Phishing Practices...
Last month, news stories revealed that hackers had posed as customers to obtain credit card data from a leading credit card data processor. Private information on thousands of individuals had been disclosed resulting increased instances of identity theft and fraud. The embarrassed data firm promptly took corrective action including notifying many credit card holders that their accounts likely had been inappropriately disclosed.Another potential threat these days is a practice referred to as “phishing.” A hacker engaged in phishing sends an authentic appearing e-mail message to the consumer suggesting that the consumer’s account may have been tampered with or altered, and instructing the consumer to re-verify their account data. The consumer is referred to a phony web site that appears to be legitimate. Respondents who visit such sites and provide verified information soon find that their accounts have been accessed or their identity has been stolen for use in fraudulent purchases.
These stories demonstrate the need for individuals as well as organizations to exercise prudent care of financial, medical and personal data. Employers are urged to take steps to protect the confidential data held in company computers. Two important actions can help prevent this kind of unauthorized disclosure.
The organization's security officer or administrator should develop and implement a security incident reporting procedure. Any actual or potential security incidents should be recorded on a security incident report form.
It is important to clearly define who has access to private information and to spell out procedures for disclosure of private data when authorized. Violations can then be recognized. The security incident report form documents the incident and provides a basis to investigate and correct the situation.
In addition, it recommended that employees be trained to recognize and be alert for common security incidents. Security threats and proper responses can be covered in employee training.
Examples of security incidents may include one or more of the following:
In the event of a security incident as described above, the employee should be instructed to immediately report the incident to the supervisor. The incident can then be documented on an Incident report and the Security Officer or Administrator can conduct an investigation into the incident.
William S. Hubbartt is President of Hubbartt & Associates, a St. Charles, IL consulting firm specializing in Preparation of policy manuals, privacy policies, and supervisory training. Mr. Hubbartt is author of “The HIPAA Security Rule – A Guide for Employers and Health Care Providers.”