security

Subscribe to security

I’m here at RabbitHole, Inc., talking with the company’s Manager of Money in his office, which is buried in the Facilities Department, down in the building’s basement. I’m interviewing him to get a better sense of how RabbitHole manages money as a corporate asset.

Pardon my asking, but how much money does RabbitHole have?

“Frankly, no one knows – we don’t really keep track of that. We have boxes of paper currency stored off-site, but as for ‘active’ money, our employees keep that pretty much wherever they choose – in the network money systems, in their individual offices, in mobile wallets, and probably some stashed at home.”

But isn’t that your job? I mean, your title is “Manager of Money,” right? 
Continue Reading What if companies treated their money like their information?

My New Year’s resolutions will likely be broken early and often in 2016. My consequences are mostly non-monetary: a few more pounds, a little less savings, and not winning the triathlon in my age group. Your consequences, as a HIPAA-covered entity or business associate, for not complying with the Privacy and Security Rules could be much greater, and could put you into serious debt to the HHS Office of Civil Rights (OCR). Therefore, we propose that you resolve now to become fully HIPAA compliant in 2016.

OCR delivered an early holiday gift, wrapped in the Director’s Sept. 23, 2015, report to the Office of Inspector General. In that report, she disclosed that OCR will launch Phase 2 of its HIPAA audit program in early 2016, focusing on noncompliance issues for both covered entities and business associates.

So, grab that cup of hot cocoa and peruse this review of 2014-2015 HIPAA enforcement actions, which should help identify noncompliance issues on which OCR will focus in 2016. 
Continue Reading HIPAA compliance: another year older, but hopefully not deeper in debt

For those who observe it, the Christmas season (secular version 2.0) is definitely here. As a child, I cherished the thought of a man with a red suit accessing our house through the chimney. For those of us concerned about computer system security, we worry about a person with a black hat accessing our data through phishing, hacking, and malware. I hate to mention, well, you know who, but someone out there loves the thought of taking your Whoville roast beast.

Enjoy the next few days with your family and friends, but remember, it’s also time to consider your data security for 2016. Knowing you, once you’ve opened all the presents, eaten dinner, and just settled down for a moment of quiet sanity, your thoughts will inevitably turn to the new year. So, here are six holiday-themed recommendations for your consideration. If you don’t recognize the quotes below, that means you didn’t spend your childhood binge-watching classic holiday programs. Not a worry – simply unwrap the answer key at the bottom.
Continue Reading I’m making a list, securing it twice…

Today the FTC announced a $100-million settlement of its most recent data security lawsuit against LifeLock, the ubiquitous B2C provider of credit monitoring and identity theft protection to consumers.  Despite years of litigation with the FTC and 35 states’ attorneys general, LifeLock has continued with a business model that taps into consumers’ visceral fear of identity theft, and also consumers’ persistent belief that such exposure can magically disappear… all for “less than $10/ month.” But while “Nobody can conceive or imagine all the wonders there are unseen and unseeable in the world,” LifeLock’s settlement with the FTC is a reminder that there is no perfect protection against identity theft.
Continue Reading FTC v. LifeLock — sorry Virginia, there is no Security Claus

Yesterday the FTC announced it has settled its claims against Wyndham for inadequate data security, with Wyndham signing on to essentially the same consent order used by the FTC in most of its more than 50 concluded data security enforcement matters. The settlement marks the end of a three-year legal battle in which Wyndham attempted, unsuccessfully, to restrict the FTC’s authority to pursue companies for inadequate data security as an ”unfair” business practice under Section 5 of the FTC Act.
Continue Reading Wyndham checks out of FTC dispute

The FTC has pursued enforcement actions against more than 50 companies for inadequate data security, and to date only two, Wyndham Hotels and LabMD, have pushed back. On the heels of a Third Circuit victory in its Wyndham litigation, the FTC recently suffered a blow when its administrative complaint against LabMD was dismissed – by an FTC administrative judge, no less.

As the FTC pursues an appeal to its commissioners, are there lessons to be learned? First, reports of the death of the FTC’s Section 5 data security enforcement authority have, once again, been greatly exaggerated – the FTC will remain in the data security enforcer role post-LabMD, as strong as ever. And second, the real lesson of LabMD is what it teaches us about grey hat security firm tactics, and how businesses need to trust their gut and do their homework.
Continue Reading FTC v. LabMD – 50 shades of white hat

Talk about a “bank holiday” – under a settlement deal filed in court yesterday, Target will pay $39.4 million  to a litigation class of banks and credit unions to settle financial institution claims related to the retailers’ massive 2013 data breach, which compromised at least 40 million credit cards. The preliminary settlement is the first time a retailer has agreed to directly absorb financial institutions’ costs from a data breach, such as fraud losses and the expense of issuing new debit and credit cards.

Under the terms of this settlement, Target will pay up to $20.25 million directly to the settlement class and $19.1 million to fund MasterCard’s Account Data Compromise Program relating to the breach. The settlement will apply to all U.S. financial institutions that issued payment cards identified as having been at risk from the breach and that did not previously release their claims against Target by signing on to separate deals. A final approval hearing on the settlement is set for next year.
Continue Reading Target update: Happy holidays for banks

Only minutes passed between first learning of the Paris attacks and confirming that our son, studying abroad in France, was safe. But it seemed to last a lifetime. My wife and I were with him in Paris just two weeks earlier, strolling happily a few blocks from where slaughter would soon visit the Bataclan Concert Hall and La Belle Equipe. Then, like a sick, twisted Groundhog Day, it felt like 9/11 all over again.

The Paris terrorism has rekindled an ongoing debate over government surveillance power, personal privacy, and cybersecurity. In this crucial, consequential debate, it behooves us to remember that terrorism’s goal is to trigger emotional, extreme reaction, and that perspective and balance are the antitheses of violent radicalism.
Continue Reading Paris: privacy & cybersecurity déjà-vu

Wow, our group health plan premiums are crushing us. Wait a minute—what if we ramped up our company’s wellness program, using cool technology to help get our workforce in shape? Let’s get all our employees to use those wearable fitness tracker gizmos! We can fold those into our BYOD program, offer a device subsidy, and then have our employees report their stats and progress in some kind of fitness competition, with cool stuff as motivating rewards. Premium costs down, flab down, fitness up, profits up… what could possibly go wrong?

Plenty will go wrong, unless the company takes a breather and checks the pulse of information-related risks and compliance issues. So, let’s run a quick information governance circuit drill.
Continue Reading IG perspective: Are wearable fitness trackers fit for the workplace?