The YourSpace Project

a class blog for Indiana Wesleyan University students

Archive for the ‘Privacy’ Category

National Data Breach Laws Move Through Senate

Posted by Russ Ray on November 24, 2009

It’s about time!

The Personal Data Privacy and Security Act would set standards for protecting sensitive personally identifying information and impose civil penalties for those caught violating them.

It would make it illegal for a company to conceal a breach if it resulted in unauthorized access to sensitive personal information. Entities that experience the breach of such data would have to notify the affected victims and consumer reporting agencies if the breach involves more than 5,000 individuals. They would have to notify the U.S. Secret Service if the intrusion involves more than 10,000 individuals.

The bill would also make theft of personal information subject to federal racketeering charges.

The second bill, the Data Breach Notification Act, would require entities engaged in interstate commerce to notify victims whose personal information is compromised in a breach — unless disclosure would harm national security or in some way hinder a law-enforcement investigation. Breached entities would have to notify the Secret Service if more than 10,000 individuals are affected by the breach, or if the breached database contains information on more than 1 million people, is a federal government database or involves national security.

Forty-four states currently have breach-notification laws that require entities to notify residents of those states if any are affected by breaches of personally identifiable information. The laws, however, vary by state. Some require the breached entity to also inform a state agency, such as the attorney general’s office, if a breach occurs, which makes it easier to track breaches.

Hat tip to Threat Level.

Posted in ADM 316, Business, Internet, Privacy, Security

Teens Sue High School That Punished Them for Racy MySpace Pics

Posted by Russ Ray on November 19, 2009

Do you think everything you publish on the internet is private? Think again…

Two Indiana teenagers have sued their school district after they were punished for posting suggestive photos on MySpace. The girls, 10th-graders at Churubusco High School in Churubusco, Indiana, say they were humiliated after the school banned them from fall semester extracurricular activities and forced them to apologize to the all-male Athletics Board (composed of varsity coaches). The girls also had to attend three counseling sessions.

The American Civil Liberties Union has filed the proposed class-action suit on behalf of the girls and all present and future students at the school who participate or may participate in extracurricular activities. The ACLU argues the district violated the girls’ First Amendment rights and should not have punished them for activities conducted outside school. The suit names the girls’ high school, school district and principal.

According to the complaint, the photos in question were taken at a slumber party that occurred during the summer school break. The girls were photographed “pretending to kiss or lick a large multi-colored lollipop shaped (like a) phallus.” Other pictures showed them in lingerie with dollar bills tucked into the underwear. The girls each posted the pictures to their MySpace pages. Only “friends” could view the photos on their pages. But after someone copied the images, they found their way to the school principal.

According to the school’s student handbook, the principal “may exclude any student-athlete from representing Churubusco High School if his/her conduct in or out of school reflects discredit” upon the school or creates a “disruptive influence on the discipline, good order, moral, or educational environment” at the school.

There are a lot of interesting comments attached to this article. Many of them get back to the age-old argument of whether or not the school has a right to suspend a student for something that happened off-campus. Even more interesting is the idea that these students (and whoever leaked the photos to the principal) could have been charged with distributing child pornography for posting pictures of themselves while underage and committing what would appear to be sex acts.

I’m pretty sure that when Al Gore invented the internet, he never considered anything like this would happen. Hat tip to Threat Level.

Posted in ADM 316, Internet, Law, Mass Media, Networks, Privacy

Medical Records: Stored in the Cloud, Sold on the Open Market

Posted by Russ Ray on November 18, 2009

While HIPAA protects your personal healthcare data and mandates that you approve the release of said data to other healthcare professionals and your insurer, it appears that what these outside data management companies are doing is legal, even if it sounds distasteful.

When patients visit a physician or hospital, they know that anyone involved in providing their health care can lawfully see their medical records. But unknown to patients, an increasing number of outside vendors that manage electronic health records also have access to that data, and are reselling the information as a commodity.

The revelation comes in a recent New York Times article about how so-called “scrubbed” patient data isn’t as anonymous as people think. The piece focuses primarily on how anonymized data can be cross-bred with other publicly available databases, such as voting records, which subverts the anonymity. Buried near the end of the article is the news that medical data is collected, anonymized and sold, not by insurance agencies and health care providers, but by third-party vendors who provide medical-record storage in the cloud.

As part of their contracts with the vendors, doctors are agreeing to let some vendors access and collect the patient data, scrub it of personally identifying information, and sell it in bulk to pharmaceutical companies and other buyers, the Times reports.

George Hill, an analyst at Leerink Swann, a health care investment bank, told the Times that the market for health record systems is $8 billion to $10 billion annually. About 5 percent of this income comes not from the sale of information systems but from the sale of data and analysis. As more physicians and hospitals — spurred by federal incentives — switch to electronic recordkeeping, revenue from the sale of health data could grow to $5 billion, Hill said.

Vendors say they re-sell the data for research purposes and scrub it of identifying information first to protect patient privacy. But in 1997, Latanya Sweeney, director of the Data Privacy Lab at Carnegie Mellon University, showed how she was able to pick out the medical records of William Weld (then the governor of Massachusetts) from scrubbed medical information published by the state’s insurance commission by simply correlating the anonymized data with birthdays, ZIP codes and gender information published in the state’s voter-registration rolls.

According to Sweeney, 87 percent of the U.S. population can be uniquely identified simply from their birthdate, gender and zip code. Patient advocate groups have called for greater oversight and regulation of the electronic health-record industry to control what software vendors can access and what they can do with the data.

Hat tip to Threat Level. This link also has an image indicating who really has access to patient data, courtesy of PatientPrivacyRights.org.

Posted in ADM 316, Law, Privacy, Security
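An added example, not part of the original post or of the Times or Sweeney material: a release-side check for the linkage risk described in the post above. It counts how many rows of a constructed "scrubbed" table are unique on birth date, gender and ZIP code, then generalizes those fields and suppresses small groups; the records, field names and the threshold k=2 are assumptions.

```python
from collections import Counter

# Constructed sample: names removed, but the three quasi-identifiers
# named in the post (birth date, gender, ZIP code) are still present.
RECORDS = [
    {"dob": "1950-01-15", "sex": "M", "zip": "02138", "dx": "A"},
    {"dob": "1950-06-20", "sex": "M", "zip": "02139", "dx": "B"},
    {"dob": "1962-03-14", "sex": "F", "zip": "02139", "dx": "C"},
    {"dob": "1962-11-02", "sex": "F", "zip": "02134", "dx": "D"},
    {"dob": "1962-03-14", "sex": "F", "zip": "02139", "dx": "E"},
    {"dob": "1978-09-09", "sex": "M", "zip": "46953", "dx": "F"},
]

def exact(r):
    """Quasi-identifier key as the vendor would release it today."""
    return (r["dob"], r["sex"], r["zip"])

def coarse(r):
    """Generalized key: birth year only, 3-digit ZIP prefix."""
    return (r["dob"][:4], r["sex"], r["zip"][:3])

def class_sizes(records, key):
    """Size of each group of rows sharing the same quasi-identifiers."""
    return Counter(key(r) for r in records)

def k_anonymity(records, key):
    """Smallest group size; k=1 means at least one row stands alone."""
    sizes = class_sizes(records, key)
    return min(sizes.values()) if sizes else 0

def unique_fraction(records, key):
    """Share of rows that an outside list with the same fields pins down."""
    sizes = class_sizes(records, key)
    return sum(1 for r in records if sizes[key(r)] == 1) / len(records)

def release(records, key, k):
    """Emit generalized rows, suppressing any group smaller than k."""
    sizes = class_sizes(records, key)
    return [{"qi": key(r), "dx": r["dx"]}
            for r in records if sizes[key(r)] >= k]

if __name__ == "__main__":
    for name, key in (("exact", exact), ("coarse", coarse)):
        print(name, "k =", k_anonymity(RECORDS, key),
              "unique =", round(unique_fraction(RECORDS, key), 2))
    safe = release(RECORDS, coarse, k=2)
    print("released", len(safe), "of", len(RECORDS), "rows")
```

Generalizing alone still leaves one row unique in this sample, which is why the release step also suppresses groups below the threshold.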

Two-Year Operation Nets 100 Phishers

Posted by Russ Ray on November 6, 2009

Sounds like the definition of a classic phishing scheme:

The indictment charges that cyberthieves located in Egypt used classic phishing tactics to direct victims to phony Web sites, where they entered passwords, account numbers, and other data. That info was used to hack into accounts at two banks. Money was transferred from the compromised accounts to fraudulent accounts created by “runners” recruited by the U.S.-based co-conspirators.

Posted in ADM 316, Internet, Privacy, Security

Security Flaws Discovered in Calif. EDD Website

Posted by Russ Ray on November 3, 2009

Identity thieves are looking at your resume online to get information to impersonate you. Make sure that whatever dealings you have with companies on the internet that have access to your personal data are secured.

Posted in ADM 316, Internet, Privacy, Security

Comcast to Warn PC Users If They’re Infected

Posted by Russ Ray on November 2, 2009

If Comcast is your ISP, it appears that they will start monitoring accounts to make sure you’re not part of a botnet, a network of computers that launch spam, denial of service and malware attacks on other computers without a user’s knowledge. Sometimes it is also called a zombie computer… this is the same type of infection that drove the Conficker scare earlier this year.

Posted in ADM 316, Internet, Networks, Privacy, Security

New Malware Re-Writes Online Bank Statements to Cover Fraud

Posted by Russ Ray on October 30, 2009

Here’s a real scare for your Halloween weekend:

New malware being used by cybercrooks does more than let hackers loot a bank account; it hides evidence of a victim’s dwindling balance by rewriting online bank statements on the fly, according to a new report.

The sophisticated hack uses a Trojan horse program installed on the victim’s machine that alters html coding before it’s displayed in the user’s browser, to either erase evidence of a money transfer transaction entirely from a bank statement, or alter the amount of money transfers and balances.

The ruse buys the crooks time before a victim discovers the fraud, though it won’t work if a victim uses an uninfected machine to check his or her bank balance.

Posted in ADM 316, Internet, Privacy, Security

Doctors Mistakenly Fax Patients’ Data to Indiana Company

Posted by Russ Ray on October 29, 2009

The lack of security around a fax machine amazes me. People don’t use cover sheets because they are lazy and in a hurry… well, maybe not, if there isn’t personal data on there.

But when people use a fax machine for personal use at work, they are generally sending information to banks, health insurers, and mortgage companies. Most of that information contains privacy-sensitive data, yet when you get your transmission sheet back and somebody dumps it on the pile, there is your SSN, bank account numbers, and address for all to behold.

The fax machine ought to be a secured item in your office. Here’s an example of what can happen in a real-world scenario:

Doctors’ offices in Tennessee have been accidentally sending patient information, including Social Security numbers and medical histories, to an Indiana businessman’s fax machine for the past three years. The sensitive medical information was supposed to be sent to the Tennessee Department of Human Services, but Bill Keith, owner of SunRise Solar Inc. in Indiana, says hundreds of confidential medical faxes have been coming to him.

“This is a total breach of privacy,” Keith said. “This is supposed to be confidential, and it just so happens we have some scruples here and wouldn’t do anything with that information. We’ve shredded them, but you can have a file an inch thick in no time.” It looks like the trouble stems from the toll-free fax number. Keith’s number is close to that of the state’s Disability Determination Section, under DHS.

Keith’s fax rang 167 times in a month at the peak of the problem, he said. Keith said he hasn’t kept an exact count, but his office averages about five patient faxes a week and sometimes more.

Posted in ADM 316, Privacy, Security

National Cybersecurity Awareness Month

Posted by Russ Ray on October 21, 2009

Here are some words and tips from our president.

It’s nice to see the government taking this threat seriously and trying to educate the public.

Hat tip to Mark Griffin.

Posted in ADM 316, Internet, Networks, Privacy, Security

Facebook Manners and You

Posted by Russ Ray on September 28, 2009

This video was shared on Twitter. It’s funny and done in the style of a 1950s educational film. Obviously, this is all tongue-in-cheek, but it speaks a lot to how people treat relationships over the internet differently than they treat live relationships and how freely people publish personal information that probably shouldn’t be shared over the internet.

Posted in ADM 316, Internet, Networks, Privacy, Security