$50$,QWHUQDWLRQDO ZZZ DUPD RUJ News, …...for e-mail and other electronic communications. Leahy...

budgets; the records managementprofessionals estimated savingsof up to 36%.

CYBERSECURITY

ReutersSocial MediaEditor Chargedwith Hacking

Federal charges were filed inMarch against MatthewKeys, a deputy social media

editor for Reuters, for allegedlyconspiring to hack the Los Ange-les Times website in 2010.

Keys is accused of giving thewebsite’s password to the notori-ous hacker group “Anonymous”through its chat room, encourag-ing the group to breach the news-paper’s website. One of thehackers followed up and alteredan archived article. The Los An-geles Times is owned by the Trib-une Co., which also owns aSacramento television station atwhich Keys used to work as a webproducer.

The U.S. Justice Departmentcharged Keys with one count eachof transmitting information todamage a protected computer, at-tempted transmission, and con-spiracy. If convicted, Keys couldface up to 10 years in prison ontwo of the counts, five years on athird, and a fine of $250,000 for

each count.As of press time,

Keys had not yet beenarraigned.

US. federal agencies – andtheir budgets – are beingoverwhelmed by the

amount of information they mustmanage, according to a recentstudy of federal records managersand finance professionals fromMeriTalk and Iron Mountain.

Published in March, the re-sults of the online survey of 100federal records managers and 100federal finance professionals con-ducted in September 2012, “Fed-eral Records Management:Navigating the Storm,” showedthat each federal agency spendsan average of $34.4 million a yearon records management, $5million – or about 17% –more than budgeted.

According to thesurvey report, recordsmanagement spendingwill likely more than dou-ble to $84.1 million by 2015 be-cause of a projected 144%increase in records per agency.

Some of the main reasonsfor the overspending are:• Too many records – asingle federal agencycurrently man-ages about

209 million records, which to-tals 8.4 billion records govern-ment-wide.

• Runaway information growth –the number of records peragency is expected to grow to511 million by 2015.

• Multiple information types –records are increasingly beingcreated in more varied formatsand sources.Add to this the race to comply

with the Presidential Directive onManaging Government Records,which instructs agencies to mod-ernize their records managementpolicies, predominantly by digi-tizing records and establishing anew infrastructure to minimizecosts and promote openness andaccountability.

The survey respondents saidadditional training, more fund-ing, and greater support forrecords management fromtheir agencies’ leadershipwould enable them to meetthe objectives of the directive.The federal finance profes-sionals estimated that fo-

cusing on these threefactors would allow

them to savean estimated24% of their

re co rdsmanage-ment

News, Trends & Analysis

6 MAY/JUNE 2013 INFORMATIONMANAGEMENT

GOVERNMENT RECORDS

Feds’ Budgets Out-Paced by Volume of Information to Manage

©2013 ARMA International • www.arma.org

Although business executives are generally well aware that information is an asset and that poorly man-aged information can be a potential legal and competitive liability, making enterprise information man-agement (EIM) a reality is another story.

According to the OpenText white paper “Unleashing the Power of Information,” a recent IDG Research sur-vey of nearly 140 chief information officers (CIOs) and other IT and business executives showed that the ma-jority believe in the benefits EIM can deliver, such as better data access and analysis, reduced costs, and betteralignment of IT with business objectives. Yet only 67% of the organizations represented said they treat EIM asa strategic priority.Part of the challenge is the overwhelming volume of unstructured data organizations are generating. Ac-

cording to the white paper, it is estimated that up to 80% of the information produced in organizations todayis found in documents, e-mails, social media, slide presentations, videos, and other unstructured data formats.This information is often mission-critical and resides in a number of different locations and devices. “Given the variability and complexity of today’s information landscape,” IDG wrote, “many companies find

themselves dealing with distinct and nonintegrated informa-tion silos. Information in these silos is often disorganized, datedor duplicated, and data that could identify key trends or de-liver critical insight is often buried under mountains of in-significant information.” That’s why 80% of the survey respondents said a compre-

hensive EIM strategy is critical or, at least, very important totheir organizations. Unfortunately, this recognition of the valueof that information has not translated into policy. Organiza-tions are not making EIM an institutional priority – eventhough it directly affects their ability to meet their top busi-ness objective: increasing business productivity, according tothe IDG report.

EIM

Enterprise Info Management Critical, But Not Priority

MAY/JUNE 2013 INFORMATIONMANAGEMENT 7

BIG DATA

With Big DataComes BigPrivacy Concerns

The potential of big data ishuge. It opens the door tosmarter decision making

and greater advances in every field– provided it is effectively managedand mined, of course. That potential in turn raises se-

rious concerns around protectingprivacy. Last year, the World Economic

Forum conducted a series of work-shops attended by government of-ficials, privacy advocates, andbusiness executives from theUnited States, Europe, Asia, andthe Middle East. The discussions

centered on three major areas: • Protection and security• Accountability• Rights and responsibilities forusing personal dataOut of those workshops came

the recently published report “Un-locking the Value of Personal Data:From Collection to Usage.” The re-port, which was prepared in collab-oration with The BostonConsulting Group, recommends anapproach that shifts focus awayfrom governing the usage of data togoverning the data itself; recog-nizes the importance of context be-cause there is no black and white,

only shades of gray; offers newways to engage individuals andhelp them understand how theirinformation is to be used; and pro-vides them with the tools to makereal choices based on “clear valueexchange.”For such an approach to be suc-

cessful, the participants agreedthere is a need 1) for principles tobe updated and enforceable in ahyperconnected world; 2) to in-clude technology as part of the so-lution – allowing permissions toflow with the data and ensuringaccountability at scale; and 3) todemonstrate how a usage, contex-tual model can work in specific,real-world application.



EHR

India Launches ElectronicHealth Records Program

The Jawaharla Institute of Postgraduate Medical Education andResearch (JIPMER) rolled out the “Partners in Prevention Pro-gramme” for the police department in Puducherry (India) in mid-

March as the first step in the country’s move toward electronic healthrecords. Medical records of the policemen who are screened at JIPMER will

be maintained online in a database accessible from anywhere in theworld. The patients are issued a “Meddrecords Online Card” with aunique identification number and barcode, which will enable them toupdate daily blood pressure, blood sugar level, family history, and otherdetails that their doctors could access as needed.According to an article in The Hindu, the

plan is to integrate the public healthrecords with the country’s rationcard, which would help them froma public health standpoint; it alsowould help them identifythose who had completedtheir immunization cyclesand various screenings.

BIG DATA

Report ExaminesTrends in Big Data

It’s been talked about and writ-ten about at great length, butto what extent are companies

actually addressing big datatoday?

A Tata Consultancy Services(TCS) survey of 1,217 companiesin nine countries in the UnitedStates, Europe, Asia-Pacific, andLatin America that was completedin January 2013 found that morethan half (53%) had undertakenbig data initiatives in 2012. Thecountries with the highest per-centage of companies with initia-tives were India, Mexico, theUnited States, and the UnitedKingdom. Japan, The Nether-lands, and Australia had thefewest percentage reporting initia-tives in place.

The level of investment in big

data initiatives varied greatly, thereport found: 15% of the compa-nies with initiatives spent at least$100 million per company on thoseinitiatives last year; 7% investedat least $500 million. On the otherhand, nearly one-quarter (24%)spent less than $2.5 millionapiece. The industries that spentthe most on the initiatives weretelecommunications, travel-re-lated, high tech, and banking. Lifesciences, retail, and energy/re-sources companies spent the least.

More than half (55%) of the in-vestments in big data initiatives

went toward four business func-tions that generate and maintainrevenue: sales (15%), marketing(15%), customer service (13%), andresearch and development/productdevelopment (11%). Only about aquarter (24%) of the investmentwent to IT (11%), finance (8%), andhuman resources (5%).

Forty-three percent of the com-panies that have invested in initia-tives anticipated a return oninvestment (ROI) of more than 25%in 2015. The business functions ex-pecting the greatest ROI were notsales and marketing, as might beexpected, given that they received30% of the funding, but rather lo-gistics and finance, which receivedonly 14% of the funding.

Companies reported that thebiggest obstacles to getting busi-ness value from big data were asmuch cultural as they were techno-logical. More specifically, it was thechallenge of getting business unitsto share information across organi-zational silos. A close second was atechnological issue: dealing withthe volume, velocity, and variety ofdata. The third was determiningwhich data to use for different busi-ness decisions.

“By applying Big Data in theright places in the organization,centralizing and nurturing talent,and building bridges to functionalmanagers who need data-driven in-sights to make superior decisions,companies will greatly raise theodds of keeping up in a world inwhich digital data-driven decisionsbecome the norm, not the excep-tion,” the TCS report concluded.



PRIVACY

U.S. ElectronicCommunicationsPrivacy ActAmendmentsProposed

When the U.S. ElectronicCommunications PrivacyAct was introduced in

1986, no one could have foreseenhow the Internet and mobile com-munications technology wouldtransform the world. To bring thelaw up to date, senators TomLeahy (D-Vt.) and Mike Lee (R-Utah) introduced a bill in mid-March that they believe willstrengthen the privacy protectionsfor e-mail and other electroniccommunications.

Leahy explained that the billstrives “to improve Americans’ dig-ital privacy rights, while also pro-moting new technologies – likecloud computing – and accommo-dating the legitimate needs of lawenforcement.”

The bill requires law enforce-ment to obtain a search warrantbased on probable cause to accesse-mail and other electronic com-munications’ content requested

from a third-party provider. Thereare “balanced exceptions” to thisrequirement in emergency circum-stances and to protect national se-curity under current law.

The bill would further requirelaw enforcement to “promptly no-tify” any individual whose e-mailcontent has been accessed. Thegovernment can ask the court fora temporary delay in notifying theindividual, however.

The bill would not affect thegovernment’s ability to use admin-istrative, civil discovery, and grandjury subpoena to access corporate e-mail and other electronic commu-nications directly from a company.

EHR

DoD, VAPullback on EHRsDraws Fire

Early this year the U.S. de-partments of Defense (DoD)and the Veterans Affairs

(VA) announced they were scalingback their plans to create a singleshared electronic health records(EHRs) system that would man-age service members’ and veter-ans’ medical records fromrecruitment to grave. They de-cided, instead, to build their sys-tem on existing IT architectureand programs, pointing out that itwould be more cost- and time-effi-cient.

The decision drew fire from thetop lawmakers on the Senate andHouse Veterans’ Affairs commit-tees, which had charged theagencies in 2008 with creatingand deploying an integratedhealth records system by 2017at a cost of about $4 billion.

Unfortunately, the projecthas reportedly met technologychallenges and delays. The newapproach will enable the depart-ments to exchange real-time data

by the end of the year and allowpatients online access to theirmedical records by summer. It isalso expected to save hundreds ofmillions of dollars, according toDoD Deputy Chief ManagementOfficer Elizabeth McGrath, ac-cording to an article in FederalTimes. The endeavor has alreadycost an estimated $1 billion.

House Veterans’ Affairs Com-mittee Chairman Rep. Jeff Miller(R-Fla.) was less optimistic. “Pre-vious attempts by DoD and VA touse disparate computer systems toproduce universal electronichealth records have failed and un-fortunately it appears they are re-peating past mistakes,” theFederal Times reported.

The new system is being builtwith the VA’s VistA EHR as itscore system and a more currentcore EHR system. VistA systemhas generally been considered a strong EHR platform, but there isconcern over its ageand its abilityto keep pacewith new-er systems.



CLOUD

The BestCountries forCloud Computing

Japan, Australia, the UnitedStates, Germany, and Singa-pore are the top five coun-

tries for cloud computing based ontheir policy environment, accord-ing to the BSA|The Software Al-liance (BSA) 2013 Global CloudComputing Scorecard.

The study rated 24 countries(which together account for 80%of the global information and com-munications technology market)based on their policies in sevenareas: • Privacy• Security• Cybercrime• Intellectual property rights• Data portability across borders• Free trade promotion• IT infrastructure

Singapore showed the mostimprovement (up five places fromlast year) due largely to its intro-duction of a modern, balanced pri-vacy regime. A late-comer toprivacy regulation, Singaporepassed its Personal Data Protec-tion Act in October 2012.

“That timing has helped thecountry develop a regulatoryframework that picks and choosesfrom the best parts of the Euro-pean Union and Asia-Pacific Eco-nomic Cooperation approaches to

privacy regulation andavoids much of the exces-sive legalese and admin-istrative complexityfound in other coun-try’s laws,” observedBSA in its report.Singapore took a

broad, principles-based approach to privacy

protection. It contains short sec-tions on notice, consent, security,access, correction, and data re-tention, all of which are based oninternational standards.

Brazil improved its rankingby finally passing cybercrime leg-islation last November. Thatchange alone moved it up twospaces and out of last place. Thatdistinction now belongs to Viet-nam.

Malaysia moved out of thegroup of countries still striving to-ward cloud-readiness by makinga range of changes in cybercrimeand intellectual property lawsand improvements in efforts to

improve digital trade.The United States moved up

one spot, not through major pol-icy improvements, but throughadvances in standards develop-ment for cloud computing and in-frastructure improvements.

Less positively, there contin-ued to be efforts to keep datawithin national borders. Ger-many was cited in last year’s re-port for some overly restrictivelegal interpretations that wouldkeep some data within its bor-ders.

This year, Indonesia under-mined any advantages it mayhave made from improving itsprivacy law by introducing regu-lations that would force someproviders to establish local datacenters and hire local staff.

In general, Indonesia, Korea,and Vietnam are taking steps toactually unplug from the globalcloud. This works against thegoal of making data more accessi-ble globally.

CLOUD

Thailand Takes First StepToward G-Cloud Computing

Thailand’s Information and Communi-cation Technology (ICT) Ministry andElectronic Government Agency (EGA)

and Cloud Security Alliance (CSA) recentlysigned a memorandum of intent (MOI) to es-tablish the official CSA office in Thailand. TheNation reported that EGA will handle thehuman resources budget issues to support CSA’s activities.“This effort aims to promote security system[s] for cloud computing

among users. CSA will support all activities and provide know-hows,”said Nattapong Seetavorarat, advisor to the ICT minister. The cloudcomputing system, especially G-Cloud, will build upon the GIN sys-tem currently in place. The system “can be scalable to Super GIN formore network expansion to other areas, availability of governmentdata with accessibility for related agencies and bodies.”The MOI was signed during the ASEAN CSA Summit 2013. Top-

ics discussed during the two-day event included cloud security, chal-lenges to cloud adoption, public cloud, cloud for education, cloudbusinesses, and applications of cloud for national crisis management.



EHR

Electronic Health Records: How Transparent Should They Be?

How much access should patients have to their electronichealth records? According to an Accenture study completedin December 2012, most (49%) physicians favor trans-

parency, but only 21% allow online access.“Many physicians believe that patients should take an active

role in managing their own health information, because it fosterspersonal responsibility and ownership and enables both the patientand doctor to track progress outside scheduled appointments,” saidMark Knickrehm, global managing director of Accenture Health.“Several U.S. health systems have proven that the benefits out-weigh the risks in allowing patients open access to their healthrecords.”

The Accenture study surveyed 3,700 physicians in the UnitedStates, England, Spain, France, Germany, and Singapore. U.S. doc-tors were marginally more open to allowing patients to update theirrecords online. There was a clear consensus among the respondentsthat, generally, patients should be allowed to update all or some oftheir information, from demographic details to lab test results.More than half of the responding physicians favored providing up-date privileges.

DATA SECURITY

Retailer Sues Visaover Data Breach

The Payment Card Industry’sData Security Standards(PCI DSS) are being put to

the test in a suit filed in earlyMarch by specialty sports apparelretailer Genesco against Visa.Genesco is seeking nearly $13.3million in fines that Visa assessedfollowing a breach of Genesco’s sys-tems that may have resulted infraudulent transactions.

According to Wired magazine,this is the first known case chal-lenging the PCI DSS. The regula-tions require merchants thathandle credit and debit card data tofollow certain security practices orface fines from the credit card in-dustry. Visa fined Genesco $13.3million for noncompliance to thePCI standards after Genesco an-nounced it had been hacked back in2010.

In the filing, Genesco statesthat although it found packet-sniff-ing software on its network at thattime, there was no forensic evi-dence of any card data having beenstolen. Genesco alleges it was neverout of compliance with PCI DSSregulations and, therefore, shouldnot have been fined.

The PCI standards state thatmerchants are not to store carddata, but may store some parts ofthe data, if necessary, as long as it’sencrypted.

“Visa is not the only card com-pany to go after Genesco and itsbanks. MasterCard did as well,” re-ported Wired senior reporter Kim

Zetter. “The two companies com-bined imposed $15.6 million in finesand assessments, but Genesco hasso far only sued Visa.”

Genesco is not the first com-pany to be fined, but it is the first tofight back against the credit cardcompanies. In Utah, a restaurantreportedly has sued its bank for

wrongfully seizing money from itsmerchant bank account to paycredit card fines. Visa and Master-Card levied the fines after allegingthe restaurant had failed to secureits network, leading to a databreach that resulted in fraudulentcharges on customers’ credit cards.That case is ongoing.

Source: Accenture Doctors Survey


E-DISCOVERY

ISO Starts Committee on E-Discovery

The International Organization for Standardization (ISO) recentlyestablished a committee to develop standards for e-discoveryprocesses. Its goal is to define procedures for technology compa-

nies, discovery providers, and their clients to follow when handling elec-tronically stored information.

“We’re not trying to impose requirements on lawyers or judges.That’s not the intention of the activity,” Hitachi Data Systems’ EricHibbard, co-editor of the project and international representative on aU.S. contingent to ISO, told Law.com. “It’s really intended to help themsort through some of the technology issues that are really nebulous.”

The standards will refer to product auditing and will describe howdiscovery services and software should operate. They will also cite ISO9001 quality control procedures, which means e-discovery companiescould then achieve ISO 9001 certification and promote their products asbeing ISO 9001-compliant.

Other organizations, such as the American Bankers Association,are also working on legal technology standards. Reactions to plans to de-velop standards in this area have been mixed. While many fully supportit, others think it premature.

“A lot of us think that standard-setting for an area in which thetechnology has not yet matured is a little bit premature,” Steven Tep-pler, an attorney and data security expert, told Law.com.

CYBERSECURITY

EuropeanCommissionLaunchesCybersecurityStrategy

The European Commission(EC) and the High Repre-sentative of the European

Union for Foreign Affairs and Se-curity Policy recently introduced acybersecurity strategy for the Eu-

ropean Union (EU). Part of thestrategy included a directive onnetwork and information security,a draft of which was released inconjunction with the strategy.

The strategy aims to clarify

the principles the EC believesshould guide the cybersecurity pol-icy in the EU and internationally.Those principles are:• The EU’s core values apply inthe digital world the same as inthe physical.

• Protection of fundamental rights,freedom of expression, personaldata, and privacy

• Access for all• Democratic and efficient multi-stakeholder governance

• A shared responsibility to ensuresecurityIt is predominantly the task of

member states to deal with cyber-security challenges; however, theEC strategy established fivestrategic priorities with bothshort- and long-term activities forthe government, industry, andmember states. Those prioritiesare:1. Achieving cyber resilience2. Reducing cybercime drastically3. Developing cyberdefense policyand capabilities related to theCommon Security and DefensePolicy

4. Developing the industrial andtechnological resources for cy-bersecurity

5. Establishing a coherent inter-national cyberspace policy forthe EU and promoting the coreEU valuesOn a related note, proposed

changes to the European Data Pro-tection Directive introduced aboutthe same time the EC launched thecybersecurity strategy have comeunder heavy fire. Wired.co.uk re-ported that UK Information Com-missioners past and presentdenounced the changes as beingbad for business, and they said theyshould be thrown out.

Among other things, the EUdirective is being described as “tooprescriptive in terms of its admin-istrative detail.”




The consensus in the industryis that regardless of how youfeel about the bring your

own device (BYOD) trend, youcan’t afford to ignore it.

A 2012 Nielsen study foundthat almost half (49.7%) of U.S.mobile subscribers own smart-phones. According to Nielsen, thisis an increase of 38% over 2011. It’sa safe bet to expect a large per-centage will want to connect totheir company’s wireless network.They’ll forward documents to theirpersonal accounts to read at homeor while traveling.

With this increased access come increased security risks. Potentiallysensitive corporate data is being sent to less-secure sites.

In a recent BizTech article, IBE.net co-founder Richard Minney sug-gested an alternate BYOD strategy in which the company actively allowsBYOD, specifies what data can and cannot be transferred to and storedon those devices, and installs an app or two to provide some level ofprotection.

He added that the company may also want to insist that all devicesused for work purposes be registered with the company’s mobile devicemanagement (MDM) solution, which applies policy and security manage-ment capabilities across many operating systems or platforms. These ap-plications are typically modeled after the client server architecture wheresoftware is centralized on a back-end server and a client component re-sides on the end system device.

Another option is for the company to allow employees to choose the de-vices they want, but the company supplies and owns them.

DATA SECURITY

Keep Your Data from WalkingOut the Door

CLOUD

Cloud Adoption in India Grows

Arecent report by ARC Advisory Groupshows that the cloud market growth ratein India is outpacing the global market

by a wide margin. Almost all the IT vendors inIndia have cloud offerings, as do many globalplayers.The report cites the country’s growing IT in-

dustry, currently valued at $100 billion. The in-dustry’s rapid growth is due largely to thedemand from global companies. But even micro,small, and medium businesses are turning tothe cloud to reduce the cost of ownership.



ELECTRONIC RECORDS

CIOs’ Top Priorities for 2013

Ask 100 healthcare CIOsand senior IT executiveswhat their top priorities are

in 2013 and you’ll hear networksecurity issues, IT infrastructureupgrades, and electronic healthrecords (EHRs) implementation.Those were the findings of an in-dependent research study by Level3 Communications.

Those surveyed were less in-clined to focus on mobile-enabledhealthcare (mHealth) and slow toadopt cloud computing.

Other findings include:• 56% were only “somewhat confi-dent” in their ability to preventa privacy or security breach ontheir network.

• 80% agree the EHR-based sys-tems will improve patient care.

• More than 60% think EHR and

“meaningful use” mandates are a“good idea” to support better qual-ity patient care.

• 76% plan to upgrade their net-work infrastructure in the nexttwo years.

CYBERSECURITY

Report FindsData BreachesMainly InvolveOutsourced IT

Arecent report published byTrustwave revealed that64% of security breaches it

analyzed last year involved IT out-sourcing providers. The findingsdrive home the need for enterprises

to be more awareof the securitymeasures out-

sourcing providershave in place beforecontracting with them.“We are not saying

outsourcing is bad,” ex-plained John Yeo, director of

Trustwave’s SpiderLabs unit in Eu-rope, the Middle East, and Africa,“but what we are saying is thatthere may have been a lack of duediligence in the selecting of out-sourcing providers.”

The UK’s Data Protection Actrequires data controllers to take“appropriate technical and organi-zational measures” to avoid “unau-thorized or unlawful processing ofpersonal data and against acciden-tal loss or destruction of, or dam-age to, personal data.”

Some feel more clarity isneeded from regulators as to whatsort of security standards can beconsidered as compliant with the

Data Protection Act. Also, toomany senior business executiveslack sufficient knowledge or un-derstanding of cybersecurity risks.

Other trends revealed in theTrustwave report include:• Businesses are getting slower atcontaining cyber breach inci-dents, taking an average 210days in 2012 compared to 175days in 2011.

• Businesses tend to rely on thirdparties to tell them they’ve beenhacked: 24% detected the breachthemselves, while 48% were dis-covered by regulatory bodiesand 25% by law enforcement.

• There were 400% more samplesof mobile malware affecting theAndroid operating system lastyear than in 2011. Yeo said thecompany had not found a casewhere a smartphone was beingused to hack a corporate net-work, although it could happenand may already have hap-pened.

Source: Level 3 Communications



HIPAA

HIPAA Final Rule Tightens Data Security Requirements

On March 26, the final ruleto the Health InsurancePortability and Accounta-

bility Act (HIPAA) went into effect,ending the more than three-yeareffort to overhaul the provisions ofthe 1996 law. Most of the changeswere required by the 2009 HITECH Act, which incentivized theimplementation and use of elec-tronic health records andprompted the development of stan-dards, implementation specifica-tions, and certification criteria forthe exchange and use of electronichealth information.

The new rule expanded thedefinition of “business associates,”requiring more entities to take amore proactive role in complyingwith HIPAA. Previously, the lawrequired healthcare providers andother “covered entities” to contrac-tually require that any organiza-tion that handles protected heathinformation (PHI) on behalf of thecovered entity (business associate)also to comply with HIPAA.

Under the new rule, the busi-ness associate must take full re-sponsibility for ensuring itcomplies with HIPAA’s data secu-rity and privacy rules. This meansthat business associates will alsobe subject to annual civil penaltiesfor each HIPAA violation, whichcould be as much as $1.5 millionper violation.

Breach notification require-ments were also addressed in thenew rule. The proposed rule de-fined a data security breach as the“acquisition, access, use, or disclo-sure of [PHI] in a manner not per-mitted [by the Privacy Rule] whichcompromises the security or pri-vacy of the [PHI].” It went on to saythe standard should be whetherthere was a “significant risk of

financial,reputa-tional, orother harmto the indi-vidual.”

The finalrule, however, re-quires that the entitytrying to avoid breach notificationobligations conduct a risk assess-ment that considers the following:1. The nature and extent of thePHI involved and how easily itis or could become identifiable

2. The unauthorized person whoaccessed the PHI

3. Whether the PHI was actuallyacquired or viewed

4. Whether and to what extent therisk to the PHI has been miti-gatedIf it can be shown that there

was a low probability that the pro-tected information was compro-mised, it would not be considered abreach. If that can’t be proved, thebreach notification requirementsmust be met.

The other area addressed bythe final rule limits the sale of PHIfor marketing purposes. Bottomline is that protected informationmay not be sold or used withoutthe individual’s consent. Addition-ally, the covered entity or businessassociate must disclose the natureand extent of its relationship withthe third party.

The compliance deadline forthe final rule is September 23.Contracts entered into before Jan-uary 25, 2013, that complied withthe previous HIPAA Data Securityand Privacy Rules will be consid-ered compliant until September22, 2014, as long as the contractshave not been renewed or modifiedduring the grandfathering period.



CYBERSECURITY

Preventing 9/11 in the Cyber World

The evidence that cyberthreats are very real andgrowing is ubiquitous. Ear-

lier this year, U.S. Department ofHomeland Security (DHS) Secre-tary Janet Napolitano warnedCongress that a “cyber 9/11”could be imminent and stronglyurged lawmakers to pass legisla-tion governing cybersecurity,which it failed to do last year.

President Obama made itclear that cybersecurity is anissue to be taken seriously bysigning an executive order thatdirects the National Institute ofStandards and Technology to de-velop cybersecurity performancestandards and methods to reducerisks to the country’s critical in-frastructure (CI). Among otherthings, it also directs DHS andagencies to proactively encourageCI owners and operators to vol-untarily adopt the standards.

Given the increased volumeand strategic nature of cyberat-tacks, many are convinced theyare state-sponsored, and manyare pointing fingers at China asthe origin of the most sophisti-cated hackers. It’s becoming a po-tentially lethal weapon of modernwarfare.

For example, Team Cymru, aFlorida-based Internet securityfirm, recently revealed to TheVerge that its analysts have un-covered a massive overseas hack-ing operation in which oneterabyte of data is being stolen ona daily basis.

A study released by theAmerican computer security firmMandiant detailed that com-pany’s efforts to track down agroup of “cyber commandos” re-sponsible for hacking the net-works of hundreds of Americancompanies over several years tosteal trade secrets. Mandianttraced members of the group back

to a Shanghai-based militaryunit. The claim is supported byreports from other security firmsand all 16 of the U.S. intelligenceagencies, according to the NewYork Times.

The group in question,dubbed “Comment Crew” bysome of its U.S. victims, has al-legedly stolen terabytes of datafrom companies such as Coca-Cola and reportedly is focusingincreasingly on companies in-volved in the U.S.’s CI, its electri-cal power grid, gas lines, andwaterworks.

China’s government has re-peatedly denied that it has en-gaged in computer hacking,stating that it has been the vic-tim of such attacks, as well. Chi-nese officials claimed that theyexperienced, on average, 144,000cyberattacks per month againstits military sites in 2012. Theyblame the United States for al-most two-thirds (63%) of them,saying that there are many hack-ing groups inside the UnitedStates as well.

The war of words between thetwo countries escalated when the

White House warned China toend its campaign of cyberespi-onage against the United Statesor risk derailing efforts to buildstronger ties between the twocountries. China responded byagreeing to enter into dialoguewith the United States about cy-bersecurity.

In the meantime, tension con-tinues to build around the issue.In late March, attention shiftedto Korea when South Koreanbanks and top television broad-casters were simultaneously par-alyzed by a cyberattack.Speculation at the time was thatNorth Korea was involved in theattack. The network paralysistook place a few days after NorthKorea accused South Korea andthe United States of a cyberat-tack that shut down the country’swebsites for two days.

“This needs to be a wake-upcall. This can happen anywhere,”James Barnett, former chief ofpublic safety and homeland secu-rity for the U.S. Federal Commu-nications Commission, told FoxNews following the attack onSouth Korean networks.



E-DISCOVERY

Information Governance Key toContaining E-Discovery Costs

Asthe volume of informationgenerated by enterprisestoday continues to grow ex-

ponentially, so do the potentialcosts of e-discovery.

“One of the best ways to avoidexcess costs of discovery is a rea-sonable dialogue with the otherside,” Magistrate Judge AndrewPeck, of the Southern District ofNew York, recently told a Legal-Tech New York audience.

Senior Judge Michael Bayl-son, of the U.S. District Court forthe Eastern District of Pennsylva-nia, agreed, pointing out that “‘Idon’t want to cooperate’ may be alegitimate strategy, but it’s goingto cost them money in the longrun.”

Peck added that IT is usuallythe best source of reliable infor-mation when it comes to estimat-ing what it will require togenerate the necessary informa-tion.

Document review is thelargest expense associated with e-discovery, at 73% of the total, ac-cording to a 2012 study by RANDCorp. Thus, finding ways to re-duce the volume of docu-ments that must bereviewed is vital.

Many are lookingto predictive coding,which is a type ofcomputer-catego-rized review applica-tion that classifiesdocuments based onhow well they matchthe conceptsand terms insample docu-ments, as asolution forreducing in-formation vol-

ume. RAND reported that studieshave found that the reduced man-hours required to search fewer doc-uments can cut document reviewcosts by as much as 80%.

Peck encouraged federaljudges to learn from the GlobalAerospace Inc. v. Landow AviationL.P. case, in which predictive cod-ing was ordered despite plaintiff’sobjections. “That was a very, verysuccessful use” of predictive cod-ing, Peck said.

Perhaps more importantly,though, Peck foresees a much-needed shift toward informationgovernance. “If 2012 was the yearof predictive coding or technology-assisted review, 2013 or ’14 seemsto be information governance,” hesaid.

“Despite the economy, compa-nies are going to realize that it’simportant to get their informationretention, their information gover-nance, under control; get rid of thedata that has no business need andmine the data that has businessneed…in ways that will improvethe company’s bottom line on thebusiness side and reduce costs onthe e-discovery side as a benefit aswell,” predicted Peck.

He also stressed the needto train judges, especially atthe state and local levels, on e-discovery technologies. Thecourts currently receive littleor no training on e-discoverytechnologies and on how Eu-ropean data privacy laws canconflict with discovery obliga-

tions here. “I would ad-

vise lawyers toassume that theyneed to educatethe judge,” hesaid. END


$50$,QWHUQDWLRQDO ZZZ DUPD RUJ News, …...for e-mail and other electronic communications. Leahy...

Documents

Transcript of $50$,QWHUQDWLRQDO ZZZ DUPD RUJ News, …...for e-mail and other electronic communications. Leahy...