AI and Privacy Issues: Data Leaks and Breaches

We recently posted about the AI warning we received from a partner about the use of AI tools and protecting their confidential information. Beyond the specifics of the warning, we quickly saw a much broader context. Using AI tools, if not managed carefully, will result in unauthorized data disclosures, breaches, or leaks. These disclosures may easily violate laws, regulations, industry standards, and contractual obligations. Before exposing your business to unnecessary liabilities, understand how your AI tools and services manage, and ensure, data privacy.

Scope of the AI and Privacy Problem

To gain a better sense of the issue, we decided to look into the data privacy practices of meeting assistants.  Meeting assistants are one of the most commonly used AI tools for small and midsize businesses.  Traditional meeting assistant tools transcribe discussions. Newer versions use AI engines to capture action items, summarize discussion points, and analyze the attitudes and sentiments of participants. We reviewed the terms of service, privacy policies, and FAQs for several services.

Here are some excerpts from our findings (company and service names redacted):

AI Terms of Service

Do not use the service if you need to keep protected or confidential information private:

You hereby represent and warrant to [Company] that your User Content … (ii) will not infringe on any third party’s copyright, patent, trademark, trade secret or other proprietary right or rights of publicity, personality or privacy; (iii) will not violate any law, statute, ordinance, or regulation (including without limitation those governing export control, consumer protection, unfair competition, anti-discrimination, false advertising, anti-spam or privacy);

The [Company] is not liable if you use their services:

… the user understands and accepts the risks involved with the use of AI or similar technologies and agrees to indemnify and hold [Company] harmless for any claims, damages, or losses resulting from such usage.

Allowing an AI engine to analyze your information, or allowing a service to use your information to train their AI-based services, is a disclosure:

When you post or otherwise share User Content on or through our Services, you understand and agree that your User Content … may be visible to others

AI Privacy Policies

Using AI tools has inherent risks:

By utilizing [Company]’s services, the user understands and accepts the risks involved with the use of AI or similar technologies and agrees to indemnify and hold [Company] harmless for any claims, damages, or losses resulting from such usage.

Some tools have service options, at added costs, to ensure data privacy:

… customers that want their data to be strictly segregated (for example, customers dealing with PHI) can choose the [service] option to exercise complete control over their compute and data infrastructure, ensuring that their data is separated per their compliance requirements.

Some services explicitly tell you that sharing confidential information violates their privacy policy:

You may also post or otherwise share only Content that is nonconfidential and that you have all necessary rights to disclose.

The Risks and Challenges with AI

With justifiable concerns about data protection and privacy, we have been trained to think about data leaks and breaches in terms of cyber attacks. We also look at “insider threats,” which are often human errors such as accidentally sharing files externally or putting confidential information in an unsecured email.

The use of meeting assistants and other AI-powered productivity tools creates a new category of risk.  In order to learn and improve, AI tools need to train using information. The easiest way to provide information to train an AI tool is to capture information provided by the users.  The users get their results; the AI tool trains, learns, and improves.

While this works for the AI tool or service provider, it creates a data breach platform for the users unless the tool has specific policies and services to ensure compliance with data privacy laws and regulations. 

Using an unsecured AI meeting assistant creates an incidental, if unintentional, breach. 

Some examples of incidental breaches caused by unsecure AI meeting assistants:

  • Two doctors discuss a patient consult, disclosing personal health information (PHI) to third parties in violation of HIPAA
  • You discuss project details with one of your clients, disclosing confidential intellectual property in violation of your contract
  • Your financial advisor discusses your financial holdings and accounts with you, disclosing personally identifiable financial information in violation of industry regulations and standards

Protect Yourself and Your Business from AI and Privacy Issues

From our review of several AI meeting assistant services, very few will keep your information private. Those that do will charge additional fees.

When you get on a video meeting or conference call, ask the host if their meeting assistant is secure. If not, or if they are unsure, ask them to turn it off.

More generally, take a step back and plan your approach to AI.

  • Consider how and when you want to use AI in your business
  • Make sure you and your team understand your contractual and regulatory responsibilities with respect to information privacy
  • Assess the AI tools and services you plan to use:
    • Understand their data privacy commitments
    • Match privacy policies and commitments against your business and legal requirements
    • Opt in to agreements that ensure data privacy, even if it requires paying for the service

With an understanding of your requirements and AI services, AI can add value to your business without introducing significant avoidable risk.

We Can Help

To discuss your technology service needs and plans, click here to schedule a call with a Cloud Advisor or send us an email.

About the Author

Allen Falcon is the co-founder and CEO of Cumulus Global.  Allen co-founded Cumulus Global in 2006 to offer small businesses enterprise-grade email security and compliance using emerging cloud solutions. He has led the company’s growth into a managed cloud service provider with over 1,000 customers throughout North America. Starting his first business at age 12, Allen is a serial entrepreneur. He has launched strategic IT consulting, software, and service companies. An advocate for small and midsize businesses, Allen served on the board of the former Smaller Business Association of New England, local economic development committees, and industry advisory boards.

Our First AI Warning: Why Using AI Services Can Breach Your Contracts

We recently received our first AI Warning. This was not a general warning such as, “anything built for good can be used for evil” or “AI can replace you.” We received a direct warning about specific uses of artificial intelligence services and our contracts. The warning we received applies to you as well.

Some Background About this AI Warning

Cumulus Global is known for our professional services, including our ability to successfully manage cloud migrations from a variety of local environments. We often provide these services to other technology firms that need our expertise and experience to solve specific client needs. We have standing partnership agreements with several of these firms.

The AI Warning came from one of our partners.

The AI Warning

The warning we received centered on our potential use of AI services and the implication for confidential information belonging to our partner and their clients. The warning stated that providing this data to any AI system or tool is a likely violation of our contract, confidentiality, and non-disclosure agreements.

Specifically:

  • Providing confidential information to any AI system or tool is an unauthorized disclosure unless we have a contractual agreement in place with the AI vendor that ensures all data remains private and confidential.
  • The use of any confidential information for feeding or training an AI system or tool is considered an unauthorized disclosure. Even if the AI system or tool is private, the confidential information will be used outside the scope of any project, work, or need.

In addition to clearly defining limits on the use of their data with AI services, the warning included the company’s intent to pursue any and all contractual and legal methods to prevent, or in response to, disclosures.

Bigger Context

While this AI warning was specific to one business relationship, we see a bigger context. The current flood of AI services is exciting, and the potential uses and benefits are great. If we want to engage, however, we need to be careful. Whether we are deliberately training an AI system or creating prompts and providing feedback to refine answers, we are placing information in the hands of others. Unless we take explicit steps to ensure privacy with AI tools, our expectation must be that the information we provide will be used to train the AI service, effectively placing the information in the public domain.

We must also recognize that the generative nature of AI increases the risk of improper disclosure. While we may not intend to disclose information, AI engines can recognize and correlate information. In other words, AI services can piece together data to create and share information that should be private.

Your Action Plan to Prevent AI Issues

Take a step back and plan your approach to AI.

  • Consider how and when you want to use AI in your business
  • Make sure you and your team understand your contractual and regulatory responsibilities with respect to information privacy
  • Assess the AI tools and services you plan to use:
    • Understand their data privacy commitments
    • Match privacy policies and commitments against your business and legal requirements
    • Opt in to agreements that ensure data privacy, even if it requires paying for the service

With an understanding of your requirements and AI services, AI can add value to your business without introducing significant avoidable risk.


Expect an Increase in Cyber Attacks

The U.S. Cybersecurity & Infrastructure Security Agency, part of the U.S. Department of Homeland Security, is warning businesses to be prepared to defend against cyber attacks originating from Russia. “Every organization—large and small—must be prepared to respond to disruptive cyber activity,” the agency says in its warning.

Our security vendors, analyzing aggregate data, are starting to see a definitive increase in the number and frequency of attacks.

Fortunately, you have a range of tools at your disposal to protect your business:

  • Next-Gen endpoint protection
  • Advanced threat protection
  • Multi-factor authentication
  • Cyber-awareness training
  • DNS/Web protection
  • Third party breach monitoring

These services, paired with recovery and continuity services, can prevent your business from succumbing to an attack. And, if you do fall victim, they ensure your business can be back up and running in hours, not days or weeks.

Please contact us if you have any questions or would like a no-obligation review of your security footprint. You can also schedule a call with one of our Cloud Advisors, below.


Business Email Compromise: 10 Stats; 5 Solutions

Business Email Compromise (BEC) is a type of phishing-related fraud with far-reaching consequences. Not only can BEC attacks hurt your business, companies you work with can be damaged as well. BEC threats are hard to detect and mitigate, given the byzantine structure of the attack.

Here are 10 statistics that demonstrate the increasing risk of BEC attacks, along with 5 solutions that reduce the chance of your business becoming a victim.

10 BEC Statistics

1. Business email compromise rose by 14% overall in 2020 and up to 80% in some sectors
2. 65% of organizations faced BEC attacks in 2020
3. In 2020, BEC costs increased rapidly, from $54,000 in Q1 2020 to $80,183 in Q2
4. The energy and infrastructure sector topped the 2020 list with 93% of attacks
5. 60% of the information on the dark web could potentially damage businesses
6. In 2020, 80% of firms experienced an increase in cyberattacks
7. 62% of BEC scams involve the cybercriminal asking for gift or money cards
8. The most common type of BEC scam is invoice or payment fraud
9. Payment/invoice/billing scams skyrocketed by 155% in 2020
10. The average amount requested in wire transfer-based BEC attacks nearly doubled to $75,000 in the fourth quarter

Protecting Against BEC Attacks

The most effective way to prevent business email compromise attacks is a strong, multifaceted defense against the primary delivery system: phishing email.  Here are 5 solutions that help you mitigate threats and the risk of successful cyber attacks.

1 Phishing Resistance Training

An absolute must-have for any organization in today’s tumultuous world is a strong cybersecurity culture. Too many employees are still clicking on dangerous messages. Strengthen your security culture and reduce your risk of suffering email-based cyberattacks by up to 70%.

2 Advanced Threat Protection

Go beyond attack profiles and blacklist lookups. Take advantage of next-gen protections that assess content and context, leverage machine learning, and analyze the behavior of links and attachments.

3 DNS / Web Protection

Secure your DNS traffic to help prevent cyber attacks that spoof or use your identity.  Block known, dangerous web sites. Block malicious web content and downloads, even from trusted sites that have been hacked.

4 Identity Access Management

Secure your user identities over time with a comprehensive approach. Include multi-factor authentication, password vaults, and single-sign on for your best protection.

5 Dark Web Monitoring

Your team probably uses their work email address (identity) to log into third party services. Breaches in these services put your business at risk. Monitor your domain for potential breaches so you can take action before you become a victim.

To learn more about Business Email Compromise, other cyber threats, and solutions to fit your needs and budget, contact us and schedule a complimentary Cloud Advisor Session.


Work Life Post COVID-19 Will be Different

As reported by the Boston Business Journal, a recent survey conducted by the Massachusetts Competitive Partnership, with help from several regional business groups, found that businesses are projecting that 47% of employees will continue to work completely or partially from home post-Covid. If this is the case, the number of remote workers will jump 2 1/2 times from the pre-Covid rate of 18%.

While this survey’s focus was looking at the potential impact on the commercial real estate market in the metro Boston area, we can expect these results to be somewhat similar for metropolitan areas across the country.

A significant, permanent shift in the percentage of remote workers will impact how businesses operate.

To adapt, you will want to eliminate issues that are “inconveniences” when temporary, but should not be allowed to hurt productivity or efficiency in the long term. Some of the changes we have seen and helped businesses deploy include:

  • Changing your infrastructure (and using cloud services) to provide users with secure, direct access to applications and files, eliminating the need for remote desktop or VPN connections to on-premise networks and systems
  • Expanding your use of social communication tools, like Google Chat and Microsoft Teams, to enable the casual and incidental conversations that occur in the office
  • Incrementally automating common tasks and workflows to simplify and monitor processes
  • Giving your staff the ability to manage inbound and outbound calls through the company’s voice service, ensuring that:
    • Call flows, through ACD and IVR menus, work properly
    • Team members can transfer calls to others
    • Staff do not need to use personal phone numbers and voicemail
  • Ensuring your calling groups, like those for help desks, function well regardless of a person’s location
  • Updating threat protections for users, data, and applications outside your physical offices
  • Selecting video conferencing services that are secure and that provide your team with useful features and controls, such as:
    • Controlled and secure access
    • Ability to share desktops, windows, and browser tabs
    • Privacy tools, such as alternate backgrounds
    • Captioning and transcription capture

As many of these improvements can be accomplished with the tools and systems you already have in place, the cost to ensure productivity is manageable.


Complete this form for a free, no-obligation assessment, or contact us to schedule an introductory call with one of our Cloud Advisors.

Remote Learning + (Privacy x Access) = New IT Needs

While schools, teachers, and families want schools to safely re-open, the reality is that in most areas of the country, remote learning will be part of the plan this coming school year.  In addition to ensuring student access and adapting teaching methods, the move to remote learning creates new communication and privacy issues.  Working with schools and districts across the US, we see new requirements for voice services, such as:

Full Access

  • Even schools with Voice over IP phone systems may not have a way for staff to receive and make calls remotely. More than forwarding an extension to a home or cell phone, staff should be able to answer, transfer, and initiate calls. Additionally, unanswered calls should go to the school voice mailbox, not a personal one.

Hotline / Service Desk

  • With staff working remotely, provide managed call groups with either “ring many” or “round robin” features to ensure staff are able to answer student calls quickly.
  • In addition to IT help lines, these service desks can help librarians assist students with research, enable counselors to provide better coverage, and ensure calls to administrative offices are answered or routed when staff are working remotely.

Privacy for Personal Phone Numbers

  • Not all staff have school phone numbers that they can use to make and receive calls when out of the office.
  • Special education teachers, aides, liaisons, coordinators, and other staff that need to communicate one-on-one with families should not have to make calls from, or disclose, their personal home or cell phone numbers.

Cloud VoIP solutions can augment and fill gaps in your current phone services so you can fully support remote teachers, staff, and learners.

With cloud VoIP services, we can easily tailor incremental and point-solutions to your needs while managing per-user and total costs.  Capabilities include:

  • Individual direct dial numbers or extensions
  • Soft phone apps for mobile devices, laptops, and desktops, providing:
    • Ability to make and receive calls on any device without disclosing personal phone numbers
    • Access to all phone service features
    • Access to system voicemail services
  • Single or multi-level call direction menus
  • Service Desk / Agent Pools that provide:
    • Ring many, round-robin, or prioritized inbound call assignment
    • Ability to mark self available or unavailable
    • After-call work period before receiving next call to allow for documentation/transition

Depending on the features and functionality you need, we can deploy native Microsoft and Google voice services or bring in third party services designed to work with G Suite for Education and Microsoft 365.

Please contact us to discuss your needs and explore your options.

5 Ideas for Successful Remote Shopping and Customer Pickup Services

As more areas of the country move into Phase 1 of re-opening the economy, you may be able to offer remote shopping and curbside (no contact) pickup.  While you may already have a way to hold items for pickup by customers, moving completely to the “take out” model of business requires you to make changes and scale your processes.  Here are 5 ideas to improve your customer experience:

1. Accept Online and Advance Payments

Customers paying online or by phone before coming for their pickup dramatically reduces the in-person interaction needed to complete the sale. This is safe for your employees and your customers.

  • Adding a shopping cart experience to your website is not a simple process; check with your web developer and verify they have the experience to create a secure, easy to use flow for your customers.
  • If adding a shopping cart experience to your website is not feasible in the short term, you have alternatives:
    • Check with your current card processing service; many offer payment portals that can work well in this situation.
    • Spin up a separate online store using a turnkey solution, like Shopify, to which you can upload inventory and product information
    • Create an online payment account via services like PayPal or Venmo (make sure you have or create a company-specific account)
  • Remember that you must still comply with PCI DSS requirements. Make sure employees know that when taking credit card information, they should not write down or otherwise record the information except to enter it into the POS or card processing systems.

2. Offer Video Shopping Appointments

Allow customers to schedule video shopping appointments, during which a member of your staff can walk the store and help your customers pick out items.

  • Use a secure video meeting tool. If you use Microsoft Office 365 or G Suite, you already have access to video meetings via Microsoft Teams and Google Meet, respectively. Employees should NOT be using personal accounts, email addresses, or phone numbers to set up or run these sessions.
  • Roll out a scheduling tool that lets customers pick from preset, available times.  Bookings is a free tool included with MS Office 365.  Tools like Calendly integrate with both G Suite and Office 365 services.
  • Get a few tripods with phone/tablet holders.  This will allow a single employee to manage the camera while displaying merchandise. It also makes for a “steady” shot and better shopping experience.

3. Live Chat with Customers

Give your customers an easy way to get in touch with you once they are on your website.

  • Live chat is an inexpensive way for customers to communicate with your team.
  • Most live chat solutions allow your staff to answer questions and transfer the conversation.  Staff working from home can cover the live chat service and answer most customer questions. The chat can be transferred to in-store staff as needed.

4. Create a “Service Desk” for Customer Questions

Going beyond live chat, let your customers interact with you however they want, when they want.  At the same time, you can enable staff working from home to support the team working in-store.

  • Set up a cloud-based service desk phone system that allows multiple team members to answer calls, text messages, and voice messages.
    • Employees sign in as ‘agents’ and can indicate when they are available / not available to answer calls.
    • The system will route calls to an available ‘agent’ on a round-robin basis or by another priority that you configure.
    • Using a “soft phone” application, your employees access the system via computer or mobile device; their personal phone numbers and information remain private.
  • Set up a shared inbox to allow your staff to respond to, and manage, email communications.
    • More than a distribution list, a managed shared inbox lets your team assign emails and discussion threads to employees and track their work and progress.
    • Using the shared inbox, employees’ personal information and individual work emails remain private.
    • Employees can connect to and disconnect from the service as needed to cover shifts.

5. Measure Customer Satisfaction

Follow up every sale with a thank you email and solicit customer feedback.

  • Cloud-based customer satisfaction (CSAT) tools let you embed one-click feedback questions into your email templates. These often use familiar green, yellow, and red icons to indicate satisfaction levels.
  • CSAT tools can also solicit comments. These comments can be used to identify and resolve customer issues, as well as generate testimonials for your web site and marketing efforts.
  • More advanced CSAT tools can also ask a “Net Promoter Score” question, so you can measure how many of your customers would recommend your business to others.

A Final Note: As you implement these (or other) ideas, procedures, and technologies, remember to take care of your “back office” and employees. Initiating or improving your customer pickup services means new and changed processes. You may also decide to change roles. For example, some stores dedicate one team member per shift to process online payments as a way of managing access to the tools and information.  Take the time to train your staff and make sure they are comfortable with the changes.  Also, solicit their feedback and ideas. They probably have suggestions that will help you impress your customers.


Please contact us for a free Response and Recovery Assessment. We are happy to discuss ideas and solutions, and to assist with getting the technologies and training in place.



Protect Yourself from Personal Devices

(Published 4/12/20 – Get our Sample Policy)


For many businesses, employees are working from home for the first time. Given the rush to change how our businesses operate, many of those employees will be using home computers or personal devices.  While enabling companies to continue operating, doing so can place your business, data, customers, and employees at risk.

If you do not already have a policy in place, we have published a sample policy covering employee use of personal computers and devices. The policy, intended to augment your existing company policies (such as appropriate use), covers Company and Employee responsibilities. Since you may need to install software and utilities on the device to ensure compatibility, secure access to your systems, and compliance with your data privacy and protection requirements, the policy strives to create a balance that ensures employees will not lose personal data or the use of the device for personal reasons.

You can access the Sample Policy here, free of charge. Please review the policy with your HR and IT resources and modify it as necessary for your business.

As noted in the policy, you should expect to provision current versions of software and the necessary data protection tools. For example:

  • Most Office 365 licenses allow you to install the desktop software on up to 5 computers and 5 tablets/smartphones for each user. These rights mean that you can provide employees with the same software on their home computers as they use in the office. Doing so improves productivity.
  • Employees may have antivirus protection software installed, which may or may not be current or sufficient for your needs. You may want, or need, to layer on advanced threat endpoint protection software that will not interfere with existing tools, such as Webroot.
  • Employees likely do not have DNS/web protection services installed. As the computer is used for personal activities, adding web protections can prevent web-based malware from impacting your data and business.

Please contact us for a complimentary Cloud Advisor session.  Without obligation, we can discuss your needs, discuss how to best protect your data/business, and recommend affordable solutions to consider.

Zoom Privacy Policy is a Risk

Updated 4/05/20

Updates:

  • 4/05/20: Zoom posted an updated Privacy Policy, backdated to 3/29/2020. This policy clarifies Zoom’s actions and intents and changes some terms and conditions, indicating that Zoom is now doing the right thing with your personal data. Zoom has also expanded users’ ability to use passwords and waiting rooms to control meeting access. We still recommend reviewing the policy and using the “do not sell” process. We also recommend using the conferencing systems within your productivity suite, Office 365 or G Suite, as these are secure and integrate with your email, calendar, and file services.
  • 4/01/20: MIT Tech Review summarizes the security issues with Zoom, including information about a Class Action Lawsuit.
  • 3/31/20: Vice.com reports that Zoom is leaking personal emails and photos to strangers.
  • 3/31/20: The Intercept reports that Zoom is not using End to End Encryption as claimed in their marketing materials and user interface.
  • 3/31/20: New York Times reports that Zoom, the videoconferencing app whose traffic has surged, is under scrutiny by the New York attorney general’s office for its data privacy and security practices.
  • 3/30/20: FBI Warns of Teleconferencing and Online Classroom Hijacking During COVID-19 Pandemic

On March 18, 2020, Zoom.us posted changes to its privacy policy that impact all users, even those without accounts attending meetings as guests. This change follows a dramatic increase in Zoom users (and stock price), as Zoom has been offering its services for free to many businesses and schools.

Under this version of Zoom’s privacy policy, Zoom is collecting more information, in our assessment, than is necessary to provide users with the service. Zoom also acknowledges providing this information to third parties. The information Zoom is collecting includes, but is not limited to:

  • Name, physical address, and other similar personally identifying information
  • Information about your job, such as your title and employer
  • Your Facebook profile information (when you use Facebook to log in to Zoom or to create a Zoom account)
  • General information about your product and service preferences (including software installed and/or in use on your computer)
  • Information about your device

Per Zoom’s policy, downloading and using the Zoom app provides Zoom with consent to share any personal information they collect with third parties.

In reference to the use of third party services, the policy states

“We use these tools to help us improve your advertising experience (such as serving advertisements on our behalf across the Internet, serving personalized ads on our website, and providing analytics services).”

In other words, Zoom may use the personal information of any person using their services to market to that person across their use of the Internet.

Additionally, we do not see any effort by Zoom to determine the age of individuals using the service, so they are likely collecting and using the personal information of children.

Vice.com is reporting that Zoom’s iOS app sends data to Facebook even if you do not have a Facebook account.

Impact

Our current assessment of the impact is as follows:

  • Data collection is based on the way each meeting participant enters the meeting. Even if the organizer is on a paid and secure business or education edition, meeting attendees using the free client or entering as a guest are subject to data mining and sharing.
  • For businesses and schools, some of the data Zoom collects and shares is prohibited under the Children’s Online Privacy Protection Act (COPPA).
  • For schools and libraries, not using the K12 version of Zoom for faculty and students may result in violations of the Children’s Internet Protection Act (CIPA).
  • Zoom does provide a means for users to instruct Zoom to “Do not Sell” their personal information. This helps with California Consumer Privacy Act (“CCPA”) and EU General Data Protection Regulation (“GDPR”) compliance. It may not be practical to advise all meeting attendees of this option.

In short, Zoom’s privacy policy may conflict with your business’ privacy policy and how you manage and respect your customers and their data. The policy may also create regulatory and legal issues.

Recommendations

If your organization uses G Suite or Microsoft Office 365, you already have the ability to securely conduct audio and video conferencing with services that do not mine and share attendee data.

  • G Suite
    • Hangouts Meet (the new service) is secure and HIPAA compliant. Individuals outside your organization can join via a shared URL without providing personal information. Through June 2020, Google has enabled all G Suite users to conduct meetings with up to 250 participants and has provided organizers with the ability to record meetings. Participants can mute their own audio/video and can present to the meeting. Meetings include dial-in numbers and PINs to allow access from phones.
    • Participants can join via web browser or use the free iOS and Android apps.
    • Traditional Hangouts and Chat, while not HIPAA compliant, are still secure and work within organizations and with guests.
  • Office 365
    • Teams (and formerly Skype for Business) is a secure video/audio conferencing service with screen sharing, waiting rooms, and other helpful features.  As with all of Office 365, Teams can be deployed to meet HIPAA compliance. Teams does not collect and share personal information.
    • Teams, by default, is device-to-device conferencing. You can add the ability for individuals to connect by phone for a small monthly fee for each meeting organizer who needs this function.
    • Participants can join via web browser, or use the free apps for Windows, Mac, iOS, and Android.

Before adding another service or tool for audio/video conferencing, take full advantage of the services you have. Contact us if you need help with user training and support.

If you are not using G Suite or Office 365, several communications and conferencing services are offering secure, free access for up to 90 days.  These include, but are not limited to, Dialpad, UberConference, Ring Central, and Cisco WebEx. Please contact us for help selecting and deploying the right service for you and your teams.


Rules, Regulations, and Results

Rules and Regulations

For Small and Midsize Enterprises (SMEs), the regulatory landscape remains in a perpetual state of flux, with changes originating at the Federal, state, and local levels. While some rules and regulations can severely impact your business’ operations and profitability, many create requirements that you can easily satisfy at a nominal cost.

Three regulations with upcoming deadlines or increased enforcement include:

HIPAA

HIPAA compliance is a requirement for any organization that works with personal health information of individuals — not just medical offices and insurance firms. If you are sharing employee information about benefits, insurance coverage, medical leaves, or other items that involve personal health information (PHI), you have an obligation to protect the PHI. Failure to do so can result in heavy fines and, in a few instances, criminal charges.

Historically, HIPAA compliance efforts have focused on medical practices, insurers, and brokers. We are starting to see audits of non-medical companies, along with fines for those not in compliance.

Fortunately, you can protect PHI by focusing on the individuals that are authorized or likely to handle sensitive employee information.  By focusing on HR, payroll, and key executive and leadership roles, you can deploy services like message-level email encryption.

What to do:

  • For as little as $5 or $6 per user per month, you can ensure that specific individuals protect PHI and sensitive information while preventing accidental disclosure.
  • Contact us for information about encryption, DLP, and other HIPAA solutions.

ELD

Starting December 18, 2017, all interstate trucks in the US must use an Electronic Logging Device (ELD) to track operations and produce required reporting. According to the US Department of Transportation (USDOT), fewer than 1/3 of interstate trucks had installed ELDs as of mid-November. Failure to comply can result in heavy fines, impounding of vehicles, and disruption of delivery schedules.

While enforcement is not expected to impact small and midsize trucking firms until late spring or summer of next year, your business can still be at risk.

Here are a few things to note:

  • If you have your own truck(s), they may be classified or registered as Interstate Trucks, even if you only deliver within your state.
  • If you use third parties for shipping, their failure to comply can disrupt your deliveries if trucks are stopped or impounded, or if drivers are pulled off the road.

What to do:

  • Check your own vehicles:
    • Determine if they are properly registered as Interstate Trucks, or if they should be registered as such
    • If you do not have ELDs yet, please contact us for low cost, self-install ELDs with logging software subscriptions
  • Check with your shipper(s):
    • Confirm their trucks, those of their subcontractors, and any owner/operators are properly registered and have ELDs
    • If not, have them contact us for help

GDPR

On May 25, 2018, the European Union (EU) General Data Protection Regulation (GDPR) takes effect. While GDPR covers data protection and privacy for citizens of EU member states, treaties allow enforcement actions against US companies operating within the US.

If you have any personal data for citizens of EU member states, you are responsible for GDPR compliance.

GDPR means more than encrypting sensitive data.  GDPR includes processes and procedures for governance, including:

  • A named Data Protection Officer (DPO) responsible for oversight, compliance, and response to individual inquiries. The DPO role can be full time or part time, internal or contracted.
  • You must report suspected breaches within 72 hours of becoming aware of the issue.
  • You need to deploy privacy by design — any new system or change in systems requires primary consideration of privacy and information security.
  • You must be able to demonstrate that you mitigate risk, even in the absence of a privacy breach.

Fortunately, for most SMEs the appropriate policy changes and risk-mitigation technologies need not be expensive or complicated.

What to do:

  • Discuss GDPR with your team, and your legal counsel, to determine your required compliance
  • Provide training, education, and “cultural support” for a data privacy mindset within your organization
  • Review systems storing or processing personal information for security and privacy compliance
  • Select and deploy relevant data loss prevention (risk mitigation) solutions for your environment

Need help? Contact us for more information.