Is your organization responsible for complying with one or more of the many privacy-related pieces of legislation that the U.S. government has enacted over the past decade? It’s a good bet that it is.

Whether it’s the Health Insurance Portability and Accountability Act (HIPAA), which addresses healthcare information, the Gramm-Leach-Bliley Act (GLBA), which addresses financial information, or even the Family Educational Rights and Privacy Act (FERPA), which addresses education information, chances are good that one of these affects your organization in some way.

Compliance is nothing to fool around with, and it’s imperative that your organization understand its responsibilities for safeguarding protected data. Protected data is any information that someone could use to identify an individual. Information protected by legislation can include:

  • Salary and fringe benefits (except
    for federal employees)
  • Terms of employment (including performance
    and disciplinary records)
  • Academic and educational history
  • Criminal investigation and arrest history
  • Employment history (including general
    or security clearance information)
  • Biographical history
  • Social Security information
  • Identification codes
  • Personnel profile (including home
    address and phone number)
  • Medical history

Your organization’s network almost certainly contains or processes protected sensitive information. Unauthorized disclosure of such information could expose your organization to both civil and criminal liability. To protect yourself and your company, it’s vital that you implement some extra precautions.

Administrator responsibilities

If you’re responsible for the security of your company’s network, then you’re also responsible for overseeing the day-to-day collection, storage, and use of personal data subject to such legislation. You must apply adequate data security safeguards to protect data from the following:

  • Inappropriate disclosure
  • Improper use
  • Access by unauthorized or unapproved individuals
  • Data tampering

Individuals who fail to follow specific requirements can face fines up to $5,000 per violation, as well as misdemeanor charges. That’s one more reason your organization needs to take appropriate security measures to protect sensitive information. But don’t forget that security measures, no matter how solid, are only as good as the educated employee who wants to do the right thing.

Employee responsibilities

Your organization’s users are potentially the weakest link in your security efforts. You’ve heard it before, but it’s worth repeating: Educate your users.

To better protect sensitive data, train all users to do the following:

  • Label all media (e.g., disks and
    documents) containing sensitive information.
  • Securely store sensitive information.
  • Immediately notify supervisors of any
    security breach.
  • Don’t send unencrypted sensitive
    information via e-mail.
  • Log off or use a screen saver with a
    password when leaving workstations unattended.
  • Erase all data from hard disks before
    sending PCs off-site for maintenance.
  • Store data on network drives instead
    of workstations.
  • Be on the lookout for hardware
    keystroke loggers.

Final thoughts

Privacy-related legislation grew out of a concern over the potential misuse of the vast amounts and types
of personal information collected and maintained on corporate networks, which store,
manipulate, and transmit the data for a variety of reasons. Don’t become a
statistic in the news by mishandling protected information—protect that
information with adequate safeguards, and train your users to do the same.

Miss a column?

Check out the Security Solutions Archive,
and catch up on the most recent editions of Mike Mullins’ column.


Mike Mullins has served as an assistant
network administrator and a network security administrator for the U.S. Secret
Service and the Defense Information Systems Agency. He is currently the
director of operations for the Southern Theater Network Operations and Security