With privacy breaches and security threats making headlines around the world on a daily basis, it’s becoming increasingly obvious to most enterprises that the personal information and sensitive data they hold is an extremely valuable commodity. However, shared inappropriately—whether by accident or breach—the disclosure of sensitive data can have dramatic financial impacts on an organization and erode consumer trust. The good news here is that this should be highly preventable. So in honor of Data Privacy Day—which will be celebrated this year on Tuesday, January 28—here are 10 tips for improving your privacy and data protection programs in 2014.
Posted in Data Loss
The Year in Review
If there ever was a “year of privacy,” surely it was 2013. A year that ends with dictionary.com selecting “privacy” as “word of the year;” with privacy making front-page headlines in The New York Times and The Washington Post (not to mention The Guardian) on a weekly, indeed almost daily, basis; with cross-Atlantic ties stretched to the limit over privacy issues, the UN passing a privacy resolution and armies of lobbyists spinning BCRs and Do-Not-Track in Washington bars and Brussels cafes—ladies and gentlemen, 2013 was the year of privacy.
In the past, cyber insurance was a polarizing issue in my discussions with privacy and risk professionals. Some professionals where adamant about the benefits of cyber insurance, while others worried that the policies currently on the market didn’t meet its needs or were too costly. However, I believe the industry is maturing and the coverage options today are much better than just a few years ago.
Can you believe how many different state laws we privacy pros need to reference just to determine what is PII? I mean, how many definitions could there be for one short phrase? I am not talking about Pi, the mathematical term, but the acronym for the likewise complex concept of “personally identifiable information.”
The definition of PII is important because it is a trigger for breach notification requirements in 48 U.S. jurisdictions (that’s 46 states plus D.C. and Puerto Rico). But it varies so much that I find myself constantly referencing complex charts, links and statutes to check on its meaning in a given state. Thankfully, the spirit of Halloween has bestowed upon me some inspiration in my search for broader understanding of these definitions. I’ve clustered the 48 definitions of PII into seven groups with similar definitions and dressed them up for Halloween. It’s easier to get acquainted with these definitions when I imagine each cohort as a persona. These personae are the seven PII archetypes.
From the Tool Belt
The recent reports of terminations at Cedars-Sinai Medical Center following inappropriate review of celebrity medical records should serve as a reminder to every healthcare entity—and any company with sensitive information. You must police your own people. They need access to information to do their own job, but history has shown that they can’t be trusted entirely. You need a plan to make sure...
From the Toolbelt
Opening mail still carries the potential of discovering a treasure. Unfortunately for many organizations, the envelope may contain unpleasant information, namely an investigatory letter from the Office for Civil Rights (OCR), the entity that enforces the Health Insurance Portability and Accountability Act (HIPAA).
In early January, 2013, over half a million young Canada professionals awoke to discover—via online newspaper or blog most likely—that the personal information they handed over to the government as part of their university student loan application had been compromised. Human Resources and Skills Development Canada (HRSDC) admitted that anyone who was a client of the Canada Student Loans programs from 2000 to 2006 was at risk. More recently, in April 2013, the Investment Industry Regulatory Organization (IIROC) admitted that the personal information of 52,000 clients from dozens of investment firms had equally been compromised. In both cases massive reputational damage and high-profile lawsuits has ensued.
How did this happen, you might wonder?