Data protection and privacy statutes exist to protect the people whose information is collected. At the federal level, the Federal Information Security Management Act requires U.S. government agencies to secure the information systems that hold that data, and most states add their own laws protecting their residents. Together these laws are meant to keep vital information like your Social Security number, financial information, health records, driver's license details, and personal details such as your date of birth from getting into the wrong hands.
With a Social Security number, name, and date of birth, criminals can file fraudulent income tax returns and collect the refund, or take out loans in your name and walk away with the cash. Those are just a few of the ways scammers turn your information into money. Keeping this information safe matters, and the government is obligated to keep your information safe, right?
The truth is that not every agency is meeting these requirements. Each year, the Office of the Inspector General audits the agencies it oversees to check that they comply with federal information security regulations. In the most recent audit, four received "not effective" ratings: the Department of Health and Human Services itself and three of its operating divisions, the Food and Drug Administration, the Centers for Medicare and Medicaid Services, and the National Institutes of Health.
What is the Federal Information Security Management/Modernization Act?
Enacted in 2002, the Federal Information Security Management Act required every federal agency to build and maintain an information security program for its systems and data. Agencies have to report on their security posture, report security incidents and breaches when they occur, and cooperate with oversight and assistance from outside the agency, today provided largely through the Department of Homeland Security.
In 2014, the act was amended and renamed the Federal Information Security Modernization Act. The core obligations did not change: agencies must keep people's information private, and they must promptly notify Congress when a major breach or security incident occurs.
What Did the Audit Find?
When the Office of the Inspector General audited those agencies, the Department of Health and Human Services was rated ineffective in the key areas measured. Weaknesses were found in risk management, configuration management, incident response, continuous monitoring, contingency planning, and data protection and privacy. Measured against the five security functions the audit framework uses (Identify, Protect, Detect, Respond, and Recover), the agency's program fell short in each.
As an example, the Office of the Inspector General found that the Department of Health and Human Services had no reliable way to identify the software installed on its systems. If an employee installed software on a work computer, nothing would alert the agency.
Systems and software that never appear in an inventory are also left out of the agency's risk management process, so they are never assessed or patched. Real-time monitoring was not being performed effectively across the organization either, which would make it easy for a breach to go unnoticed for a long time.
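The control the audit found missing is a software inventory that is compared against an approved baseline so that unauthorized installs, removed agents, version drift, and hosts that never report at all raise an alert. The following Python is an added illustration of that check; it is not from the OIG report or from HHS, and every host name, package name, and version in it is constructed sample data.

```python
"""Software inventory drift check (added example, constructed data).

Compare what endpoint agents report as installed against an approved
baseline and surface everything a FISMA inventory control should catch:
  - packages installed that were never approved (unauthorized installs)
  - approved packages that have disappeared (e.g. an uninstalled EDR agent)
  - approved packages at an unexpected version (drift)
  - hosts in the baseline that sent no inventory (outside risk management)
  - hosts reporting that are not in the baseline (unmanaged systems)
"""
from dataclasses import dataclass, field

# Constructed baseline: the approved software set per host (hypothetical).
APPROVED_BASELINE = {
    "ws-0101": {"ms-office": "16.0", "edr-agent": "4.2", "chrome": "118.0"},
    "ws-0102": {"ms-office": "16.0", "edr-agent": "4.2", "chrome": "118.0"},
    "srv-db01": {"postgresql": "14.9", "edr-agent": "4.2"},
}

# Constructed inventory as reported by endpoint agents today.
# ws-0101 lost its EDR agent and upgraded Chrome; ws-0102 gained an
# unapproved remote-access tool; ws-0199 is not in the baseline at all;
# srv-db01 is absent because its agent never checked in.
CURRENT_INVENTORY = {
    "ws-0101": {"ms-office": "16.0", "chrome": "119.0"},
    "ws-0102": {"ms-office": "16.0", "edr-agent": "4.2", "chrome": "118.0",
                "remote-desktop-tool": "3.1"},
    "ws-0199": {"edr-agent": "4.2"},
}


@dataclass
class InventoryFindings:
    unauthorized: dict = field(default_factory=dict)   # host -> {pkg: ver}
    removed: dict = field(default_factory=dict)        # host -> {pkg: approved ver}
    drifted: dict = field(default_factory=dict)        # host -> {pkg: (approved, found)}
    missing_hosts: set = field(default_factory=set)    # baseline hosts that did not report
    unmanaged_hosts: set = field(default_factory=set)  # reporting hosts not in baseline

    def is_clean(self):
        return not (self.unauthorized or self.removed or self.drifted
                    or self.missing_hosts or self.unmanaged_hosts)


def audit_inventory(baseline, inventory):
    """Diff the reported inventory against the approved baseline."""
    findings = InventoryFindings()
    findings.missing_hosts = set(baseline) - set(inventory)
    findings.unmanaged_hosts = set(inventory) - set(baseline)

    for host in set(baseline) & set(inventory):
        approved, found = baseline[host], inventory[host]
        for pkg, ver in found.items():
            if pkg not in approved:
                findings.unauthorized.setdefault(host, {})[pkg] = ver
            elif approved[pkg] != ver:
                findings.drifted.setdefault(host, {})[pkg] = (approved[pkg], ver)
        for pkg, ver in approved.items():
            if pkg not in found:
                findings.removed.setdefault(host, {})[pkg] = ver
    return findings


def alerts(findings):
    """Render findings as one alert line each, sorted for stable output."""
    out = []
    for host, pkgs in findings.unauthorized.items():
        out += [f"{host}: unauthorized install {p} {v}" for p, v in pkgs.items()]
    for host, pkgs in findings.removed.items():
        out += [f"{host}: approved package removed {p} (expected {v})"
                for p, v in pkgs.items()]
    for host, pkgs in findings.drifted.items():
        out += [f"{host}: version drift {p} {a} -> {f}"
                for p, (a, f) in pkgs.items()]
    out += [f"{h}: no inventory reported (outside risk management)"
            for h in findings.missing_hosts]
    out += [f"{h}: reporting but not in baseline (unmanaged host)"
            for h in findings.unmanaged_hosts]
    return sorted(out)


if __name__ == "__main__":
    for line in alerts(audit_inventory(APPROVED_BASELINE, CURRENT_INVENTORY)):
        print(line)
```

In practice the baseline would come from the change-management record and the inventory from the endpoint agent or configuration-management database; the point of the check is that every category above, including the silent one (a host that simply stops reporting), produces an alert rather than disappearing from view.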
Perhaps most troubling of all, several of the findings repeated recommendations the Government Accountability Office had made a year earlier. Despite having had a year to act on them, the agency had still not corrected the issues.
Estimates on What a Breach Would Cost
Back in September 2018, the Office of the Inspector General said that the Centers for Medicare and Medicaid Services needed to strengthen the security of its enrollment database. If an attacker breached that database, the inspector general estimated the cost at around $47 million per day.
Again, this was not the first time the agency had been told to strengthen its protections. Back in April, it had received similar warnings about weak security measures.
How Well Are You Protecting Your Company’s and Your Clients’ Information?
Unless you work for the government, you likely have no say in how well these agencies protect your information. You do control how your own company protects its customers' information, though. One step that is easy to overlook is having a professional destroy the data on your company's equipment when you upgrade the technology in your offices.
When you recycle old electronics, do you know where they end up? If you simply drop them at a local recycling center, you may have no idea where the computers go from there, and it is important to know. Computers, fax machines, copiers, printers, and other electronics all hold data, and they should never be handed to strangers where theft can occur. You need to know where each device is and which stage of the recycling process it is in.
Don't just trust any company. Look for an electronics recycler that is certified. ERI Direct holds ISO 9001, 14001, and 18001 certifications and is NAID Certified, e-Stewards Certified, and R2 Certified. There are four levels of data destruction available:
- High Security
Trust us to destroy your data effectively at your site or at ours. ERI Direct's facilities are secured with motion-detector alarms, video surveillance, and restricted areas where data destruction takes place, and you are welcome to witness the process yourself. Call 1-800-ERI-DIRECT to talk about your company's data destruction needs.