Security MSP Option for Small Business Owners

As pointed out by this article, when it comes to network security, small business owners are often “hampered by a lack of resources, fewer qualified security personnel, less money to buy necessary products, and more difficulties complying with regulations that often were written without companies of their size in mind.”  And, as pointed out in this article, a small business can be more of an attractive target for “spammers, botnet operators, and other attackers than a home user mainly because it has a treasure trove of valuable data without the sufficient IT and security resources to protect it.”  In fact, as reported by Business Week, some small businesses can even become victims of identity theft.

Unfortunately, given the increase in sophisticated attacks made against small business owners, it is becoming more and more difficult for these owners to deploy suitable resources.   One available option today to smaller companies is the “outsourcing” of security to a managed service provider.  MSPs who are focused on security and IT management for small business owners have network security resources and expertise built as their core competency.   Although it may seem to be the last thing a company would want to do, i.e., have another company take ownership over its network security, so long as the MSP is properly vetted and has clear staying power, there is little difference between using a MSP for data security or using a bank for financial security.

Is Privacy Really Dead?

According to this article, Facebook founder Mark Zuckerberg recently said that “privacy was no longer a ‘social norm”’.   This convenient point of view comes less than a month after Facebook changed the way it organizes user information.  Under the old system, people had the option of being  placed into regional networks like “North Jersey”, while the new system removes this distinction so that your information can be visible to any Facebook user and not just those in your network.   

As well, the new “Everyone” setting doesn’t just limit your page to Facebook users – it allows access to everyone on the Internet, including Google , Yahoo! and any other search engine spiders.  In other words, if you use the Facebook default settings – which many new users do – you will end up posting to anyone with online access and you may now also end up on a search engine results page.  LinkedIn has been doing this for years now.  This increase in exposure is obviously the goal behind the recent Facebook changes.  In other words, Facebook will be able to grow it’s user base beyond its already staggering 350 million users.

There is obviously a simple solution:  Limit your visability to those who are friends and curtail what you post on your page that is made visible to non-friends.  Go to this site for detailed information on how to set your Facebook privacy settings.  Privacy is not dead – unless you choose to let it die.

Planning for Disaster

Today is the one year anniversary of the “Miracle on the Hudson” – the day a plane landed in the Hudson River after its engines ate too many geese and shut down.  All of this took place literally shouting distance from New York City’s skyscrapers.  The captain of the plane as well as a group of passengers each wrote a book detailing this amazing story.  

The key takeaway from this event is that planning for disaster – whatever that might be for your business – is not a waste of time.  According to an account reported in his book, Captain “Sully” actually studied beforehand an ocean ditching similar to the one he performed in the Hudson River.

Law Firm Suing Chinese Developers Suffers Attack

Although law firms have been hit with network security attacks over the years and sustained significant losses in the process, it has never been the case that they were targeted simply because they chose the wrong side in a litigation.  That is until now.   According to this report, an exploit took place weeks after “filtering software firm CYBERsitter announced that it had retained Gipson Hoffman & Pancione to sue the Chinese government, two Chinese software developers and seven PC makers for allegedly distributing its software code as part of the Chinese state-sponsored filtering and monitoring program known as Green Dam Youth Escort.” 

There are reports of other attacks that were recently launched against Google and Yahoo! in order to retrieve account information regarding Chinese dissidents.   According to a report in The Economic Times, McAfee has stated that the Google attack exploited an Explorer flaw.   It will be interesting to see how these “China” exploits pan out in the coming weeks.

Are you ready for Data Privacy Day?

On January 28, 2010, the United States, Canada, and 27 EU countries will celebrate the second annual Data Privacy Day.  If you go to the Data Privacy Day website, you will see links to some helpful privacy resources.

It is with no small bit of irony that Data Privacy Day will also approximately mark the one-year anniversary of the Heartland Payment Systems data breach, the largest privacy data loss in history – potentially impacting over 100 million credit card transactions.   Heartland recently negotiated a $60 million Visa settlement fund that will be used to reimburse Visa’s issuing banks.

Data Breaches, Encryption and ICs

In 2009, there were 498 reported breaches involving over 222 million records.   And, of these 498 incidents, only six firms reported that they had deployed encryption or another strong security to  protect the exposed data.   This is not surprising given that most notification laws provide a safe harbor for encrypted data.  In other words, there would not have been a need to report. 

As well, of the reported records impacted by the breaches, 59% could be attributed to the conduct of independent contractors.  Last year, over 45% of all breached records – 16 million – were compromised by the actions of independent contractors. In fact, the Ponemon Institute reports that 29% of all breaches are caused by third-party negligence.   As the year progresses and budgets continue to be squeezed, the due diligence that was once used to vet vendors will unfortunately slip a bit. And, when vendor engagements start favoring pricing over controls, the resulting increase in vendor data loss may prove staggering.

Improving independent contractor due diligence by employing only those small business vendors with sound data protection practices in place will go a long way in improving your risk profile.  Moreover,  in addition to being a sound way to better protect sensitive data, encryption deployment has the added benefit of protecting you from notification laws and resulting lawsuits.  The public notices speak for themselves.

Data Theft by Former Employees

With unemployment now stretching past 10%, the Ponemon Institute “Data Loss Risks During Downsizing” survey conducted last year is more relevant than ever.  This survey found that 59% of employees who leave or are asked to leave a company are stealing proprietary or sensitive corporate data. Moreover, 79% of these respondents admit that their former employer did not permit them to leave with company data. Not surprisingly, 67% of respondents used their former company’s proprietary information to leverage a new job.

Still Looking for Guidance on EHR

Electronic health records (EHR) should be on the risk management fast track.  First, the FTC promulgated regulations that will require most hospitals to implement a written ID theft prevention program by June 2010.  California  and a few other states have already started requiring that healthcare providers implement technical and physical safeguards to protect patient medical information.  And now, Title XIII of the American Recovery and Reinvestment Act of 2009, also known as the Health Information Technology for Economic and Clinical Health Act (the HITECH Act), has its implementing regulations just now starting to change the EHR landscape. Thankfully, the HITECH Act provides significant funding for the development of this nationwide health information technology infrastructure.  Specifically, the law provides financial incentives through the Medicare program to encourage physicians and hospitals to adopt and use certified EHR .

The keys to the EHR kingdom turn on whether you are actually a “meaningful EHR user”.  Although some guidance was provided by a HHS working committee in June 2009, and further guidance in the form of a proposed rule was provided on December 30, 2009, a final rule on the definition has yet to be delivered.

According to the HHS December 30, 2009 Press Release, “The proposed rule would define the term “meaningful EHR user” as an eligible professional or eligible hospital that, during the specified reporting period, demonstrates meaningful use of certified EHR technology in a form and manner consistent with certain objectives and measures presented in the regulation.  These objectives and measures would include use of certified EHR technology in a manner that improves quality, safety, and efficiency of health care delivery, reduces health care disparities, engages patients and families, improves care coordination, improves population and public health, and ensures adequate privacy and security protections for personal health information.”

What exactly does this nested and partially circular definition mean to someone looking for guidance?   Not very much.   Until such time as the term “meaningful EHR user” is finalized, the door remains open as to just how far-reaching the HITECH Act will become.

CIT Group Bankruptcy

Down 38.49% in 2008, the S&P 500 experienced its worst performance in over seven decades.  In 2009, the S&P 500 bounced back and was up 19.67%.  Notworthy S&P news for small business owners, however, is the fact that CIT Group was booted from the index when it filed for bankruptcy – the 5th largest in U.S. history.   CIT was a HUGE lender to small businesses around the country.   As CIT’s marketing materials put it, “For more than 100 years, CIT has provided capital to small business and middle market customers. These sectors continue to play a vital role in the US economy and in overall employment, representing more than 90 million jobs.” 

Although the bankruptcy was a quick “pre-packaged” filing that had little real impact on its day-to-day operations, the impact on small business remains to be seen given the new shareholders of the company will be debtors, i.e., large financial institutions, and the most recent board members have a financial pedigree that favors big business interests.

Use Your Existing Providers to Reduce Litigation in 2010

It should come as no surprise that our current deep recession has been  boosting corporate litigation.  According to a CFO article published earlier in the year, “[l]egal wrangling is erupting across the board as aggrieved plaintiffs battle over breached labor contracts, unwarranted executive layoffs, dubious financial disclosures, broken supply chains, ailing strategic partnerships, ravaged 401(k) plans, unjust competitive practices, intellectual-property infringements, and curtailed credit lines.”  In fact, New York State’s courts will close out 2009 with 4.7 million cases – the highest tally ever – so the general litigation climate could probably not be any worse. 

Finding ways to cost-effectively manage this uptick in litigation can be a great challenge for shrinking or non-existent in-house departments.   You should tap into your existing service professionals.  It is never too late to use your existing providers – whether in insurance, law or accounting – to assess and implement loss control and prevention techniques and initiatives, advocate on your behalf with claims adjusters regarding existing claims, and coordinate existing litigation with outside counsel.  Much of this work should be included in your current service contracts or should be at a minimal additional charge.

Intellectual property and data breach counsel