Key Lessons From Serving on a Cybersecurity Panel at a Recent Conference
September 4, 2013
By: Robert J. Munnelly, Jr.
Robert Munnelly, Chair of the Murtha Cullina, LLP Information Security and Privacy Practice Group, served as a panelist on the subject of "Protecting Confidential Information from Cyber Thieves and Other Threats" at a national conference in late August 2013. The other panelists were the Chief Information Officer of a major international law firm and a Chicago-based technology expert. The following lessons learned from the conference panel discussions merit attention:
1. Hacking is Rampant. Anecdotal evidence, supported by near-weekly reports and press accounts of major breaches across America, suggests that aggressive, sophisticated and, in many cases, state-supported efforts are being made to access the electronic systems of many businesses to discover confidential information or to enable identity theft. Businesses should ensure strong external information technology ("IT") protections, test these protections periodically, and implement all software updates and patches. They should also consider employee training about "phishing" emails that seek to trick personnel into disclosing account information or downloading computer malware.
2. "Go Time" is Coming for New HIPAA Rules. Professional firms that are "business associates" (i.e., they receive personal health information ("PHI") from health care companies in order to provide services) will be subject to new "Omnibus" security rules effective September 23, 2013 and to the potential for heavy noncompliance fines. By that date, business associates should: (1) appoint a "security officer" responsible for implementing the rules, (2) undertake an assessment and implement policies and procedures to protect PHI in their possession, (3) instruct the provider to furnish only the "minimum necessary" PHI required to perform services, and (4) be prepared to implement the new, more objective test for determining PHI breaches.
3. Review Remote Device Security Policies. Requiring or allowing employees to use their personal communications devices for business purposes (Bring-Your-Own-Device programs or "BYOD") is common and raises security concerns if the phone, tablet, laptop, thumb drive or other mobile device is lost or stolen. Among other things, laptops and thumb drives containing sensitive information should be encrypted, devices that access business document and email systems should have automatic time-out periods and be password protected, and IT personnel should be able to wipe information remotely off lost or stolen devices.
4. Avoid Business Use of Dropbox and Other Free Cloud Sites. The terms of service for Dropbox, Google Docs and virtually all other free document management sites in the cloud are patently inadequate to protect confidential or sensitive business information or to assure recovery of the information at a later date; these sites may even reserve rights to use your data. Businesses should only place sensitive information on cloud sites with strong security protections – usually third-party sites requiring an agreement and payment, or cloud sites hosted by the business itself with strong security protections in place.
If you have any questions about the information contained in this Alert, please contact your Murtha Cullina attorney or a member of our Information Security and Privacy Group.