Category Archives: Security

Examining Florida’s New FIPA Law for Data Breaches

In light of several recent massive customer data breaches, states have expanded their state information security laws to include different notification requirements.  Earlier this month, Florida enacted the Florida Information Protection Act of 2014 (“FIPA”), which replaced an earlier version of a similar law.  While the law is quite expansive, let’s take a brief look at the new FIPA—and see just how “new” a law it really is.

  1. FIPA’s definition of “personal information” is quite broad.  Most states define data breaches to be some identifying information (e.g. first initial and last name) PLUS some other data (e.g. bank account number, social security number, driver’s license number, etc.).  FIPA has that as part of its definition.  What’s really new is that just a username/password combination constitutes “personal information.”  Suddenly, bulletin boards and discussion sites are thrown into the realm of data breach notification laws.  A bit novel but not earth-shattering.
  2. FIPA requires notification to the Florida Attorney General when a breach involves 500 or more Florida residents.  This isn’t particularly novel as other states, such as California, Idaho, Louisiana, Maryland, New York, and New Jersey (plus a bunch of others) have had similar types of requirements for years.
  3. FIPA involves third-parties that hold or warehouse a company’s data, and then suffer a breach.  Again, this isn’t particularly new—Connecticut, for instance, has included a similar requirement since 2011.

Are these laws going too far and becoming too onerous for companies?  Certainly, that is the position of some attorneys and lobbyists.  Personally, I have very little sympathy for this position.  First, most laws (except some narrow outdated examples) provide a huge exception for encrypted data.  In other words, if your company gets hacked and suffers a data breach, there aren’t any notification requirements if that data is encrypted.  Given how robust modern encryption technologies are, this makes sense because the bad guys can’t access the underlying data.  Second, the enormous potential harm (e.g. identity theft, credit card fraud, etc.) and the comparatively low cost of data encryption shift the burden squarely on the side of the companies holding customer data.

At the same time, there is one aspect of this issue where I do feel some sympathy for companies suffering a data breach—the confusing myriad of different state laws!  In this online age, it simply doesn’t make sense for more than 99% of online activities to monitor or even care about what state their visitors come from.  Yet the state where a customer resides makes all the difference in data breach notification.  Different states require different types of notifications to different people and at different times.  For all but the largest companies with the biggest legal teams, this is a nightmare.  This plethora of different state laws also makes non-compliance much more likely—which ultimately hurts consumers.  I would much rather see a uniform Federal data breach notification law.  Alternatively, professional organizations like the International Association of Privacy Professionals (IAPP) can create a model standard that states can choose to adopt—much in the same way that the American Bar Association’s Model Rules of Professional Conduct help shape different state bar ethical requirements.

Learn how HiSoftware’s automated encryption solutions help prevent data breaches.

SharePoint’s Most Wanted Governance Offenders

Earlier this year, we asked you to tell us about the biggest offenders in SharePoint who are constantly putting their organizations at risk, bypassing governance and training, and whose bad habits are frustrating their co-workers. Meet the 5 Most Wanted characters we uncovered in our new infographic, and learn a few helpful tips to stop them in their tracks.

Download a copy of the SharePoint’s Most Wanted Governance Offenders Infographic.

Life, Liberty and the Pursuit of Compliance

As we head into this Fourth of July weekend in the US, I started thinking about the Declaration of Independence and the well-known phrase “Life, Liberty and the pursuit of Happiness”.

This got me thinking about the industries we support and the many regulations our customers must comply with in order to keep their customers’ and employees’ personal information safe. These compliance regulations are designed to help support the idea that you will be free to pursue your life in an information-driven, digital world without jeopardizing your privacy.

Managing SharePoint Sprawl and Inherited Permissions – Webinar Wrap-Up

Image of too many locks on gate by Chris McNulty

We just wrapped up one of the largest webinars in HiSoftware’s history, “Reining in Sites and Permission with SharePoint”.  Let’s catch our breath.  And if you need to catch up, here it is.

As SharePoint has grown and matured over the years, so has its content.  For more than seven years, SharePoint has had the ability to apply item-level permissions to documents.  However, tactics that work well for a few hundred documents are daunting for millions of mission-critical documents.  Microsoft provides some native tools and techniques for managing capacity and governing unique permissions – but the result can still be almost untamable.

Our newest product, HiSoftware Site Sheriff™, solves many of these problems.  Among its highlights:

  • Dynamic access to content using business rules based on metadata and user claims.
  • “Deny” rules to ensure sensitive content is kept secure, regardless of local permissions in the library.
  • Controls the distribution and editing of documents by using a browser-based secure viewer.
  • Limits user actions by dynamically trimming menus, ribbons and interfaces to precisely permitted actions.

Webinar: Do You Have SharePoint Site Headaches?

Every year, the volume of enterprise content in SharePoint grows. Now, more than ever, organizations are also using SharePoint for mission-critical, confidential, sensitive or highly regulated documents.

Microsoft has made great strides in capacity and performance – but the scale of content management is daunting for most IT teams. Setting up individual permissions on each separate document is overwhelming, and the sprawling architecture of thousands of small redundant sites is just as challenging.

Some common problems include:

  • Keeping up with document growth while preventing site sprawl.
  • Using business rules instead of IT security to dynamically control access.
  • Keeping managed content inside SharePoint instead of email and unmanaged storage.
  • Streamlining the user interface and accelerating user adoption.

Is Permissions Inheritance the Best Method for Governing SharePoint Access?

Businesses are demanding technology that provides higher productivity and greater flexibility to provide value to their customers and generate new customers. It also needs to enable more effective partnerships and lower the cost of doing business. SharePoint is purchased for a number of reasons, but generally the primary purpose is to foster the collaboration and information sharing required to achieve these objectives.

Earlier this month we launched our latest product, HiSoftware Site Sheriff. We’ve published a new white paper that looks at SharePoint in the context of Microsoft’s recommended inheritance model. The paper examines and provides answers to the following questions:

  • Where does inheritance work and what are its limits?
  • How does the inheritance model fit in with the emergent era of claims and the demand for non-employee access?
  • Can using inheritance actually stop effective collaboration and cost SharePoint customers more in terms of time and administrative effort?

New Site Sheriff Brings Dynamic Access, Deny Rules and Secure Viewing to SharePoint

Site Sheriff leverages dynamic access, deny rules and a secure viewer to allow a wide variety of secure sharing scenarios and keep confidential information in SharePoint.

One of a site administrator’s biggest challenges is knowing who has access to what, and who can see what, in SharePoint. Administrators waste time and energy trying to balance how to maintain inheritance while avoiding the continual proliferation of new sites in order to manage security and permissions. Even if security is well-configured, users can move or copy content to unsecure, unmanaged platforms like email and desktops, circumventing those controls.

To solve this issue, HiSoftware today announced HiSoftware Site Sheriff™, a new solution that leverages dynamic access, deny rules and a zero-footprint secure viewer to allow a wide variety of secure sharing scenarios and keep confidential information in SharePoint.

SPTechCon: SharePoint Compliance & Security, Chris McNulty Book Signing & More

SharePoint security continues to be an ever-present concern for organizations. Consider some recent stats on content security:

  • 46%, out of the 60% who indicated that their companies support BYOD, say that their companies do not use tools or policies to protect corporate data (survey results reported by Bank Systems & Technology).
  • Only 15% of respondents said their information governance plan is “in place, it’s important and it’s communicated and enforced” (AIIM survey of 548 members of its community).

Next week, join HiSoftware at SPTechCon: The SharePoint Technology Conference in San Francisco to discuss these issues and how to keep SharePoint secure while maximizing your investment in the collaboration platform. Head on over to the HiSoftware Booth (605) to learn more about our award-winning solutions for secure collaboration and have some fun Sheriff style!

BBC Reports: 2014 the Year of Encryption

The BBC reported that 2014 is the year of encryption. The article points to government surveillance and the threat of attacks from hackers as the main causes. Dave Frymier, chief information security officer at Unisys, a Pennsylvania-based IT company, advised in the article:

Rather than encrypting everything, Mr Frymier advocates that companies identify what he believes is the 5%-15% of their data that is really confidential, and use encryption to protect just that.

He says employees should then be barred from accessing this data using standard desktop and laptop machines or their own smartphones or tablets, which can easily be infected with malware. Access would be restricted to employees using secure “hardened” computers.

Outside threats are a huge concern, but effective content security needs to be handled from the inside. Forrester reported that 75% of data breaches come from within a company. Of these, 63% result from an employee losing or misplacing corporate assets; 12% were breached with ill intent.
