- Patient Story about Privacy Loss: “Julie” bravely tells how she was harmed when her sensitive mental health information was used by staff members of a Boston health care system without her consent.
- Louis D. Brandeis Privacy Awards: You can watch as we honor Ross Anderson, Congressmen Joe Barton and Ed Markey and Professor Alan Westin with the first-ever Louis D. Brandeis Privacy Awards.
- Best Privacy Technologies of 2012: You can also watch us present IDExperts, Jericho Systems, and TrendMicro with awards for the Best Privacy Technologies of 2012.
- theDataMap™: Seeing Latanya Sweeney present theDataMap™ is a real eye-opener as she explains this critical project to map the hidden flows of health data.
- All Keynotes and Panels: The keynotes and panels include national and international academics, advocates, government officials, health care providers, industry executives, technology experts, and more, discussing the major technical, legal, and cultural threats and solutions to privacy and patient control over personal health information in electronic health systems and data exchanges.
Wednesday, August 01, 2012
“We don't need no stinking badges!”
“We don't need no unpredictable elections!”
Privacy commissioner ‘deeply disturbed’ by Election Ontario’s handling of voter data
Caroline Alphonso reports:
Elections Ontario ignored security measures and went right back to using memory sticks without enabling the encryption software just days after personal information of as many as 2.4 million voters – contained on two USB keys without the necessary safeguards – vanished from one of its warehouses, the province’s privacy commissioner charged.
Read more on The Globe and Mail.
The Commissioner’s formal statement on the investigation can be found here.
(Related) We may need to follow “Best Practices” just like we require second-class citizens to do.
TSP head expresses regret over cyberattack
Kellie Lunney reports that the recent TSP breach has inspired at least one Senator to try to require all federal agencies to have a breach notification policy in place. You’d have thought they would have one already, wouldn’t you, but apparently not….
The head of the Thrift Savings Plan expressed regret on Tuesday over not having a policy in place earlier to notify participants of security breaches to their retirement accounts.
The Federal Retirement Thrift Investment Board implemented a breach notification plan in June, Gregory Long, the board’s executive director, said during a hearing on Capitol Hill. That was about two months after the board learned of a 2011 cyberattack that led to the unauthorized access to the accounts of as many as 123,000 plan participants and other recipients of TSP plan payments.
Long blamed “a lack of resources” for the board’s inability to develop a plan to inform TSP participants of security breaches when they occur. [“We had enough budget to do part of our job, just not the important stuff.” Bob]
Sen. Daniel Akaka, D-Hawaii, said he was concerned the board did not have a breach notification policy when the agency learned about the cyberattack in April. Akaka, who chairs the Senate Homeland Security and Governmental Affairs federal workforce subcommittee, has asked the Government Accountability Office to determine how many other agencies have failed to incorporate OMB’s guidance and whether sufficient oversight of compliance exists. Akaka was one of 43 members of Congress who were affected by the security breach. He has offered an amendment to the 2012 Cybersecurity Act, which the Senate is considering Tuesday evening, that would make it mandatory for every federal agency to have a breach notification policy in place.
Read more on GovExec.
(Related) “Apparently we need more security than we thought.”
Dropbox Reports User Accounts Were Hijacked, Adds New Security Features
Rip Empson reports:
Several weeks ago, reports started to trickle out that a number of Dropbox users were under attack from spam. Since then, Dropbox has been investigating those attacks (with some help from a third-party) and today gave the first update on the progress, saying that some accounts were indeed accessed by hackers, but that it is now adding two-factor authentication and other security features to prevent further problems.
Read more on TechCrunch.
(Related) Will this too be ignored?
GAO: Federal Law Should Be Updated to Address Changing Technology Landscape
July 31, 2012 by Dissent
GAO-12-961T, Jul 31, 2012
What GAO Found
Technological developments since the Privacy Act became law in 1974 have changed the way information is organized and shared among organizations and individuals. Such advances have rendered some of the provisions of the Privacy Act and the E-Government Act of 2002 inadequate to fully protect all personally identifiable information collected, used, and maintained by the federal government. For example, GAO has reported on challenges in protecting the privacy of personal information relative to agencies’ use of Web 2.0 and data-mining technologies.
While laws and guidance set minimum requirements for agencies, they may not protect personal information in all circumstances in which it is collected and used throughout the government and may not fully adhere to key privacy principles. GAO has identified issues in three major areas:
• Applying privacy protections consistently to all federal collection and use of personal information. The Privacy Act’s protections only apply to personal information when it is considered part of a “system of records” as defined by the act. However, agencies routinely access such information in ways that may not fall under this definition.
• Ensuring that use of personally identifiable information is limited to a stated purpose. Current law and guidance impose only modest requirements for describing the purposes for collecting personal information and how it will be used. This could allow for unnecessarily broad ranges of uses of the information.
• Establishing effective mechanisms for informing the public about privacy protections. Agencies are required to provide notices in the Federal Register of information collected, categories of individuals about whom information is collected, and the intended use of the information, among other things. However, concerns have been raised whether this is an effective mechanism for informing the public.
The potential for data breaches at federal agencies also poses a serious risk to the privacy of individuals’ personal information. OMB has specified actions agencies should take to prevent and respond to such breaches. In addition, GAO has previously reported that agencies can take steps that include
• assessing the privacy implications of a planned information system or data collection prior to implementation;
• ensuring the implementation of a robust information security program; and
• limiting the collection of personal information, the time it is retained, and who has access to it, as well as implementing encryption.
Read the full GAO testimony.
As the private sector gets better (still not good) at security, the remaining “low hanging fruit” may just be those huge government databases.
Data breaches up 19 percent, GAO reports
Federal data breaches jumped 19 percent last year, the Government Accountability Office said Tuesday.
There were roughly 13,000 incidents reported by agencies in 2010 involving unauthorized disclosures of personally identifiable information — last year, that figure shot up to 15,500, Greg Wilshusen, GAO’s director of information security issues, told the Senate subcommittee on government management oversight Tuesday at a hearing.
On email privacy, Twitter’s ToS and owning your own platform
July 31, 2012 by Dissent
Alex Howard discusses the recent uproar on Twitter after journalist Guy Adams’ account was suspended for tweeting the email of an NBC executive to whom viewers could complain about NBC’s Olympic coverage. The account has been reinstated, and Twitter broke its usual silence on individual cases to discuss what had happened and why. But that’s not the end of the conversation. Alex writes:
I see at least three different important issues here related to electronic privacy, Twitter’s terms of service, censorship and how many people think about social media and the Web.
Is a corporate email address private?
Washington Post media critic Erik Wemple is at a loss to explain how tweeting this corporate email address qualifies public (sic) rises to the level of disclosing private information.
Can a corporate email address based upon a known nomenclature used by tens of thousands of people be “private?”
Read Alex’s thoughtful discussion on O’Reilly Radar.
More on Privacy
By Dissent, August 1, 2012
The Health Privacy Summit has made materials and videos available online for its recent conference, “Is There an American Health Privacy Crisis?” Check them out at http://www.healthprivacysummit.org/d/3cq92g/6X
You can also visit the agenda and click on any session to see more about the panel and the live video.
“Is There An American Health Privacy Crisis” was jointly hosted by The O’Neill Institute for National and Global Health Law and the Patient Privacy Rights Foundation.
Aug. 1, 1949: FCC Gets in on Cable TV
Perspective: The Digital Universe?
For my Math students
For all my techies...
Do you have a Word document that you quickly and painlessly need converted into an Excel document? Well then, you should consider taking a look at Convert Word To Excel.
Before you can begin using it, you need Microsoft Silverlight installed and enabled. Then just click on “File” and then “Open”