Health care CISO: Start protecting patient privacy at home

(Oct 16, 2018) Health care professionals should think beyond merely protecting the organization and start protecting patients' privacy at home, HealthITSecurity reports. "At some point, I'm going to have [to] start thinking about how to protect patients in their home," Christiana Care Health System Chief Information Security Officer Anahi Santiago said. "My information security program is not going to just be about the data center or the cloud but an extension into the patients' homes. So, we can be responsibl...

US, EU regulators investigate Google privacy glitch

(Oct 10, 2018) Reuters reports New York and Connecticut attorneys general, the Irish Data Protection Commission, and Hamburg, Germany's data protection authority are all investigating a software glitch at Google that may have exposed the profile data of as many as 500,000 users. The probes come in the wake of a Wall Street Journal report from Monday on the incident. Sens. Mark Warner, D-Va., and Richard Blumenthal, D-Conn., have each expressed concern. Warner noted that since Google is under a Federal Trade Co...

Google to clamp down on third-party access after discovering privacy glitch

(Oct 9, 2018) The Wall Street Journal reports Google found a "software glitch" in its Google+ social network that may have exposed user profile data between 2015 and March 2018. Google "opted not to disclose the issue this past spring, in part because of fears that doing so would draw regulatory scrutiny and cause reputational damage, according to people briefed on the incident and documents reviewed" by the Journal. "Internal lawyers advised that Google wasn't legally required to disclose the incident to the...

Irish DPC awaits further details after Facebook data breach

(Oct 1, 2018) Late last Friday, Facebook announced up to 50 million users' information may have been exposed in a data breach. Though the company said it fixed the vulnerability and notified law enforcement, the identity of the adversary involved is not yet known. In response, several data protection authorities, U.S. lawmakers, consumer groups, and privacy pros all weighed in on the incident. In this report for The Privacy Advisor, Jedidiah Bracy, CIPP, rounds up the latest reaction and commentary, including...

NIST releases draft IoT-risk internal report for public comment

(Sep 26, 2018) The National Institute of Standards and Technology's Cybersecurity for the Internet of Things and Privacy Engineering Programs has issued a draft internal report on managing cybersecurity and privacy risks in IoT devices. Draft NISTIR 8228: Considerations for Managing IoT Cybersecurity and Privacy Risks is open for public comment until Oct. 24. The draft identifies three considerations that may affect IoT privacy and security and includes recommendations for organizations on their approach to Io...

Venture capitalists increasingly investing in privacy tech

(Sep 12, 2018) The Information reports on increased investment by venture capitalists into consumer-facing and enterprisewide privacy-technology solutions. In 2017, venture capitalists invested more than $497 million in privacy-related startups, which, according to the report, more than triples the amount invested five years ago. Through the first three quarters of 2018, venture capital firms have invested more than $506 million. Bain Capital Ventures Managing Director Enrique Salem said, with privacy laws pro...

The Privacy Advisor Podcast: How 57 women won a trip to DEFCON

(Sep 7, 2018) Ask anyone who frequents DEFCON, known as a sort of summer camp for hackers, and they'll tell you the attendee roster at the wildly popular white hat event is overwhelmingly male. Rachel Tobac, chair of the board at Women in Security and Privacy, has been going to DEFCON to compete in Social Engineering Capture the Flag for the last three years, and winning. She has gained some notoriety for it, including appearing on this podcast twice before. But noticing she was very much in the minority as a...

ACLU: Carpenter ruling could inform state-level cases

(Sep 6, 2018) In a blog post, the American Civil Liberties Union looks at the ruling from the Carpenter v. United States case and how it could potentially impact a group of cases in Massachusetts and Maine. The Massachusetts and Maine Supreme Judicial Courts are hearing cases involving whether law enforcement needs to obtain warrants to track cellphone location data in real time and access location data from an ankle monitor, as well as whether constitutional rights would be violated if an ankle monitor shoul...

Full disclosure: Benchmarking data reveals the human error in privacy incidents

(Aug 28, 2018) This article is part of an ongoing series on privacy program metrics and benchmarking for incident response management, brought to you by Radar Inc., a provider of purpose-built decision-support software designed to guide users through a consistent, defensible process for incident management and risk assessment. Find earlier installments of this series here. In a previous installment of this benchmarking series, we discussed the differences in incident classification when using intent as a filt...

Survey: 70 percent of health care organizations lack cyber insurance

(Aug 23, 2018) A survey conducted by Ovum on behalf of analytics firm FICO reveals 70 percent of health care organizations do not have cyber insurance, HealthITSecurity reports. Though health care was the industry that lagged the most, of the U.S. executives surveyed across industries, 24 percent said they have no cyber insurance at all. "It's great to see that progress is being made but still surprising, that nearly a quarter of U.S. firms surveyed have no cybersecurity insurance coverage," FICO Vice Presiden...