Monthly Archives: December 2014

How Your Legal Department Can Prepare for a Data Breach

Data breaches, and the work of preventing and responding to them, are usually treated as an IT problem, but other areas of the business must prepare as well. A company's legal department in particular needs to be more involved: reviewing contracts, amending them where needed and participating in the breach response team.

Contract Review

These days, almost all contracts need language that defines each party's responsibilities for preventing data breaches and for responding to them. Failing to include such language invites finger-pointing and lawsuits when a breach occurs. The contract language on data security must align with the company's internal data security policies, with any relevant regulatory requirements (such as HIPAA for healthcare data) and with third-party standards (such as PCI DSS for credit card data).

Not all of a firm’s contracts contain such language, and those that do may be out of date. Forward-thinking legal departments have their contracts organized using a contract management software system that enables them to search through and quickly identify which contracts contain no data security provisions and which need to be amended when policy or regulatory requirements change. Companies without such systems face a more laborious task of reviewing each contract manually—and doing so repeatedly, given the fast-changing regulatory landscape.

Breach Response Planning

A disaster recovery plan, which is executed when a disaster such as a fire, earthquake or flood disrupts the operations of the business, identifies a disaster response team. This team comprises representatives from each part of the business, and the plan defines each member's roles and responsibilities during a disaster.

Similarly, businesses should have data breach response plans and response teams. Team membership will vary from one firm to another, but it typically involves the IT, accounting, public relations and legal departments, and the company's senior leadership. These response plans outline the steps each team member must take to assess the scope of the incident, prevent further damage, investigate the cause and communicate with the media, customers, suppliers, law enforcement and (if applicable) shareholders.

The legal department’s role is to assess the firm’s contractual obligations regarding data breaches and ensure the company responds accordingly. Among the actions the legal department takes will be to determine, for each contract, whether the current data breach meets the definition in the contract and warrants action.

Disaster recovery planning experts recommend that disaster recovery plans be reviewed and tested regularly; testing includes having all the team members respond to a simulated disaster. The same approach should be taken for data breach response plans to keep strategies up to date and eliminate gaps or duplication of effort.

Data breaches, whether from hacking in from outside or from deliberate or accidental breaches within, are on the increase, and it is highly likely that all companies, large and small, will experience some sort of breach. Those that are not prepared may not survive to do it right the next time.

Written by Desh Urs

Desh Urs brings more than 20 years of entrepreneurial, start-up and Global 500 corporate experience in sales, marketing and general management to the customers of iBridge. He has led sales organizations as SVP at Qsent, Inc. and VP at Acxiom Corporation, and has focused on the usage of data in data distribution, direct marketing, fraud prevention, and law enforcement.

As a Vice President of Global Sales, Services, and Marketing at Silicon Graphics, Inc., Urs managed engineering and non-engineering functions, developing solutions in sciences, telecommunications, manufacturing, media, business, and defense intelligence, for companies with revenues of several billion dollars. During his tenure as Vice President at Think Tools AG and Brio Technology, Inc., he ran business development and alliances providing solutions in Business Intelligence and Decisions Cycle Management to Global 100 corporations worldwide. In the late 1980s, Urs founded Indus Systems, Inc., which he profitably sold to a systems integration company.

Urs serves on several Advisory Boards, as well as many company Boards, in the United States and India.

What Small Businesses Can Do to Prevent Data Breaches

Although large-scale data breaches of major corporations make the headlines, smaller businesses may be more vulnerable to an attack and less able to recover from one. Here are actions smaller businesses can take to keep their data safe from hackers.

We’ve all heard about the high-profile data breaches at major retailers, such as the ones at Target and Home Depot that compromised millions of customers’ credit and debit card records. Such information is a natural target for hackers, who can profit by selling the stolen records. Some attacks, however, such as the recent breach at Sony Pictures, are less about financial gain than embarrassing the targeted company.

Large companies become targets because of the data they have; even a small breach can be profitable for a hacker. These companies also have the resources both to defend against such attacks and to respond when there is a breach.

Smaller companies do not hold the same treasure trove of data, which contributes to a false sense of security. This is a dangerous attitude, considering how much small- and mid-sized businesses have to lose: they may not have the resources to pay for credit-monitoring services for all their customers, and might not withstand the hit to their reputations.

A few commonsense practices can make smaller companies less vulnerable to hackers:

  • Invest in a security audit. Have a professional analyze your systems for vulnerabilities and recommend actions to make them more secure.
  • Limit the customer data you store. You can't lose what you don't have. Look at your business processes and consider whether you can eliminate the storage of credit card numbers or other sensitive data. Most payment processors have ways to process credit card transactions without requiring local storage of credit card numbers.
  • Keep your systems up to date. Keeping your operating systems and software up to date eliminates many of the vulnerabilities that hackers rely on. Often, these updates can be automated.
  • Instead of trying to keep all your sensitive-data business processes (such as payment processing) in-house, consider farming them out to third parties that assume the risk and have dedicated security teams. Do your homework, though: find a provider with a good reputation, positive references and up-to-date security certifications, and examine their service agreement to confirm you aren't left liable in case of a breach.

While smaller businesses may not present as enticing a potential payoff to hackers, taking these few simple steps can make your small business an even less attractive target, and encourage hackers to set their sights elsewhere.

Written by Desh Urs

Accidental Data Breaches and How to Prevent Them

There are two basic ways that data breaches occur: deliberately (where someone, within or outside an organization, intentionally and maliciously accesses the organization's sensitive data) or accidentally. Within the "accidental" category, breaches occur either because procedures are not followed or because technical safeguards are not implemented and used. An effective data security plan incorporates both procedural and technical elements to prevent accidental data breaches.

A recent report by the State of California revealed that accidental data breaches account for 47% of all data breaches reported to the state government. Although accidental breaches accounted for only 7% of the compromised records, that is still a significant number. It's safe to assume that most or all could have been prevented by having comprehensive data security procedures in place and followed, and by implementing technical safeguards such as encryption.

Often, sensitive data is released because employees fail to recognize that the information is sensitive and needs to be protected. Paper documents with Social Security numbers or credit card data are put in the trash or recycling bin instead of being shredded, or healthcare records are “temporarily” placed on USB flash drives or laptops then misplaced. Everyone in the organization must be able to identify sensitive data, and the criteria for classifying data must be spelled out. A simple rule to follow is that all data should be sensitive until proven otherwise.

In other cases, policies on how to protect sensitive data are nonexistent, poorly understood or poorly enforced. Procedures that don't exist, are excessively complicated or are haphazardly enforced will not be followed. Policies should be clear and easy to follow, and everyone should be trained on them, not just once but on an ongoing basis.

Humans forget; they take shortcuts and they lose things. Technical safeguards can help where humans fail. Most computer operating systems can be configured to not only require user account passwords, but to require that the passwords meet certain complexity criteria and that users change their passwords periodically. Similarly, computers can automatically lock themselves when unattended.

Going further, many devices, such as laptops, tablets, smartphones and flash memory, can be configured so that data files are encrypted. The California report found that 26 percent of data breaches were due to lost or stolen physical devices, yet the data could not have been accessed had passwords been required. (A login password on its own does not protect a drive that is removed and read on another machine; the protection comes from encryption, with the password unlocking the key, which is why the two belong together.)

Even more sophisticated (and expensive) technical solutions are available, such as monitoring software that automatically identifies sensitive files and prevents them from being copied onto flash drives, emails or web pages.

No data security plan should rely solely on policies and procedures or on technical solutions. The best plans incorporate both.

Written by Dean Van Dyke, Vice President, Business Process Optimization

Dean Van Dyke is the Vice President of Business Process Optimization for iBridge. He brings more than 18 years of customer relations, business process outsourcing, lean six sigma, program/project management, records management, manufacturing, and vendor management experience to iBridge. Mr. Van Dyke was the former head of Microsoft's corporate records and information management team, and served honorably for over fourteen years in the U.S. Navy and Army National Guard. He received his Bachelor of Science in Business Administration from the University of South Dakota and his Master's in Business Administration from Colorado Technical University.

New Research Paper Excerpt – How Law Firms Are Affected By Cyber Threats

As corporations and governments are becoming more aware of the threat of cyber-attacks, they are taking more measures to increase the security of their sensitive data.

However, if the law firms that represent these clients do not similarly improve their cybersecurity, hackers will take the easy route and target the law firms to obtain the data. Eighty of the largest American law firms suffered a network breach in 2011.[23] In 2012, Chinese hackers targeted Canadian law firms involved in the proposed takeover of the world's largest potash producer by an Australian company, in an effort to stop the takeover.[24] One can easily imagine shoe designs being stolen from the patent lawyer for an apparel company, or confidential emails being stolen from the defense lawyer for a white-collar criminal defendant.

Unfortunately, most law firms are woefully underprepared for defending against cyber-attacks. According to a survey by LexisNexis:

  • 77% of law firms use only a confidentiality statement
  • 22% of law firms use email encryption
  • 14% of law firms use password-protected documents
  • 13% of law firms use a secure file-sharing site
  • 4% of law firms take no measures to secure data.[25]

However, the survey also revealed that 80% of law firms said a breach of privileged information would be consequential or very consequential.[26] The disconnect between the desire for security and the measures employed to provide it can be attributed to three factors: technological ignorance, a preference for simple sharing of information with clients, and a fear of substantial security costs.

[25] PRWeb, "LexisNexis Survey Paints Problematic Picture of File Sharing in Law Firms," May 28, 2014, http://www.prweb.com/releases/Law-firm/file-sharing/prweb11888131.htm (accessed August 16, 2014).
[26] Id.

Written by Desh Urs

Cloudy with a Chance of Lawsuits: Considerations in Cloud Data Storage

There are numerous advantages to cloud-based data storage, but there are also several potential pitfalls, including legal and security considerations. Companies considering a move to the cloud should carefully analyze their data and the statutory or contractual limits on what can be moved to the cloud and what cannot, and should weigh the practical and security aspects of such a move.

The cloud is a technical environment in which computing and data storage resources are housed on remote servers but accessed as easily as if they were on a local desktop computer. A goal of cloud-based computing is to make the experience so seamless that users neither know nor care that their computers are reaching across the Internet to access the data and programs they are using.

There are many advantages to migrating to a cloud-based computing environment. Programs housed on remote servers can be kept up to date more easily than those on local computers, and there is less need for fully equipped and staffed local data centers. Remotely hosted data is more likely to be backed up, and sometimes the total shutdown of a remote data center presents no problem because other data centers are available to handle the load, with the failover happening quickly and automatically and no impact on end users, their data or their programs. Data is also more easily shared, not only within an organization but with customers and suppliers.

However, the cloud has its drawbacks and unanswered questions. Legal, practical and security considerations must be addressed before company data is moved to the cloud:

Can I legally move my data to the cloud? Certain kinds of data, especially sensitive customer data such as credit cards, Social Security numbers or healthcare information, may be restricted by law from being housed on third-party storage servers. Sometimes, data stored in the cloud might cross international borders to get there, which can run afoul of export control laws. The legal landscape is not settled, and different jurisdictions (or even different judges) may look at the same question differently.

Individual contracts with customers or suppliers may also prevent certain data from being stored on a third-party server. These contracts should be checked carefully for explicit restrictions on cloud-based computing, or for terms that could be interpreted that way.

How secure is the cloud? When your data is on someone else’s servers, it is out of your control. Each cloud service handles security differently. Those worth their salt will have written security policies and remedies if security is compromised, and will allow independent security auditors to examine and certify their security practices.

What happens if there is a problem? Every cloud service provider should have a service level agreement (SLA) with its customers, which spells out what its obligations are when there is a problem of any kind. The SLA should tell you the service provider’s contact information, severity criteria and target response and resolution times for each type of problem.

Moving data to the cloud sounds tempting on the surface, but companies would do well to research the legalities before throwing their data into the care of a third-party provider.

Written by Desh Urs

eDiscovery: Beating the TAR Out of You?

As businesses and governments grow more reliant on computers for creating and storing documents and for communicating, records management has become simultaneously easier and more complicated. Electronic storage makes it easy to store more information than ever before, but it also reduces the incentive to properly dispose of materials at the end of their useful lives. The thinking is that if storage is not taking up any space in a file cabinet, why bother cleaning house?

One of the dangers is legal liability. In a lawsuit, all documents can be fair game for discovery. With electronic discovery tools and technology-assisted review (TAR), attorneys can quickly find damaging documents that might have been overlooked in physical discovery.

Space Preservation

When business records, documents, and communication were in paper form, these artifacts had to be carefully stored so they could be found again if needed. Even when space-reducing technologies were used, such as microfilm and microfiche, storage media still had to be carefully catalogued and took up a great deal of physical space. This provided an incentive to implement and follow more effective records-retention policies to move out old documents and make room for the new ones.

Today, paper documents have largely given way to electronic ones, and you can store hundreds of thousands on a hard drive that fits in your pocket. Documents can be found by electronic searching, by both metadata (information about the documents) and full-text (information in the documents). Although this convenience makes documents easier to manage and store, the incentive to physically discard old documents is gone.

Firms now must shift that incentive to limiting legal liability, which is a less visible threat than running out of file cabinet space. Where litigation discovery once took an army of lawyers months to go through truckloads of documents, eDiscovery tools and TAR can examine terabytes of data in short order, eliminating redundancies and picking out the documents most likely to be relevant using sophisticated search algorithms. If TAR turns up a key email you should have deleted years ago (had you only followed good record retention practices), you could face an uphill battle in court.

Better Record Retention Policy

So what does a good record retention policy look like? This answer varies from company to company and industry to industry. For some types of records, retention periods are defined by law or regulation; others should follow industry-standard best practices. Each type of record should be defined and the retention periods should be explicit. Usually retention periods are an absolute number of years after the records are created, or several years after some milestone.

Regardless of the specifics, an effective record retention policy should be written down and kept up to date. It also needs to be unambiguous and easy to follow, so that everyone responsible for business records can understand and apply the guidelines. Some policies require record owners to certify that they have maintained their records in line with the retention requirements.

Firms not disciplined and rigorous about record retention put themselves at legal risk. eDiscovery makes those needles easy to find, even in the largest of electronic haystacks.

Written by Desh Urs

Cyber Security & Secure Digital Communications – Filtering Through the Noise

Over the past several years, we have seen increased awareness of terms such as Cyber Security, Compliance, Privacy and Data Breach, terms that strike fear in the minds of management and operators alike, since they are the gatekeepers of sensitive and classified information. In the technology-driven world we live in, this affects almost every industry, and the nuclear industry is a prime target.

In this article, we will summarize Secure Messaging and Secure Content Delivery. We will cover the concept, benefits and best practices.

The Concept:

Secure Messaging and Secure Content Delivery are the ability to encrypt electronic communications and files exchanged between multiple parties. This is not a new concept: solutions have been around for decades, and more than likely you have already sent or received an encrypted message at some point. What has changed is a renewed focus by vendors on solutions that are more user-friendly, offer better security, and integrate more tightly with existing communication systems.

Secure Messaging is a small yet critical piece of your Cyber Security policy. A framework provided by the U.S. Nuclear Regulatory Commission (NRC) assists in identifying electronic assets that must be protected from cyber-attacks. Other federal regulators, including the North American Electric Reliability Corporation (NERC) and the Federal Energy Regulatory Commission (FERC), also participate to ensure digital assets are fully protected. These electronic assets are known as critical digital assets (CDAs), and more information can be found in Title 10 of the Code of Federal Regulations, 10 CFR 73.54: "Protection of Digital Computer and Communications Systems and Networks". U.S. commercial nuclear plants are required to provide proactive solutions that help protect communication systems.

NRC's Regulatory Guide 5.71 stipulates that products be free from known, testable vulnerabilities and malicious code, by eliminating malicious or undocumented functions that could allow unauthorized access to or use of systems.

Benefits and Best Practices:

It is easy to understand the value proposition of secure email. Besides providing multiple layers of encryption, these systems offer several features that may align with operational and functional objectives. The requirement and ability to secure CDAs is relevant, yet perhaps any communication between peers and co-workers should be encrypted, given the raised threat level and the industry they work in. When communicating with external partners, business associates and customers, a renewed focus on Security, Privacy and Compliance will only help to better train users and lower both legal and operational risks for the facility.

A growing concern for companies is faxing. Fax solutions are not secure: they use standard telephone lines to transmit sensitive information that can easily be intercepted with tools purchased from a local electronics store. Incoming faxes normally arrive at a central location and may not be collected when delivered. This poses a risk, since anyone with access to the fax machine also has free access to send, receive or read faxes.

Secure email is much safer than both traditional faxing and electronic faxing (e-Fax) solutions, as it offers useful intelligence and audit trails. Solutions exist where traceability and tracking features are embedded within messages. This not only ensures that communications and documents are delivered, but can also verify that the intended recipients received them safely. Documents can be sent in their native electronic format, which saves the recipient from having to re-scan a faxed document to store it electronically. Finance and HR departments are two functional areas where native file formats are required.

Solutions also exist where large-file delivery is embedded within the system, allowing more flexibility when sending large PDF or database files and reducing the costs of traditional courier and mailing services. Other intelligence features can include the ability to recall secure messages sent in error, or to set expiry periods on secure messages and/or attachments. Either feature gives users granular control, minimizing financial and legal risks. Capabilities not traditionally offered in regular email systems give organizations a distinct advantage when communicating both internally and externally: in the most subtle way, an organization can manage expectations and set accountability between users and parties. Adding further layers of encryption will only enhance the security policies and procedures already followed today.

The next time you review your internal Cyber Security policies, understand how simple email communications are being protected. This should go beyond traditional desktop email and also include email sent from phones and tablets. The most frequently used communication tools are sometimes taken for granted, which can lead to a lack of procedure or process, which in turn can lead to data leakage or to sensitive information being mistakenly sent to unintended recipients.

If you would like to review a solution or discuss this topic, please email desh.urs@ibridgellc.com.

Written by Desh Urs

Your Data and the Law: Unanswered Questions

In the U.S., the pace of technological advance outstrips the ability of the justice system to keep up. Courts are at a loss to fit new technologies into existing legal frameworks and theories. Judges are slow to extend traditional statutory and Constitutional protections to new industries and practices. Until the judiciary catches up, individuals should be careful with how they manage their personal electronic information.

Source: freedigitalphotos.net


One technological issue that the courts only recently have addressed is that of electronically stored information (ESI)—the documents, photos, emails, posts, tweets and computer files of all kinds that now pervade most of modern American life. Numerous legal questions have seen conflicting legal rulings (or no legal rulings) and therefore remain unresolved. For example:

  • Who owns your data? If you store data in the cloud, does it still belong to you, or to the cloud-storage custodian you have entrusted it to? If it is lost, or corrupted, or stolen, who is responsible, and what are the fair and equitable remedies?
  • Who owns data about you, and what are their responsibilities regarding that data? As the Edward Snowden leaks revealed, federal government agencies have met no resistance from phone companies when asking for data regarding people’s calling histories. Even if you do not technically own that data, should you have a right to be informed when the data they are requesting is about you?
  • What—and how much—data can reasonably be seized and searched by law enforcement with a search warrant?

Cases that address these questions (and others) are making their way through the court system and will become settled law. It will take time for law enforcement, prosecutors, defenders and judges to understand the intricacies of these questions and the underlying technologies, and how the existing laws and regulations address them. In the meantime, there are things you should think about regarding your own data:

  • Convenience vs. risk: Although it might make life easier to have documents, photos and other files stored in the cloud, ask yourself: What if the cloud storage company goes out of business, or has a catastrophic technical failure that renders your files temporarily or permanently inaccessible?
  • Protection from snooping: What is the cloud storage company’s policy regarding government requests to access your data? What are the limits to that access? Unless the courts decide otherwise, law enforcement has the right, with a warrant, to access all of your data, including items that are unrelated to the investigation. Even if you have nothing to hide, could the files you store be manipulated, put together and interpreted in a way that makes you (or someone else) look like a criminal?
  • What about your devices? The U.S. Supreme Court ruled unanimously that law enforcement cannot seize or search your cell phone without a warrant. If they obtain a warrant, however, there is nothing to stop them from examining details that have nothing to do with the investigation. It is also unclear how the ruling applies to other types of devices, such as your increasingly computerized and connected automobile.

None of this should discourage anyone from taking advantage of the technological advances making lives easier, more efficient, more informed and more connected. But until the law catches up with the technology, it would be wise to put thought into where you put your data.

Desh

Written by Desh Urs


Social Security Numbers: A Convenient Way to Get In Trouble


Social Security numbers (SSNs) are a great way to identify people; almost every U.S. citizen, even babies, has one, and each is unique. However, collecting, storing and using them outside of approved contexts not only can put you on the wrong side of state and federal laws, it can also make you a target for hackers.

In the beginning of the U.S. Social Security program, the now-familiar XXX-XX-XXXX number was used to track workers’ contributions and benefits, and nothing else. Over the years, governments at all levels, schools, hospitals, lenders and myriad other organizations found it was convenient to use these numbers to uniquely identify people, for many purposes. There was a time when SSNs were used for tax IDs, student IDs, employee IDs, insurance IDs, and much more. Many even had them printed on bank checks without thinking twice.

Then the Internet happened.

Source: freedigitalphotos.net


Almost overnight, the convenience that made SSNs so broadly used became a liability. Someone with your SSN and not much else could open credit accounts in your name, assume your identity and ruin you financially. Because they were everywhere, SSNs were easy for fraudsters to get. And the Internet, coupled with lax data security practices, made it easy to obtain, distribute, and misuse them.

Governments and businesses got wise and started putting restrictions on the collection and use of SSNs and rules on how they were to be protected. The federal government and over 40 states now have laws that prescribe how, and for what purposes, SSNs may be collected, stored and used by businesses and governments. The laws vary from state to state, but boil down to prohibiting businesses from asking for SSNs except for employment, taxation, background checks and medical treatment. Some states further require businesses that can collect SSNs to meet certain security standards for storing them. Many states also restrict the use of SSNs on printed or electronic documents.

If your business—or a business you deal with—collects SSNs, you should be asking why. If the answer is simply to identify people, the liability you are opening yourself up to outweighs the convenience. Find another way to identify people; most computer systems are good at this.

If you have a legitimate need to collect and store SSNs (and check the laws on what constitutes “legitimate,” not only for your state, but for other states you do business in, plus the federal laws), you had better make sure they are protected. The rules published by the Payment Card Industry (PCI) group for protecting credit card numbers provide good guidance for protecting SSNs and other forms of personally identifiable information as well. Some states also require SSN-collecting businesses to have written policies in place to inform customers how and why their SSNs are being collected and used; you may need an attorney to help draft these policies.

The consequences of falling afoul of these laws can be severe, plus the civil and reputational liabilities incurred if a data breach occurs. Reduce your risk by examining your SSN collection and use practices and get rid of any that are not legitimately needed.

Desh

Written by Desh Urs


Electronic Health Records: Boon or Boondoggle?


In 2009, the U.S. Congress passed the Health Information Technology for Economic and Clinical Health (HITECH) Act, which requires doctors’ offices and hospitals to implement electronic health record (EHR) systems. Facilities face penalties if they do not implement EHR systems meeting certain standards by 2015. The idea of EHR systems is to improve the quality of care by enabling patient health record interchange among doctors, nurses, and other healthcare professionals, to coordinate care, reduce duplicate tests and conflicting medications and reduce errors. Hospital IT departments have been working hard to implement EHR systems, and, as is often the case with large-scale IT projects, the results so far are mixed. Although nurses and doctors using some EHR systems are satisfied, in many other cases they feel that the systems are ineffective and difficult to use.

What sets the successful EHR implementations apart from the rest? The answer is no different for EHR systems than it is for other IT projects, large and small: Get the requirements right, and involve the end users.

Source: freedigitalphotos.net


Get the Requirements Right

A successful EHR project starts with a complete, correct set of user-level requirements. Although the HITECH Act provides a high-level framework to work within, many of the details of how users are to interact with the system are left to the system designers and developers. Getting these details right means considering all of the end users of the system (such as doctors, nurses, and facility administrators), the processes that must be supported, and the working environments in which the users will use the system. For example, a general practitioner working at a desk will use the system in a very different manner from a nurse working in a hospital emergency room. This is a formidable task, especially in large facilities with many departments (and possibly multiple locations), each of which has its own special needs.

Get the End Users Involved

So how do the designers identify, document, and validate all of these detailed user requirements? The end users must be involved in every phase of the implementation. They have to be observed in their working environments, they have to be interviewed, they have to review and confirm the documented requirements and they have to help test the system.

Apart from ensuring a complete set of requirements and getting the bugs out of the system before it is rolled out, keeping the end users involved gives them a sense of ownership and empowerment. The alternative—deciding for them and cramming it down their throats—is a recipe for low morale, high turnover, and difficulty in attracting talented personnel, plus poor-quality care for the patients.

Without good requirements and end user involvement (plus good project management), you can implement an EHR system that meets the letter of the HITECH law, but is a complete disaster for practitioners and patients alike.

Dean

Written by Dean Van Dyke, Vice President, Business Process Optimization

Dean Van Dyke is the Vice President of Business Process Optimization for iBridge. He brings more than 18 years of customer relations, business process outsourcing, lean six sigma, program/project management, records management, manufacturing, and vendor management experience to iBridge. Mr. Van Dyke was the former head of Microsoft’s corporate records and information management team, and served honorably for over fourteen years in the U.S. Navy and Army National Guard. He received his Bachelor of Science in Business Administration from the University of South Dakota and his Master’s in Business Administration from Colorado Technical University.