The Health Insurance Portability and Accountability Act of 1996 (HIPAA) controls the privacy and access of all protected health information (PHI) in the United States.  One of the goals of the legislation is to help move the healthcare industry toward electronic health records (EHR).  The value to patients and providers is faster and more accurate care, since clinicians, insurance companies and all related business organizations will have access to the same information.

In 2009, the US Congress passed the Health Information Technology for Economic and Clinical Health Act (HITECH Act) to further clarify and address the privacy and security concerns associated with the electronic transmission of health information.  Language in the law extends HIPAA provisions to business associates of covered entities.  This means that any organization that works with a healthcare provider is also subjected to the same laws and penalties.

Since more health information has become electronic, more of it is susceptible to data breaches.  A recent study by Redspin, Inc., a California provider of IT security assessments, shows that 385 breaches of PHI affecting about 19 million records have been reported since August 2009 in the US.  Part of the HITECH Act stipulates that an organization must report any breach over 500 people to the US Department of Health & Human Services (HHS) within 60 days.  So these numbers don’t take into account smaller breaches.

A couple of statistics in the Redspin report stand out.

• 97% increase in total records breached since 2010
• 59% of all breaches involved a business associate
• 76% increase in records breached involving a business associate since 2010
• 39% occurred on a laptop or other portable device

If you look at the cost to a business of these breaches, it can be staggering.  The average number of patients per breach was 49,394, which is almost double the numbers from 2010.  The Ponemon Institute calculates that the cost per compromised data record is $214.  That makes the average cost just over $10 million per breach! 

Exposure to a healthcare provider is not just how it handles PHI, but also how any third-party vendors, suppliers, consultants and contractors manage it.  If a hospital sends patient information to a lab so the lab can do some blood work, the hospital has to make sure the lab has proper security measures to safeguard the patient information.  Currently the laws only penalize the covered entity, in this case the hospital.  If there is a breach at the lab, the hospital will ultimately have to pay for the lack of security.  Fortunately the breach notification laws provide for liability to extend directly to business associates by the end of 2012. 

Waiting on the legislative and enforcement process to deter breaches by forcing business associates to improve security will not solve the problem now.  Since a large percentage of breaches occur through the loss of a laptop or other portable device, safeguarding this information now is critical.  The only effective way to do this is by encrypting it. 

A lot of this information is most likely in spreadsheets, documents, image and audio files.  Protecting them with a persistent security policy that lets the creator of the information decide who can access it will help deter breaches.  If a hospital needs to share these documents with a business associate, it can encrypt the document with a policy that defines who can view the information and for how long.  If the document is accidentally shared with the wrong people or organization, the hospital can throw a kill switch and make the document unreadable by anyone.  If a hacker or other unauthorized person opens the document, it will look like random characters. 

Many business associates of healthcare organizations may not have the appropriate security in place to properly manage PHI.  With data breaches increasing at an alarming rate, healthcare organizations should take the initiative for that security by encrypting any files they share.  That ensures that only those people who need the information can access it.

As the saying goes, physician health thyself.

Love it or hate it, cloud computing is here and helping companies become more agile and competitive.  There are two common misconceptions about the cloud.  The first is it’s only for big companies.  The second is it’s only for small companies.

The truth is it’s for everyone regardless of the size of your organization or your industry.  That’s like saying that computers are only for big companies – I think most of us know how dumb that is.

Cloud computing has brought capabilities to everyone that only the largest companies could afford in the past.  Look at the poster child for cloud computing, Salesforce.com.  Years ago, the only way you could afford a sophisticated CRM system was if you had a large IT staff and budget to make it happen.  Today, anyone can afford CRM, whether it’s through Salesforce.com or the myriad other cloud offerings out there.

My company squarely falls in the SMB or SME (small to medium enterprise) camp.  We are a distributed company and in the past could not have afforded CRM, a good time and billing system or a way to electronically sign documents, to name just a few business functions.  Today, we can get that by signing up for a cloud service and paying for it by the user.  We don’t need to buy servers, hire IT staff, worry about backing up our data or rolling out a desktop application.  We just point a browser to a website, login and work.

UKFast, a UK hosting company, created a cloud computing infographic (below) based on interviews they did with numerous cloud experts showing why SMEs choose the cloud. The infographic shows that the main reasons for using the cloud are Flexibility, Cost savings, Increased efficiency and Space savings.

I concur based on my experiences.  Having the ability to add or remove users quickly is great.  Not having to invest in an IT infrastructure makes cash available for other uses.  Letting everyone work where they want, when they want and from any device increases productivity dramatically.

We are sold on the cloud.  How about you? 

Infographic by UKFast Hosting

Photo credit Henriksent

On January 28, 2012, the United States, Canada and many other countries celebrated Data Privacy Day.  This is a recognition that people, businesses and governments need to be aware of data privacy and how to protect it.  Last October, the US government marked the eighth annual National Cyber Security Awareness Month sponsored by the Department of Homeland Security.  That event helped educate people on the importance of internet security.  The two events go hand in hand.

Data Privacy Day is an annual international celebration designed to promote awareness about privacy and education about best privacy practices.  It began in the US and Canada in January 2008, as an extension of the Data Protection Day celebration that started in Europe in 2007.  In the US, the House and Senate passed resolutions recognizing January 28 as National Data Privacy Day.

January 28th also commemorates the signing of Convention 108, the first legally binding international treaty dealing with privacy and data protection, which recognizes an individual’s right to protection of personal information as a fundamental freedom.

With the announcement last week of Google’s proposed change in its privacy policies, it’s a good time for individuals and businesses to think about who is collecting information from us and what they are doing with it.  Just about everything we are and do is captured and stored somewhere.  Our identities, locations, actions, purchases, associations, movements, and histories are sitting in databases and servers all over the world.  If any of this information is sitting on a public server, Google, Bing and other search engines have crawled, catalogued and stored it so that anyone can access it.

The big questions you should ask are:

• Who is collecting all of this data?
• What are they doing with it?
• Who are they sharing it with?
• How can I protect my information from being misused?

These are not just questions for consumers, but for businesses and governments too.  Businesses have to question whether they are complying with laws and regulations requiring consumer privacy protections.  They know that customers have to trust them before they will use and pay for products and services.  Governments need to enact legislation that protects consumers but doesn’t stifle competition, innovation, progress and growth.  Technology is changing constantly and everyone needs to expect that personal information is kept secure and only those who need legitimate access to it, have it.

Here are a few tips on keeping your personal information secure:

• Before you enter your personal information online, decide if what you are getting is worth divulging that data.
• Look at the privacy settings in social networking sites and set them to limit who can access your information.
• Avoid sharing personal information publicly including: your date of birth, home address, phone numbers, social security number, financial information and travel plans.
• Enable a password to access you smart phone and make it a strong one.
• Use location based services with care, making sure you don’t divulge too much about your whereabouts.
• Secure your home Wi-Fi with WPA security and a strong password.
• Think before you text and send email.  Remember that a text and an email can be forwarded to anyone.

The unofficial motto for Google is “Don’t be evil”.  It’s written on its Code of Conduct page as part of its investor relations information. 

Google has 7 simple areas in this code of conduct that cover serving its users, respecting employees, avoiding conflicts of interest, preserving confidentiality, protecting Google’s assets, ensuring financial integrity and obeying the law.  If you read them, it sounds like the company intends not to be evil.

Google’s privacy policies and terms of service are what affect most of the users of its services and websites.  On January 24, 2012, in an effort to simplify the somewhat arcane policies of numerous Google services, it issued notices to users of a pending change in its privacy policies. 

The beginning of the notice is below:

Dear Google user,

We’re getting rid of over 60 different privacy policies across Google and replacing them with one that’s a lot shorter and easier to read. Our new policy covers multiple products and features, reflecting our desire to create one beautifully simple and intuitive experience across Google.

We believe this stuff matters, so please take a few minutes to read our updated Privacy Policy and Terms of Service at http://www.google.com/policies. These changes will take effect on March 1, 2012.

If you have ever read a privacy policy, your head might explode with some of the legalese and gobbledygook in it.  Google has a separate policy for all of its services.  If you use Gmail, Google+, Picassa, Calendar, Alerts, Reader or any of the other services, you have to slough your way through individual policies.  A lot of governmental agencies and privacy advocates have asked Google and others to simplify the somewhat onerous language into something that we mere mortals can understand.

To Google’s credit, it has done just that.  It’s replacing the separate agreements with one – “One agreement to rule them all”.  But what does this single agreement say?

The major changes affect any user logged into Google and how information is shared across services.  If you just perform a search without logging into Google, this doesn’t affect you.  Unfortunately many of us are logged in all day.  If you use an Android phone, you are probably logged into Google.  If you use Gmail or Calendar on any device, you are logged in.  Many people think it’s only when they are in a browser, but it’s also when you are on an Android device, iPad, iPhone and all the services that connect to Google. 

I use Thunderbird as one of my email clients and that’s logged into Gmail.  My calendar app on my iPad is too.  Calendar information moving between my PC, Mac and iPad also uses Google services.  And synching some information through Apple iCloud is using Google.  This doesn’t take into account services that let you authenticate by connecting to your Google account.

Sharing your own information between your own accounts may be benign, but time will tell when Google implements its new policy on March 1, 2012.  The “don’t be evil” mantra may be cracking because many people aren’t sure what will happen to this information.  The stated goal is to improve your services and search results, but Google is proposing to pass information back and forth.  And where will it actually go and who will use it.

Every time Facebook makes privacy and security changes, people scream because it becomes more complicated and we are less sure of our security.  Hopefully Google is not becoming Facebook when it comes to privacy and security.

If you haven’t looked at your privacy settings in your Google accounts lately, do it.  You can find them in your Google Dashboard.  Check on the following as a minimum, but look at the settings for all your accounts to make sure they are set as you intended.

1. Go to https://www.google.com/dashboard/ and log in with your Google id and password.
2. Next to Account, click Manage Account.
3. Check the section under Security to update anything.
4. Click on the “connecting your accounts” hyperlink under Connected Accounts to see what else you are connecting to.
5. If you have a Gmail account, click “Manage HTTPS settings” under it and make sure you have “Always use https” checked.
6. If you have a Google+ account, scroll down and click Edit profile. 
7. Click each item in About and check the settings.  You can choose Public, Extended circles, Your circles, Only you and custom.  Click on Photos and check the settings there too.
8. Go to Web History and click on “Remove items or clear Web History”.  You can turn this off, so no web history is kept when you are logged into a Google account.
9. If you have a YouTube channel, click on “Manage privacy settings” next to it to verify your settings.
10. Check all other services and click Manage privacy, Manage privacy settings or any Shared settings links to edit those settings.

My hope is that Google will simplify privacy and security settings when they implement this new policy in March.  Whether or not all our information will become more or less secure with the sharing of information across these services is to be determined.  While you are waiting, make sure your privacy and security settings are as locked down as you want to make them.  Darth Vader may be smiling as we devolve into the clutches of the new evil empire.

Photo credit Insight Forge

Two pieces of legislation before the United States Congress are intended, according to its supporters, to prevent Internet piracy and protect freedom and American jobs.  The Protect IP Act (PIPA) and the Stop Online Piracy Act (SOPA) are legislative responses to these threats.  Unfortunately, rather than protecting intellectual property and jobs, they would in fact impose bad regulations on American businesses and censor the Internet as we know it.

The stated goal of these bills is to stop copyright infringement by foreign web sites.  According to the Motion Picture Association of America (MPAA) and other groups representing the music and film industries, piracy is rampant and is negatively affecting their businesses.  They claim the only way to protect American jobs and businesses is with these measures. 

The processes stated in the bills to determine if piracy and copyright infringement exists are at best vague and the remedies very draconian.  They put the burden on website owners to police user contributed material and call for blocking of entire sites.  In essence, every website would have to police anything and everything that goes and comes from it to ensure that piracy and copyright infringement didn’t take place.  This includes links.  If anyone suspects them of infringement, they can be shut down with a simple complaint.  This puts a tremendous burden on small businesses and entrepreneurs who do not have the resources to defend themselves.

Harvard University professor Laurence H. Tribe released an open letter on the web stating that SOPA would undermine the openness and free exchange of information at the heart of the Internet and would violate the First Amendment of the US Constitution.  The letter says:

“The notice-and-termination procedure of Section 103(a) runs afoul of the “prior restraint” doctrine, because it delegates to a private party the power to suppress speech without prior notice and a judicial hearing. This provision of the bill would give complaining parties the power to stop online advertisers and credit card processors from doing business with a website,merely by filing a unilateral notice accusing the site of being “dedicated to theft of U.S. property” – even if no court has actually found any infringement.”

In other words, an alleged violating website could be shut down by someone filing a complaint.  This is like putting someone in jail just because I register a complaint against them.  No judicial process.

Aside from legal issues, there are technical issues.  The bills want to use Internet providers to shut down sites by manipulating DNS entries and asking “the Internet” to do DNS filtering.  To the uninitiated this might sound great, but it’s akin to playing whack-a-mole, since an offending website could put up a new domain name very quickly and get around this.  It also would impact legitimate websites who may be caught in the crossfire.  

There is also a misunderstanding of the opponents of SOPA and PIPA.  Proponents believe that if you are not in favor of the legislation, you are FOR piracy and copyright infringement.  That is not the case at all.  Many writers, websites and businesses that make their livings from content creation and protection are against it, including eBay, Facebook, Google, Twitter and Mozilla.  The idea to protect copyright is sound and should be done, but these bills do not really address the problem.

One problem is expressed well by Bill Wilson, president of the advocacy group Americans for Limited Government, who usually advocates for conservative and libertarian issues.  He says that SOPA has morphed into an Internet “kill switch.”  It would establish the “the precursor to a taxpayer-funded ‘thought police.”

As a business, a better way to protect your intellectual property is by using a persistent security policy.  This lets you encrypt documents and other content with a wrapper that lets you control who can access the information and how that person can use it.  If someone steals your product design or other valuable content, you can throw a “kill switch” on it and prevent any unauthorized person from seeing it.  You can do this with documents, pictures, videos and a whole range of file types.  Killing the content is a much better approach that throwing a switch on the Internet or a particular website.

Today, many organizations, such as Wikipedia, Google, Reddit and BoingBoing, are staging internet blackouts in protest of SOPA and PIPA. If you go to these sites, you are redirected to pages talking about this legislation and giving you options of how to contact your elected representatives to voice your opinion.  You can find detailed information in the Stop Online Piracy Act and Protect IP Act articles on Wikipedia, which are available during the blackout.

The White House and others are looking to rewrite these bills to make sense.  Let’s stop the problem by protecting the content itself, rather than trying to shut down the free and open Internet.  

Photo credit johnsnape

Here is a great video explaining why SOPA and PIPA may harm the open and free Internet and why it will ultimate hurt business.  It also won’t stop those people actually stealing intellectual property and your valuable content.

According to an announcement on January 11, 2012, after more than seven years of planning, the Internet Corporation for Assigned Names and Numbers (ICANN) has initiated a process that could trigger a dramatic expansion of the Internet.  Starting on January 12, 2012, ICANN will accept applications for new generic top-level domains (gTLDs).  This might sound like a great idea, but it could also be fraught with trouble.

ICANN is the organization that manages and controls the top level domains of the Internet.  They are the ones who make sure that we have .com, .gov, .org, .edu and 18 other gTLDs.  This new announcement intends to expand the top level domains to anything you want, including companies and famous brands.  There is an application process and $185,000 fee to request a name, so not everyone will apply.

ICANN believes this will open up the Internet to more innovation by providing an expansion to companies, brands and include words in non-Latin languages, such as Cyrillic, Chinese or Arabic.  So that means I could create a domain called .microsoft or .ford in addition to the existing microsoft.com or ford.com.  Unfortunately this makes it a lot easier to spoof people or run phishing scams.  This could be a hackers dream and it could cause problems for the legitimate companies.

Here’s why.  A hacker or criminal could spoof a known brand by directing people to any site that seems to be legit.  It’s bad enough with links in email that send you to a bogus site that looks real, but now the domain name could look real.  This makes it easy to deliver malware or collect sensitive information like credit cards numbers.  How do you know what’s legit and what’s not?

This also becomes a problem for companies.  They may have to monitor any site that looks like theirs.  Currently most companies buy their company name with .com, .org and .net.  If they are outside of the United States, they will also buy the country name upper level domain, like .ca or .jp.  With this new proposal, companies may have to buy all kinds of domains defensively to ensure no one can use them.  With potentially 1000 new top level domains available each year, this becomes a costly proposition.

Of course, a company can and should implement authentication and certification services to ensure its customers go to a legitimate site.  For anyone doing online transactions, they already use HTTPS and certificates, but that may not be enough. 

According to a report on NPR, Jon Leibowitz, chairman of the Federal Trade Commission (FTC), took issue with ICANN’s comments that there is pent up demand for this.  “My sense is that a lot of this demand is just absolutely artificial and largely imagined by the ICANN board.  We’re an agency that’s required to protect consumers, and from our perspective, this is a potential disaster and we have an obligation … to speak out.”

Last month, the FTC sent ICANN a long letter detailing its concerns, including the potential for an exponential increase in phishing and other scams.  Leibowitz says he is not assured by ICANN’s pledge to self-police or its promises to protect companies from brand infringement. The group’s existing database of website owners, Leibowitz says, already poses problems to law enforcement.

“[There are] websites registered to God, to Mickey Mouse, to Bill Clinton,” he says. “And of course, if you’re a scammer, if you’re in the business of ripping off consumers, why would you give accurate information?”

It will be interesting to see how this plays out, but expanding the Internet domain names like this doesn’t seem like the best idea.  I am all for expanding beyond Latin-based characters and adding more domains, but making things easier for hackers and criminals doesn’t make sense.

Photo credit ivanpw

The January 2012 issue of ENX Magazine features an article titled “Profiting by Helping Your Customers Get Through the Document & Data Security Noise” written by Dave Anastasi, CEO of eDocument Sciences.

In this article Dave looks at how companies need to focus on what their customers care about, not what they care about.  As many others have said, customers don’t care about you and your products.  They care about their business. 

Helping them navigate through the challenging world of data and document security will benefit them tremendously.  With the constant headlines of data breaches and breakdowns in company security, you owe it to your customers to help them survive the constant onslaught.

Click on the link below to read the article in its entirety.

Profiting by Helping Your Customers Get Through the Document & Data Security Noise

I grew up around the advertising business. My dad was an advertising executive who ran the creative departments for the two largest advertising agencies in New England. He won many awards and still today has a prestigious award named after him, even though he passed away over 25 years ago. He represented clients like John and Robert Kennedy, Wang, Lotus, John Hancock, Spaulding, Red Sox, Bruins and Celtics as well as many other organizations.

Early in my career I sold advertising for Warner Communications representing some of the most well known publications in the world (WSJ, Time, Newsweek, Business Week, Sports Illustrated, Readers Digest and others).

So you may ask what the heck does this have to do with Copying, Printing, Scanning, MPS and Document and Data Security, etc. A lot. When I was in college, majoring in marketing, I learned a very valuable lesson from my dad. He was working on a campaign that I told him I thought was terrible. Although being a very kind and even tempered man he said very sternly to me, “If you ever want to be really successful in business you should understand one thing, it doesn’t matter what you think.”

What he meant by this was that you had to identify your target market and the key decision makers and make sure your products, services and messaging was directed at what they thought, not what you thought.

He also told me, “Listen to them and learn what is important to them today and in the future; ultimately, what keeps them up at night?” Finally, “Understand that business environments are constantly changing and if you don’t learn to help your customers change with them, they and you will fail. Once that is understood, then become a student of their industry; learn so much about their markets, environment, competition, customers and organization that you become their go-to person.”

By the way, he won a major global award for the campaign I had criticized so strongly. I have never forgotten that lesson, and it has served me well over the years.

I eventually went to work for Neopost, Pitney Bowes’ largest global competitor, but certainly at the time a pimple on the proverbial elephant’s you-know-what. I started in sales and moved up to sales management, branch management and eventually National Sales Manager responsible for all field operations.

We sold postage meters, mail machines, folding and inserting equipment, shipping systems and mailroom furniture. At the time it was the inbound and outbound document flow for all organizations. Competing against Pitney Bowes we had to learn to offer more value to the customer. We did that by learning about their internal and external information flow and helping improve efficiencies as well as secure their most critical information. The major difference from today is that it was primarily manual. That said, the challenge was still the same; how do I get the appropriate information in the right hands as quickly and effectively as possible in a secure manner?

When I became National Sales Manager almost 20 years ago, by listening to our customers, we recognized a growing trend. How do they become more efficient with their document and data processing needs? We came to the conclusion that by partnering with Xerox Business Services we could create a more efficient environment and combined, manage their copying, printing, mail and shipping needs. It was the first managed services partnership in the industry. I remember many a time speaking to XBS people at their training center in McLean, VA.

I ended up at Captaris in 2001 whose largest businesses were RightFax, the world’s leading fax server, and MediaLink, a broadcast fax and e-mail business. Again, the common theme was how do we get appropriate information in the right hands as quickly and effectively as possible and in a secure manner?

We had a lot of positive things going for us: great brand, strong global channel and market with close to 25,000 implementations. However it was obvious that it was a maturing challenged business. If we wanted to grow, we would have to change our culture and expand our capabilities and solutions for our customers.

In evaluating customer feedback they were asking us to go beyond document delivery and help them with process improvement, data storage and retrieval and document and meta-data scanning on the documents that we were already touching. We took the steps and added those capabilities and grew the business from just over $50M to above $140M, also growing recurring revenue from about $7M to close to $40M. The most interesting part was our core fax business almost doubled even though many thought it was dying. One primary reason was in the customers’ minds the ability to encrypt files in transport was the most secure way they could send information. Also, it provided them with validation that information was delivered.

Many of you have grown your businesses from hardware to supplies to MPS, software solutions etc. If you look at the industry’s large manufacturers they are all hustling to become major players in the electronic document delivery arenas. I applaud those of you who have figured this out. It is a challenge to take legacy successful businesses and risk changing them and making investments in new areas.

So what’s next? As you look at expanding your business models in these areas realize that data security has become an extremely high priority for you and your customers.

If you don’t think so look at the number of data security hits below identified by Google searching some security terms directly related to your businesses. It can be overwhelming for your customers. But for you it is an opportunity!

Secure Document, Data and File Management
• Secure Printing – About 186,000,000 results
• Secure Copying – About 55,800,000 results
• Secure Scanning – About 35,200,000 results
• Secure Managed Print Services – About 19,400,000 results
• Secure Document Management – About 27,200,000 results
• Secure Enterprise Content Management – About 26,800,000 results
• Secure E-mail – About 473,000,000 results
• Secure Faxing – About 7,080,000 results
• Secure Document Collaboration – About 3,440,000 results
• Secure File Collaboration – About 3,020,000 results
• Secure File Transfer – About 24,900,000 results
• Secure Mail Management – About 123,000,000 results

Assessments
• Secure Printing Assessments – About 37,500,000 results
• Secure Copying Assessments – About 41,400,000 results
• Secure Scanning Assessments – About 11,500,000 results
• Secure Managed Print Services Assessments – About 6,620,000 results
• Secure Document Management Assessments – About 3,650,000 results
• Secure Enterprise Content Management Assessments – About 4,340,000 results
• Secure e-mail Assessments – About 63,100,000 results
• Secure Faxing Assessments – About 26,500,000 results
• Secure Document Collaboration Assessments – About 5,030,000 results
• Secure File Collaboration Assessments – About 4,060,000 results
• Secure File Transfer Assessments – About 5,000,000 results
• Secure Mail Management Assessments – About 3,970,000 results

With your current relationships you have the opportunity to assist your customers in sorting through this maze. You can become the go-to organization for them. As my good friend Jim D’Emidio from Muratec said in his partner meeting presentation, “Mark your territory; if you don’t someone else is going to.”

So how do you get started? Some of you already have, with the tools being provided by some of the hardware manufacturers and software and service solutions available in the market. The question is, are you developing a data security practice and making it part of your culture, strategy, products and services?

Outside of traditional network, virus and malware security from a simplistic point of view, there are several places that an organization really needs to focus on to protect their data, files and documents.

• Where the data, file or document is created (computers, laptops, PDA, tablets, servers, hand written etc.)
• Where the data, file or document is stored (computers, laptops, PDA, tablets, servers, printers, scanners, copiers, fax machines, cloud, filing cabinets, outside party offsite facilities etc.)
• When a data, file or document is transported (mail, e-mail, fax, courier, scanning, collaboration tool, file transfer, hand delivered etc.)
• When data, file or documents are altered (as once that occurs you have to look at the first three bullets again)

Here are basic beginning questions you can ask inside your own organization and your customers to get you started.

1. Does your organization have a data governance plan?
2. Does your organization have a records management program?
3. Who are the key decision makers and influencers when it comes to data governance and security?
4. Has your organization identified and prioritized types of data, files and documents based on sensitivity?
5. Does your organization have any special compliance requirements based on your industry or business?
6. Do you have data security training built into your recruiting, orientation, succession and ongoing training programs?
7. How often and where do you print, scan, copy or fax your organization’s, customers’ or partners’ confidential records or information?
8. Can unauthorized employees, partners, visitors, customers, cleaning staff or delivery people access your printers, scanners and copiers?
9. Are your printers, scanners, copiers and fax machines that deal with sensitive data in a secure area?
10. Do you ever find confidential files on printers, scanners, copiers or fax machines located in unsecured areas?
11. Has anyone ever taken electronic or physical documents that they were not authorized to have?
12. Can copying, scanning or printing tasks be performed without the user having to provide proper authentication?
13. Do you need to share physical or electronic data, files or documents with outside parties?
14. Do you dispose of confidential documents without shredding, cross shredding or pulverizing them?
15. Are all hard drives wiped clean from servers, computers, laptops, mobile devices, printers, scanners, copiers, fax machines etc. before disposal?

In next month’s article I will focus on some products and solutions available in the market for you to look at providing in a data security practice.

Photo credit flattop341

The amount of personal information compromised through data breaches was on the rise in 2011.  According to the Privacy Rights Clearinghouse, about 30 million records were compromised in 2011 in 535 separate breaches in the United States.  That’s up from 12.3 million in 2010.  The numbers are much larger when viewed globally.

Most people assume that hackers using sophisticated techniques are to blame for all the data breaches.  In most cases it’s the simple things that trip up organizations.  Some don’t encrypt information inside databases.  This was the case with Sony.  Sensitive information is accessible on the Internet because someone left a server wide open.  This was the case with the Texas Comptroller.  People don’t take care of backup tapes or laptops and someone may steal them from a car.  That has happened all too often.

It’s important for anyone keeping sensitive data to encrypt it.  All current databases have built-in encryption, but someone has to implement it.  All sensitive documents should be encrypted using a persistent security policy so the author can control who can access them.  And make sure you don’t leave the keys (literally and figuratively) out so that anyone can easily come into your organization and steal something valuable.

So to conclude this year, here are 7 of the worst data breaches for 2011.  Hopefully things will improve in 2012.

1. Sony – hackers compromised 100 million records

In two separate incidents in April and May, Sony suffered data breaches that prevented people from using the PlayStation Network, Sony Online Entertainment and its “Qriocity” music service.  Hackers compromised over 100 million records, including 12 million unencrypted-credit card numbers.  Because of the breach Sony shut down these networks and most likely lost millions of dollars of revenue.  The culprit was lack of basic security on consumers personal data.  Most information was not encrypted and left wide open.

2. Tianya – social networking site leaked user names and passwords

On December 25, hackers accessed some 40 million users’ names and passwords from the Chinese social networking site Tianya.cn.  All the data was stored in clear text format instead of being encrypted.  This followed other recent compromises of Chinese sites where millions more records were leaked.  This again points to a lack of basic security.

3. Steam (Valve, Inc.) – gaming download site leaked personal data

A database containing 35 million user names, hashed and salted passwords, game purchases, email addresses, billing addresses and encrypted credit card information was accessed by hackers in November.  Because the Steam online digital store, game library and multiplayer network is used as a consolidation point for many people who purchase games, this breach could affect a lot more than just this network.  Fortunately credit card information was encrypted, but the fact that hackers got in at all is troublesome.

4. Epsilon – email database of major US companies compromised

In April, this marketing company had its database of email addresses compromised and about 50 million records were affected.  Epsilon provides email marketing services for large companies, including, JPMorgan Chase, Marriott, Verizon, Best Buy, Citibank and Target.  All the affected companies had to send out emails or letters to customers apologizing for the incident.  These lost emails make people vulnerable to “spear phishing,” which occurs when a criminal sends an email that sounds and looks like it’s from a company to the customer.

5. Tricare – computer backup tapes stolen from a car

Last September, someone stole backup tapes from the car of an employee of Science Applications International Corporation (SAIC), a defense contractor for Tricare.  The tapes had documents with the social security numbers, addresses, phone numbers, and other medical information of approximately 5 million patients.  The patients affected were treated at military hospitals and clinics during the last 20 years.  The breach led to a $4.9 billion lawsuit, which aims to compensate the victims.  SAIC is supposed to physically secure the tapes during transport, but obviously didn’t.

6. Texas Comptroller – server files publicly accessible

The names, addresses and social security numbers of 3.5 million people were inadvertently left on a publicly accessible state server by the Texas Comptroller’s Office for a year or longer.  The data was from the Teacher Retirement System of Texas, Texas Workforce Commission and the Employees Retirement System of Texas.  This is another example of not doing the basics to lock down information on a server.

7. Sutter – a desktop computer was stolen from building

Last October, some people broke into the offices of Sutter Health and stole a desktop computer.  It had names, addresses, dates of birth, phone numbers, email addresses, medical record numbers and health insurance plan names of about 3.3 million patients.  Another 943,000 Sutter Medical Foundation patients had descriptions of medical diagnoses exposed, too.  This was an old fashioned robbery.  Unfortunately nothing was encrypted so Sutter had to inform government authorities and everyone affected.

Photo credit 89_tintop

Imagine if the Founding Fathers of the United States had iPads when they were signing the Declaration of Independence or The US Constitution.  Rather than pulling out a big quill pen and dipping it in ink, each delegate could have walked up to the desk and signed the document with their finger.  In fact, they could have passed the iPad around to each other for signing rather than all walking up to the document.  That would have helped Ben Franklin, since he had gout and it was tough for him to stand up and walk.

If John Hancock and Thomas Jefferson used DocuSign Ink to sign an electronic version of The Declaration of Independence, not only would the iPad have captured their signature, but it would have put a time and date stamp along with the GPS coordinates of where they signed.  All of that information, including the document, would go to a secure storage area in the cloud and be retained.

If each of them had an iPad or iPhone, they could have routed the document from signer to signer and not even left their lodgings.  I know this would have ruined the pomp and circumstance around signing these historic documents, but it sure would have been more convenient.

Check out the short video below and join us on January 12, 2012 for an informative webinar on using electronic signatures in your business.  You might not be Ben Franklin, but signing your documents is just as important to you as signing The Declaration of Independence was to him. 

Photo credit Wikipedia