homeland Security CPO - 0 views

  •  
    Outgoing CPO of the Department of Homeland Security Hugo Teufel discusses his team's accomplishments and the challenges ahead for his successor. If you had a chance to pose any question to the person in charge of protecting Americans' privacy as the U.S. Department of Homeland Security executes its mission, what would you say? I had that chance this month when Hugo Teufel, departing chief privacy officer at the DHS, delivered an address, entitled "Reflections on My Time as DHS CPO of the War on Terror," to the Twin Cities Privacy Retreat. After the address, I cornered Teufel for some follow-up questions. Those and his answers follow.
Karl Wabst

EC publishes Q&A on overseas data transfer * The Register - 0 views

  •  
    The European Commission has prepared a set of questions and answers as well as a flowchart to help companies understand when they can and when they cannot send personal data abroad. The European Union's Data Protection Directive protects the personal data of EU citizens from abuse and misuse. Organisations have a duty to protect it, and that means ensuring that it is not sent to countries with poor data protection. The Directive says that data can be sent to another country "only if... the third country in question ensures an adequate level of protection". Only a handful of countries have been deemed acceptable destinations for data by the European Commission. Those are Switzerland, Canada, Argentina, the Bailiwick of Guernsey, the Isle of Man, the Bailiwick of Jersey and the US, when the data's treatment is in the Safe Harbor Privacy Principles of the US Department of Commerce. The advice has been prepared by the Data Protection Unit of the Directorate-General for Justice, Freedom and Security at the European Commission. It is designed particularly to help small and medium sized companies to understand the law when it comes to transferring personal data outside of the European Economic Area (EEA). The guidance points out that in order for a transfer to be legal, data has to be properly handled in the first place according to the data protection laws of the country where the processing organisation is established. If the transfer is to a country not listed as having adequate data protections in place, a transfer can still take place, the guidance says, but only if "the data controller offers 'adequate safeguards with respect to the protection of the privacy and fundamental rights and freedoms of individuals and as regards the exercise of the corresponding rights'," says the guidance, quoting the Directive. "These safeguards may result from appropriate contractual clauses, and more particularly from standard contractual clauses issued by the Commission," it sai
Karl Wabst

Post-breach criticism of PCI security standard misplaced, Visa exec says - 0 views

  •  
    Visa Inc.'s top risk management executive today dismissed what she described as "recent rumblings" about the possible demise of the PCI data security rules as "premature" and "dangerous" to long-term efforts to ensure that credit and debit card data is secure. Speaking at Visa's Global Security Summit in Washington, Ellen Richey, the credit card company's chief enterprise risk officer, insisted that despite recent data breaches at two payment processors, the Payment Card Industry Data Security Standard (PCI DSS) "remains an effective security tool when implemented properly." Richey added that breaches such as the ones at Heartland Payment Systems Inc. and RBS WorldPay Inc. were shaping public opinion and obscuring what otherwise has been "substantial progress" on the security front over the past year. "I'm sure that everyone in this room has read the headlines questioning how an event of this magnitude could still happen today," Richey said, referring to the Heartland breach. "The fact is, it never should have" - and indeed wouldn't have if Heartland had been vigilant about maintaining its PCI compliance, according to Richey. "As we've said before," she continued, "no compromised entity has yet been found to be in compliance with PCI DSS at the time of a breach." Pointing to Visa's decision last week to remove both of the breached payment processors from its list of PCI-compliant service providers, Richey said that Heartland would face fines and probationary terms that were proportionate to the still-undisclosed magnitude of the breach. "While this situation is unfortunate, it does not make me question the tools we have at our disposal," she said of the PCI rules.
Karl Wabst

Learning, and profiting, from online friendships - 0 views

  •  
    Online spying or behavioral targeting?
  •  
    A question: If you have 347 followers on the Twitter microblogging service, what are the chances that they'll click on the same online ad you clicked on last night? Advertisers are dying to know. Or, say you and a colleague exchange e-mails on a Saturday night. Can managers assume that you have a tight working relationship? Researchers at IBM and Massachusetts Institute of Technology are investigating. Friendships aren't what they used to be. We now have tools, from e-mail to social networks, to keep in touch with people who a decade ago would have drifted into distant memories. Practically every hand we shake and every business card we exchange can lead to an invitation, sometimes within minutes, for a "friendship" on LinkedIn or Facebook. And unless we sever them, these ties could linger for the rest of our lives. What do these relationships say about us and the people in our networks? Companies armed with rich new data and powerful computers are beginning to explore these questions. They're finding that digital friendships speak volumes about us as consumers and workers, and decoding the data can lead to profitable insights. Calculating the value of these relationships has become a defining challenge for businesses and individuals. Marketers are leading the way. They're finding that if our friends buy something, there's a better-than-average chance we'll buy it, too. It's a simple insight but one that could lead to targeted messaging in an age of growing media clutter.
Karl Wabst

The Privacy Crunch -- Courant.com - 0 views

  •  
    When it comes to online privacy, we all appreciate the risk of publicizing juicy factoids such as incriminating photos or credit card numbers. But few of us realize a subtler threat: In abundance, innocuous, everyday data can divulge sensitive information as well. Some questions shouldn't be asked. Employers, for instance, generally are not allowed to discriminate based on marital status, sexual orientation and so on. But our growing digital footprint is threatening our ability to dodge inappropriate inquiries. Through data mining, employers, insurers, advertisers and others can infer the answers to private questions without even asking. They need two things: a heap of personal data, and the techniques to crunch it. Both are readily available. People generate and share more information than ever before. Besides consciously generated Web content such as blogs, Facebook profiles and YouTube videos, a steady stream of data is exchanged in the background. Companies track our searches, browsing and shopping behavior. Personal electronic devices can silently disclose our location while we post status updates and photos to the Web. All this seems innocent enough - and the more others do it, the safer we all feel. After all, what's one more Twitter update among millions?
Karl Wabst

Spotlight On Sotomayor's Views On Abortion, Privacy - 0 views

  •  
    Abortion has long been a misguided litmus test for the Supreme Court - but privacy rights?
  •  
    Supreme Court nominee Judge Sonia Sotomayor's views on abortion and privacy rights are coming into the spotlight as attention turns to her confirmation. NARAL Pro-Choice America is urging senators to make sure Sotomayor is questioned on Roe v. Wade and privacy rights during her confirmation hearings. President Barack Obama is pro-choice, but Sotomayor's views are not known. The White House was asked yesterday if the president asked Sotomayor about abortion or privacy rights. A spokesman says the president did not specifically ask that question. The discussion comes as supporters and opponents of Sotomayor's nomination are taking their message to the airwaves. A coalition of liberal groups has unveiled a television advertisement in favor of Sotomayor's confirmation touting her extensive resume, while a conservative group calling itself the Judicial Confirmation Network has put out its own ad, charging Sotomayor will push a liberal agenda based on her gender and racial background. The White House is hoping Sotomayor will get the green light before the Senate goes on recess in August. Republicans are signaling they will not delay Sotomayor's confirmation, but will scrutinize her legal philosophy and some of her past decisions as a judge.
Karl Wabst

ID Theft Red Flags: 4 High Risk Areas - 0 views

  •  
    There are four "high risk" areas that aren't getting the attention they deserve as financial institutions work toward complying with the ID Theft Red Flags Rule, says a leading industry compliance expert. Many institutions have already complied with the regulation and have done their risk assessment to identify covered accounts and determined what red flags they need to be monitoring. But there are areas that should be considered "high risk" and aren't getting the attention they deserve from institutions, says Sai Huda, CEO of Compliance Coach. The Red Flags Rule is a risk-based regulation. As such, Huda says, compliance should be approached from a risk management and not a purely technical perspective, and institutions should ask these questions: * Which accounts are more at risk to identity theft? * Which red flags represent higher risk? * Which detection and response procedures are commensurate with the risks? * Which service providers pose greater risk? * What controls exist to mitigate the risks? The big question that most institutions have at top of mind is "What about enforcement?" Huda says the federal banking regulators are taking a risk-based, top-down approach when assessing institutions. "They are first assessing whether the [institution] has implemented a risk-based program and how it is overseeing compliance," he says. "If the program is risk-based and sound, they will limit their scope. If not, then they will dig deeper."
Karl Wabst

10 steps to section 404 efficiency: several key points provide guidance for auditing th... - 0 views

  •  
    DESPITE SIGNIFICANT IMPROVEMENTS since the U.S. Sarbanes-Oxley Act of 2002 became effective, the continuing cost of compliance with the act's Section 404 requirements remains a concern for board members and management. A periodic operational audit of the Section 404 program can provide valuable information to executive management and the audit committee, and potentially identify areas where significant cost savings can be realized. Whether the Section 404 program is managed by the finance department, internal auditing, or another organization, it's an excellent candidate for this type of review, particularly if the focus remains on program efficiency. Several questions, based on The IIA's publication Sarbanes-Oxley Section 404: A Guide for Management by Internal Control Practitioners, can be used as the basis for the audit. The questions cover issues ranging from ensuring that operating management takes ownership of its processes, to achieving fewer and more effective key controls, to determining whether the external auditor's reliance on management testing has been optimized.
Karl Wabst

Disappearance of Privacy Board From White House Web Site Raises Questions - ProPublica - 0 views

  •  
    The White House has erased all mention of the Privacy and Civil Liberties Oversight Board from its Web site. The removal, which was done with no public notice, has underlined questions about the Obama administration's commitment to the board, which was created on the recommendation of the 9/11 Commission to oversee the federal government's actions on civil liberties and privacy.
Karl Wabst

The Ultimate Guide to Internet Privacy Law: 100 Must-Read Resources by The Da... - 0 views

  •  
    Every time you get online, your privacy comes under attack. Whether it's an overbearing End User License Agreement, contact forms, or just website cookies, there are literally millions of ways that you can let your private information slip away online. One of the best ways to fight invasions of your privacy is to get informed and learn how to prevent it. Read on to find advice, organizations, and other resources that can help you keep your privacy safe online. Guides & Articles These resources have specific advice and information for protecting your online privacy. 1. EFF's Top 12 Ways to Protect Your Online Privacy: Read this guide from the Electronic Frontier Foundation to learn how you can protect private information online. 2. Frequently Asked Questions about Online Privacy: Get answers to questions about online privacy and safety from this resource. 3. Is Your PC Watching You? Find Out!: This article from CNN will help you figure out if your privacy is being violated through your PC. 4. Nameless in Cyberspace: Anonymity on the Internet: Find out why the right to anonymity online is so important to have by reading this article. 5. Consumer Privacy Guide: The Consumer Privacy Guide offers a variety of resources and information for protecting your privacy online. 6. This Email Will Self-Destruct: Learn about email security measures that you can take to protect your privacy. 7. Anti-Spam Resources: Visit this guide to learn how to stop receiving junk email. 8. All About Internet Privacy and Security: Read this guide to learn about security terms and Internet privacy settings. 9. Online Privacy: The Complete Guide to Protect You: WebUpon's guide discusses steps you can take to protect your online privacy. 10. Social Networking and Safety Online: Read this guide to learn how to practice common sense on social networking sites. 11. Internet privacy: Wikipedia's entry on Internet privacy offers a broad view at staying private o
Karl Wabst

Lawmakers probe deeper into privacy - The Hill's Hillicon Valley - 0 views

  •  
    "House lawmakers stepped up their questioning of companies that collect and store information about consumers both on the Internet and in real life. In a hearing today, lawmakers interested in drafting legislation that would place restrictions on how Internet and marketing firms collect consumer information, asked Wal-Mart, WPP and privacy advocates detailed questions about how personal information is gathered and used. Reps. Rick Boucher (D-Va.), Bobby Rush (D-Ill.) and Cliff Stearns (R-Fla.) have been considering a bill, but a draft will most likely not be released until early next year. (See interview with Rush.) The House Energy and Commerce Subcommittees on Commerce, Trade, and Commerce Protection and Communications, Technology, and the Internet held a joint hearing on the topic--although it was poorly attended by members. "We've moved from an era of privacy keepers to one of privacy peepers and data-mining weepers who want to turn our information into products," said Rep. Ed Markey (D-Mass.). "The product is our records, our privacy, our family's history. We wouldn't let the government do this, so we have to protect against companies that want to do this." "It is understandable that most Americans simply do not trust that their personal information is properly protected," said Rep. Doris Matsui (D-Calif.). "