Data Protection Laws and PIIs

Data Protection Laws and PIIs

Last week we discussed the overall concept of “Data Protection Laws,” which govern the handling and securing of specific data. While these laws are wide ranging, most of these laws reference Personally Identifiable Information (PII) This “refers to information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other personal or identifying information that is linked or linkable to a specific individual.” (https://www.gsa.gov/portal/content/104256) For example, if you possess an individual’s first initial and last name and store it with their credit card number, bank account, SSN or driver’s license number, that becomes a PII.

At the Federal level, the United States doesn’t have any overarching and comprehensive data protection laws of the sort that most European nations do, but they do exist and primarily affect individual sectors, such as healthcare. Presently 48 states in the US have some laws requiring private or governmental entities to notify anyone whose data has been breached. In other words, if you possess personal data, you may have a regulatory responsibility to report the breach to both a government entity and the individual victim. Failure to do so may mean you’re in violation of these laws and subject to fines and penalties.

So what does this mean for a small business? You need to be aware of the likelihood that you are regulated by such laws and that you have some responsibility to show that you have taken reasonable measures and put in place procedures to maintain the security and integrity of outside data.

As a responsible business owner, you have an obligation to be aware of any applicable laws, keeping in mind that your client or prospect data may include PII from those in other states or countries. You also have an obligation to protect that data. Keeping up with the best practices for protecting your important data from hackers and data thieves is an important responsibility of every small business. Contact a Managed Service provider to learn how they can support your business with a complete cyber protection plan.

Ransomware Part II

Ransomware Part II

In our last blog, we explained what ransomware is, and why it can be an especially troublesome virus. Today, let’s look at what you can do to avoid falling victim.Prevention is the best cure. Follow standard “data hygiene” principles that you probably hear about all of the time. Update your OS, software, and apps whenever a new release or patch is released. Do this ASAP. Some patches may be released solely as a result of the discovery of a vulnerability. Watch out for phishing scams. If anything looks “off” about an email, don’t open it. And never open links you aren’t totally sure of. If unsure, email back to the sender to verify they actually sent you a link. Unfortunately, human error is one of the biggest problems for data security. Employees unwittingly open links received via email or download information from insecure websites.

Beyond prevention, the most important thing you can do to make sure your data cannot be held ransom is strictly adhering to a regimen of backups. Routinely backup your data. However, with ransomware, even backups may not be foolproof. If your data has been infected and you are unaware of it, or the backup is not segregated from your network, your backups may also be corrupted. Given the severe consequences of a ransomware attack, consider having a security evaluation done by a managed service provider who will have the security expertise to advise on the best backup protocols for your situation. Ransomware presents some unique challenges that require more sophisticated data protection protocols. Contact a managed service provider for a complete security evaluation.

Ransomware part I

Ransomware part I

The daily reports of cybercrime are important reminders about the need to protect your business from malicious behavior that could threaten the success of your business. There are so many different things that can attack your computer, steal your data, and wreck your day. One of the most troublesome has been the development of ransomware. (FYI. Ransomware isn’t actually all that new– some version has been around for decades)  Ransomware is a type of computer virus that takes your data hostage and like any kidnapping scheme, demands money for the release of your data.

Why is ransomware so nasty? Because it steals the most important thing your business possesses. Data. Worse, once infected there isn’t generally a way out. No one can “disinfect” your machine. You aren’t going to be able to call in IT support to solve the problem. Basically, you have three options.

  1. Pay the ransom. This payment is usually via credit card or bitcoin (a digital currency). Some ransomware viruses even provide help lines if you’re having trouble. Of course there are no guarantees your will get access to your data–these are thieves you’re dealing with.
  2. Don’t pay and lose your data – This has its obvious downsides, unless…
  3. You have a safe, clean backup. In that case, you are stuck with the nuisance of restoring your data with the backup, but you aren’t out any money. However, this comes with a caveat: your backups have to be clean. The problem with ransomware viruses is that just making backups may not be sufficient to protect your data, as the backups can be infected also. In the next blog, we will address your need to add an additional layer of protection to handle ransomware attacks.

Humans cause so much trouble

Have you been focusing on software packages and anti-virus tools to protect your data from hacking? That may not be enough, because it overlooks one of the biggest causes of security breaches. All of the security software and expertise in the world is useless if you or your employees don’t remain vigilant about their behavior as it relates to hacking scams and data security. Human error remains the biggest cause of security breaches and data loss at almost all companies, large or small.

We just can’t remind you enough that you need to develop a culture of security among all of your employees. Changing passwords frequently, not sharing passwords, and learning to recognize and avoid opening nefarious emails are the top three lessons you need to reinforce with your employees. And don’t make it a once-in-a-while memo, make it part of your office culture, with ongoing reminders, links to articles explaining phishing scams, and routine reminders to change passwords. Contact your MSP if you’d like to learn more techniques to educate your employees about their data security responsibilities.