Posted in Data Loss


Forget a National Data-Security Standard; I’d Be Happy with a One-Word Correction

I recently had the opportunity to watch recorded versions of the congressional hearings on cybercrime and the post-Thanksgiving data breaches. I came away confused and longing for a simpler time.

Not for a time, as you may think, when we didn’t have international computer hackers. I’m longing for a time when language didn’t fail us, when words would capture a concept and the definition would be so right that it addressed whatever future circumstances brought.

More from Jane Carpenter

Top 10 Data Privacy Tips for 2014 #DPD14

By Dana Simberkoff, CIPP/US

With privacy breaches and security threats making headlines around the world on a daily basis, it’s becoming increasingly obvious to most enterprises that the personal information and sensitive data they hold are an extremely valuable commodity. However, if that data is shared inappropriately—whether by accident or breach—the disclosure can have dramatic financial impacts on an organization and erode consumer trust. The good news here is that this should be highly preventable. So in honor of Data Privacy Day—which will be celebrated this year on Tuesday, January 28—here are 10 tips for improving your privacy and data protection programs in 2014.

More from Dana Simberkoff

The Year in Review

2013: The Year of Privacy

[Image: Privacy Perspectives word cloud]

If there ever was a “year of privacy,” surely it was 2013. A year that ends with selecting “privacy” as “word of the year;” with privacy making front-page headlines in The New York Times and The Washington Post (not to mention The Guardian) on a weekly, indeed almost daily, basis; with cross-Atlantic ties stretched to the limit over privacy issues, the UN passing a privacy resolution and armies of lobbyists spinning BCRs and Do-Not-Track in Washington bars and Brussels cafes—ladies and gentlemen, 2013 was the year of privacy.

More from Omer Tene

Cyber Insurance

Cyber Insurance: Three Common Myths Debunked

By Michael Bruemmer, CIPP/US

In the past, cyber insurance was a polarizing issue in my discussions with privacy and risk professionals. Some professionals were adamant about the benefits of cyber insurance, while others worried that the policies currently on the market didn’t meet their needs or were too costly. However, I believe the industry is maturing and the coverage options today are much better than just a few years ago.

More from Michael Bruemmer

Breach Notification

The Many Lives of PII

By Annie C. Bai, CIPP/US

Can you believe how many different state laws we privacy pros need to reference just to determine what is PII? I mean, how many definitions could there be for one short phrase? I am not talking about Pi, the mathematical term, but the acronym for the likewise complex concept of “personally identifiable information.” 

The definition of PII is important because it is a trigger for breach notification requirements in 48 U.S. jurisdictions (that’s 46 states plus D.C. and Puerto Rico). But it varies so much that I find myself constantly referencing complex charts, links and statutes to check on its meaning in a given state. Thankfully, the spirit of Halloween has bestowed upon me some inspiration in my search for broader understanding of these definitions. I’ve clustered the 48 definitions of PII into seven groups with similar definitions and dressed them up for Halloween. It’s easier to get acquainted with these definitions when I imagine each cohort as a persona. These personae are the seven PII archetypes.

More from Annie C. Bai

From the Tool Belt

Policing Your Own People

By Kirk J. Nahra, CIPP/US

The recent reports of terminations at Cedars-Sinai Medical Center following inappropriate review of celebrity medical records should serve as a reminder to every healthcare entity—and any company with sensitive information. You must police your own people. They need access to information to do their own job, but history has shown that they can’t be trusted entirely. You need a plan to make sure...

More from Kirk J. Nahra

From the Tool Belt

What Should You Do If You Receive an Investigatory Letter From the OCR?


Opening mail still carries the potential of discovering a treasure. Unfortunately for many organizations, the envelope may contain unpleasant information, namely an investigatory letter from the Office for Civil Rights (OCR), the entity that enforces the Health Insurance Portability and Accountability Act (HIPAA).

More from K Royal



In early January 2013, over half a million young Canadian professionals awoke to discover—via online newspaper or blog, most likely—that the personal information they handed over to the government as part of their university student loan application had been compromised. Human Resources and Skills Development Canada (HRSDC) admitted that anyone who was a client of the Canada Student Loans programs from 2000 to 2006 was at risk. More recently, in April 2013, the Investment Industry Regulatory Organization (IIROC) admitted that the personal information of 52,000 clients from dozens of investment firms had likewise been compromised. In both cases, massive reputational damage and high-profile lawsuits have ensued.

How did this happen, you might wonder? 

More from Daniel Horovitz