The Army Embraces Social Media

Our adversaries are trolling social networks, blogs and forums, trying to find sensitive information they can use about our military goals and objectives. Therefore, it is imperative that all Soldiers and Family members understand the importance of practicing good operations security measures.

-Sgt. Maj. of the Army Kenneth O. Preston

The above quote is contained in the U.S. Army Social Media Handbook, published January 2011, which lays out a comprehensive set of guidelines for soldiers participating in social media. According to the Handbook: The Army encourages members of the Army Family to use social media to connect and tell their stories, but it also advises everyone to do this in a safe and secure manner.

This move by the Army follows a February 25, 2010, Department of Defense Directive-Type Memorandum (DTM) which provided guidelines for military use of social media and acknowledged “that Internet-based capabilities are integral to operations across the Department of Defense.” The DTM clearly indicates that use of social media in the DoD is authorized.

While much of the specific policy governing soldiers is left to Army leaders, the Handbook provides some familiar advice:

  • Take a close look at all privacy settings. Set security options to allow visibility to “friends only.”
  • Do not reveal sensitive information about yourself such as schedules and event locations.
  • Ask, “What could the wrong person do with this information?” and “Could it compromise the safety of myself, my family or my unit?”
  • Geotagging is a feature that reveals your location to other people within your network. Consider turning off the GPS function of your smartphone.
  • Closely review photos before they go online. Make sure they do not give away sensitive information which could be dangerous if released.
  • Make sure to talk to family about operations security and what can and cannot be posted.
  • Videos can go viral quickly; make sure they don’t give away sensitive information.

Many of the technological and personnel issues that concern the Army apply in the private sector, although for obvious reasons there can be far different consequences for the military (and for us). Still, having clear policies and thinking through how social media can affect your business is critical for today's workplace.


Federal Agencies Tighten Data Security Screws on Federal Contractors

Federal contractors are subject to numerous requirements under federal law and, as we have previously highlighted here, need to keep pace with changes in law and regulation. 

Under the Federal Information Security Management Act of 2002 (FISMA), each federal agency is required to develop, document, and implement an agency-wide program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source. Accordingly, FISMA provides authority for the imposition of requirements on those companies which qualify as federal contractors.

By way of example, the Centers for Medicare and Medicaid Services (CMS), as well as the Department of Veterans Affairs impose specific requirements on their contractors.   

Adding new data protection requirements for federal contractors who use or handle U.S. Department of Defense (DOD) information, the DOD earlier this year issued an advance notice of proposed rulemaking regarding amendments, 75 F.R. 9563, to the Defense Federal Acquisition Regulation Supplement (DFARS).

The proposed amendments require “adequate security,” defined as “protection measures … commensurate with the risks of loss, misuse, or unauthorized access to or modification of information,” and have three main subparts: basic safeguarding, enhanced safeguarding, and cyber intrusion reporting.

Basic safeguards, required for any unclassified DOD information, include:

  • Designating the level of access and dissemination of information
  • Protecting DOD information on public computers or Web sites
  • Transmitting electronic information using technology and processes that provide the best level of security and privacy
  • Transmitting voice and fax information with reasonable assurances that access is limited
  • Protecting information by at least one physical or electronic barrier
  • Sanitizing media in accordance with the National Institute of Standards and Technology (NIST) before external release or disposal
  • Providing protection against computer intrusions and the unauthorized release of data

In addition to the basic safeguards outlined above, contractors are required to apply enhanced safeguards to certain types of data. The enhanced safeguards include:

  • Encryption/Storage controls
  • Network intrusion protection
  • Implement information security controls

Additionally, a reporting requirement has now been proposed, requiring contractors to report to the DOD within 72 hours of any cyber intrusion event that affects DOD information resident on or transiting the contractor’s unclassified information systems.

The new proposed DOD amendments, along with the various other federal contractor requirements, including those imposed by CMS and the Department of Veterans Affairs, highlight the necessity for companies that qualify as federal contractors to be up to date on their legal obligations or risk loss of their federal contractor status. 
