An interview summary from our live webinar on Thursday, June 13, 2019
Featuring special guest: Patrick Miller, Managing Partner of Archer International, experts in data security.
Patrick Miller is a cyber security expert here to discuss the importance of keeping your financial, family, and student information safe. With years of experience in protecting corporations and public organizations, Patrick’s straightforward, no-nonsense answers provide clarity about the basics needed to protect a child care center from a possible breach. We will discuss good cyber hygiene, avoiding phishing and pharming scams, and five important steps to securing your data to avoid potential liability.
What does data security mean for an Early Learning Center? Whose data? What data are we talking about?
We are talking about any of the data used by your organization. This means the business data, personnel data, health data, family data entrusted to you, and financial data—both business money and your family or payer money.
Centers need to be aware that there are laws in place for privacy protection. An example of this would be HIPAA, the Health Insurance Portability and Accountability Act of 1996 which is United States federal legislation that provides data privacy and security provisions for safeguarding medical information.
Privacy laws in the United States deal with several different legal concepts. One is the invasion of privacy, a tort based in common law allowing an aggrieved party to bring a lawsuit against an individual who unlawfully intrudes into his or her private affairs, discloses his or her private information, publicizes him or her in a false light, or appropriates his or her name for personal gain.
The Family Educational Rights and Privacy Act (FERPA)
At Smartcare, we are sometimes asked about FERPA. FERPA (20 U.S.C. § 1232g; 34 CFR Part 99) is a federal law that protects the privacy of student education records. The law applies to all schools that receive funds under an applicable program of the U.S. Department of Education.
FERPA gives parents certain rights with respect to their children’s education records. These rights transfer to the student when he or she reaches the age of 18 or attends a school beyond the high school level. Students to whom the rights have transferred are “eligible students.”
Parents or eligible students have the right to inspect and review the student’s education records maintained by the school. Schools are not required to provide copies of records unless, for reasons such as great distance, it is impossible for parents or eligible students to review the records.
At Smartcare, we are compliant with FERPA. The key provisions of FERPA require the educational institution to receive consent from the parent prior to disclosing a student’s education records. Smartcare does not disclose any records. There is the expectation that a school has internal controls to ensure that information is not disclosed by school employees.
Why is data security important?
For obvious reasons, if someone can bring a lawsuit against a child care center, or if a federal or state law is violated, it spells trouble for the business. It can mean having to hire lawyers for defense, paying fines sometimes up to $100,000, and in some cases prison time.
In addition to securing your business information, keeping a child’s personal information secure is paramount because with access to certain information, hackers and cyber thieves can steal the identity of the child, take out credit in the child’s name, and create long-term credit issues for the child.
A business can suffer and may never recover from the negative results. So, it is important to be aware of the laws and to take preventive action to avoid problems.
Who is responsible for data security at a child care center?
In a word, everyone. The owner and board of directors, the executive director, administrators, business manager, receptionist, teachers, custodians: everyone is responsible. Leadership in child care centers needs to be aware of what we call “cyber-hygiene” and make sure that the business is clean and safe from potential attacks.
It means taking time to train your staff on potential risks. For example, a receptionist should never leave family payers’ personal checks out on a desktop in plain view. That check contains personally identifiable information, also known as PII. Physical health records and files need to be securely locked down. Computer and tablet screens should time out and go dark when an administrator steps away, and should require a password to get back in.
At the very least, child care centers need to have a data security plan in writing. Technology within that plan should address encryption, firewall standards, the regular update of anti-virus software, and the use of strong passwords. Generally, it’s important to have longer passwords because it is the length that makes it harder to crack. So, pick a phrase or sentence with more than 15 characters that is easy to remember and use it.
Everyone who has potential access to information needs to be aware of phishing and pharming scams.
Phishing: Phishing is the attempt to acquire sensitive information such as usernames, passwords, and credit card details (and sometimes, indirectly, money), often for malicious reasons, by masquerading as a trustworthy entity.
Pharming: Pharming is a scamming practice in which malicious code is installed on a personal computer or server, misdirecting users to fraudulent Web sites without their knowledge or consent.
Pharming is a cyber-attack intended to redirect a website’s traffic to another, fake site. Pharming can be conducted either by changing the hosts file on a victim’s computer or by exploitation of a vulnerability in DNS server software. DNS servers are computers responsible for resolving Internet names into their real IP addresses. Compromised DNS servers are sometimes referred to as “poisoned”. Spyware removal programs can usually correct the corruption, but it can recur.
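The answer above says that length, more than character variety, is what makes a password hard to crack. The following is an added example written for this page (it is not code from the webinar, from Patrick Miller, or from Smartcare) that puts numbers on that claim: it computes the search space of a few common password policies, converts it to time-to-exhaust at an assumed offline guessing rate, and enforces the "more than 15 characters" rule from the text. The guessing rate of 10 billion guesses per second is an assumption for illustration; real rates depend on the hash algorithm and the attacker's hardware.

```python
import math

# Assumed offline guessing rate against a stolen password hash. This is an
# assumption for illustration only; real rates vary by hash algorithm and hardware.
GUESSES_PER_SECOND = 1e10


def search_space_bits(length, charset_size):
    """Bits of search space for `length` symbols drawn from `charset_size`
    possibilities, i.e. log2(charset_size ** length). Length multiplies the
    exponent, charset size only changes the base, which is why length wins."""
    return length * math.log2(charset_size)


def years_to_exhaust(bits, rate=GUESSES_PER_SECOND):
    """Years needed to try every candidate at `rate` guesses per second."""
    seconds = 2.0 ** bits / rate
    return seconds / (365.25 * 24 * 3600)


def compare_policies():
    """Search space (bits) of a short 'complex' password versus a long
    lowercase phrase. Charset sizes: 26 lowercase letters, 95 printable ASCII."""
    policies = {
        "8 chars, all printable": (8, 95),
        "12 chars, all printable": (12, 95),
        "15 chars, lowercase only": (15, 26),
        "20 chars, lowercase only": (20, 26),
    }
    return {name: round(search_space_bits(n, cs), 1) for name, (n, cs) in policies.items()}


def check_passphrase(candidate, min_length=16):
    """Return a list of problems with a proposed passphrase (empty means it
    passes). Enforces the 'more than 15 characters' floor from the text plus
    two obvious weaknesses that a long string can still have."""
    problems = []
    if len(candidate) < min_length:
        problems.append(f"fewer than {min_length} characters")
    if candidate != candidate.strip():
        problems.append("leading or trailing whitespace (easy to lose when typing)")
    if len(set(candidate.lower())) < 5:
        problems.append("too few distinct characters (e.g. a repeated letter)")
    return problems


if __name__ == "__main__":
    for name, bits in compare_policies().items():
        print(f"{name:28s} {bits:6.1f} bits  ~{years_to_exhaust(bits):.3g} years")
    for p in ("Tr0ub4dor&3", "aaaaaaaaaaaaaaaaaaaa", "the bus leaves at half past six"):
        print(repr(p), "->", check_passphrase(p) or "ok")
```

Running it shows that an 8-character password using every printable symbol (about 52.6 bits) falls in days at the assumed rate, while a 20-character all-lowercase phrase (about 94 bits) does not fall in any practical timeframe.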
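The pharming description above names one of the two mechanisms as editing the hosts file on the victim's computer. Below is an added example written for this page (not code from the webinar, from Patrick Miller, or from Smartcare) showing what a check for that looks like: it parses hosts-file text and flags any entry that pins a watchlisted domain (your bank, your payment processor) to a fixed address, or that pins any name to an address outside the center's own LAN. The sample hosts content, the domain names, and the LAN range are all constructed for the example; 203.0.113.x is a documentation address range standing in for an attacker's server.

```python
import ipaddress

# Constructed sample of a hosts file, not taken from any real machine. On
# Windows the real file is C:\Windows\System32\drivers\etc\hosts; on Linux and
# macOS it is /etc/hosts. The last three entries mimic a pharming infection.
SAMPLE_HOSTS = """\
# standard entries
127.0.0.1       localhost
::1             localhost
192.168.1.10    printer.lan
0.0.0.0         ads.example.net
# entries a pharming infection might add (constructed; 203.0.113.0/24 is a placeholder range)
203.0.113.45    www.examplebank.com
203.0.113.45    login.examplebank.com
203.0.113.9     update.example.org
"""


def parse_hosts(text):
    """Yield (line_number, ip_address, hostname) for each mapping in hosts-file
    text. Comments (#), blank lines and unparsable addresses are skipped."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue
        for name in parts[1:]:
            entries.append((lineno, ip, name.lower()))
    return entries


def suspicious_entries(text, watchlist=(), lan_nets=()):
    """Return (line_number, hostname, ip, reason) for entries that look like
    pharming. `watchlist` is a tuple of domains that should never be pinned in
    the hosts file; `lan_nets` lists the center's own address ranges, which
    are the only non-local addresses a legitimate entry should point to."""
    nets = [ipaddress.ip_network(n) for n in lan_nets]
    findings = []
    for lineno, ip, name in parse_hosts(text):
        if any(name == d or name.endswith("." + d) for d in watchlist):
            findings.append((lineno, name, str(ip), "watchlisted domain pinned in hosts file"))
            continue
        if ip.is_loopback or ip.is_unspecified or ip.is_link_local:
            continue  # localhost aliases and 0.0.0.0 blackholes are normal
        if any(ip in net for net in nets):
            continue  # a printer or file server on the center's own LAN
        findings.append((lineno, name, str(ip), "pinned to an address outside the LAN"))
    return findings


if __name__ == "__main__":
    for finding in suspicious_entries(
        SAMPLE_HOSTS, watchlist=("examplebank.com",), lan_nets=("192.168.1.0/24",)
    ):
        print("line %d: %s -> %s (%s)" % finding)
```

To run it against a real machine, read the hosts file from the path in the comment and pass the domains of the center's bank and payment provider as the watchlist. A hosts-file check only covers the first mechanism the text describes; a poisoned DNS server does not leave anything on the victim's disk, so the text's other advice (current anti-virus, patched systems) still applies.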
If I have a webmaster and a cyber-security insurance policy, won’t I be protected if a cyber-attack hits me?
Many small centers probably don’t have or can’t afford a full-time computer system manager. Some centers may have just set up a website and their software may be running on old personal computers. Even if you have a webmaster, or you have hired one, as the organization’s leader, you need to be aware that the ultimate responsibility is going to fall on the shoulders of the person in charge.
As for cyber-insurance, it generally offers some protection, but it might not pay out depending upon the policy type and claim. Your claim may be denied. Most policies have clauses that deny payment for global ransomware acts. You need to do your due diligence and be aware of what your cyber-insurance covers.
What technology do I need to have in place?
To be protected, it’s important to think of your business as a place full of electronic devices that are becoming more and more automated and complex and reliant upon wi-fi. You have business devices and software, and non-business and worker devices. Software and apps are running throughout your organization. Think about Alexa taking voice commands to direct music, televisions, bots and coffeepots.
You have two choices: One is to remain hosted locally—meaning managing tech security yourself or with a hired IT person. The other choice is to outsource to the cloud.
If you remain local, at the very least you will need four things:
- A firewall and someone to manage the firewall. With an average IT staff member earning $80,000 per year, this gets expensive quickly.
- You need to be sure your anti-virus protection is up-to-date. These are anti-virus security software products that are readily available at Best Buy or downloadable online, such as McAfee, Norton, or Symantec.
- Thirdly, you will need to be sure you are running the latest version of Windows or whatever operating system (OS) you are using. Don’t ignore updates. Go into your settings and switch to auto update so you are always running the latest versions.
- You will need to remember to constantly back up your systems. In case of a breach or attack, if you have a backup, it will be easier to restore your data.
If you choose to host in the cloud, you will need to find a reliable vendor. The advantages of cloud security are:
- Cloud providers are able to manage security better because it is all they do.
- With multiple clients, they know their business reputation relies upon providing good service.
- Cloud providers are constantly updating security measures to stay ahead of hackers—or at least they are better able to combat the latest hacks and cyber mining activities.
I recommend you first separate your business data and move it to cloud-based applications that are more secure than keeping data in your own center. Hire the best data security vendor you can afford. Most likely it will be less expensive than hiring an IT staff member. Use the Better Business Bureau (BBB) or get word-of-mouth recommendations from peers or associations to select a vendor. Interview vendors by going online and searching for “What Questions Should I Ask My Data Security Vendor?” A little research and meeting with potential vendors will pay off over time.
Going digital and paperless is actually more secure than people initially think. Dumpster divers who seek personal information are not uncommon. At the very least, be sure you are shredding all paper documents. Going digital can help your business be more efficient in addition to being more secure. You have easy access to bank and account balances and reports that can be backed up and have less of a chance to be hacked. In 10-15 years, we will see more movement to a paperless society where all documents will be stored electronically.
You need to take responsibility for managing your own system. You may need to hire a consultant to help you, but you really need to keep business data separate. Within your school, be sure to have two WiFi networks, one for guests and one for business. Let all the toys, tablets, Bluetooth, and staff devices run off the guest WiFi, and give it a relatively easy password like your center phone number or address. Then password protect your business WiFi with a strong password that is only given to authorized and trusted administrators.
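The fourth item in the local-hosting list above is backups, on the grounds that a backup makes restoring after an attack easier. A backup only helps if what comes back matches what went in, so the following added example (written for this page; not code from the webinar, from Patrick Miller, or from Smartcare) records a SHA-256 manifest of a folder at backup time and later checks a restored copy against it, reporting files that are missing or whose contents changed. The `demo()` function builds a small constructed "records" folder in a temporary directory, backs it up, and then simulates both a clean restore and a damaged one.

```python
import hashlib
import os
import shutil
import tempfile


def sha256_file(path):
    """SHA-256 hex digest of a file, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map each file's path (relative to `root`, with '/' separators) to its
    SHA-256 digest. Store this alongside the backup, ideally offline."""
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def verify_restore(manifest, restored_root):
    """Compare a restored tree against the manifest taken at backup time.
    Returns {'missing': [...], 'modified': [...]}; both empty means the
    restore reproduced every file byte for byte."""
    problems = {"missing": [], "modified": []}
    for rel in sorted(manifest):
        path = os.path.join(restored_root, *rel.split("/"))
        if not os.path.exists(path):
            problems["missing"].append(rel)
        elif sha256_file(path) != manifest[rel]:
            problems["modified"].append(rel)
    return problems


def demo():
    """Constructed scenario: back up a small records folder, verify a clean
    restore, then damage the copy the way a partial or tampered restore would
    and verify again. Returns (manifest, clean_result, damaged_result)."""
    with tempfile.TemporaryDirectory() as tmp:
        live = os.path.join(tmp, "records")
        os.makedirs(os.path.join(live, "enrollment"))
        # Sample contents are made up for the example.
        with open(os.path.join(live, "enrollment", "roster.csv"), "w") as f:
            f.write("child_id,guardian,phone\n1001,J. Doe,555-0100\n")
        with open(os.path.join(live, "ledger.csv"), "w") as f:
            f.write("date,payer,amount\n2019-06-13,Doe,450.00\n")

        manifest = build_manifest(live)
        backup = os.path.join(tmp, "backup")
        shutil.copytree(live, backup)
        clean = verify_restore(manifest, backup)

        # Simulate a bad restore: one file lost, one overwritten with junk.
        os.remove(os.path.join(backup, "ledger.csv"))
        with open(os.path.join(backup, "enrollment", "roster.csv"), "wb") as f:
            f.write(b"\x00\x00not the roster")
        damaged = verify_restore(manifest, backup)
        return manifest, clean, damaged


if __name__ == "__main__":
    manifest, clean, damaged = demo()
    print("files in manifest:", sorted(manifest))
    print("clean restore:", clean)
    print("damaged restore:", damaged)
```

The manifest should be kept somewhere the machine being backed up cannot overwrite it; otherwise an attacker who encrypts the backup can regenerate the manifest to match, and the check passes for the wrong reason.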
What are the elements needed for top grade data security?
Security is challenging. Don’t expect to have a full data security plan implemented overnight. Take some time to research and adopt in stages. Here are the top tips you should take away from this webinar.
- Change your mind set about data. Data is money. You are liable for losing or mishandling data.
- Create a protection plan for your cybersecurity. Outsource business data to offset risk and liability. It is critical for your business continuance to protect data.
- Put your business data on cloud-based apps and don’t rely on your own servers. This is especially true for PCI-DSS compliance when accepting credit or debit cards. Leave this to professionals who focus on processing funds digitally.
- Your network should be segmented to keep business data separate from other software and apps running in your building(s).
- Outsource and get cyber insurance and understand your policy. Your security vendor will be able to have your business back up and running in hours if there is a breach. Without a vendor, it could take days—if ever—to restore lost information when trying to respond to a cyber incident.
- Begin training and non-stop messaging about data security to everyone in your organization including kids who are using tablets and computers.
This concludes our interview. Smartcare University thanks Patrick Miller and his company, Archer International, for his time in presenting this information on data security and compliance for child care centers.
You can learn more about Patrick at: https://www.patrickcmiller.com/about-me
Archer International Security Advisers: