Last week we mentioned that over a million MA residents have been affected by data breaches since the Office of Consumer Affairs started keeping track in October of 2007.
If your business is based in Massachusetts or your company does business there, you may be affected by the new state encryption law starting March 1. Kanguru has a new whitepaper available that explains the law and how to meet compliance requirements.
Learn more:
Kanguru Whitepaper – Massachusetts Data Encryption Law (PDF)
Kanguru Website – General compliance information for Public Sector, Financial Services and Healthcare organizations.
Data Security
In the last two years, 1,057,560 Massachusetts residents have been affected by reported data breach incidents according to a report released by the Commonwealth (PDF).
A new Massachusetts law, set to go into effect on March 1, 2010, will require that “personal information” stored on laptops and other portable devices must be encrypted. Personal information is defined under the law as, “a resident’s first and last name, or first initial and last name, in combination with any one or more of the resident’s: (a) social security number; (b) driver’s license number or state issued ID number, or (c) financial account number, or credit or debit card number…”
It is believed that with the new Data Breach Law,
the incidence of security breaches caused by unintentional but careless practices will decrease, as will the potential damage to residents whose information is gathered by unauthorized persons, since their information will be guarded by more robust protections, including encryption of information.
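As an added example (not code from the post or from Kanguru), the following Python classifier applies the statutory definition quoted above to records before they are copied to a laptop or USB drive; the field names, number formats and sample records are assumptions constructed for illustration.

```python
"""Flag records that meet the Massachusetts 'personal information' definition:
first name (or first initial) plus last name, combined with an SSN, a driver's
license / state ID number, or a financial account / card number.
Field names and sample data are assumptions constructed for this example."""
import re

# Loose formats for identifiers that hide in free text (assumed, not from the law).
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-?(?!00)\d{2}-?(?!0000)\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")

def luhn_ok(number: str) -> bool:
    """Luhn checksum, used to cut false positives on card-like digit runs."""
    digits = [int(d) for d in re.sub(r"\D", "", number)]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return len(digits) >= 13 and total % 10 == 0

def has_qualifying_name(record: dict) -> bool:
    """The law's name element: a first name or first initial plus a last name."""
    first = (record.get("first_name") or "").strip()
    last = (record.get("last_name") or "").strip()
    return bool(last) and bool(re.match(r"[A-Za-z]", first))

def find_identifiers(record: dict) -> list:
    """Return which of the law's (a)-(c) identifiers the record carries."""
    found = []
    if record.get("drivers_license") or record.get("state_id"):
        found.append("license_or_state_id")
    if record.get("account_number"):
        found.append("account_number")
    text = " ".join(str(v) for v in record.values())  # also scan free text
    if SSN_RE.search(text):
        found.append("ssn")
    if any(luhn_ok(m.group()) for m in CARD_RE.finditer(text)):
        found.append("card_number")
    return found

def is_personal_information(record: dict) -> bool:
    return has_qualifying_name(record) and bool(find_identifiers(record))

def records_requiring_encryption(records: list) -> list:
    """Indexes of records that must be encrypted before leaving on a portable device."""
    return [i for i, r in enumerate(records) if is_personal_information(r)]

SAMPLE_RECORDS = [  # constructed test data, not real residents
    {"first_name": "Jane", "last_name": "Doe", "ssn": "123-45-6789"},
    {"first_name": "J.", "last_name": "Doe", "notes": "card 4111 1111 1111 1111 on file"},
    {"first_name": "Jane", "last_name": "Doe", "email": "jane@example.com"},
    {"last_name": "Doe", "ssn": "123-45-6789"},
]
```

Records 2 and 3 in the sample show the two sides of the definition: an initial plus surname with a card number qualifies, while a full name with only an e-mail address does not.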
Data Security
Bart Porter at (re)blog compiled a list of data breach greatest hits of 2009. Many of the incidents have been noted on the Kanguru Blog, including the MP3 player containing US Army data, local school district mishaps and hospitals that lose USB thumb drives.
The conclusion:
There are many interesting details to note in this dubious line-up of data security breaches, including how many health care, government and education organizations are represented. Even more significant is how few business enterprises show up on the list. This may be a clear indication of what many in the data security industry realize and fear – that most businesses suffering a significant data security breach do not publicly acknowledge incidents as they occur.
We expect this to change as more and more data breach notification laws are enforced at the state level. The landmark Massachusetts law will take effect in March 2010. Data encryption will become mandatory for portable devices that store customer or employee information.
Data Security
GCN reports that Congress may (or may not) pass federal data breach legislation this year. The Senate Judiciary Committee is currently considering a bill that would set standards for protecting sensitive personal information. Staffers are optimistic that something will get done this year.
A patchwork of state laws has grown up in recent years requiring organizations holding personal information to notify individuals when that information is exposed. This has been a big step forward in data protection, giving millions of potential identity theft victims a heads up when they might be at risk and highlighting identity theft as a major crime issue. But just about everybody agrees that a national standard would be an improvement, although there is concern that federal preemption of state laws could gut some of the stronger standards states have put into place and might limit citizens’ legal recourse.
It is not clear whether federal legislation would specifically require encryption of sensitive data, as the Massachusetts and Nevada state laws do. It’s certainly an effective way to avoid a costly data breach.
Data Security, Government
Dr. John Halamka, CIO of CareGroup Health System, shares his privacy and security lessons learned. Dr. Halamka serves as Vice-Chairman of the federal Health Information Technology Standards Committee.
The workgroup’s recommendations include:
All data at rest on mobile devices must be encrypted. Encrypting all databases and storage systems within an organization’s data center would create a burden. But ensuring that devices such as laptops and USB drives, which can be stolen, encrypt patient-identified data makes sense and is part of new regulations such as Massachusetts’ data protection law.
See the full article for Dr. Halamka’s top five security lessons.
Data Security, Healthcare, Portable Storage
Version 2.2 of the Kanguru Remote Management Console (KRMC) has a new feature that will make provisioning secure flash drives easier than ever. Administrators can now import directly from an Active Directory database and program Kanguru flash drives in an automated fashion. The drives will then be hard-coded with employee data that can be tracked and logged, including name, email and phone number.
While built-in encryption goes a long way towards securing your USB thumbdrives, KRMC goes a step further by providing control and accountability even after the drives have been distributed to employees. The logging and auditing features are extremely useful for showing compliance with HIPAA, GLBA, and a wide range of state laws that are popping up across the country.
The full press release is available at the Kanguru News website.
Data Security, Portable Storage
A new article at Search Security, “How to secure USB thumb drives”, mentions the Kanguru Remote Management Console as a way for businesses to get a handle on their thumb drive fleets. As the article notes, even small businesses need to consider the implications of portable devices holding massive amounts of company data. Most states have breach notification laws that apply to businesses of all sizes.
Kanguru Remote Management is compatible with the Kanguru Bio AES and Defender series flash drives. Find out more here.
Data Security, Portable Storage
Over the past several years, many organizations have switched from basic USB flash drives to a standardized solution using secure flash drives that automatically encrypt data. This move has been prompted by security concerns about data breaches, which now come with substantial financial penalties due to new regulations. While the data is more secure, the organization may be adding burdens on the IT Helpdesk and support teams. Users forget their passwords, employees come and go, and devices periodically need firmware updates. Enter Kanguru Remote Management Console (KRMC), an IT Admin’s best friend. KRMC was designed with these issues in mind, helping to ease the Helpdesk burden and reduce IT costs by centralizing the management of an organization’s entire fleet of Kanguru flash drives.
KRMC and Password Support
Forgotten passwords are a regular occurrence in most organizations – according to studies, 30% of all helpdesk calls are related to password resets. With most password-protected flash drives, the user is out of luck and will lose their data. Some secure flash drives provide the Admin with a tool to recover drives, but the Admin needs to have physical possession of the device or provide a reset code over the phone (time intensive and vulnerable to social engineering attacks). KRMC establishes a secure communication link between the device and the admin console, allowing the Helpdesk to reset a user password from any location. Even if an Admin and User are on opposite sides of the globe, the Admin can remotely reset the password without ever touching the drive.
Lower Cost of Ownership
Kanguru’s KRMC platform reduces overall support costs beyond user password management. KRMC can remotely update administrator passwords, automatically change and enforce security policies, and push new firmware updates out to all devices. When the Admin creates a new action, the drive will automatically connect and update itself the next time it is plugged in. Your IT support team can set it and forget it. Full-featured reporting and auditing tools provide a record of drive usage and admin actions.
While encrypted flash drives are making portable data more secure, Kanguru allows you to increase security without hurting the bottom line.
Data Security, Portable Storage
On Friday, the Department of Health and Human Services released new details on breach notification and the protection of personal health information.
There are two acceptable methods: encryption and destruction.
Encryption is the obvious method provided for securing ePHI, and, as expected, the acceptable encryption methods reference NIST standards.
Using encryption may help organizations prevent public embarrassment and costly settlements.
Breach notifications only need to be made for what falls under “unsecured” PHI. So, if someone gets hold of PHI that is encrypted according to the referenced NIST encryption standards, notification is not required.
Data Security, Government, Healthcare
Smaller companies often ignore or put off security concerns because their organization is not regulated by SOX or GLBA (regulations for large publicly-traded corporations). You should be aware that even smaller companies are included in state data breach notice laws. There are only a handful of states left without such regulations.
Data Security