A recent study by the Ponemon Institute, The Risk of Regulated Data on Mobile Devices and in the Cloud*, reveals a stunning need for improvement in managing the risks of mobile devices and cloud computing services. The survey involved 798 IT and IT security practitioners in a variety of organizations including finance, retail, technology, communications, education, healthcare, and the public sector, among others. The results are quite startling.
The study concluded that “the greatest data protection risks to regulated data exist on mobile devices and the cloud.” 69% of respondents listed mobile devices as posing the greatest risk followed by 45% who listed cloud computing.
The first piece provides an overview of HIPAA and its evolution. The second involves an analysis of HIPAA’s strengths and weaknesses. Overall, I find HIPAA to be one of the most effective privacy regulatory regimes. HIPAA is very effective in large part because it requires privacy and security officials who have responsibility over these issues. These officials develop policies and procedures, perform assessments, and provide HIPAA training to employees, among other things. Privacy laws are not self-executing, and enforcement agencies have limited enforcement resources. The effectiveness of the law depends upon each organization taking compliance seriously, and this starts with a governance structure, awareness training, and other things that create a culture of compliance. Many other privacy laws overlook this and fail to include the robust governance components of HIPAA.
The entire issue is here. Copyright belongs to Journal of AHIMA.
* * * *
This post was authored by Professor Daniel J. Solove, who through TeachPrivacy develops computer-based privacy training, data security training, HIPAA training, and many other forms of training on privacy and security topics.
In 2007, Seung Cho, a student at Virginia Tech, killed 32 students and faculty and wounded 17. He then committed suicide.
One of the most troublesome things about this incident was that it might have been prevented if school officials and employees had a better grasp of privacy law. Appointed by the state governor, the Virginia Tech Review Panel issued an extensive report revealing that several University officials and employees knew about Cho’s mental instability but failed to share what they knew with each other. And nobody ever told Cho’s parents about his problems, his stalking of a female student, and his dark writings and erratic behavior. Cho’s parents said that if they had known, they would have taken him home and made him go to therapy. This is what they did when Cho had problems in high school.
We have launched several new privacy training programs, including a series with brief introductions to privacy law. We have completed a privacy training program about US Privacy Law with a video and interactive material / quiz questions. And we just completed a training program about EU Privacy Law. This program has a 7.5 minute video (as well as an abridged version at 4.5 minutes), and there’s a separate excerpt on the Safe Harbor Arrangement for those who only want to cover Safe Harbor in their training programs.
We have begun producing a new program series about financial privacy. The first two programs are completed.
The first part is an overview video that discusses the importance of financial privacy and the various laws and regulations that govern it. These laws and regulations are discussed very broadly. The video concludes with some key best practices for protecting financial data. This video is made in a unique style — an animated piece of currency.
The second program focuses on the Gramm-Leach-Bliley Act (GLBA). The video discusses the GLBA’s scope, notice, confidentiality, data sharing, and security. The video also explains why protecting the privacy and security of financial data is important.
There are interactive materials and quiz questions to accompany the video.