Tags: compliance, Dr. Heather Mark, ESPN, Ethics, HIPAA, Jason Pierre Paul
“HIPAA does not apply to news organizations” – ESPN Statement
Last night, a news story broke that combined two of my favorite things: compliance and American football. This is a rare occurrence, indeed. It seems that Jason Pierre Paul was celebrating the 4th of July when he had a fireworks mishap, resulting in a major injury to his hands. For a football player who had recently been franchise-tagged, this is major news. Understandably, the sports reporters were anxious to get the story, as JPP, as he’s called, hadn’t yet signed his $14.8M contract. One reporter, though, went so far as to tweet a copy of the player’s medical record as proof of the procedure. As you can imagine, compliance professionals immediately hopped on this broadcast of Protected Health Information (PHI). This is an unscrupulous invasion of privacy, but does the tweet constitute a HIPAA breach?
Autocracy, Anocracy, & Democracy – “Verbal Masterba(bleep!)…” November 15, 2012. Posted by Chris Mark in Laws and Legislation, Politics.
Tags: anocracy, autocracy, Chris Mark, democracy, Dr. Heather Mark, facebook, mark consulting group, politics
Election season in the US is always interesting. Passions run high and people are quick to proclaim their positions on government and politics. Unfortunately, as many will likely agree, election season also gives voice to many who should probably remain silent.
Recently I was taken to task on Facebook and lectured on the concept of governance and democracy by a particularly obtuse and offensive individual. When I attempted to explain that democracy should NOT be considered a strictly binary proposition and that the US was indeed a democracy, his attacks became personal and I was accused of (among other things) “verbal masturbation”. According to this master of the English language: “Most folks like me would call your ideas verbal masturbation. They sound good from the outside but are really kinda stupid”…he actually wrote “Kinda”…somehow this person drew a line between my comments on democracy and his belief that the federal government would force parents to stand by while their 12-year-old daughters got abortions without consent. I am at a loss as to the logic… But…I digress. Back to democracy!
To understand governance and democracy it is important to understand the concepts. One great resource is the Polity IV project. Democracy, while seemingly simple, can be a quite difficult concept to explain, especially when considering the many different governments in the world. The Polity project attempts to quantify and qualify governance and to code governments based upon where they fall between autocracy and democracy.
First…let’s understand democracy. Wikipedia states that Democracy:
“… is a form of government in which all eligible citizens have an equal say in the decisions that affect their lives. Democracy allows eligible citizens to participate equally—either directly or through elected representatives—in the proposal, development, and creation of laws. It encompasses social, economic and cultural conditions that enable the free and equal practice of political self-determination.”
At its core, democracy is the principle of government by the people. So why the confusion, and what is the relevance of the Polity IV study? Good questions!
Democracy, as described by the Polity study, is defined by three factors. Each democratic government may implement these in different ways. Democracy requires the “…existence of Processes and Institutions through which citizens can 1) affect their government 2) constrain the power exercised by the executive and 3) guarantee civil liberties.” (BTW: You can read this in Dr. Heather Mark’s Dissertation found here.)
There are numerous forms and styles of democratic governments. There are direct democracies in which citizens take part in the process directly. There are representative democracies (like the US) where the citizens vote for representatives who then represent the interests of their constituents. Each of these general types of government then has sub-types. The US is a Presidential Republic, the UK is a Parliamentary Republic, and so on. It is much like dogs. All Rottweilers are dogs, but not all dogs are Rottweilers. So is a Poodle more of a dog than a German Shepherd? It is this type of question that the Polity study addresses. The Polity study ranks each form of government based upon the ‘democratization’ of the government. Countries can be more autocratic or more democratic. All governments will find themselves somewhere on the spectrum. Governments with a score of +6 to +10 are counted as democracies, with the higher scores representing more democratic governments. A perfect 10 is reserved for those that are absolutely democratic. Those that range from -5 to +5 are considered Anocracies. As Polity states: “Anocracies are a middling category rather than a distinct form of governance. They are countries whose governments are neither fully democratic nor fully autocratic but, rather, combine an, often, incoherent mix of democratic and autocratic traits and practices.” Those with a score of -6 to -10 are Autocratic, with -10 representing complete autocracy.
All governments will fall somewhere in the spectrum. Simply because the United States is a Presidential Republic does NOT mean we are NOT a democracy, any more than the ugly dog down the street is NOT a dog because it does not look like my rugged, handsome, purebred Rottweiler (he is good looking but not very smart, sad to say…and still pees in the house!). While the US system of democracy is implemented one way, the UK system is implemented another way. There are benefits and drawbacks to each, but each IS a democratic system of government.
“Boo!” – October 2012 issue of TransactionWorld October 30, 2012. Posted by Chris Mark in Uncategorized.
Tags: Chris Mark, Dr. Heather Mark, economics, PCI DSS, risk management, security, transactionworld
I (Chris) am finally back in the US after traveling for the past two months. If you haven’t had a chance yet, please check out October’s issue of TransactionWorld and read articles by Chris Mark (Security Economics) and Heather Mark (Portable Security). If you don’t subscribe to TW, you should check it out. Everything you could want to know about payments. (Well, not everything, but quite a bit.)
Beating an Old Drum October 27, 2012. Posted by Heather Mark in InfoSec & Privacy, Industry News, Data Breach, cybersecurity.
Tags: cybersecurity, data security, Dr. Heather Mark, Heather Mark, InfoSec, mark consulting group, privacy, security
It’s the end of what has already been a tough year for data security. And the news just got worse. South Carolina has announced that its Department of Revenue suffered a major breach. The breach is so massive, in fact, that more than 75% of the state’s residents have been affected. The compromised data consisted of the (unencrypted) social security numbers of more than 3.6 million residents. Also included in the breach were about 390,000 payment cards. Most of those were encrypted, though.
This is disturbing on a number of levels. I find it curious, for example, that while encryption was deployed, it was only deployed on payment cards (and not even on all of those). Consumers have built-in protections on payment cards. As long as those cards are branded by one of the major card brands, consumers are protected against liability for fraudulent transactions. The far more sensitive data, the social security numbers, were not encrypted, though. This defies logic. Consumers have little to no protection against misuse of SSNs. Not only can very real financial damage be done, but consumers have to spend enormous resources (time, money, emotions) untangling the identity theft knot that comes with stolen SSNs.
Secondly, in the wake of the breach, Governor Nikki Haley issued an executive order that read: “I hereby direct all cabinet agencies to immediately designate an information technology officer to cooperate with the State Inspector General who is authorized to make recommendations to improve information security policies and procedures in state agencies.” WHAT? If I’m inferring correctly, it seems that these agencies didn’t have an information technology officer already?? That is very troubling, particularly considering the types of data that state agencies hold. The moment after 3.6 million (out of about 4.7 million) residents have had their sensitive data stolen is not a great time to decide that data security and privacy should become a priority.
Private sector organizations have been working for years to shore up their data security, and in some cases (PCI DSS, HIPAA/HITECH, GLBA, SOX, state laws) face real consequences for failure to protect that data. It’s long past time states put forth the same level of protection. On the plus side, the state did comply nicely with its own data breach notification law.
Mobile Privacy October 12, 2012. Posted by Heather Mark in InfoSec & Privacy, Laws and Legislation, privacy.
Tags: Dr. Heather Mark, Heather Mark, Location Privacy Protection Act, mark consulting group, mobile privacy, privacy
Smartphones have changed the way we interact with our world. They’ve introduced a new level of convenience, but they’ve also introduced a new potential threat to our privacy. As consumers, we should be informed about the choices that we make on our smartphones and how they might impact us. For example, I upgraded my iPhone to iOS 6 this afternoon. (I know. I’m a little late on that one.) Anyway, when I was done I got two prompts. The first asked if I wanted to enable location services. I said yes, knowing that meant 1) I could use the “find my phone” app, as well as many other apps that come in handy for a frequent traveler, and 2) Apple would have access to my location data. The next prompt suggested that Apple could improve its products and services if I just allowed my phone to send occasional reports to headquarters. That one I declined. I don’t necessarily want Apple to have access to all of my activities on my smartphone.
Now, I’m not naive enough to believe that my simple selection means that I have safely secured my data and mobile behavior entirely. There are companies that are taking advantage of the fact that privacy laws have not kept pace with technology. We know, for example, that there are companies that offer device fingerprinting services for fraud prevention that also happen to sell mobile device behavior analytics to marketers. Consumers don’t have any way of knowing that their behavior is being tracked, and they have no way to opt out.
This week, Sen. Franken (D-Minn) and Sen. Blumenthal (D-Conn) introduced a bill designed to protect mobile privacy. The Location Privacy Protection Act of 2011 is meant to protect consumer privacy by informing users of how and with whom their location data is shared. There are four primary requirements of the bill. Distilled to their basics, those requirements are:
1) Gain consumer consent before collecting location data
2) Get consumer consent before sharing that data
3) Assist in understanding and investigating crimes that involve the misuse of location data
4) Create criminal penalties for those that abuse location services or use so-called “stalking apps”
While I applaud the move to ensure that mobile users are protected from entities divulging their location without the knowledge or consent of the consumer, I wonder if the law goes far enough in protecting consumer privacy. What about those device fingerprinting activities? Do you think the proposed bill goes far enough? Too far? What would you like to see in terms of mobile privacy protection?