Archive for the ‘PHI’ Category

Speaking at the “Security: The New Business Imperative” Event

February 16, 2010

For those in the area, I will be speaking next week (on the 23rd Feb) at the Security: The New Business Imperative event at the Westin Diplomat Golf Resort & Spa, Hallandale Beach FL.

The topic will be a review of current regulations, and practical steps you can take not to fall foul of them.

You can reserve a seat by contacting, or (678) 653 9606

MA 201 CMR 17 Revisited…

February 2, 2010

Though the deadline for MA 201 compliance has been extended until the end of the quarter, it’s a good time NOW to review what this regulation means to you and your business.

I must start with the usual “ask Gary” disclaimer – I’m not a lawyer, but the regulation is pretty easy to read (compared to many others) and I recommend anyone subject to it prints it out and pays attention.

So, how do you know if you’re subject to MA 201 CMR 17 or not? Let’s start from the top of the regulation itself: Read more…

83,000 Toronto Health users PHI exposed…

January 14, 2010

Today it was announced that the personal information of 83,000 users of the Durham health systems became exposed when an unprotected USB stick containing their information was “lost”.

Not too uncommon you might think, but in this case, Ann Cavoukian, the Ontario privacy commissioner (who I had the pleasure of speaking with last year at the annual Privacy-By-Design conference), stepped in, demanding that they

“immediately implement procedures to ensure that any personal health information stored on any mobile devices [laptops, memory sticks, etc] is strongly encrypted.”

CBC news further reported that Commissioner Cavoukian expected every health authority in her province to follow suit.

Notable Breaches of PHI in 2009…

December 15, 2009

This week, Network World posted an interesting slide show of some notable breaches of Health Record privacy from 2009. The mode of disclosure is telling, with internal misuse/fraud and stolen devices/media being prevalent.

The companies mentioned are: Read more…

Personal Data Breach Compensation Suit Thrown Out In Missouri…

December 8, 2009

A knock to the campaign to ensure companies take better care of our personal data occurred this week when John Amburgy lost his case against Express Scripts in Missouri, USA.

John alleged that he had spent significant time and effort in protecting his identity following Express Scripts’ breach back in October 2008. They offered free credit report monitoring services to the people whose PII/PHI they lost, but only to those who proved they had been victims of identity theft.

Yes, it seems you have to be a victim of identity theft because of Express Scripts’ breach before Express Scripts will offer you help in protecting and monitoring your identity… Read more…

European Data Protection Law a possibility?

November 16, 2009

The Register recently reported that the European Commission is considering passing EU-wide laws on data breach notification, along the lines of those already in place in the USA. Viviane Reding, the Information Security Commissioner, said:

The Telecoms Reform has put the issue of mandatory notification of personal data breaches firmly on the European Policy agenda.

The committee formed from Europe’s national data protection watchdogs (The Article 29 Working Party) has apparently also backed the idea. Read more…

Repeat Data Loss Offenders…

October 1, 2009

I was doing some data mining this week on the excellent site and it occurred to me to dig a little deeper into which sectors are the riskiest places to hand your PII/PHI to. I was hoping to find that some segments are cleaning up their act, but it seems not. The fact that we’re seeing multiple entries for the same organisations could have two possible meanings: Read more…


Updates to the Map of Crypto Law.

September 30, 2009

Google Map of International Crypto Law

There have been a few updates to the famous map of crypto laws lately. For those new to the map, or who have forgotten it, I’ve linked the picture above to it.

Feel free to mail me with corrections and additions.

H.R 2221 – The Federal Data Accountability and Trust Act

September 30, 2009

This week I’ve been working my way through H.R 2221 – the “Data Accountability and Trust Act”. This proposed legislation is making its way through the Committee on Energy and Commerce at the moment, and if passed, will rationalize data protection legislation across the USA at a federal level. Read more…

Missouri’s new Data Protection Disclosure Law.

September 21, 2009

Although it may have gone unnoticed, a month ago Missouri finally joined that heady club called “States which have Data Privacy Laws”.

On 28th August, the “Missouri Data Breach Notification Law”, or House Bill 62, took effect. It does not protect residents’ personal information outright, but it at least enforces care and attention in handling it (Social Security Numbers, Driver’s Licence Numbers, and information which could be used to access a resident’s financial accounts). Note I use the word “resident”, because, as with the other 47 or so State laws, this one applies to the Residents of Missouri, not to the businesses. If you have Missouri resident information in your datacenter in Timbuktu, you are still required (under civil and actual damages) to comply. Read more…