Wilson Technology Group and More

Your One Stop IT and Telecommunications Firm


Are You a Safe Internet User?

If you answer “Yes” to any of the following questions, you may be at risk:

1) Do you visit websites by clicking on links within an email?
2) Do you follow ad links from a website?
3) Do you reply to emails from companies or persons you are not familiar with?
4) Do you bank/shop online?
5) Do you reply to emails that offer deals/coupons or request your opinion?
6) Do you provide your personal/banking information as a result of an email notification?
7) Do you keep your Firewall and antivirus software up to date?
8) Do you use a non-secure logon and password?
9) Is your data unencrypted?

Find us at: http://www.wilsontechgroup.com
LinkedIn; Facebook


More on Data Security

What questions do you need to be asking yourself?

When was your last Risk Analysis? Did it include a vulnerability scan? Pen test? On-site walkthrough?

Encryption? Are your portable devices encrypted?

BYOD – do you have signed agreements in place?

What is your policy on employee use of social media? The breach notification clock starts when “known or, by exercising reasonable diligence would have been known.”

What does your HIPAA training say about security? Or does it only address privacy? For instance, does it cover passwords, use of mobile devices, proper use of email, etc.?

Do you have a contract with your vendors? Who is paying for breach remediation?



New Florida Data Breach Law Section 501.171

Section 501.171 repeals and wholly replaces Florida’s existing data breach law and went into effect on July 1, 2014. It applies to every business that handles “personal information” of Florida residents and requires these businesses to take proactive “reasonable measures” to secure data.

The definition of personal information is quite broad and includes social security numbers, healthcare information, health insurance policy numbers, credit card numbers, and “a user name or e-mail address, in combination with a password or security question and answer that would permit access to an online account.”

It includes a data records disposal provision: “…Such disposal shall involve shredding, erasing, or otherwise modifying the personal information in the records to make it unreadable or undecipherable through any means.”

There is no private right of action, but a “violation of this section shall be treated as an unfair or deceptive trade practice in any action brought by the Florida Attorney General…against a covered entity or third party agent.” Civil penalties are not to exceed $500,000 and will go into the General Revenue Fund.



The Office of Civil Rights (OCR)

The OCR has been quite active, particularly since 2011. Recent settlements include:

1) UCLA Health System, $865,500: workers were found snooping on celebrity patients
2) Alaska Dept. of HHS, $1.7M: an unencrypted portable media device was stolen from the care of an employee
3) Affinity Health Plan, $1,215,780: returned copiers to a leasing agent without erasing the copiers’ hard drives

Who has obligations? Regulated businesses include healthcare and financial services.

Nonregulated businesses also have obligations, enforced by the Federal Trade Commission (FTC). The FTC works for consumers to prevent fraudulent, deceptive and unfair business practices, and has the authority to pursue any company that has engaged in unfair or deceptive acts or practices in or affecting commerce. The FTC will take action against individual owners.

The Florida Information Protection Act (SB 1524) broadens Florida’s existing data breach law. It requires that each covered entity, governmental entity, or third party agent shall take reasonable measures to protect and secure data in electronic form containing personal information.

What is personal information? An individual’s first name or first initial and last name in combination with any one or more of the following data elements for that individual: SSN; driver’s license or ID card number; credit or debit card number (with security code, access code, or password); healthcare information; the individual’s health insurance policy number; etc.

What does it mean to take reasonable measures to protect and secure data in electronic form containing personal information? Businesses must address administrative, physical and technical safeguards.



The BYOD (Bring Your Own Device) Movement

According to Forbes Magazine, “the primary business driver is getting work done. Business users do not want to compromise. They want convenience. They want to be able to do the work without being tethered to their laptops. People deserve and demand a great user experience.” Thus the BYOD movement.

As of May 2013, 91% of US adults own a cell phone. This equates to 57% of all Americans going online using a mobile phone.

What else are people doing with their cell phones? Downloading applications!

The use of mobile devices has shifted from single use (one device for work and one device for personal) to dual use – one device for both work and personal. Why? Convenience, increased integration of work and personal lives, less maintenance and increased cost savings are the reasons.


The Focus is on Data Security

It is not difficult to understand why there is a current focus on data security. Target had 70 million records compromised along with 40 million cards. They are facing 100+ lawsuits and numerous investigations by the AG and FTC. HIPAA breaches have impacted more than 31 million individuals resulting in class action suits and government investigations.

The OCR (Office of Civil Rights) is becoming more active. It has settled 19 suits since 2011 totaling $22,546,500. These numbers will likely pale in comparison to the next 12 months.

What does the OCR look for? A few of the identified problems include: failure to conduct a Risk Analysis in response to a new environment; portable devices; and workforce numbers.

Employees need to be trained, and retrained on an ongoing basis. Appropriate sanctions need to be applied. Security measures need to be installed to monitor for unauthorized access, such as workforce members repeatedly snooping on patient records.

Portable devices need encryption and security measures. Policies and procedures are needed which address incident identification, reporting and response. Access by unauthorized users needs to be restricted.
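The monitoring control called for above (catching workforce members who repeatedly open records of patients they are not treating) can be implemented as a review over the EHR audit log. The script below is an added example, not code from Wilson Technology Group or from any EHR product; it assumes a simple one-line-per-access log format and a care-team assignment table, both constructed here for illustration. A user is flagged once they have viewed a threshold number of distinct patients outside their assignments, while single out-of-assignment accesses are still recorded for the reviewer.

```python
"""Audit-log review for repeated unauthorized record access (snooping).

Added example. Log format and assignment table are assumptions
constructed for this illustration, not a real EHR's schema.
"""
import re
from collections import defaultdict

# Constructed sample audit log: one record access per line.
SAMPLE_LOG = """\
2014-07-01T08:02:11 user=nurse_a patient=P1001 action=VIEW
2014-07-01T08:05:40 user=nurse_a patient=P1002 action=VIEW
2014-07-01T09:10:03 user=clerk_b patient=P2001 action=VIEW
2014-07-01T09:11:27 user=clerk_b patient=P2002 action=VIEW
2014-07-01T09:12:50 user=clerk_b patient=P2003 action=VIEW
2014-07-01T09:14:05 user=clerk_b patient=P2004 action=VIEW
2014-07-01T10:30:00 user=nurse_a patient=P2001 action=VIEW
2014-07-01T11:00:00 user=dr_c patient=P3001 action=UPDATE
"""

# Constructed care-team table: patients each workforce member is assigned to.
# In practice this would be exported from the scheduling or EHR system.
ASSIGNMENTS = {
    "nurse_a": {"P1001", "P1002"},
    "clerk_b": {"P2001"},
    "dr_c": {"P3001"},
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) patient=(?P<patient>\S+) action=(?P<action>\S+)$"
)


def parse_log(text):
    """Parse audit lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def unassigned_accesses(events, assignments):
    """Return {user: [patient, ...]} for every access outside the user's care team.

    A user missing from the assignment table has no allowed patients, so all
    of their accesses are reported.
    """
    out = defaultdict(list)
    for ev in events:
        allowed = assignments.get(ev["user"], set())
        if ev["patient"] not in allowed:
            out[ev["user"]].append(ev["patient"])
    return dict(out)


def flag_snooping(events, assignments, threshold=3):
    """Users whose number of distinct unassigned patients reaches the threshold."""
    flagged = {}
    for user, patients in unassigned_accesses(events, assignments).items():
        distinct = sorted(set(patients))
        if len(distinct) >= threshold:
            flagged[user] = distinct
    return flagged


def review(text=SAMPLE_LOG, assignments=ASSIGNMENTS, threshold=3):
    """Run the full review over a log text and return the flagged users."""
    return flag_snooping(parse_log(text), assignments, threshold)


if __name__ == "__main__":
    for user, patients in review().items():
        print(f"REVIEW: {user} viewed {len(patients)} unassigned records: {', '.join(patients)}")
```

On the sample data only clerk_b is flagged; nurse_a's single access to P2001 stays in the unassigned list for the reviewer but does not trip the threshold. A production version would need a break-glass mechanism (documented emergency access excluded from the count) and a time window on the threshold, both left out here to keep the logic visible.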
