Up Front

News, trends, and analysis from the leading records management and information governance experts, ARMA International.

RISK MANAGEMENT

Organizations Must Manage New Risks

Traditional risk management can’t keep up with the risks of cyberspace, according to the Information Security Forum (ISF), the global authority on information security and information risk management, in its recent report “Threat Horizon 2014: Managing Risks When Threats Collide.”

“To take advantage of technology and cyberspace, organizations must manage new risks beyond those traditionally covered by the information security function, including attacks on reputation and all manner of technology,” the report stated.

The report identified three major categories of threats to today’s organizations:

• External threats, such as cybercrime
• Regulatory threats that result from regulators’ demands for more transparency and protection of data privacy
• Internal threats created by implementing new technologies without a clear understanding of the related security risks

While any of these threats is significant by itself, they pose even greater risk when combined.

CYBERCRIME

E-HEALTH RECORDS

EHRs Linked to Lower Malpractice

A new study by Harvard researchers suggests that doctors who keep electronic health records (EHRs) have fewer
malpractice claims.

The scientists’ findings were summarized in a research letter published in the June 25 issue of Archives of Internal Medicine. The findings were based on surveys of 275 physicians in 2005 and 2007. By looking at the physicians’ use of EHRs and the number of malpractice suits filed against them, it determined the rate of claims when EHRs were used was about one-sixth the rate of when EHRs were not used.

The researchers noted that since EHRs improve documentation, make patient visits more efficient, reduce medication errors, and generally make it easier for healthcare practitioners to track and manage their patients, it’s only logical that this would lead to lower malpractice claims or, at least, make them easier to defend.

Of course, unmeasured factors may also contribute to the reduction in malpractice claims attributed to EHRs. “[P]hysicians who were early adopters of EHRs may exhibit practice patterns that make them less likely to have malpractice claims, independent of EHR adoption,” wrote the researchers.

To encourage investment in EHR systems, the government offered some serious incentives. Eligible professionals can receive up to $44,000 over five years under the Medicare EHR Incentive Program and even more if they provide services in a health professional shortage area. Professionals who participate in the Medicaid EHR Incentive Program (which is voluntarily offered by individual states and territories) can receive up to $63,750 over six years. Hospital payments are based on numerous factors, but they begin with a $2 million base payment.

Hospitals had to begin their 90-day reporting period “to demonstrate meaningful use” of EHR by July 3 for the Medicare program. October 3 is the deadline for eligible professionals.

PRIVACY

Canadian Pharmaceutical Legislation Ignites Privacy Fears

Earlier this year, British Columbia’s (BC) Minister of Health Michael de Jong introduced the Pharmaceutical Services Act (Bill 35) intended to lower the price of generic drugs. But, the bill would also allow researchers to access personal health information stored by the provincial government, which has prompted privacy advocates, including BC Privacy Commissioner Elizabeth Denham, to voice their concerns.

“I have concerns about the reduced transparency of government’s decision-making and the infringement of personal privacy that will result from this bill,” said Denham in a letter to de Jong.

Further, according to a May 2 article in The Vancouver Sun, she is concerned about the bill granting the health minister the unrestricted right to disclose personal healthcare information – a concern echoed by Vincent Gogolek, executive director of the B.C. Freedom of Information and Privacy Association. “What were sound protections are now being eroded,” Gogolek asserted in an interview with the newspaper.

The Sun article postulates that it was in anticipation of the bill’s introduction that former health minister and current member of the Legislative Assembly Colin Hansen wrote an opinion piece for the paper in March that advocated the benefits of allowing medical researchers access to the data.

According to the May article, Hansen has cited as an example a recent University of British Columbia research study of almost 1 million school children’s prescription records during an 11-month period. The study revealed that the younger students in a class are much more likely than the older ones to be diagnosed with attention deficit and hyperactivity disorders, suggesting that doctors are, according to the article, “medicalizing a normal range of childhood behavior.”

Hansen contends there are sufficient safeguards in place to ensure anonymity of the records and prevent their wider release. Gogolek advocates giving individuals the right to specify that their records not be released, even anonymously.

PRIVACY

Snooping on Staff Social Media Use on Rise

Gartner’s recently published “Business Gets Social” report projects that by 2015, 60% of organizations will be watching their workers’ social media use for security breaches – compared to less than 10% who do so today.

New technologies and services have made it easier for organizations to monitor this activity, but there’s increasing concern about the ethics of doing so and the potential for it to infringe on employee privacy.

As Gartner acknowledged in its report, “There are … times when accessing the information can generate serious liabilities, such as a manager reviewing an employee’s Facebook profile to determine the employee’s religion or sexual orientation, in violation of equal employment opportunity and privacy regulations. The problem lies in the ability of surveillance tools and methods to produce large volumes of irrelevant information.”

DATA SECURITY

BYOD Security Risks on the Rise

The jury is still out on whether bring your own device (BYOD) is a blessing or a curse for organizations today.

A survey of 600 IT and business leaders sponsored by Cisco earlier this year found that 95% of the organizations allow employees to use their own personal devices on the corporate network. One of the biggest challenges to organizations is supporting those devices. Thirty-six percent of the organizations surveyed support all BYOD devices, and 48% support some devices. The remaining 11% don’t offer IT support for personal devices.

Many organizations feel that BYOD is a positive because employees are happier and tend to be more productive when working with their own devices. Ensuring they remain productive is the reason so many IT organizations are supporting personal devices.

Another large challenge for organizations with a BYOD policy is dealing with the associated security risks. According to the Cisco survey results, 69% of BYOD users were using unapproved applications on their devices, which is difficult to detect. The recent staggering increase in Android malware magnifies this problem.

Trend Micro’s TrendLabs reported 5,000 new malicious Android apps were found in the first quarter of 2012; that doubled to 10,000 new apps detected in just one month during the second quarter. The most common type of malicious application is disguised as a highly popular legitimate app. For example, Trend Micro reported, Google’s application market, Google Play, was breached with 17 malicious applications, which were
downloaded 700,000 times before Google discovered and removed them.

“The growth in Android malware demonstrates sustained and focused criminal interest in the mobile platform and particularly in the Android operating system,” said Rik Ferguson, director of security research and communications at Trend Micro.

“Criminals have always followed user behavior and they continue to do so. As we move steadily to the mobile web, mobile devices offer new avenues for criminal revenue generation alongside the continuation of the old. Consumers need to use care when downloading and installing apps and should be considering installing antimalware on their mobile devices.”

These challenges are going to continue to plague users and IT organizations. Especially when there are expected to be 19 billion network-connected devices – including smart phones, notebooks, tablets, and other gadgets – by 2016, according to Cisco Systems’ annual “Visual Networking Index Forecast” released in June.

PRIVACY

‘Internet of Things’ Sparks Privacy Concerns

There are more “things” connected to the Internet today than there are people. According to an April European Commission (EC) press release, the average person has at least two objects connected to the Internet, and by 2015, that number is expected to grow to seven for a total of 25 billion wirelessly connected devices globally. This has some experts contending that the world is entering the age of the “Internet of Things.”

This means that protecting data is no longer an issue associated only with computers; according to the press release, it extends to “everyday objects, such as phones, cars, household appliances, clothes, and even food” that are “connected to the Internet through smart chips, and can collect and share data.”

That concern was made clear in the early results of a public consultation recently undertaken by the EC that is due to be completed this summer. The consultation could be the first step toward regulation.

According to Ryan Heath, spokesperson for the commission’s Digital Agenda, in an interview with German International broadcaster DW.de, it could take up to three years for a legislative proposal to emerge from dialogue between the European Parliament and European Union member states. The trick is to protect privacy without strangling innovation from the bottom up, added Martin Spindler, a strategy consultant based in Berlin.

In the United States, the U.S. Senate passed this spring S. 1813: MAP-21, a bill that would require yet another “thing” to capture data; it mandates all vehicles to have an event data recorder, or “black box,” installed as of 2015. The House is considering similar legislation, HR 14: MAP-21.

The black box would record a standard set of data, such as direction of acceleration and time of airbag deployment, in a standardized format. What data is to be captured, what it can be used for, who owns the data, and who can legally access it are all still in need of answers and are being heatedly debated in Congress, according to a May 15 article on Edmunds insideline.com. The fear expressed by many is that the data could be accessed by the government, making it easier to monitor its people in a “Big Brother” scenario.

The Edmunds article says the Senate version specifies that the data is owned and can be accessed only by the vehicle owner except by court order and by emergency medical personal responding to a crash.

DATA PROTECTION

European Commission Refers Hungary to Top EU Court

The European Commission (EC) took issue with some of the reforms recently made by Hungary’s president. One of the legislative changes of particular concern would give the government the ability to fire the head of the country’s data protection agency at any time and effective immediately.

The EC questioned whether this was a violation of European Union (EU) law and referred it to the EU’s highest court in a dispute over government reforms. According to an article by German International broadcaster DW.de, the EC says the laws infringe on the independence of the judiciary and data protection agency. If the court agrees, the EC will require Hungary to change the law accordingly.

DATA SECURITY

FTC Sues Wyndham Hotels for Data Security Failures

Over the course of two years, hotel operator Wyndham Worldwide experienced three network data breaches,
which ultimately led to $10.6 million in fraudulent credit card charges on consumers’ accounts and the export of 600,000 account records to a domain registered in Russia.

Three occurrences in two years was a clear indication to the U.S. Federal Trade Commission (FTC) that Wyndham Worldwide and three of its subsidiaries had failed to employ appropriate information security practices. In June, the FTC filed a lawsuit against Wyndham alleging the hotel chain failed to “maintain reasonable and appropriate data security for consumers’ sensitive personal information.”

In the filing, the FTC’s allegations included that Wyndham:

• Failed to use readily available security measures to limit access to the network
• Allowed software at the hotels to be configured so as to store payment card information unencrypted
• Failed to ensure all hotels implemented adequate information security policies and procedures
• Failed to remedy known security vulnerabilities on network servers
• Failed to employ adequate password requirements and protection
• Failed to follow proper incident response procedures

How an organization responds to a breach is critical, said Mike Reagan, chief marketing officer at LogRhythm, in a CIO Today interview. Regan said the key question for executives is, “When a breach does happen, and know it will, how prepared are we to detect it and respond rapidly to minimize the damage?

“It’s unfortunate that the stick of the FTC is required to force the change in mindset and action for some organizations,” continued Reagan. “But for others, they’re recognizing the importance of this strategic imperative and are taking the right steps to increase their visibility and response capabilities to minimize loss and protect their customers and businesses.”

DATA SECURITY

Security Spending on the Increase

Small and medium-sized businesses (SMBs) globally are forecasted to increase their spending on security products and services 10% annually through 2016. Spending is currently more than $19 billion a year. Cloud security services, which account for 17% of that spending, are projected to increase to 24% by 2016.

These findings, from the recent study by Access Markets International (AMI) Partners Inc. and published in the 2012 Global SMB Security Market Assessment, seem to prove that security is a growing concern for all organizations with fewer than 1,000 employees.

The key drivers behind this intensifying concern and for the adoption of cloud-based security services in particular, according to AMI-Partners, are:

• Proliferation of mobile devices, including BYOD [personal devices used for business in a “bring your own device,” or BYOD, scenario], creating significantly heightening security risk exposure, which is becoming unmanageable
• Use of devices by employees to access and disseminate organization data in the same way they do in their private lives – through a variety of social media
• Tabs on security for all these devices are a major challenge for information and communications technology (ICT) management teams
• Weak prevailing economic conditions and capital expenditure restraints that mean the cloud payment model offers a better way of procuring sophisticated ICT solutions and keeping them up-to-date

Those best positioned to take advantage of the cloud-related growth, according to AMI Partners, are hosters.

In fact, according to the AMI study, nearly a third of SMBs said they would quickly switch their cloud service provider if desired service levels are not met.

Hosters are especially well positioned in the fast-growing U.S. cloud services market, noted AMI’s report. Investments in cloud services (e.g., software-as-a-service, web hosting, and remotely managed IT services) in the United States are expected to hit $34 billion in 2012, of which 46% will flow through hosters.

DATA SECURITY

Worst Data Breaches of 2012

As of July 3, the Identity Theft Resource Center (ITRC) reported it had tracked 213 U.S. data breaches in 2012, exposing about 8.5 million records. The key targets among the exposed records were payment cards and data related to customers, university students, and patients.

Among the top 15 breaches this year:

• The New York State Electric & Gas Co. located in Rochester, N.Y., suffered a breach that ex- posed 1.8 million files that contained customer Social Security numbers, dates of birth, and bank account numbers. The breach was caused by a contractor’s unauthorized access.
• Utah Department of Technology Services located in Salt Lake City, Utah, exposed 780,000 patient files related to Medicaid claims when the information was stolen from a server by hackers operating out of Europe.
• Emory Healthcare located in Georgia had 315,000 patient records exposed after the information stored on 10 computer disks went missing from a storage facility. A class action lawsuit could cost the hospital $200 million.
• South Carolina Department of Health and Human Services experienced a breach when a former employee was arrested for transferring medical information via e-mail, exposing 228,435 records.

In the absence of national requirements for breach reporting, the situation is getting worse, it said. On a positive note, the ITRC noted that:

• 96 breaches (45.1%) reported in the first half of 2012 included the exposure of Social Security Numbers, which is a significant drop from the 64.5% of the breaches that included that information during the first half of 2011.
• 41 breaches (19.2%) involved credit or debit cards, dropping considerably from the 34.6% of the breaches involving credit or debit cards in the same time period during 2011.

HEALTH RECORDS

Australia Launches E-Health Records

Despite the recommendation to delay from the National E-Health Transition Authority (NEHTA), Australia launched its Personally Controlled Electronic Health Record Project platform on July 1. The NEHTA warned that the system, which includes a consumer portal where people can compile their own medical information, was unstable with 60 high-severity and critical bugs, according to a July 24 article in The Australian.

Indeed, according to The Australian, the system was offline and unavailable for consumers for three days in its first week of public operation. While a spokesperson said the system was taken down intentionally to test its performance, other sources said the system had crashed.

Enrollment in the system has been slow – just 320 had registered in the first five days of operation, according to a July 9 article in The Sydney Morning Herald.While several of that article’s readers commented on the difficulty of registering, others have expressed concerns about the privacy of their personal information. During its development, the system was hacked, and the breach was not detected for several months, according to The Australian.

The system will be regulated against future privacy breaches by the privacy commission and the Office of the Australian Information Commission (OAIC), according to a July 2 article from Computerworld. Both OAIC and the privacy commissioner have recommended amending the country’s privacy act to allow the OAIC to consider civil penalty provisions.

COMPLIANCE

Compliance Departments’ Role Expanding

More regulation means more demand for compliance and on the compliance department. According to speakers at the Compliance Week 2012 conference in June, organizations are finally realizing the value of their data. Consequently protecting that data properly is becoming a significant element of their business strategy.

To whom will the chief executive officer (CEO) and board of directors turn to ensure this is happening? Not surprisingly, the compliance officer.

According to PricewaterhouseCoopers LLP (PWC) and Compliance Week’s “State of Compliance 2012” report, the “role of the compliance department is evolving into something akin to a primary care doctor: the physician who sets broad goals of health, monitors overall vital signs, and – most importantly – coordinates more specific medical needs with the specialists. Likewise, the chief compliance officer steers the corporation’s efforts to manage compliance and other organizational risks, while ultimate responsibility for those tasks still resides (or at least, should reside) with the business units that have the resources and expertise to respond.”

The obstacles to compliance becoming a proactive, fully integrated function are fragmented IT systems, tight budgets, shifting and growing regulatory requirements, and the challenge of proving the compliance program’s effectiveness, according to the PWC report.

One purpose of the annual survey, which was conducted in early 2012 and directed to senior-level compliance officers at U.S. corporations with annual revenue of $1 billion or more, is to learn what types of issues are dominating the compliance department’s time. This year the survey found the compliance department is now involved to some degree in “virtually every risk or regulatory issue – anti-trust, anti-corruption, ethics, import-export, supply chain social media, codes of conduct, and many more.” Hence, the reason for the primary physician metaphor. The compliance officer is working with IT, legal, internal audit, finance, and other specialists to provide guidance on risk and regulatory issues.

As a result, compliance departments also reported increased budgets and staff. Last year, 31% of respondents had budgets of less than $1 million; this year it dropped to 20%. The percentage with budgets of $3 million to $10 million increased from 14% to 21% this year. More than half (57%) of respondents said their department grew at least modestly in the last year. Only one-third reported no change in staffing levels.

This year’s report also found that reporting relationships “are moving toward the ideal of an independent chief compliance officer who answers to the board.” About one-third (32%) report formally to the audit committee; about the same percentage (33%) report formally to the general counsel; 20% report to the CEO.

“This falls in line with the U.S. Sentencing Guidelines’ revisions from 2010, which favor an independent compliance function that preferably reports to the audit committee and board,” noted the researchers. “In addition, corporate integrity agreements or other enforcement orders often stipulate that the CCO [chief compliance officer] must report to the board or the CEO.”

ARCHIVES

Dead Heads Rejoice

The University of California-Santa Cruz opened the Grateful Dead Archive to the public in June. The scholarly archive comprises the band’s collection, which was donated to the university four years ago.

An article in SFGate reported that the Dead collection consisted of “600 linear feet of office papers and the conference table the musicians sat at while shuffling those papers.” The collection has continued to grow.

Nicholas Meriwether, the counterculture historian hired specifically for this collection, told SFGate he doesn’t know how many items are in the collection and probably won’t know for years. Thousands of items have been cataloged; Meriwether chose 250 of those items, including concert posters, photos, and a letter from Jerry Garcia, for the exhibit.

DATA SECURITY

Information Leaks When Employees Leave Organizations

What happens to your information assets when an employee leaves your organization? Is there a chance that the data could be leaving the organization along with the employee?

A 2012 study by Vontu Inc. and Ponemon Institute found that nearly 60% of employees steal organization information when they leave or are fired. Of those, 67% admit to taking the information to a new employer. Even more startling is the reported statistic that only 15% of the employers in the study performed any sort of review of digital or paper documents that the employees were taking.

“Organizations must become more aware of the source of information loss, and then they can adopt best practices to
address the issue,” said Joseph Ansanelli, chief executive officer of Vontu. “We believe that companies need to focus on not only preventing customer information loss, but also on the loss of other confidential information such as source code, intellectual property, merger and acquisition information, design documents, network diagrams, and marketing documents.”

The survey reports that of the top data security breaches:

• 39% involved confidential business information
• 27% involved personal information about customers
• 14% involved intellectual property, including software source code
• 10% involved personal information about employees

Information protection takes many forms – some directed toward ensuring that only authorized employees have access to particular types of information; others toward the protection of physical assets and storage locations, such as server rooms; and others toward preventing the leakage of information.

In addition to information being pilfered by departing employees, it can be leaked through e-mail transmissions or even through employees’ “sharing” on social networking sites.

Information governance professionals can take a number of steps to address any of these situations. Some actions are self-evident, such as restricting access to physical file server rooms and databases and establishing security authorizations so only authorized individuals can access sensitive information.

According to the Generally Accepted Recordkeeping Principles® (www.arma.org) published by ARMA International, organizations also should:

1. Establish clear-cut policies regarding the acceptable use of organization information. These policies should establish corporate expectations for how employees use social networking sites and, generally, how company assets are managed.
2. Establish procedures for appropriate information sharing outside the organization. Sometimes, it is appropriate for corporate information to be shared with external parties, such as regulators, a judicial court or party to a lawsuit, a citizen exercising freedom of information rights, a third-party storage vendor, or potential business partners. In any of these cases, a procedure should be established to outline the parameters of acceptable use to protect the organization’s ownership of the intellectual capital.
3. Use technology to protect information whenever possible. Put into place data loss protection controls to prevent sensitive information from being e-mailed externally or to alert IT if a significant volume of information is being transmitted outside the organization. Use controls to limit unwarranted access to company information, even by current employees. Use passwords, file encryption, and specialized software that can remotely control mobile devices if they fall into the wrong hands.
4. Establish and implement an employee exit process that addresses use of information. Terminate access to the organization’s network immediately. Change passwords on organization assets and with any third-party vendors that the employee may have access to. Retrieve organization-issued devices prior to the employee’s departure. If the situation is very serious, a forensics expert can be called in to investigate.

SOCIAL MEDIA

Smithsonian Embraces Social Media in a Big Way

If you think you have social media challenges, consider the challenges for the Smithsonian Institute, which has:

Each of these accounts, says the institute, focuses on a different audience and specializes in a unique topic. And each is considered to have historical value. So, of course, the Smithsonian preserves them.

First and foremost, the working group advised in a July 1 press release, organizations that plan to use cloud computing should conduct a comprehensive and thorough risk analysis.

Meanwhile, Central Africa announced that it is routinely tracking Internet hackers daily. At the recent Internet Governance Forum in Central Africa, the director general of the National Agency for Information and Communication Technology said it had assigned a team to monitor cyberspace on a daily basis in search of hackers.