Posts

Showing posts from June, 2018

Not to be outdone, Alabama is the final state to pass a Data Protection Bill

Right on the heels of South Dakota, which passed its data protection bill in February of this year, Alabama is the 50th and final state to pass a data protection bill. Alabama SB 318 was passed this month. The codification of state data protection laws began in 2003 with California, and to date all remaining states have followed suit. SB 318 seemingly incorporates the Health Insurance Portability and Accountability Act's (HIPAA) terminology and some of its application. Class of protected: the statute applies to individuals residing within the state. Individuals' rights: individuals are afforded protection from a breach, which is defined as the unauthorized acquisition of personally identifiable information (PII). PII is also referred to as personal data in some jurisdictions. Data protected: the statute outlines the type of PII that is protected under the statute as “electronic data” that can be any of the following: Identification number (military, driver’s...

South Dakota finally passes a data protection law

In the EU, individual privacy and data protection have been fundamental rights for quite some time and are now a way of life under GDPR. Data protection in the U.S. is a fairly new concept. In 2003, California was the first state to pass a data protection law. Since then, 48 other states have followed suit by passing data protection laws that protect the personal data of their respective residents. South Dakota is not the last state, but by passing SB 62 in February of this year it is still pretty late to the data protection party. Class of the protected individuals: the bill applies to individuals residing in the state. Individual rights: individuals have the right to protect their personally identifiable information (PII) from being acquired by unauthorized parties (a breach). PII is defined as “computerized data” consisting of first name (or first initial) and last name AND one of the following: Identification number (such as social security num...

Common Privacy Terms

Controller - any person or entity that determines the purpose of data. Processor - any person or entity that processes data for the controller. Personally Identifiable Information (PII) - information that can be reasonably linked to an individual, using persistent identifiers. Personal Data (EU term) - data related to an identifiable natural person, who can be identified (directly or indirectly) by reference to an identifier: ID#, location data, or the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. Encryption - turning data into unreadable cipher text (ibid.). This is usually done with the use of an encryption key, which specifies how the message is to be encoded. Breach (Data Breach) - unauthorized and sometimes unlawful access to and/or acquisition of PII. Health Insurance Portability and Accountability Act of 1996 (HIPAA). PHI (Protected Health Information) - identifiable health information including demographic data...

What is Personally Identifiable Information ?

What is Personal Data? In the US, personal data is known as personally identifiable information (PII). Generally, it is defined as information that can be reasonably linked to an individual, using persistent identifiers. Federal and state statutes determine a more specific definition of PII (GLBA, HIPAA, Privacy Act, etc.). For example, under HIPAA there are 18 points of personally identifiable information. The pieces of identifiable information are as follows: Name, address, city, county, zip, precinct, DOB, admission date, discharge date, date of death, ages over 80, Telephone/Fax #, Email address, SSN, Medical record #, Health plan #, Account #, Certificate/license #, Vehicle (VIN, Plate #), Device ID and Serial #, URL, Biometric ID (fingerprint, voice print), Full-face photographs, and any other unique identifiers. In the EU (GDPR), personal data is defined as data related to an identifiable natural person, who can be ident...

Cross Border Transfer Mechanisms: Certifications

Certifications are yet another way that businesses doing business in the EU can achieve cross-border transfers of personal data out of the EU. Businesses can also demonstrate compliance with GDPR by instituting a certification mechanism. Member states, supervisory authorities, the EDPB or the Commission are required to encourage the establishment of certification mechanisms to enhance transparency and compliance with the Regulation. Certification can be issued by Data Protection Authorities (DPAs) or accredited certification bodies. In conjunction with the GDPR's harmonization goal, Art. 42 encourages an EU-wide outlook for certification schemes. As of yet, there are no accredited certification bodies, which presents a huge economic opportunity to the organization that applies and is approved as a certification body. Certification does not reduce a data controller's or processor's protection responsibilities. Controllers/Processors ar...

Cyber Threat Life Cycle

A targeted threat is when attackers make a conscious effort to attack a particular organization, so they take their time to study the organization's systems and strategically plan the attack. There are several common steps that an attacker takes during a targeted threat. Several steps in a targeted threat life cycle: External Reconnaissance occurs when attackers collect intelligence on HOW to successfully attack. They look for unpatched systems, IP address ranges, open ports and target endpoints. Breach (penetration of the perimeter) is achieved using one of the many tactics used to gain access, such as social engineering, phishing, vishing, brute force attacks, tailgating, drive-by download, etc. Internal Reconnaissance is when the attackers collect intelligence on the internal systems by reviewing them and searching for admin accounts that they can hijack. The Lateral Movement phase occurs when the attackers take control of the clients, servers, active directory domain con...

How Does Social Engineering work?

Social engineering occurs when an attacker deceives and/or manipulates a user into providing confidential and personally identifiable information (PII) for fraudulent purposes. There are various ways that social engineering can occur. The following lists the various forms of social engineering. Phishing is achieved by sending fraudulent emails purporting to be from a reputable company in order to induce individuals to provide credit card numbers, usernames, passwords, SSNs and any other PII. Spear phishing is the act of sending emails purporting to be from a known sender for the purpose of inducing users to reveal confidential information and PII. An example of this is when attackers personalize an email, impersonate specific senders and use other techniques to bypass traditional email defenses. The purpose is to fool users into clicking a link or opening an attachment. The attachments usually contain malware that affects the user’s...

Cross Border Transfer Mechanisms: Codes of Conduct

Codes of Conduct are another mechanism that can be used in transferring personal data out of the EU to an area that is deemed not to have an adequate level of protection. In this article, I will explain how they are created, complied with and enforced. (1) Who is responsible for drawing up codes of conduct: (a) Governments and regulators can encourage the drawing up of codes of conduct. (b) Codes of conduct may be created by trade associations or representative bodies. (c) Codes should be prepared in consultation with relevant stakeholders, including individuals (Recital 99). (d) Codes must be approved by the relevant supervisory authority and, where the processing is cross-border, the European Data Protection Board (the EDPB). (e) Existing codes can be amended or extended to comply with the requirements under the GDPR. (2) Codes of conduct may cover topics such as: (a) ...

Information Security: Defining Cookies

A cookie is a small file, typically of letters and numbers, downloaded on to a device when the user accesses certain websites. Cookies allow a website to recognize a user’s device. Cookies are categorized in two ways: the extent of data they store and the website that places the cookie on the user's device. A session cookie is one which is erased when the user closes the browser. Session cookies are considered to be less privacy intrusive than persistent cookies because they expire after a browser session and so are not stored longer term. For example, session cookies can be used for security when a user is accessing internet banking or to facilitate use of webmail. Persistent cookies differ from session cookies. A persistent cookie remains on the user's computer/device for a pre-defined period of time. Persistent cookies are stored on a user's device in between browser sessions, which allows the preferences or actions of the user across a site (or in some cases across di...

Health Information Technology for Economic and Clinical Health (HITECH)

Health Information Technology for Economic and Clinical Health (HITECH) is also known as the HIPAA (healthcare) Security Rule. The purpose of this rule is to ensure the confidentiality, integrity and availability (CIA) of all Personal Health Information (PHI) that the Covered Entity (CE) and/or Business Associate (BA) creates, receives, maintains and transmits. In order to achieve this, the CE or BA must implement safeguards. An example of a physical safeguard is a lock on a door. An example of an administrative safeguard is a Privacy Officer assigning role-based access to PHI for employees, so that only employees who are involved in the patient's care can access the PHI of that patient. Technical safeguards include configured computer servers and the encryption of PHI during transmission or at rest. Further, HITECH requires CEs to provide notice to individuals IF there is an unauthorized disclosure of that PHI and there is a risk of harm that exposu...