Phishing Practices...

By William Hubbartt

Last month, news stories revealed that hackers had posed as customers to obtain credit card data from a leading credit card data processor. Private information on thousands of individuals had been disclosed, resulting in increased instances of identity theft and fraud. The embarrassed data firm promptly took corrective action, including notifying many credit card holders that their account data had likely been inappropriately disclosed.

Another potential threat these days is a practice referred to as “phishing.” A hacker engaged in phishing sends an authentic-appearing e-mail message to the consumer, suggesting that the consumer’s account may have been tampered with or altered and instructing the consumer to re-verify their account data. The consumer is referred to a phony web site that appears to be legitimate. Respondents who visit such sites and provide the requested account information soon find that their accounts have been accessed or their identity has been stolen for use in fraudulent purchases.

These stories demonstrate the need for individuals as well as organizations to exercise prudent care of financial, medical and personal data. Employers are urged to take steps to protect the confidential data held in company computers. Two important actions can help prevent this kind of unauthorized disclosure.

The organization's security officer or administrator should develop and implement a security incident reporting procedure. Any actual or potential security incidents should be recorded on a security incident report form.

It is important to clearly define who has access to private information and to spell out procedures for disclosure of private data when authorized. Violations can then be recognized. The security incident report form documents the incident and provides a basis to investigate and correct the situation.

In addition, it is recommended that employees be trained to recognize and be alert for common security incidents. Security threats and the proper responses to them can be covered in employee training.

Examples of security incidents may include one or more of the following:

  • actual or attempted theft of records, data, or system equipment;
  • actual or attempted access to records, data, or system equipment by an individual who is not authorized for such access;
  • actual or attempted disclosure of records, data, or system security controls by an individual who is not authorized to make such disclosures, or disclosure of them to unauthorized persons;
  • actual or attempted damage to or destruction of records, data, or system equipment;
  • accidental disclosure, damage, or destruction of records, data, or system equipment, or any other incident causing actual or attempted disclosure, damage, or destruction of records, data, or system equipment.

In the event of a security incident as described above, the employee should be instructed to immediately report the incident to the supervisor. The incident can then be documented on an incident report form, and the Security Officer or Administrator can conduct an investigation into the incident.

William S. Hubbartt is President of Hubbartt & Associates, a St. Charles, IL consulting firm specializing in preparation of policy manuals, privacy policies, and supervisory training. Mr. Hubbartt is author of “The HIPAA Security Rule – A Guide for Employers and Health Care Providers.”