Take Precautions to Protect Residents' Personal Information
Two years ago, the Oklahoma Housing Finance Agency notified some 90,000 families associated with its Section 8 Housing Choice Voucher (HCV) program that their personal information might have been compromised when a laptop was stolen from an OHFA employee's home. The computer contained names, Social Security numbers, tax identification numbers, dates of birth, and home and business addresses of the clients who participate or have participated in the HCV program.
Around that same time, Oklahoma news outlets reported that an Oklahoma Employment Security Commission employee lost an unencrypted flash drive that contained the names and Social Security numbers of 5,000 Oklahomans. And a laptop was stolen from a Department of Human Services employee's car, which contained personal information for as many as a million people served by the agency.
Across the country, similar incidents have been publicized in the past few years. Data security breaches have been occurring with alarming frequency in all types of operations, from national retail chains to local housing sites. Despite the proliferation of tools designed to safeguard network infrastructures against malicious acts by tech-savvy criminals, organizations often overlook the key weakness in their systems—the human element.
The top data risk for sites is generally omission, says Massachusetts real estate attorney Howard Goldman. “They fail to take steps to safeguard the data, as opposed to someone stealing it and selling it,” he says. Risky behavior by employees is the largest cause of data breaches across industries. Research by the Ponemon Institute revealed that, in more than 88 percent of cases, insider negligence accounted for the highest cause of breaches. A study by Deloitte LLP reported similar findings: 86 percent of companies surveyed reported human error as the primary weakness in data security.
Employee Mobility Creates Data Security Risks
Today's highly mobile, networked, technology-laden work force presents greater challenges to information security than data theft from a hacker. In fact, the most common risk to your site comes from your staff's good intentions. Managers and staff often copy information to flash drives, smart phones, and laptops so that they can continue to work from home or from different sites. Unfortunately, these smaller devices are frequently lost or mislaid. Despite that danger, Deloitte's research found that very few companies prohibit the use of storage devices (only 27 percent ban them) and smart phones or PDAs (10 percent ban).
To protect your residents' personal information, site managers need to take a multipronged approach by limiting staff access to resident data, providing ongoing identity protection and information security awareness training, setting and enforcing policies for using portable devices, and implementing technical safeguards wherever possible to ensure that confidential information doesn't fall into the wrong hands.
Establish Secure Procedures for Site Staff
Every site should have written procedures for handling confidential information and appropriate computer use. The following are a few of the risk areas that should be included in your site's procedures:
Computer safeguards. “Avoid storing confidential resident information or information on a laptop without a valid and secure password, since laptops are easy targets for ID thieves,” advises Goldman. “Always install virus protection software on your computer and have adequate firewalls, especially if you have high-speed Internet access that is left on 24 hours a day. In addition, use ‘secure browsers’—that is, software that encrypts or scrambles the information you send over the Internet.”
Email and Internet precautions. Prohibit the sending of confidential information, such as resident information, personnel files, and financial records, via email or over the Internet. It's not a good idea to use the Internet to send confidential information about residents unless employees are using one of HUD's secure systems, such as the Enterprise Income Verification (EIV) system, to transmit information.
Password protection. Site staff should never share their passwords with anyone, even coworkers. Be sure to instruct staff not to write down their passwords where someone can find them, email passwords, or store them on their computers. Password-protecting their computers and logging out whenever they're away from their desks is a basic security measure that should be followed.
Keeping confidential information safe. “Never give out personal information on the phone, through the mail, or on the Internet unless you have initiated the contact or are sure you know with whom you are dealing,” says Goldman. “Be sure that paperwork containing residents' and applicants' confidential information isn't left on desks—it should be stored in locked cabinets.” And do not leave resident files open and visible on your computer screen when others are in the office.
Adopt secure procedures for communicating with residents. “Deposit your outgoing mail in post office collection boxes, and be vigilant about how you transmit bills or statements to your residents if they contain confidential information,” says Goldman. “Do not transmit confidential information electronically without valid and secure passwords.”
Be cautious about what you say and to whom. Instruct your site staff not to discuss residents' matters with other people, and to be aware of who's around them both on- and offsite. For instance, maintenance staff who are friendly with certain residents may inadvertently share information about another resident, or site staff may have a conversation that discloses information about a resident that can be overheard by someone else.
Properly dispose of confidential information. “Thwart ID thieves who may go through your garbage by tearing or shredding charge receipts, copies of credit/renter applications, insurance forms, checks, and bank statements,” Goldman says.
For HUD guidelines for protecting residents' and prospects' personally identifiable information (PII), see Follow HUD Requirements for Safeguarding PII.
Education and Enforcement Are Key
While setting site policies and procedures is essential, oftentimes, they're not clearly understood or are simply disregarded by employees who feel that productivity is more important. Staff need to be made aware of behaviors that create security risks and why the security procedures are in place. That message should be continuously reinforced through memos, meetings, and training sessions—otherwise, staff tend to revert to their former behaviors.
The majority of employees responding to a survey by the Ponemon Institute admitted to serious noncompliant workplace behaviors that placed their companies at risk. The following are the risky behaviors that employees engaged in, despite being aware of company policies prohibiting them:
- Copying confidential information onto USB memory stick: 69 percent said they do it; 87 percent believe company policy forbids it;
- Accessing Web-based email accounts from a workplace computer: 52 percent said they do it; 74 percent believe there is no stated policy that forbids it;
- Losing a portable data-bearing device: 43 percent said they lost or misplaced a device; 72 percent said they did not report it;
- Downloading personal software onto a company-assigned computer: 53 percent said they do it; 38 percent said the company policy forbids it;
- Turning off security settings or firewall on workplace computer: 21 percent said they do it; 71 percent believe there is no stated policy that forbids it; and
- Sharing passwords with coworkers: 47 percent said they do it; 71 percent believe that company policy forbids it.
“As mobile devices become more and more prevalent in the workplace, our research shows that policies and enforcement are not keeping up with the increased risk of a data breach,” says Dr. Larry Ponemon, chairman and founder of Ponemon Institute. “Employees are under tremendous pressure to be highly mobile and productive, but they aren't being properly educated on the risks to data integrity; they are taking data outside of the organizational structure without complete understanding or awareness of the serious implications of a breach or misuse of sensitive information.”
Follow HUD Requirements for Safeguarding PII
HUD holds public housing authorities and third-party business partners responsible for protecting residents' and prospects' personally identifiable information (PII). HUD Notice PIH 2010-15, which was released May 6, 2010, outlines specific steps for safeguarding PII, which you can include in your site's data security policy.
Limit the Collection of PII
- Do not collect or maintain sensitive PII without proper authorization, and collect only the PII that's needed for the purposes for which it's collected.
Manage Access to Sensitive PII
- Share or discuss sensitive PII with only those personnel who have a need to know for purposes of their work. Challenge anyone who asks for access to sensitive PII for which you are responsible.
- Do not distribute or release sensitive PII to other employees, contractors, or other third parties unless you are first convinced that the release is authorized, proper, and necessary.
- When discussing sensitive PII on the telephone, confirm that you are speaking to the right person before discussing the information and inform him or her that the discussion will include sensitive PII.
- Never leave messages containing sensitive PII on voicemail.
- Avoid discussing sensitive PII if there are unauthorized personnel, contractors, or guests in the adjacent cubicles, rooms, or hallways who may overhear your conversations.
- Hold meetings in a secure space (that is, where no unauthorized access or eavesdropping is possible) if sensitive PII will be discussed. Treat notes and minutes from such meetings as confidential unless you can verify that they do not contain sensitive PII.
Protect Hard Copy and Electronic Files Containing Sensitive PII
- Lock up all hard copy files containing sensitive PII in secured file cabinets, and do not leave files unattended when they are not locked up.
- Protect all media (such as flash drives, CDs, etc.) that contain sensitive PII, and do not leave them unattended. This information should be maintained either in secured file cabinets or in computers that have been secured.
- Keep accurate records of where PII is stored, used, and maintained.
- Secure digital copies of files containing sensitive PII. Protections include encryption, implementing enhanced authentication mechanisms such as two-factor authentication, and limiting the number of people allowed access to the files.
- Store sensitive PII only on workstations that can be secured, such as workstations located in areas that have restricted physical access.
Protect Electronic Transmissions of Sensitive PII
- When faxing sensitive PII, use the date stamp function, confirm the fax number, verify that the intended recipient is available, and confirm that he or she has received the fax. Ensure that none of the transmission is stored in memory on the fax machine, that the fax is in a controlled area, and that all paper waste is disposed of properly (for example, by shredding). When possible, use a fax machine that uses a secure transmission line.
- Before faxing PII, coordinate with the recipient so that the PII will not be left unattended on the receiving end.
- When faxing sensitive PII, use only individually controlled fax machines, not central receiving centers.
- Do not transmit sensitive PII via an unsecured information system (such as electronic mail, Internet, or electronic bulletin board) without first encrypting the information.
- When sending sensitive PII via email, make sure both the message and any attachments are encrypted.
- Do not place PII on shared drives, multi-access calendars, the Intranet, or the Internet.
Protect Hard Copy Transmissions of Files Containing Sensitive PII
- Do not remove records about individuals with sensitive PII from facilities where HUD information is authorized to be stored and used unless approval is first obtained from a supervisor. Sufficient justification, as well as evidence of information security, must be presented.
- Do not use interoffice or translucent envelopes to mail sensitive PII. Use sealable opaque solid envelopes. Mark the envelope to the person's attention.
- When using the U.S. Postal Service to deliver information with sensitive PII, double-wrap the documents (that is, use two envelopes, one inside the other) and mark only the inside envelope as confidential with the statement, “To Be Opened By Addressee Only.”
Follow Records Management, Retention, and Disposition Rules
- Destroy records after retention requirements are met.
- Dispose of sensitive PII appropriately—use cross-cut shredders or burn bags for hard copy records and permanently erase (not just delete) electronic records.