<?xml version="1.0" encoding="utf-8"?>
<rss xmlns:atom="http://www.w3.org/2005/Atom" version="2.0"><channel><title>Data Privacy Regulation &amp; Management - Latest Comments</title><link>http://privacy.disqus.com/</link><description></description><atom:link href="https://privacy.disqus.com/comments.rss" rel="self"></atom:link><language>en</language><lastBuildDate>Tue, 22 Mar 2011 11:43:47 -0000</lastBuildDate><item><title>Re: Privacy is not Security</title><link>http://privacyregulation.com/?p=2072#comment-169626775</link><description>&lt;p&gt;Thanks for the thoughtful response Jason.  I also read your blog posts about the interview.  Perhaps it is a dynamic tension between two strong leaders coming from the two different disciplines that is the best solution for organizations like this.  I think a "privacy engineer", as referenced in the IAPP Report, is best placed as a functional role in service of the two separate disciplines acting differently but with the same mission.  Each of the two roles needs the basics to understand the other, but not "be" the other.&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Stephen Meltzer</dc:creator><pubDate>Tue, 22 Mar 2011 11:43:47 -0000</pubDate></item><item><title>Re: Privacy is not Security</title><link>http://privacyregulation.com/?p=2072#comment-169615601</link><description>&lt;p&gt;I recently interviewed with this company for the position you mentioned (as you can see the job is still open 7 months later).  I would like to agree and disagree with your characterization.  As you properly point out, the company views the position as 50% privacy and 50% security with a strong emphasis on the technical security skills.  On the other hand, there is a desire by at least some people at the company to focus on privacy at an early stage.  Not many startups are hiring for privacy positions and I think it took 5 years or more before Facebook had a dedicated CPO.  
In other words, their heart is in the right place even though they may be misguided.  &lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Jason Cronk</dc:creator><pubDate>Tue, 22 Mar 2011 11:24:03 -0000</pubDate></item><item><title>Re: South Africa privacy law impacts mobile phone subscriber numbers</title><link>http://privacyregulation.com/?p=757#comment-109874223</link><description>&lt;p&gt;Great post. I have been searching for this exact info for a while now. I will bookmark it in the public bookmarking sites to get you more traffic.&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Asbestos Lawyer</dc:creator><pubDate>Fri, 10 Dec 2010 09:03:04 -0000</pubDate></item><item><title>Re: Obama to name Howard Schmidt as cybersecurity coordinator &amp;#8211; washingtonpost.com</title><link>http://privacyregulation.com/?p=1405#comment-76369446</link><description>&lt;p&gt;Finally!!!!!!  Congress is doing SOMETHING!  An official cybersecurity coordinator.  Hmmmmm   Congress has struggled with these issues long enough!  We need a computer guru in there who can hack into anything and he/she can tell us what kind of security we need, and help see that it is put in place.   Is that Mr. Schmidt?  He's been around since the Bush administration, and we are still struggling.  What does that tell you?   In the mean time the Internet has taken on a life of its own.  What about database trespass?  Hmmmmmmm  I hope it's not too late to "get the cow back in the barn".  &lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Judi </dc:creator><pubDate>Thu, 09 Sep 2010 11:30:52 -0000</pubDate></item><item><title>Re: Privacy is not Security</title><link>http://privacyregulation.com/?p=2072#comment-69104875</link><description>&lt;p&gt;I agree.  As you could probably tell from the post, I hit a boiling point.  The confusion is fairly common - it's when it gets systemic that really put me over.  
When senior management can't, or just doesn't, make the distinction we are all put in jeopardy.  Thanks for contributing.&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Stephen Meltzer</dc:creator><pubDate>Mon, 16 Aug 2010 08:39:00 -0000</pubDate></item><item><title>Re: Privacy is not Security</title><link>http://privacyregulation.com/?p=2072#comment-69103937</link><description>&lt;p&gt;I agree with your demarcation of the two disciplines. People mistakenly confuse the two and lump them conveniently into one silo. I see the same confusion with the use of 'disaster recovery' and 'business continuity.'&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Al Raymond</dc:creator><pubDate>Mon, 16 Aug 2010 08:30:19 -0000</pubDate></item><item><title>Re: Secretary Sebelius Announces Final Rules To Support ‘Meaningful Use’ of Electronic Health Records</title><link>http://privacyregulation.com/?p=2067#comment-64299163</link><description>&lt;p&gt;Thanks for information, I'll always keep updated here!&lt;br&gt;&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Medicaid Doctors</dc:creator><pubDate>Mon, 26 Jul 2010 12:53:06 -0000</pubDate></item><item><title>Re: FTC Exploring Privacy Roundtable Agenda</title><link>http://privacyregulation.com/?p=1090#comment-61614785</link><description>&lt;p&gt;That newer car will probably cost more, so even at a lower interest rate your payments could be higher than the &lt;a href="http://www.unionbankcalifornia.net" rel="nofollow noopener" target="_blank" title="http://www.unionbankcalifornia.net"&gt;&lt;b&gt;union bank california&lt;/b&gt;&lt;/a&gt; payments on a less expensive older model at a slightly higher interest rate. Of course, your individual credit-worthiness will impact the loan rate you are quoted, as with any other financial product. Be sure you ask, too, if the credit union is sponsoring a used car sale any time soon. 
These events can give you a great place to comparison shop for dozens and dozens of vehicles. The prices are usually marked on (or in) the cars, and may be purported to be “non-negotiable.” But ask anyway. You may be able to negotiate a lower price, so why not check it out?&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">ChristopherBPurrowes</dc:creator><pubDate>Sun, 11 Jul 2010 14:38:23 -0000</pubDate></item><item><title>Re: New Massachusetts Privacy Laws &amp;#8211; Computer Security</title><link>http://privacyregulation.com/?p=51#comment-58579374</link><description>&lt;p&gt;But there are still many virus infecting computer:(&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Remove Spyware</dc:creator><pubDate>Fri, 25 Jun 2010 06:07:46 -0000</pubDate></item><item><title>Re: Analyst Report: PCI DSS Compliance Survey &amp;#8211; companies still struggle</title><link>http://privacyregulation.com/?p=920#comment-58079991</link><description>&lt;p&gt;Privacy is key in my industry. I'm a transporter and I have many other transporters trying to steal from me. This is very helpful. Thank you guys again for the website.&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Car Shipping</dc:creator><pubDate>Tue, 22 Jun 2010 14:07:33 -0000</pubDate></item><item><title>Re: Heartland, MasterCard Settle Over Data Breach</title><link>http://privacyregulation.com/?p=1839#comment-51635185</link><description>&lt;p&gt;Thanks janice33rpm, I will definitely check out IT Wars.&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Stephen Meltzer</dc:creator><pubDate>Sun, 23 May 2010 16:13:42 -0000</pubDate></item><item><title>Re: Heartland, MasterCard Settle Over Data Breach</title><link>http://privacyregulation.com/?p=1839#comment-51596152</link><description>&lt;p&gt;Great article highlighting the need for everyone to have a much higher computer/data security awareness.  
Some great free reading is available that reflects what’s in the article.  Check a book we use at work, "I.T. WARS" (you can Google to it, a good part of it is available online at Google Books; Amazon too).  It has a great Security chapter, and others that treat security, content management, policy, etc.  Highly recommended.  Great stuff.&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">janice33rpm</dc:creator><pubDate>Sun, 23 May 2010 12:24:48 -0000</pubDate></item><item><title>Re: Digital Medical Records&amp;#8217; Privacy a Problem</title><link>http://privacyregulation.com/?p=793#comment-48514817</link><description>&lt;p&gt;A much wiser idea is to take a long hard look at the entire health insurance industry and then work to remedy the situation by taking out the waste and creating new, innovative ideas that would be a benefit for all.&lt;/p&gt;&lt;p&gt;Thank you for sharing this post.&lt;/p&gt;&lt;p&gt;&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Vista Health Solutions</dc:creator><pubDate>Wed, 05 May 2010 11:59:23 -0000</pubDate></item><item><title>Re: Laptop with Belize birth certificate information stolen</title><link>http://privacyregulation.com/?p=753#comment-46387341</link><description>&lt;p&gt;I think it's a more valuable site!&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">birth records</dc:creator><pubDate>Sat, 24 Apr 2010 09:47:29 -0000</pubDate></item><item><title>Re: Data breach by Anglo Irish Bank affects UK clients</title><link>http://privacyregulation.com/?p=1123#comment-41358417</link><description>&lt;p&gt;Anglo Irish Bank seemed to tolerate low standards in high places I am aware that they currently have on a debtors list a current sitting high court judge who is using his clout to prevent his name being released The same judge has set himself up a Foundation for £82m sterling using his wife’s name and his late mother in law’s date of birth The 
address for residency he is using is currently being investigated to see if the house is occupied or empty and the registered business address appears to be one where correspondence is just sent on to the person&lt;/p&gt;&lt;p&gt;It is very much a case of low standards in high places as this judge is one of the most prominent judges in the central criminal courts and he is overseeing justice to others yet his fellow judges consider him fit to practice on the bench&lt;/p&gt;&lt;p&gt;&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Charlotte</dc:creator><pubDate>Wed, 24 Mar 2010 08:41:47 -0000</pubDate></item><item><title>Re: New Massachusetts Privacy Laws &amp;#8211; The WISP</title><link>http://privacyregulation.com/?p=46#comment-39230099</link><description>&lt;p&gt;Al,&lt;br&gt;&lt;br&gt;Have you done a complete assessment or are you relying on someone else's analysis of where there is PI?  Are you approaching this from a "digital asset" approach only or are you looking at all of the business processes and assets?&lt;br&gt;&lt;br&gt;The reason I ask these questions is because I find that IT folks seem to focus on information technology only and fail to see (or even look for) personal information and/or highly sensitive information in processes and information flow if it falls outside of information technology assets.  (I do not even know your perspective).  I would be very careful to completely understand all of the functions of the organization before determining too quickly that the PI is only in HR and that it is locked down.  Privacy protection is more of a human challenge than it is a technology challenge - don't let technical security cloud a true assessment of information vulnerability.  
Sorry but I feel preachy tonight.&lt;/p&gt;&lt;p&gt;The planning and implementation for a proper ISMS for the 1,500 employee college would probably involve hundreds of hours of work between HR, IT and legal.&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Stephen Meltzer</dc:creator><pubDate>Thu, 11 Mar 2010 20:04:17 -0000</pubDate></item><item><title>Re: New Massachusetts Privacy Laws &amp;#8211; The WISP</title><link>http://privacyregulation.com/?p=46#comment-39225978</link><description>&lt;p&gt;Thanks Steve. For me small would be 100 employees PI just in HR dept. employee data well control. Medium would be small college 1,500 students and faculty, PI in various depts.&lt;br&gt;&lt;br&gt;Al&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Al</dc:creator><pubDate>Thu, 11 Mar 2010 19:15:22 -0000</pubDate></item><item><title>Re: New Massachusetts Privacy Laws &amp;#8211; The WISP</title><link>http://privacyregulation.com/?p=46#comment-38940156</link><description>&lt;p&gt;Hi Al:&lt;/p&gt;&lt;p&gt;Define small to medium.  Also, there is great variation among  types of businesses and their use and control of personal information.  
The least amount of time I have spent (or, I should say, was spent by me and a board member combined) was probably about 3 hours for a small fully volunteer non-profit organization with a few small fundraisers each year.&lt;/p&gt;&lt;p&gt;On the other hand, 20 to 25 hours were needed to draft a plan for a small law firm (3 lawyers and 2 staff) and for a small CPA firm (4 CPA's and 5 staff) - both with extensive electronic and paper data processes and storage.&lt;/p&gt;&lt;p&gt;Two-thirds to three-quarters of the time spent was in the assessment phase.&lt;/p&gt;&lt;p&gt;The best answer, therefore, is "it depends."&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Stephen Meltzer</dc:creator><pubDate>Wed, 10 Mar 2010 21:56:37 -0000</pubDate></item><item><title>Re: New Massachusetts Privacy Laws &amp;#8211; The WISP</title><link>http://privacyregulation.com/?p=46#comment-38938250</link><description>&lt;p&gt;Steve,&lt;/p&gt;&lt;p&gt;How many hours have you typically spent or the range of hours in creating a WISP for small to medium sized companies?&lt;/p&gt;&lt;p&gt;Thanks&lt;br&gt;Al&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Al Chatman</dc:creator><pubDate>Wed, 10 Mar 2010 21:29:55 -0000</pubDate></item><item><title>Re: Heartland Announces $60 Million Visa Settlement</title><link>http://privacyregulation.com/?p=1606#comment-29552495</link><description>&lt;p&gt;Thanks for the recommendation.  I will definitely check IT Wars out.&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Stephen Meltzer</dc:creator><pubDate>Tue, 12 Jan 2010 18:28:42 -0000</pubDate></item><item><title>Re: Heartland Announces $60 Million Visa Settlement</title><link>http://privacyregulation.com/?p=1606#comment-29527586</link><description>&lt;p&gt;Using it - thank goodness someone wrote a book that "business" will actually read.  
We have a BIT team, with all of the attendant ethics and culture (re-inforced by our CEO), and things are much smoother.&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Janice Gaines</dc:creator><pubDate>Tue, 12 Jan 2010 14:39:56 -0000</pubDate></item><item><title>Re: Heartland Announces $60 Million Visa Settlement</title><link>http://privacyregulation.com/?p=1606#comment-29527016</link><description>&lt;p&gt;Anyone else here reading “I.T. WARS”?  I had to read parts of this book as part of my employee orientation at a new job.  The book talks about a whole new culture as being necessary – an eCulture – for a true understanding of security, being that most identity/data breaches are due to simple human errors.  It has great chapters on security, as well as risk, content management, project management, acceptable use, policies, and so on.  Just Google “IT WARS” – check out a couple links down and read the interview with the author David Scott. (Full title is “I.T. 
WARS: Managing the Business-Technology Weave in the New Millennium”).&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">johnfranks999</dc:creator><pubDate>Tue, 12 Jan 2010 14:38:02 -0000</pubDate></item><item><title>Re: HITECH Act: Business Associates Unprepared for the Longer Arm of the Law</title><link>http://privacyregulation.com/?p=1565#comment-28896801</link><description>&lt;p&gt;For more information how to help business associates get compliant, stay compliant, and prove compliance take a look at my blog at &lt;a href="http://www.compliancehelper.com/blog" rel="nofollow noopener" target="_blank" title="http://www.compliancehelper.com/blog"&gt;www.complianchelper.com/blog&lt;/a&gt;&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">jackanderson</dc:creator><pubDate>Fri, 08 Jan 2010 10:13:08 -0000</pubDate></item><item><title>Re: Countrywide settlement over ID theft gets initial OK</title><link>http://privacyregulation.com/?p=1447#comment-28690824</link><description>&lt;p&gt;This settlement seems too small for the trouble that could have been caused by the security breach.&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Settlement Nevada</dc:creator><pubDate>Wed, 06 Jan 2010 12:27:59 -0000</pubDate></item><item><title>Re: Blue Cross Blue Shield in the Data Breach Crosshairs</title><link>http://privacyregulation.com/?p=607#comment-25994189</link><description>&lt;p&gt;Thank you Mary for the update.  I'm glad, as I am sure many BCBS members are as well, that the number of affected members was less than originally reported.  Feel free to provide updates in these comments as you feel appropriate. I can also update the post as a new story if the news is significant.&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Stephen Meltzer</dc:creator><pubDate>Wed, 16 Dec 2009 20:48:51 -0000</pubDate></item></channel></rss>