Experian & Market Research


BYOD leads to data breaches in the workplace

While technology has undoubtedly made accessing medical information much easier and faster, it has also increased the potential for medical data breaches, especially as health personnel begin to use insecure mobile devices for both personal and work use. With an increase in health care employees using their own tablets and smartphones in the workplace, many healthcare companies are considering adopting a Bring Your Own Device (BYOD) policy. However, many companies have failed to implement mobile data breach protection, breaking the HIPAA Security Rule, which requires healthcare companies to perform a risk analysis of the processes by which they protect the confidentiality of the electronic patient health information maintained by their organization. Companies are required to use the information gathered from that analysis to take measures that ensure the confidentiality of patient data and reduce risks to a reasonable level. If companies don’t comply and a data security breach occurs, they can be heavily fined by the U.S. Department of Health & Human Services.

Just recently, a teaching hospital and medical practice associated with a large university was fined $1.5 million over a data breach of patient information in which a laptop computer containing unencrypted data on 3,621 patients and research subjects was stolen. Hospital and practice officials were found guilty of violating the HIPAA Security Rule by not implementing data protection and security on their mobile devices. The loss of laptops, portable storage gadgets like thumb drives, and cell phones has already cost insurance companies, drugstores, medical practices, and even a government health and social services department millions of dollars in fines.

Unfortunately, this troubling trend doesn’t just affect the medical industry.  In August 2012, Coalfire (a firm that provides IT audit and risk assessment) surveyed 400 individuals across North America covering a variety of industries about their company’s mobile device security practic

Key statistics from the survey:

84 percent use the same smartphone for personal and work usage.

47 percent don’t have a password on their mobile phone.

51 percent said their companies cannot remotely wipe data from mobile devices if they are lost or stolen.

49 percent said their IT departments have not discussed mobile/cyber security with them.

Clearly, companies are not doing enough to protect themselves and their employees from the high cost of a data breach. As mobile devices become more popular and less expensive, workers will naturally want to use them for their jobs. Therefore, it is prudent for companies to adopt business data breach protection and security policies that protect not only their company data but also their pocketbook.


Controversial Cyber Security Bill Passes The House

Despite President Obama’s January signing of an Executive Order (EO) outlining national cyber security policies for protecting U.S. companies and government agencies against cyber threats, the controversial Cyber Intelligence Sharing and Protection Act (CISPA) passed in a 288-127 House vote, sending it to the Senate.¹

CISPA supporters say the act will help facilitate information sharing between private businesses and intelligence agencies, since it legally protects businesses that share suspicious data with agencies about their employees and customers, including email and social media activity. Under the mandate of “protecting the national security of the United States,” intelligence agencies are also allowed to collect personal information from businesses as needed. However, CISPA drew heavy criticism from civil liberties groups and technology companies regarding its lack of consumer privacy protections. Vague language and fear of unaccountable surveillance spurred opposition from civil liberties groups, who felt CISPA was more “surveillance legislation” than data protection and security legislation and gave too wide a berth to private information gathering under the guise of national security.

On the other hand, the Executive Order allows government data to be shared with private companies but does not include legal immunity for private sector companies that share people’s personal information with government agencies. Instead, it mandates that government agencies monitor the civil liberty impact of their cyber security programs and report on their effect on personal privacy.

In the current act, the rejection of four amendments on protecting privacy and personal information frustrated data privacy advocates. One of the rejected changes would have exempted the National Security Agency, the Department of Defense, and all military branches from receiving cyber threat information from private companies. Another rejected suggestion would have given consumers the right to hold companies legally responsible for misusing their private information or for any misuse leading to a data breach. A proposal for a President-selected officer to establish government policies and procedures on the “retention, use and disclosure” of shared data was also shot down. However, the most disappointing rejection was the amendment proposing that companies make reasonable efforts to remove all Personally Identifiable Information (PII) before sharing information with the government.

CISPA still has some hurdles to cross before becoming law. Members of the Senate voiced opposition to the failure of the PII amendment and expressed concern that the bill gives too much liability protection to companies that share information with the government. Even if CISPA reaches the White House, President Obama has already released a statement that he will veto the bill in its current form, citing the same concerns as the Senate. In 2012, the original CISPA act also met with opposition from the Obama administration, which now also has its own Executive Order to support.

As the debate continues over which piece of legislation ultimately becomes our nation’s cyber security standard, what’s clear is that there is a fine line between gathering data security information in the name of national security and protecting privacy. Ultimately, the legislation that wins will be the one that recognizes the importance of both data security and personal privacy while providing defined boundaries for each.


OTHER EXPERIAN SAMPLES:

Cyber Security Act of 2012 dies as an executive order is born


Secure your outsourcing practices to prevent data breaches


MMR Strategy Group provides clients with claim substantiation research and consulting intended to make sure that claims made on ads, package labels, and other marketing communications are supported by data.


When It Comes to “Up To” Claims, Make Sure You Have the Right Substantiation

We’ve all heard ads that make “up to” claims, such as “save up to 50%,” or “lose up to 10% of your body fat.” This post describes what these claims mean and how claim substantiation is conducted with these types of claims.

What are “up to” claims?

“Up to” claims, like other types of claims, are governed by the Claims Substantiation Principles set forth by the Federal Trade Commission. These principles for claim substantiation dictate that companies must be able to substantiate statements made in their advertising. In other words, if your company makes a claim about your product, it must be able to back up the claim.

An “up to” claim is a statement used to advertise a product containing the phrase “up to” in reference to an outcome generated by the product. Like other types of claims, the FTC’s position on “up to” claims is that before a company can make a statement about its product, the company must have a “reasonable basis” to support the claim.

What does the FTC say about “up to” claims and advertising substantiation?

The FTC’s definition of a “reasonable basis” depends on several factors relevant to claim substantiation. For example, the product, the type of claim, the cost of developing substantiation for the claim, the benefits of a truthful claim, the consequences of a false claim, and the definition of “reasonable” by experts in the field are some of the factors taken into consideration in claim substantiation (or advertising substantiation) matters.

The FTC’s position references a published study it commissioned in May 2012 examining how consumers responded to “up to” claims. The study was conducted in conjunction with an FTC matter involving five home window replacement companies that claimed their products would save homeowners “up to 47%” in energy costs.

According to the FTC, the study shows that when a company makes “up to” claims, many consumers are likely to expect that they personally will achieve the maximum “up to” results. This finding led the commission to implement a new standard on “up to” claims. As of today, the FTC’s position is that marketers “who advertise these claims should be able to substantiate that consumers are likely to achieve the maximum results promised under normal circumstances.” In a future post, we will provide information about how the study was done and give our opinion.

Why is claim substantiation important to advertisers?

The FTC released the “up to” study to provide guidance to companies on how to make claims. It also sent a clear message to advertisers to expect scrutiny when using “up to” claims. Companies that use “up to” claims should proceed with caution and make sure they have evidence that fulfills the “reasonable basis” requirement. Among other sources, such evidence can come from advertising substantiation surveys.

This article is online at:

http://mmrstrategy.com/when-it-comes-to-up-to-claims-make-sure-you-have-the-right-substantiation/


This article is online at:

http://mmrstrategy.com/why-you-should-almost-never-use-the-van-westendorp-pricing-model/
