Blog Banner

New PCI DSS Requirements to Reduce Third Party Risk

Decorative image of credit cardsThis month, the PCI Security Standards Council published supplemental guidance to help organizations and their third-party service providers (TPSPs) reduce risk around payment data storage, processing and transmittal. By better understanding their respective roles, entities can more effectively meet PCI DSS compliance and secure the cardholder data environment.

Protecting Data as Breach Costs and Penalties Rise

Image of dollar signIf you can put your hand over your heart right now and say that employees are completely following your data governance policies to keep customer, partner, and fellow employee information safe, then you do not need to read further. However, for the rest of us, we suggest you read on.

FTC the “Other” Data Security Sheriff in Town

Decorative image of yellow people standing with Doctors lab coatsInformation security is top of mind in light of recent high profile breaches impacting millions of consumers. If you’re a healthcare organization, the need to protect patient data is paramount. The laws are getting more stringent and oversight from agencies other than HHS is around the corner.

The examples of this are clear. Consider the case involving LabMD, a medical testing laboratory and a covered entity under HIPAA. In August last year, the FTC filed a complaint against LabMD alleging the company exposed the personal information of about 10,000 people in two incidents. LabMD responded with its own missive: a motion to dismiss the complaint on the grounds that the FTC enforcement action clashed with HIPAA’s information security regulations.

SharePoint 2013 Tips – Part 5 Co-Authoring and OneDrive

In my final post of my five part series on SharePoint 2013 tips, I’m focusing on co-authoring and OneDrive for business. You can also read my last four blogs here:

  1. Part 1 Scale, Sprawl and Control
  2. Part 2 Sharing, Sending and Storage
  3. Part 3 SharePoint Branding and ILM
  4. Part 4 New Collaboration

Co-authoring

Co-authoring, or letting multiple users edit a document simultaneously, was introduced in SharePoint 2010. But there were all sorts of rules – Excel only worked with the OWA browser client, whole PowerPoint and Word only allowed co-authoring from the desktop “rich” client.  In Office 2013, it doesn’t matter – you can mix and match multiple clients simultaneously.   Everyone can see the changes as they are made – and you can see who else is editing and see when updates are posted.   For example, in Word, the window chrome at the bottom of the screen is informative:

HiSoftware at eduWeb to Discuss Web Governance & Accessibility

Logo for eduWeb ConferenceThe legal landscape of Web accessibility in higher education has changed. Colleges and universities face the increasing chance of liability due to inaccessible Web content, yet achieving full accessibility is still a problem for many.

The University of Minnesota Duluth put together a summary of some high profile cases in October last year to outline the numerous lawsuits. Included within the list were Louisiana Tech, South Carolina Technical College System, University of Montana, Florida State University, Northwestern University, New York University, Penn State University, Law School Admissions Council, Arizona State, Princeton, Reed, Pace, Darden School of Business, and Case Western. Each of these colleges and universities has faced litigation for inaccessible Web content and technologies. Typical Web inaccessibility issues include inaccessibility of course materials, Web sites, Web content and services such as class assignments, live chat and discussion boards, videos without captions or even Google Apps.

Australian Privacy Act: How to Protect Against Penalties

Australian FlagIf the renewed Australian Privacy Act took you by surprise, you are not alone. The majority of 100 information security managers surveyed at medium to large Australian organizations were unprepared for the new privacy laws. That’s going to be a problem though for many as Privacy Commissioner Timothy Pilgrim plans to take a serious view of any business failing to protect personal data.

The new legislation dictates that both private and public sector data breaches must be reported to the Office of the Australian Information Commissioner (OAIC), and consumers must be informed so they can take proactive steps to protect their data. To help enforce the legislation, the Privacy Commissioner can impose penalties for a breach of up to $340,000 for individuals and $1.7 million for companies.

Join HiSoftware at SharePoint Saturday NYC

SharePoint Saturday NYC is right around the corner and we hope to see you during the show. While in NYC, head on over to the HiSoftware Booth to learn more about our award-winning solutions for compliance and secure collaboration as well as our latest solution for SharePoint access and permissions management.

Decorative image of sheriff badgeMeet Our New Sheriff

While you’re at the booth be sure to ask about our latest solution Site Sheriff that leverages dynamic access, deny rules and a secure viewer to help ensure that only the right users can access the right content and help you keep confidential information in SharePoint.

  • Manage permissions through dynamic access and claims
  • Control access independent of location
  • Add security trimmings to the ribbon to control distribution
  • Provide secure document viewing with a zero footprint reader
  • Prevent downloads to desktop and mobiles
  • Lower the cost of managing sites

Book Signing with Chris McNulty!

Be one of the first 30 people to stop by our booth during the Lunch break from 12-12:40pm to receive a free signed copy of Chris’s latest book: SharePoint 2013 Consultant’s Handbook: A Practical Field Guide. Already have a copy? Bring it by for Chris to sign.

Speaking Session

Join our CTO, SharePoint MVP Chris McNulty, for his session:

Optimizing and Accelerating Your SharePoint Farm
Level: 300
Track: Advanced IT Pro
Time: 4:00 to 5:15pm

Join Chris for a review of memory and service optimization, high performance designs, disk and database optimization, security, and caching techniques to make things better. He’ll also review how to measure and interpret SharePoint’s own key performance indicators.

Decorative image of talking headTalk to Us

We welcome the opportunity to speak to you during the show about our award-winning HiSoftware Sheriff solutions to rein in compliance and secure collaboration in SharePoint.

  • Keep mission critical documents in SharePoint
  • Enforce governance and compliance policies
  • Secure document viewing and distribution control
  • Dynamic access and claims-driven permissions
  • Simplify Governance and Increase ROI
  • Built on SharePoint for ease of use and deployment

Interested in setting up a meeting or demo at the show?
Fill out a brief meeting request form or reply to this email with your preferred meeting date and time.

Examining Florida’s New FIPA Law for Data Breaches

Decorative image of the word privacyIn light of several recent massive customer data breaches, states have expanded their state information security laws to include different notification requirements.  Earlier this month, Florida enacted the Florida Information Protection Act of 2014 (“FIPA”), which replaced earlier version of a similar law.  While quite expansive, let’s take a brief look at the new FIPA—and see just how “new” a law it really is.

  1. FIPA’s definition of “personal information” is quite broad.  Most states define data breaches to be some identifying information (e.g. first initial and last name) PLUS some other data (e.g. bank account number, social security number, driver’s license number, etc).  FIPA has that as part of its definition.  What’s really new is that just a username/password combination constitutes “personal information.”  Suddenly thrown into the realm of data breach notification laws are the inclusion of bulletin boards and discussion sites.  A bit novel but not earth-shattering.
  2. FIPA requires notification to the Florida Attorney General when a breach involves 500 or more Florida residents.  This isn’t particularly novel as other states, such as California, Idaho, Louisiana, Maryland, New York, and New Jersey (plus a bunch of others) have had similar types of requirements for years.
  3. FIPA involves third-parties that hold or warehouse a company’s data, and then suffer a breach.  Again, this isn’t particularly new—Connecticut, for instance, has included a similar requirement since 2011.

Are these laws going too far and becoming too onerous for companies?  Certainly, that is the position of some attorneys and lobbyists.  Personally, I have very little sympathy for this position.  First, most laws (except some narrow outdated examples) provide a huge exception for encrypted data.  In other words, if your company gets hacked and suffers a data breach, there aren’t any notification requirements if that data is encrypted.  Given how robust modern encryption technologies are, this makes sense because the bad guys can’t access the underlying data.  Second, the enormous potential harm (e.g. identity theft, credit card fraud, etc.) and the comparatively low cost of data encryption shifts the burden squarely on the side of the companies holding customer data.

At the same time, there is one aspect of this issue where I do feel some sympathy for companies suffering a data breach—the confusing myriad of different state laws!  In this online age, it simply doesn’t make sense for more than 99% of online activities to monitor or even care about what state their visitors come from.  Yet the state where a customer resides makes all the difference in data breach notification.  Different states require different types of notifications to different people and at different times.  For all but the largest companies with the biggest legal teams, this is a nightmare.  This plethora of different state laws also makes non-compliance much more likely—which ultimately hurts consumers.  I would much rather see a uniform Federal data breach notification law.  Alternatively, professional organizations like the International Association of Privacy Professionals (IAPP) can create a model standard that states can choose to adopt—much in the same way that the American Bar Association’s Model Rules of Professional Conduct help shape different state bar ethical requirements.

Learn how HiSoftware’s automated encryption solutions help prevent data breaches.

Powered by WordPress