There are laws and regulations to regulate how organizations must handle and protect sensitive information. Some of the most notable include the following:
–Health Insurance Portability and Accountability Act of 1996 (HIPAA)
–Payment Card Industry (PCI) Data Security Standard
–Family Educational Rights and Privacy Act (FERPA)
Breach notification laws are currently in place in forty-two states and the District of Columbia, which govern the notification of individuals whose personal information has, or may have been, disclosed. The State of Iowa recently enacted a data breach notification law which went into effect July 1, 2008. The law requires that organizations with a data breach involving personal information notify individuals affected by the breach. The notification provision (set out in Senate File 2308) requires that notices include:
–A description of the breach
–The date of the breach
–The type of personal information disclosed in the breach
–Contact information for consumer reporting agencies
–Advice for reporting identity theft
Organizations and individuals must take proactive measures to minimize the risk of data breach. Everyone in an organization has a role in protecting information. The following are examples of steps you can take to help prevent data disclosure:
–Follow your organization’s cyber/information security policies
–Know how your organization has classified information and adhere to the appropriate controls in place
–Follow proper procedures for the destruction or disposal of media that contain sensitive data
–Participate in security awareness training
Remember, cybersecurity is everyone’s responsibility. Don’t be the weak link in the chain.
Hacking is one method of obtaining data such as Social Security numbers and credit card accounts.
Attackers may also use social engineering, phishing or other similar attempts to gain access.
These activities can translate into very large sums of revenue for those in the organized crime world.
While very sophisticated techniques are sometimes used to steal sensitive data, one of the most common threats comes from within the organization itself.
According to Deloitte’s 2007 Global Security Survey, 65 percent of respondents reported repeated external breaches.
Of those incidents, 18 percent stemmed from unintentional data leakage. The report also indicates that some of the surveyed data breaches went undetected for extended periods.
The loss or theft of data is not limited to electronic data loss or computer hacking.
Other possibilities include theft or loss of laptops, tapes and flash-drive devices or improper disposal of hard copy documents and computer equipment.
Data breach generally refers to instances where personal information is lost, stolen, hacked into, or accessed without permission.
Organizations and individuals have the responsibility of protecting confidential or sensitive information in their care and proper safekeeping of this data is vital.
Failure to do so can result not only in a breach, but also lead to damaged reputation, significant fines or loss of revenue, and other negative consequences.
Data breaches occur all too frequently, in both large and small organizations. The public and private sectors have been affected by data breaches.
The scope of this issue is large with more than 227 million records nationwide involved in a breach since February 2005.
This figure represents only those breaches that have been reported, so it may reflect only a portion of the actual occurrences. This is an issue that everyone must be aware of and take steps to mitigate.
In addition to data breach concerns, we must also recognize that data manipulation is a potential threat.
If we cannot trust the integrity of our data, and know that it has not been altered inappropriately, our ability to carry out our mission and serve our customers becomes impaired.
Some examples of data that must be protected include the following:
–Customer/employee information such as names, Social Security numbers, and credit card numbers
–Passwords and other computer security-related information
–Intellectual property
–Financial information
–Health records of individuals
Anti-virus software protects files by removing viruses and worms. Some anti-virus software may quarantine infected files in order to keep a virus from spreading on your computer. Some anti-virus software can repair infected files so you can use them without fear of damaging your computer or spreading a virus to others.
Without anti-virus software, you leave your system wide open to every kind of bug, worm, and virus hosted on the Internet. These viruses can cause your computer to malfunction, perform poorly, or steal your personally identifiable information (PII).
Install anti-virus software on your family or personal computer. Be sure to run daily updates. There are many vendors that supply anti-virus software, and cost can vary. Check with your Internet Service Provider (ISP) to see if anti-virus protection is included with your subscription.
A computer with properly installed anti-virus software will usually prompt you to update the program every once in a while. Look for common anti-virus software on your machine (Symantec, Sophos, McAfee, etc.).
Confidential data is personally identifiable information (PII) that you don't want anyone to obtain without your permission. This may include:
–Social Security number
–Phone numbers of friends/family/colleagues/students
–Driver's license numbers
–Bank account numbers
–Tax information
–Passwords or passphrases
–Home address or phone numbers
–Employee ID number
–Digital images
–Any personal electronic documents containing personal text
If any PII you are storing is stolen, the perpetrator could alter the information and use it to commit identity theft.
–Only store confidential information on your computer if it is absolutely necessary.
–Secure any portable media (CD, flash drive) in a locked cabinet when it is not being used. Once it is no longer needed, have the media shredded.
–Encrypt files containing PII. Most operating systems provide some type of data encryption. Refer to your operating system for instructions.
–Physically secure your computer (laptop or desktop) to the desk where it sits.
–Set your computer to ask you for an account password at login.
–Disable the "Guest" account. Use of this account can be untraceable.
"Phishing" (pronounced "fishing") refers to an attempt to acquire sensitive information. Phishing is used to steal usernames, passwords, and credit card details (and sometimes, indirectly, money), often for malicious reasons, by masquerading as a trustworthy entity in an electronic communication.
The most common communication types are email and text. Usually it involves getting the user to click a link in an email or text message and then enter information on a webpage.
There is usually no legitimate reason for anyone to request a password/passphrase or other sensitive data via email or text, and you should never respond to any such message.
–Take a deep breath.
–Change your passwords.
–Contact the organization that was spoofed.
–Scan your computer for viruses.
–Watch out for warning signs of identity theft.
–File a report with the FTC.
–Protect yourself against future phishing schemes.
Contact the 24/7/365 Security Operations Center (SOC) via phone at (515) 725-1296 or via email at soc@iowa.gov.