Privacy Monday - August 17, 2015: Three Bytes for End of Summer
It's Privacy Monday again - and summer is winding down.
Here are three bytes of privacy/security information to start your week:
1. House Committee Releases HHS Breach Investigation
If you are subject to HIPAA and the oversight of the Department of Health and Human Services (HHS), schadenfreude will probably best describe your reaction.
A report recently released by the House Energy & Commerce Committee reveleaed that hackers have breached at least five divisions of HHS -- including the FDA -- in the last three years.
“What we found is alarming and unacceptable,” committee Chairman Fred Upton, Michigan Republican, and Oversight and Investigations Subcommittee Chairman Tim Murphy, Pennsylvania Republican, said in a joint statement. “At a time when sensitive information is held by so many in the public and private sectors, Americans should not have to worry that the U.S. government is left so vulnerable to attack.”
The 27-page review of HHS information security found that the breaches were unsophisticated and the affected agencies "often struggled to provide accurate, clear and sufficient information on the security incidents" during the course of their investigation. According to the committee, officials at two breached agencies were unable to provide accurate details about security incidents within their own networks. “These incidents raise questions about whether information security officials have the appropriate level of expertise,” the report reads.
2. More FTC Enforcement of US-EU Safe Harbor
Have you looked at your privacy policy lately? Do you make claims regarding your company's US-EU Safe Harbor compliance that have not been reviewed in some time? You might want to take advantage of this opportunity to do so. The Federal Trade Commission (FTC) is still on the enforcement bandwagon. A release today from the FTC revealed enforcement actions against companies that either had let their US-EU Safe Harbor certification lapse, yet still claimed in their privacy policy that they were compliant, or made such claims and had never even made application to Safe Harbor.
Some good pointers from the FTC's Business Blog:
Express or implied statements about how you handle consumer data are claims subject to the truth-in-advertising standards of the FTC Act. Don’t think you’re making any claims about privacy on your website? Reread your privacy policy and check the certification logos or marks you display on your site. You may be making representations that have to be substantiated under Section 5 of the FTC Act.
When it comes to your privacy policy, a right click may be a wrong move. Many industry groups and others offer resources to help companies craft their privacy policies, but there’s no one-size-fits-all document. If you choose to use a template as a starting point, don't just cut ‘n’ paste. Go through line by line to make sure it reflects what actually happens at your business.
Be a tickler stickler. Once your company has complied with the Safe Harbor Framework’s self-certification requirement, use the tickler feature on your calendar to revisit it before your certification expires. Consider if any changes at your business have affected those seven privacy principles. If you’re still compliant, honor your annual obligation to renew your certification.
3. Privacy Webinar Reminder - August 26
Third party vendor risk is a difficult risk for companies to manage, and yet it is one of the most pervasive vulnerabilities in the security supply chain. Join us for a discussion of vendor risk management and data protection next Wednesday, August 26 at 1 PM ET. Since it's a webinar, you can even log in from one of those last days at the beach ... we won't ask.