Posts

Not to be outdone, Alabama is the final state to pass a Data Protection Bill

Right on the heels of South Dakota, which passed its data protection bill in February of this year, Alabama is the 50th and final state to pass a data protection bill. Alabama SB 318 was passed this month. The codification of state data protection laws began in 2003 with California; to date, all remaining states have followed suit. SB 318 seemingly incorporates the Health Insurance Portability and Accountability Act's (HIPAA) terminology and some of its application.

Class of protected: The statute applies to individuals residing within the state.

Individuals' rights: Individuals are afforded protection from a breach, which is defined as the unauthorized acquisition of personally identifiable information (PII). PII is also referred to as personal data in some jurisdictions.

Data protected: The statute outlines the type of PII that is protected under the statute as “electronic data” that can be any of the following: Identification number (military, driver’s...

South Dakota finally passes a data protection law

In the EU, individual privacy and data protection have been fundamental rights for quite some time and are now a way of life under GDPR. Data protection in the U.S. is a fairly new concept. In 2003, California was the first state to pass a data protection law. Since then, 48 other states have followed suit by passing data protection laws that protect the personal data of their respective residents. South Dakota is not the last state, but by passing SB 62 in February of this year it is still pretty late to the data protection party.

Class of the protected individuals: The bill applies to individuals residing in the state.

Individual rights: Individuals have the right to have their personally identifiable information (PII) protected from being acquired by unauthorized parties (a breach). PII is defined as “computerized data” consisting of a first name (or first initial) and last name AND one of the following: Identification number (such as social security num...

Common Privacy Terms

Controller - any person or entity that determines the purpose of data.
Processor - any person or entity that processes data for the controller.
Personally Identifiable Information (PII) - information that can be reasonably linked to an individual, using persistent identifiers.
Personal Data (EU term) - data related to an identifiable natural person, who can be identified (directly or indirectly) by reference to an identifier: ID number, location data, or the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Encryption - turning data into unreadable cipher text (ibid.). This is usually done with the use of an encryption key, which specifies how the message is to be encoded.
Breach (Data Breach) - unauthorized and sometimes unlawful access to and/or acquisition of PII.
Health Insurance Portability and Accountability Act of 1996 (HIPAA)
PHI (Protected Health Information) - identifiable health information including demographic data...

What is Personally Identifiable Information?

What is Personal Data? In the US, personal data is known as personally identifiable information (PII). Generally, it is defined as information that can be reasonably linked to an individual, using persistent identifiers. Federal and state statutes provide more specific definitions of PII (GLBA, HIPAA, Privacy Act, etc.). For example, under HIPAA there are 18 points of personally identifiable information. The pieces of identifiable information are as follows: name, address, city, county, zip, precinct, DOB, admission date, discharge date, date of death, ages over 80, telephone/fax number, email address, SSN, medical record number, health plan number, account number, certificate/license number, vehicle identifiers (VIN, plate number), device ID and serial number, URL, biometric ID (fingerprint, voice print), full-face photographs, and any other unique identifiers. In the EU (GDPR), personal data is defined as data related to an identifiable natural person, who can be ident...

Cross Border Transfer Mechanisms: Certifications

Certifications are yet another way that businesses operating in the EU can achieve cross-border transfers of personal data out of the EU. Businesses can also demonstrate compliance with GDPR by instituting a certification mechanism. Member states, supervisory authorities, the EDPB or the Commission are required to encourage the establishment of certification mechanisms to enhance transparency and compliance with the Regulation. Certification can be issued by Data Protection Authorities (DPAs) or accredited certification bodies. In keeping with GDPR's harmonization goal, Art. 42 encourages an EU-wide outlook for certification schemes. As of yet, there are no accredited certification bodies, which presents a huge economic opportunity to the organization that applies and is approved as a certification body. Certifications do not reduce a data controller's or processor's protection responsibilities. Controllers/Processors ar...

Cyber Threat Life Cycle

A targeted threat is when attackers make a conscious effort to attack a particular organization, so they take their time to study the organization's systems and strategically plan the attack. There are several common steps that an attacker takes during a targeted threat.

Several steps in a targeted threat life cycle:

External Reconnaissance occurs when attackers collect intelligence on HOW to successfully attack. They look for unpatched systems, IP address ranges, open ports and target endpoints.

Breach (penetration of the perimeter) is achieved using one of the many tactics used to gain access, such as social engineering, phishing, vishing, brute force attacks, tailgating, drive-by download, etc.

Internal Reconnaissance is when the attackers collect intelligence on the internal system by reviewing the system and searching for admin accounts that they can hijack.

The Lateral Movement phase occurs when the attackers take control of the clients, servers, Active Directory domain con...

How Does Social Engineering work?

Social engineering occurs when an attacker deceives and/or manipulates a user into providing confidential and personally identifiable information (PII) for fraudulent purposes. There are various ways that social engineering can occur. The following lists the various forms of social engineering.

Phishing is achieved by sending fraudulent emails purporting to be from a reputable company in order to induce individuals to provide credit card numbers, usernames, passwords, SSNs and any other PII.

Spear phishing is the act of sending emails that appear to come from a known sender for the purpose of inducing users to reveal confidential information and PII. An example of this is when attackers personalize an email, impersonate specific senders and use other techniques to bypass traditional email defenses. The purpose is to fool users into clicking a link or opening an attachment. The attachments usually contain malware that affects the user’s...