Posted by Daniel J. Solove
The frequent use of social media by employees has created a new domain of risk for employers – employees who reveal confidential or sensitive information or who otherwise say things that damage their institution’s reputation or create strife with their colleagues.
For example, in the healthcare context, in a number of widely-publicized incidents, employees revealed confidential information about patients on their blogs and social network profiles. For example, according to a Boston Globe story, an emergency room physician posted data online about the patient. The physician thought that it was safe to post about as long as she did not include the patient’s name. But others could identify the patient. There are numerous recent cases where hospital staff have posted photos and other information about patients online.
Posted by Daniel J. Solove
According to a stat in SC Magazine, 90% of malware requires a human interaction to infect. One of the biggest data security threats isn’t technical – it’s the human factor. People click when they shouldn’t click, put data on portable devices when they shouldn’t, email sensitive information, and engage in a host of risky behaviors. A lot of hacking doesn’t involve technical wizardry but is essentially con artistry. I’m a fan of the ex-hacker Kevin Mitnick’s books where he relates some of his clever tricks. He didn’t need to hack in order to get access to a computer system – he could trick people into readily telling him their passwords.
There have been a number of good recent articles on data security and data security training. Robert O’Harrow, Jr.’s recent piece in the Washington Post discusses the human element to data security in his piece, “In Cyberattacks, Hacking Humans is Highly Effective Way to Access Systems.” The article describes the increasing sophistication of phishing. The old misspelled lottery scam emails are now your grandfather’s phishing. Today’s phishing is more personalized – and much more likely to trick people. According to O’Harrow’s article: “The explosive growth of cyberspace has created a fertile environment for hackers. Facing the flood of e-mail, instant messages and other digital communication, many people have a hard time judging whether notes or messages from friends, family or colleagues are real. Many don’t even try.” O’Harrow goes on to note that “Hackers are so confident about such permissiveness that they sometimes begin their attacks in social media three or four steps removed from their actual targets. The hackers count on the malicious code spreading to the proper company or government agency — passed along in photos, documents or Web pages.”