PII, Social Media and Security Considerations

September 2017
NENA’s 7th Annual National Training Conference
San Antonio, TX
National Employment Network Association

Amanda Sowell, Alliance Professional Services LLC
Pam Walker, Alliance Professional Services LLC
Al Walker, Alliance Professional Services LLC



Workshop Objectives

• Examine use of Social Media and potential PII issues
• Discuss Social Media best practices and how to protect PII
• Examine situations regarding Ticketholders’ PII and internal/external communication
• Review safety nets related to PII data storage.


Rule #1:

Do not mix Business Social Media and Personal Social Media.

Don’t make business personal.


Social Media and Best Practices to Protect PII


What Is Social Media?

Computer-mediated tools that allow people, companies, and organizations to create, share, and exchange information, interests, ideas, pictures, and videos.


Social Media Usage

How many of you use Social Media?

• Facebook
• Twitter
• Instagram
• LinkedIn
• Google
• YouTube
• Pinterest
• Tumblr
• Flickr
• Vine
• Others?


Social Media Statistics

Statista.com reports:

• 81% of adults use Social Media
• Increase of 33% since 2010
• 100% of Americans are projected to use Social Media by 2020.


Social Media Profile

A Business Profile should:

• Be easily accessible
• Provide accurate contact information
• Include a concise business description
• Display the business logo


Social Media – Pros & Cons

Pros:

• Great marketing tool
• Provides ability to share information to a large audience very quickly

Cons:

• Requires diligence to ensure PII is protected.


Protecting PII

• Do not
  – Post client information
  – Tag people
  – Respond to posts publicly
  – Share private photos


Use Social Media Wisely

• Do not respond publicly to clients’ posts
• Do not post too often.
• Do not abuse hashtags


What is a Blog?

A regularly updated section of a website. Blogs are written by an individual with the purpose of sharing useful information with an audience.


Why Blog?

• Allows you to share large bits of information quickly
• Provides option to turn off response features


Personal Messaging

What is personal messaging?

A private form of communication between different members on a platform. It is only seen and accessible by the users participating in the message.


Use of Personal Messaging

• Delete questions posted to your account
• Send response personally, not publicly.


Good Use of Social Media

Be Active!

• Gift giveaway
• Post job openings
• Share a resume-building website
• Offer a link to free training sites
• Get creative to help your clients!


Make Social Media Work for You!

• Search engine optimization
• Increase traffic to your web site
• Grow your networking circle


Conclusion

Social Media:

• Is a powerful tool
• Must be used correctly
• Requires extra caution


WHAT WOULD YOU DO?


What Would You Do?

Discussion: Scenario 1

You’re going on vacation and decide to take your work laptop with you. Your laptop is password protected, so you decide to put your laptop in your checked luggage for the flight. You arrive at your destination, but your checked luggage does not. What are your responsibilities?


What Should You Do?

1. Know and follow your organization’s policy for protecting PII removed from the duty station.
2. Know and follow your organization’s policy for reporting potential PII loss.
3. Refer to Part IV, Section 8 of the TPA (pages 58 through 69 of the TPA).


What Would You Do?

Discussion: Scenario 2

• You are serving a Ticketholder who really wants to go to work. He is extremely qualified for the jobs he is seeking, but he has no references. You have been assisting him for three months and he asks if he can use you as a reference.


What Should You Do?

1. Explain why you are unable to serve as a reference for this Ticketholder.
2. Offer suggestions for ways to establish references.


Data Protection and Security Considerations


Document-Level Encryption

PII Risk Level - Low

• Encrypt and password protect your proprietary work at the document level
• All Microsoft Office applications (including 2016 for Mac) provide a “save-as” procedure to encrypt and password protect a single document.
• One of the very best ways to protect your work and avoid PII violations
• Microsoft Office 365 offers cost-effective subscription plans for storage, sharing and Office products.


What About Texting?

PII Risk Level - High

• Cell phone texting and connectivity expected to double by 2020
• Phone devices will keep a history unless deleted by the user (very risky)
• Users tend to use a “single device” for work, play and communications (e.g., phones, iPads and pad-like devices)
• Cell phones do provide device logon but remember, no unauthorized person is to view PII information
• Avoid texting PII unless using a beneficiary “alias” or “alias” ID number


Remote Connectivity and VPN

PII Risk Level - Low

• VPN (Virtual Private Network) – a secure tunnel of communications via the internet
• Requires security settings on both ends
• Can be difficult to set up
• Creates network folders for sharing


Remote Connectivity and VPN

PII Risk Level - Low

• Example - TeamViewer

[Diagram: My PC and Remote PC connected by a Secure Tunnel]


Remote Connectivity and VPN

PII Risk Level - Low

• VPN can be used in a small office but is usually found in larger companies with IT staffing
• Examples: TeamViewer, LogMeIn Hamachi, Citrix
• Can be very expensive
• Takeaway – very secure


Microsoft Office 365 and The “Cloud”

PII Risk Level – Reasonably Low

• For sharing, a great online subscription service
• Microsoft OneDrive for Business is an example of cloud storage. Dropbox is another.
• You can:
  – Set up user permissions
  – Share files using just about any device (PC or handheld) anywhere
  – Upload and download needed files
  – Invite other users to “pick up” files when available
• Reasonably secure if shared via group security


Microsoft Office 365 and SharePoint

PII Risk Level – Reasonably Low

• A web site that you can edit as needed
• Great for sharing documents by inviting other users to visit the site via email
• Extensive user permission levels
• Can host Microsoft Excel and Microsoft Access database tables that can be shared via a Microsoft client¹

¹ Relational database table and referential integrity restrictions apply


Now Let’s Talk About Email

PII Risk Level - Depends

• Concerns:
  – Email logon security
  – Email “To” or “CC” addressing
  – Email subject line
  – Email body
  – Email attachments
• In other words, there is concern with just about everything in an email!
• Constant vigilance and good policy will help you eliminate PII issues.


Securing Email

PII Risk Level - Depends

• Logon security (PC and Email):
  – Screen saver logon (with short wait duration) will protect the PC.
  – A strong email password is also required.
• Email addressing:
  – Do not address a particular email to more than one beneficiary. Use separate email for each beneficiary.
  – Do not send a proprietary email to anyone not authorized to see it whether it’s encrypted or not.
  – Ditto for persons copied.


Securing Email

PII Risk Level - Depends

• Email subject line and body:
  – Obviously, do not include SSNs and beneficiary names in either the subject or body.
• What about encrypting the entire email – subject line, body and all?
  – Microsoft Office 365 Exchange email does offer a way to encrypt an entire email.
  – Within the Administrative settings for email, “transport rules” can be put in place.


Securing Email

PII Risk Level - Depends

• What about encrypting the entire email – subject line, body and all? (continued)
  – Example of transport rule: if either the subject line or body includes the words “Proprietary and Confidential”, Microsoft Outlook Exchange server will encrypt the email, and . . .
  – You can use any phrasing or words you wish to trigger encryption
  – Requires the person receiving the email to take security actions to properly receive it.
  – Note: transport rules can be tricky and may require special settings all performed within the Administrative section of Office 365 email.


Securing Email

PII Risk Level - Depends

• Email attachments:
  – All parts of an email can be PII-free, except the attachment.
  – Assigning an encryption “password-to-open” rule to a document is perhaps the best way to avoid a PII problem.
  – Another technique is to purchase a low-cost email application add-in such as WinZip Courier 8.0. Encryption is automatic.
  – Courier 8.0 will both zip and encrypt an attachment or bundle of them.
  – Courier works well with Microsoft Outlook and almost all email service providers including Gmail, Zoho, Yahoo, Office 365.
  – Courier also provides a way, outside of email, to encrypt documents.
  – Cost is approximately $24.95 per PC installation.
  – A free trial is available - http://www.winzip.com/win/en/courier-sys-req.html


Securing Email

PII Risk Level - Depends

• Example of automatic email attachment zip and encrypt:


Securing Email – Mac Users

• What about encrypting attachments for Mac users?
• WinZip 6 for Mac is available to encrypt Mac documents
• Mac office products also provide encryption capability for Mac documents
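The addressing, subject/body and attachment rules from the Securing Email slides can be checked mechanically before a message is sent. The following Python script is an added example, not part of the original presentation; the SSN pattern, the rule that any recipient outside the staff domain counts as a beneficiary, and the sample message and addresses are assumptions constructed for illustration.

```python
import io
import re
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import getaddresses

# Assumption: SSNs are written as 9 digits, optionally grouped 3-2-4.
SSN_RE = re.compile(r"(?<!\d)\d{3}[- ]?\d{2}[- ]?\d{4}(?!\d)")
OOXML_EXT = (".docx", ".xlsx", ".pptx")
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def zip_is_encrypted(data: bytes) -> bool:
    """True only if every ZIP member has the encryption flag (bit 0) set."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            members = zf.infolist()
            return bool(members) and all(m.flag_bits & 0x1 for m in members)
    except zipfile.BadZipFile:
        return False


def attachment_is_protected(name: str, data: bytes) -> bool:
    """Heuristic check that an attachment cannot be opened without a password."""
    name = name.lower()
    if name.endswith(OOXML_EXT):
        # A plain Office file is a ZIP ("PK"); saving it with a password to
        # open wraps it in an OLE container, which starts with OLE_MAGIC.
        return data.startswith(OLE_MAGIC)
    if name.endswith(".zip"):
        return zip_is_encrypted(data)
    return False  # unknown type: report it and let a person decide


def check_message(raw: bytes, staff_domain: str) -> list[str]:
    """Return findings for one outgoing message; an empty list means clean."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []

    # Addressing. Assumption: any To/Cc address outside staff_domain belongs
    # to a beneficiary, and one email may go to only one of them.
    headers = [str(h) for f in ("To", "Cc") for h in msg.get_all(f, [])]
    external = [addr for _, addr in getaddresses(headers)
                if addr and not addr.lower().endswith("@" + staff_domain)]
    if len(external) > 1:
        findings.append("addressing: %d external recipients" % len(external))

    # Subject line and body must not carry an SSN.
    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content() if body_part else ""
    for label, text in (("subject", str(msg["Subject"] or "")), ("body", body)):
        if SSN_RE.search(text):
            findings.append(label + ": SSN-like number")

    # Attachments must be password-to-open documents or encrypted ZIPs.
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        if not attachment_is_protected(name, data):
            findings.append("attachment: %s is not encrypted" % name)
    return findings


def build_sample() -> bytes:
    """Constructed message: two beneficiaries, an SSN, a plain .docx."""
    msg = EmailMessage()
    msg["From"] = "counselor@en.example"
    msg["To"] = "holder1@mail.example, holder2@mail.example"
    msg["Cc"] = "supervisor@en.example"
    msg["Subject"] = "Your work plan"
    msg.set_content("Please confirm your SSN 123-45-6789 before Friday.")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:  # stand-in for an unencrypted .docx
        zf.writestr("word/document.xml", "<w:document/>")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="octet-stream", filename="plan.docx")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in check_message(build_sample(), "en.example"):
        print(finding)
```

Beneficiary names in the subject or body are not checked here because that needs a roster to match against; a message with any finding should be held until a person reviews it.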


External Storage Devices

PII Risk Level - Depends

• Types of storage devices:
  – PC Hard Drive (various sizes)
  – External Hard Drive (up to 4 TB) – Western Digital, Seagate
  – CD disks (up to 4.7 GB or more) – some encryption available (careful!)
  – USB encrypted Flash drives (up to 128 GB) – SanDisk, Kanguru, Imation
• The greatest risk is portability of the device.
• If it’s easy to carry, it’s easy to misplace.
• Protect it! . . . With password protection and encryption.


External Storage Devices

PII Risk Level - Depends

• Reduce the risk!

System and Data File Backup 2017 (Excluding Cloud)

| Storage Media Types | Size | Prices | IO Speed | Logon Password | Encryption Password | Pre-Formatted? |
|---|---|---|---|---|---|---|
| Personal Computer Hard Drive | TB+ | Various | Best | Yes | Yes | Yes |
| Flash Drive | Up to 128GB | $5 to $120 | Good | No¹ | Generally No¹ | Yes |
| DVD | 4.7GB | $15 for 50 pack | Good | No | No | Sometimes |
| Western Digital Passport | Up to 4TB | $65 to $200+ | Good | Yes | Yes² | Yes |

Notes:

1. Imation, Kanguru, SanDisk make flash drives that include encryption and password logon.
2. Western Digital Passport Ultra external hard drive offers drive "unlocker", password protection, encrypted technology

Other brands are available; for example Seagate. Some brands offer wireless versions


Wireless Networks

PII Risk Level - Depends

• Extremely secure, IF . . .
• Network logon is required for everything
  – From PCs to Printers
• Can use MAC address filtering (i.e., media access control) to allow only approved devices to access your network. Ask your network administrator about this!

Note: A MAC address is a unique identifier assigned to network interfaces. It is unique for each PC or device. It is sometimes called a physical address.

Example: 00:23:54:49:8C:EA


PII Security in the Office

• Is security the same for home office vs commercial office?
• YES! In fact, ensure your residential office is more secure than a commercial one! Go the extra mile!
• Physical:
  – Facilities separated by locked doors from any “public” access
  – Password protected devices; locking hard-copy file storage
  – Facility alarm systems with professional monitoring
  – Thorough cross-cut shredding of obsolete or no longer needed documentation
• Digital:
  – Encrypted documentation within the office or when moved via file transfer, email, or when using cloud storage; password protected PCs, external drives, email
• Portable:
  – Password protected devices, avoidance of carrying hard-copy containing PII

Reference: TPA Part IV, Terms and Conditions; Sections 7 and 8 Regarding Protection of and Reporting Loss of PII.


Expect a Site Visit! Are You Ready?

• Again, expect a visit!
• Audits are almost always based on risk. The greater the risk at your site, the more likely you will receive a site visit.
• What will the SSA professionals look for? (not all-inclusive)
  – Security of PII; overall office security
  – Documentation regarding your team members’ suitability; signed understanding of PII protections; contractor agreements; compliance documentation
  – Overall processing: are you meeting beneficiary needs? (example: case notes)
  – Physical, digital, administrative safeguards
• Practice what you preach!
  – If you assert certain safeguards, be sure you are using all of them routinely. Deviations from assertions can and will be observed and noted.
• Enjoy the site visit!
  – Social Security Administration professionals are great to work with! Make sure all documentation, processes, safeguards are ready for examination.


Questions


Presenters’ Contact Information

Amanda Sowell: [email protected]
Pam Walker: [email protected]
Al Walker: [email protected]