Kroll Fraud Solutions Blog – A Dialogue on Data Security

In the world of data security, high profile cyber hacking cases seem to be all the rage right now. There have been myriad government entities, social networking sites, industrial conglomerates and private companies of all stripes that have reported cyber breaches this year. With that in mind, it may not be the “in” thing right now, but we’d like to take a moment to point out that cyber hacking is probably the least of your organization’s worries. In fact, the factors that offer the biggest threat are downright low tech.

It seems as though there has been a renaissance recently in the fine art of notification critique. This has most likely been caused by the increased incidence of high profile breaches this year, followed by ubiquitous reprinting of notification letters in various media outlets – the perfect storm to stir up that process whereby every sentence, and sometimes every word, is picked apart in open forum.

At this time of year, travel-related identity theft gets a lot of attention, and with good reason. The increase in travelers means more opportunity for thieves, who know to step up their activities during the summer months – such as the recent increase in hotel pretexting that the Better Business Bureau has warned of that’s also making headlines. And as the line blurs between work and personal life, many of us carry our jobs with us even when traveling for pleasure, bringing along laptops, smartphones, and other mobile devices to stay connected to what’s happening at the office. These travelers bear a double burden – protecting their own sensitive information as well as that of their company.

As mentioned in the previous post, HB 300 covers lots of ground. One item that’s received a lot of public attention is the fact that the law includes a ban on selling personal health information (PHI) for profit. Violators of the ban could face fines of up to $5,000 per violation, and a $1.5 million cap for civil penalties. Also affecting consumers directly is a provision that requires covered entities utilizing electronic systems with sufficient capability to fulfill requests for health records within 15 business days.

It would appear that the state of Texas has taken the lead in the race to tighten existing health information privacy and security laws. HB 300, an amendment to the Health and Safety Code, was signed into law back in June by Governor Rick Perry. It adds significant restrictions and responsibilities over and above what’s required by HIPAA.