Reprinted with permission from the January 2004 issue of the Intellectual Property & Technology Law Journal.
Beyond the NDA: Digital Rights Management Isn't Just for Music

By Adam Petravicius and Joseph T. Miotke

Adam Petravicius is a partner in the Intellectual Property and Technology Practice of Jenner & Block LLP. His practice focuses on transactions involving intellectual property or technology, including licenses, strategic alliances and joint ventures, and outsourcing agreements. Joseph T. Miotke is an associate in the firm, focusing primarily on patent, trademark, trade secret, and copyright matters.

Theft of proprietary information causes companies to lose billions of dollars each year.[1] Yet to compete effectively, companies often must share their most valuable secrets with third parties, even their fiercest competitors. Companies routinely enter into non-disclosure agreements (NDAs) when sharing their proprietary information but then forget about them shortly after they are signed, assuming that their information is fully protected by the NDA. However, there are a number of steps that companies should consider taking to protect their proprietary information after signing an NDA. These steps range from simple steps, such as marking information appropriately, to sophisticated technological solutions, such as using digital rights management (DRM) software.

Although a well-drafted NDA provides significant legal protection to a company's proprietary information, the best protection is often non-legal security measures.[2] Theft or misuse of information is often difficult to detect and even more difficult to prove. Legal remedies may be expensive and time-consuming to obtain and may not fully compensate a company for the harm that it suffers. On the other hand, a company may be able to implement security measures that minimize the risk of theft or misuse in the first place. The cost of these security measures is relatively low when compared to the staggering losses that could result from theft or misuse.

Selective Disclosure

The most effective method of preventing a third party from stealing or misusing proprietary information is not sharing the information with it. Although collaborating with a third party requires sharing some of a company's proprietary information, companies often disclose more information than they should. Once an NDA is signed, companies frequently engage in a free flow of information. Although the flow of information may be naturally limited to information relating to a particular project, little regard is given to whether the information is actually needed for the project.

Before sharing its proprietary information, a company should carefully consider the scope of information that needs to be shared. This should be done both at the beginning of each relationship and periodically throughout the relationship. When doing so, a company should not just identify general categories of information to be shared but should identify the specific information in each category. For example, if a company decides to share its customer information, it may not be necessary to disclose customer names; names could be withheld or replaced with random, unique identifiers.

One factor that should be considered when determining which information to share is the scope of protection provided by the relevant NDA. For example, if an NDA requires information to be protected for only a limited time, a company should consider whether information to be disclosed will have value beyond that time. When reviewing the scope of protection, a company should not just look at the duration of protection but also should look at terms regarding the handling of information. In some cases, a company may decide not to disclose certain information until the NDA is updated to protect the information adequately.

A company may be able to make the process of selective disclosure more efficient by routinely categorizing its proprietary information in advance of disclosure.
The categories to be used should be selected to guide decisions regarding disclosure. One or more categories may be used for information that should never be disclosed outside of the company. Other categories may be used for information that should not be disclosed unless certain conditions are met, such as written approval by specified individuals. Finally, categories may be used to identify information that can be freely disclosed as long as there is an appropriate NDA in place.

Limiting the scope of information to be disclosed sometimes means that information cannot be disclosed in the form that it is usually kept. Instead, a company will need to prepare the information in a different form (e.g., by redacting unnecessary information). This is a big reason why companies often disclose more than they should; they simply disclose information in whatever form it exists at the time of disclosure. The costs of preparing information for disclosure will need to be considered when determining what information will be shared. However, these costs are usually relatively small, especially for electronic information.

Proper Marking

Although it should go without saying, many companies fail to mark their proprietary information appropriately.[3] Yet companies may significantly reduce their risk of loss by taking the simple step of appropriately marking their proprietary information as confidential. Marking information will likely prevent it from being inadvertently stolen or misused (e.g., because the individual or company doing so did not realize the information was confidential). Perhaps more importantly, it deters intentional theft or misuse by making it difficult for an individual or company to claim ignorance about the confidential nature of the information after being caught. For individuals acting on their own,[4] intentional behavior may also be deterred by the real, or even perceived, increase in the likelihood of being caught because the markings may call attention to behavior that would otherwise go unnoticed. Finally, the terms of many NDAs require information to be marked in a certain way in order to be protected by the confidentiality provisions in the NDA.

When marking its proprietary information, a company should do so in a manner that clearly and conspicuously identifies it as confidential. At a minimum, this should include a prominent placement of the word "confidential" or similar words on every page of information. A company should also consider adding its name or a project or code name next to the word "confidential." Doing so eliminates confusion about the source of the information and the corresponding restrictions that go with it. For example, an employee who finds a document simply marked "confidential" may assume it belongs to the employee's own company (and not to the competitor with which the employee's company is collaborating).
Although the employee will likely treat the information in accordance with the company's policies, this treatment may go far beyond what was permitted by the NDA between the company and the competitor and may never be detected by either the company or the competitor. The competitor could have avoided this situation by simply adding its name to the confidentiality legend.

A company should consider additional ways to identify its information as confidential and distinguish it from any other company's confidential information. This may include using watermarks, colored ink or colored paper, or special bindings or containers. The more sensitive the information, the more a company should do along these lines.

When considering additional ways to mark its information, a company should pay particular attention to one of the purposes discussed above, calling attention to improper behavior. For example, consider a confidential document that is required to be kept in a certain room. If the document is only marked by use of the word "confidential" in its header, then removing the document may be as simple as covering it with another piece of paper. Removing the document would be much more difficult if it is printed on red paper and bound in a red notebook with the word "confidential" appearing on the covers and sides of the binder and on the sides of the pages of the document itself.

In addition to marking information as confidential, a company may wish to include markings that specify restrictions applicable to the information. In the red notebook example above, the document would be much better protected if it contained equally conspicuous markings indicating that the document was not to be removed from the specific room. If information is subject to numerous restrictions, it may be easier to include a reference to the applicable NDA or other document that identifies the relevant restrictions.
However, referring to another document only works if the other document is actually read. As a result, it may be preferable to include all of the essential restrictions on the document itself, even if doing so requires attaching a separate instruction sheet (e.g., as a cover sheet).

A company should take care not to mark information indiscriminately. It should avoid marking as confidential information that is in fact not confidential or of little value to it. By indiscriminately marking this type of information as confidential, a company may undermine the effectiveness of marking its truly confidential information and, as a result, lose the benefits of marking described above. For example, it may be difficult for a company to rely on a marking to prove that someone knew its information was confidential when the company has frequently put the same marking on publicly available information.[5] Perhaps more importantly, the individuals handling proprietary information (whether a company's own employees or the employees of a third party to which information is disclosed) may stop treating information as confidential simply because it is marked as confidential.

Another form of marking that may be used for more sensitive information is to apply unique numbers or other identifiers to each copy of information that is disclosed (e.g., a unique number on each copy of a document). The individual recipients of each document should then be tracked using the document number or identifier. When done overtly, this may deter improper behavior by individual recipients because they realize that it may be easier to trace their improper behavior back to them. When done covertly, this may help a company discover, and therefore correct, the source of any improper behavior after it has occurred. Covert markings include, for example, changing the wording of a document without changing its meaning so that each copy is worded slightly differently or adding dummy data or information (e.g., fake customer names or unused software code) to a document in a way that does not undermine the usefulness of the information.

Access and Copy Controls

Although an NDA may contain provisions that restrict access or copying, a company should also consider security measures that do the same. The most effective way to control access and copying is to retain control over the information. Sharing information does not necessarily require sharing control. For example, a company could keep its information at its own premises and require third parties to review the information there. The company could even provide workspace as needed.

If it is impractical to keep the information at its own facilities, a company can still retain control of information that is given to a third party. For example, the company could require the third party to provide space for the information and allow the company to control access to that space. Alternatively, the company could install its own security devices at the third party's facilities. For example, if a company is sharing its proprietary software, instead of providing an installation disk and allowing the third party to install it, the company could deliver a computer with the software pre-installed. Not providing the installation disk may make it difficult for the software to be copied. The company can take further steps to prevent copying by removing all external drives, modems and network access cards from the computer and locking the case so that the hard drive cannot be removed and no drives can be added. The company could take steps to limit access by installing access controls on the computer such as password systems or hardware key devices.
In any case, the company will likely need ongoing access to the third party's facilities to make its control over its information effective.

If it is impractical for a company to retain actual control over its information, it should consider exercising control over how its information is handled. The language in most NDAs regarding the handling of information is very general. They usually contain a provision requiring information to be handled with a reasonable degree of care or in the same manner that the other party uses to handle its own information but often do not provide any further detail. In these cases, a company should consider providing additional instructions regarding how its information should be handled. In other words, a company should consider specifying what it believes is a reasonable degree of care.[6] These instructions may include, for example, keeping the information in a locked room or locked file cabinet.

Documentation

A company should keep a record of all of its proprietary information that it discloses to a third party. This record may be necessary to prevent the third party from misusing that information. For example, if a company is unable to demonstrate that it provided certain information to a third party, it may not be able to prevent the third party from using that information.

The manner in which information is documented will depend on the type of information. Information in hardcopy or electronic form can be documented by keeping separate copies of all of the information that is shared. Alternatively, this information can be documented in a log that identifies by title or other unique identifier each item that was shared. Information that is disclosed orally or by observation (e.g., a plant visit) must later be described in writing. In fact, many NDAs require the information to be described in writing before it will be protected by the NDA.
In all cases, the documentation should identify the date on which the information was disclosed and, if possible, to whom. In some circumstances, it may also be desirable to obtain written acknowledgement of receipt of the information.

Return and Destruction Procedures

A well-drafted NDA will include a provision to address how information should be handled at the end of a relationship. In most cases, the NDA will simply state that the information must be returned or destroyed.

If an NDA allows information to be destroyed instead of returned, a company should consider specifying how the information should be destroyed. Some methods of destruction are more secure than other methods. For example, a third party may decide to destroy information by shredding it. However, confetti or cross-cut shredding is much more secure than simple strip shredding.[7] Shredding itself may be an insecure method of destruction. There are now commercially available services that use software to piece together shredded documents.[8]

When information is transmitted or stored electronically, a company will need to give special consideration to how that information will be returned or destroyed at the end of a relationship. This information will likely be automatically copied numerous times by the computer systems through which it is transmitted or on which it is stored. For example, e-mail servers may automatically retain copies of e-mails and computer networks are frequently backed up, creating multiple copies of any information stored on the network. Deleting files from a computer often does not physically remove the information from the computer, making it possible to retrieve the information at a later time.

To avoid these problems, a company may decide not to transmit information via e-mail and not to permit information to be stored on a network or otherwise backed up. For example, if information is stored on a single hard drive and never copied, then returning the information can be as simple as returning the entire hard drive. Destroying the information can be as simple as using a special software program that physically removes information from a hard drive, making it nearly impossible to retrieve.

Another potential solution is to encrypt the information whenever it is transmitted or stored. Destroying the information can then be accomplished by destroying the encryption keys (which are needed to decrypt the information) without having to destroy every copy of the information itself (which is encrypted). Even though the information may still physically reside on a computer system, it cannot be accessed without the encryption keys and is, therefore, effectively destroyed. However, care must be taken to ensure that all copies of the keys are destroyed, which may present a similar set of challenges. There is also the risk that it becomes possible in the future to decrypt the information without the encryption keys. For example, a flaw may be discovered in the encryption method that was used or computer processing power may increase to the point that cracking the code becomes a trivial exercise.

Employee Training

Training its employees is a key step for a company to take to protect its proprietary information. A company may adopt policies to protect its information (such as those suggested in this article), but the policies are useless if its employees are not familiar with them or do not know how or when to apply them. A company must educate its employees on what the company considers to be proprietary information.
If an employee does not know that certain information is considered proprietary, the employee will likely not follow any of the company's procedures regarding proprietary information when dealing with that information. A company must also educate employees on how to handle proprietary information. Whatever policies a company adopts, it should be sure that its employees understand how and when to implement them.

When sharing information with a third party, a company should also consider requiring the third party to train its employees how to handle the company's information. The company's information may be subject to security procedures that are different from the third party's procedures and, therefore, are unknown or unfamiliar to the third party's employees. A company may also wish to train its own employees on the treatment of a third party's information. The more a company can demonstrate that it is taking steps to protect a third party's information, the more steps the third party may take to protect the company's information.

Technology Solutions

The suggestions identified above can be implemented without any special technology. However, there are a number of technological solutions that may make implementing those solutions easier or more effective.

Protecting information in electronic form can be very challenging. The information can be copied or widely distributed at the click of a button, often inadvertently. Yet sharing information electronically is often the most practical or convenient way of sharing it, especially software, databases or large volumes of information.

Encryption can be used to protect electronic information while it is transmitted or stored. However, encrypted information must eventually be decrypted to be shared. Once the information is decrypted, it is subject to all of the risks described above.
This is not meant to suggest that encryption is not valuable; it can be very effective in preventing an unauthorized third party from gaining access to information (e.g., by intercepting an e-mail communication). Nonetheless, encryption does not prevent the intended recipient[9] (or an employee of the intended recipient) from copying or distributing the information.

To fully protect electronic information, a company should consider using digital rights management (DRM) software. DRM software is commonly thought of as applying only to digital media such as music or movies. However, a number of companies are developing DRM software specifically for the purpose of protecting electronic information. DRM software protects information by creating access and copy controls that travel with the information, even if it is transmitted via e-mail. These controls determine whether the information can be viewed, copied, printed, or re-transmitted and by whom. They also can limit the number of times or length of time that information can be accessed. Some DRM software even allows the controls to be changed after the information is already distributed (e.g., to revoke access). DRM software also can keep detailed audit trails of how information was accessed or copied.

Although the application of DRM software to electronic information is relatively new, a number of vendors are pursuing its development. There are several smaller vendors that focus on DRM software and that have developed commercial software packages, such as Authentica, Liquid Machines, and Sealed Media. The demand for this type of software also has attracted the attention of large vendors. Both IBM and Microsoft are reported to be developing this software for use by companies. Microsoft has reported that DRM software will be built into its Office 2003 applications, and IBM is integrating DRM software into some of its enterprise software.

Other solutions that are similar to DRM software are also available. Several common software applications provide limited access and copy controls, such as Adobe Acrobat. Although the DRM functionality contained in these applications may not be as robust as in the software described above, they may be sufficient for sharing certain information. There are also vendors that provide secure collaboration servers that allow companies to share their information online in a secure fashion, such as CYA Technologies. These solutions allow information to be viewed online but prevent it from being downloaded, printed, or otherwise copied.

For information that is shared in hardcopy form, information can be printed in a way that makes it difficult to make copies using a photocopy machine. For example, information can be printed in a red font on brown paper in such a way that a photocopy machine will not be able to make a legible copy. However, this method may not prevent a high-quality color scanner (or a photocopy machine with similar capabilities) from making copies. To prevent this type of copying, a company should consider using paper with a special coating that prevents copying or scanning.

Conclusion

A well-drafted NDA is an essential first step to protecting a company's proprietary information, and the suggestions in this article are no substitute. However, companies should view an NDA as the first, and not the final, step in protecting their information. Companies must be vigilant in identifying and implementing additional steps for keeping their information confidential and for preventing others from misusing it.

Notes

1. See PricewaterhouseCoopers, US Chamber of Commerce, and ASIS Foundation, Trends in Proprietary Loss, Survey Report (Sept. 2002).

2. This article is not intended to undermine or question the importance of a well-drafted NDA, which the authors believe to be essential when sharing proprietary information. Although a discussion of the terms of a well-drafted NDA is beyond the scope of this article, it should be noted that implementing some of the suggestions in this article may require the terms of the relevant NDA to account for such implementation.

3. See Trends in Proprietary Information Loss, supra n.1.

4. For example, a company receiving confidential information may intend to comply with the terms of the relevant NDA. However, one of its employees may intentionally violate the terms of the NDA.

5. Ironically, there is often no benefit to marking such information as confidential because such information is typically excluded from the confidentiality provisions of an NDA.

6. In many cases, it may be preferable to include this type of detail in the NDA. However, it may be impractical to do so, especially if the relationship will be long-term or if it is difficult to anticipate the exact scope of information to be disclosed.

7. Strip shredding simply cuts documents into long, thin strips, usually along the length of the document. Crosscut shredding, however, cuts strips in both directions (i.e., along its length and width), producing confetti-like pieces.

8. See Douglas Heingartner, Picking Up the Pieces, N.Y. Times, July 17, 2003.

9. The intended recipient must necessarily be given the means to decrypt the information.

Volume 16 Number 1 January 2004 Intellectual Property & Technology Law Journal
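The per-copy identifiers and covert dummy entries described under Proper Marking, combined with the disclosure log described under Documentation, can be sketched in code. This is an added example and not part of the original article; the company, recipient and customer names, the word lists, the dates and the DisclosureRegister class are all constructed for illustration.

```python
import secrets
from dataclasses import dataclass, field
from datetime import date

# Constructed sample data: the real customer list to be shared under an NDA.
CUSTOMERS = ["Acme Tooling", "Birch Logistics", "Corvid Analytics", "Delta Freight"]

# Constructed word lists used to build plausible dummy customer names.
FIRST = ["Northgate", "Silverline", "Harbor", "Ridgeway", "Oakfield", "Lakemont"]
SECOND = ["Supply", "Holdings", "Partners", "Systems", "Trading", "Industries"]


@dataclass
class IssuedCopy:
    copy_id: str        # overt identifier printed in the confidentiality legend
    recipient: str      # who received this copy
    disclosed_on: date  # date of disclosure, kept for the disclosure record
    dummies: list       # covert dummy customer names unique to this copy
    text: str           # the marked document exactly as delivered


@dataclass
class DisclosureRegister:
    """Log of every copy disclosed, so a leaked copy can be traced later."""
    owner: str
    copies: list = field(default_factory=list)

    def issue(self, recipient, disclosed_on, dummies_per_copy=2):
        # Dummy names must never repeat across copies or collide with real data.
        used = {d for c in self.copies for d in c.dummies} | set(CUSTOMERS)
        candidates = [f"{a} {b}" for a in FIRST for b in SECOND
                      if f"{a} {b}" not in used]
        # sample() raises ValueError once the pool of unused names runs out.
        dummies = secrets.SystemRandom().sample(candidates, dummies_per_copy)
        copy_id = f"{len(self.copies) + 1:04d}-{secrets.token_hex(3)}"
        header = f"CONFIDENTIAL - {self.owner} - Copy {copy_id}"
        rows = sorted(CUSTOMERS + dummies)  # dummies blend into the sorted list
        issued = IssuedCopy(copy_id, recipient, disclosed_on, dummies,
                            "\n".join([header] + rows))
        self.copies.append(issued)
        return issued

    def trace(self, leaked_text):
        """Return (recipient, date, overt_hit, covert_hits), strongest first."""
        matches = []
        for c in self.copies:
            overt = c.copy_id in leaked_text
            covert = sum(d in leaked_text for d in c.dummies)
            if overt or covert:
                matches.append((c.recipient, c.disclosed_on, overt, covert))
        return sorted(matches, key=lambda m: (m[3], m[2]), reverse=True)


def demo():
    register = DisclosureRegister("Example Corp")
    register.issue("Partner A", date(2004, 1, 5))
    copy_b = register.issue("Partner B", date(2004, 1, 6))
    # Simulated leak: Partner B's copy with the confidentiality header cut off,
    # so only the covert dummy rows remain to identify the source.
    leaked = "\n".join(copy_b.text.splitlines()[1:])
    return register.trace(leaked)


if __name__ == "__main__":
    for recipient, disclosed_on, overt, covert in demo():
        print(recipient, disclosed_on, "overt id:", overt, "dummy rows:", covert)
```

The register must itself be treated as proprietary information, since anyone who can read it can identify and strip the dummy rows.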
Topic 8 Database Security LEARNING OUTCOMES When you have completed this Topic you should be able to: 1. Discuss the important of database security to an organisation. 2. Identify the types of threat that
More informationDEALERSHIP IDENTITY THEFT RED FLAGS AND NOTICES OF ADDRESS DISCREPANCY POLICY
DEALERSHIP IDENTITY THEFT RED FLAGS AND NOTICES OF ADDRESS DISCREPANCY POLICY This Plan we adopted by member, partner, etc.) on Our Program Coordinator (date). (Board of Directors, owner, We have appointed
More informationLSE PCI-DSS Cardholder Data Environments Information Security Policy
LSE PCI-DSS Cardholder Data Environments Information Security Policy Written By: Jethro Perkins, Information Security Manager Reviewed By: Ali Lindsley, PCI-DSS Project Manager Endorsed By: PCI DSS project
More informationHIPAA Security. 2 Security Standards: Administrative Safeguards. Security Topics
HIPAA Security SERIES Security Topics 1. Security 101 for Covered Entities 5. 2. Security Standards - Organizational, Security Policies Standards & Procedures, - Administrative and Documentation Safeguards
More informationIntellectual Property& Technology Law Journal
Intellectual Property& Technology Law Journal Edited by the Technology and Proprietary Rights Group of Weil, Gotshal & Manges LLP VOLUME 26 NUMBER 6 JUNE 2014 A Practical Approach to Working with Open
More informationA California Business Privacy Handbook
A California Business Privacy Handbook April 2008 This brochure is for informational purposes and should not be construed as legal advice or as policy of the State of California. If you want advice in
More informationGUIDE TO MANAGING DATA BREACHES
8 MAY 2015 CONTENT PURPOSE OF THE GUIDE 3 INTRODUCTION 4 HOW DATA BREACHES COULD OCCUR 5 RESPONDING TO A DATA BREACH 6 i. DATA BREACH MANAGEMENT PLAN 6 ii. CONTAINING THE BREACH 7 iii. ASSESSING RISK AND
More informationMANAGED SERVICE PROVIDER (MSP) PROGRAM
MANAGED SERVICE PROVIDER (MSP) PROGRAM SECURITY POLICY FOR DATA MANAGEMENT AND PERSONNEL JUNE, 2001 6991 E. Camelback Rd, Suite B-265 * Scottsdale, AZ 85251 * 877-675-0080 * Fax: 480-675-0090 TABLE OF
More informationGuide to INFORMATION SECURITY FOR THE HEALTH CARE SECTOR
Guide to INFORMATION SECURITY FOR THE HEALTH CARE SECTOR Information and Resources for Small Medical Offices Introduction The Personal Health Information Protection Act, 2004 (PHIPA) is Ontario s health-specific
More informationMicrosoft Dynamics GP. Bill of Materials
Microsoft Dynamics GP Bill of Materials Copyright Copyright 2007 Microsoft Corporation. All rights reserved. Complying with all applicable copyright laws is the responsibility of the user. Without limiting
More informationUser Authentication Job Tracking Fax Transmission via RightFax Server Secure Printing Functions HDD/Memory Security Fax to Ethernet Connection
User Authentication Job Tracking Fax Transmission via RightFax Server Secure Printing Functions HDD/Memory Security Fax to Ethernet Connection Outline How do you protect your critical confidential data?
More informationSupplier IT Security Guide
Revision Date: 28 November 2012 TABLE OF CONTENT 1. INTRODUCTION... 3 2. PURPOSE... 3 3. GENERAL ACCESS REQUIREMENTS... 3 4. SECURITY RULES FOR SUPPLIER WORKPLACES AT AN INFINEON LOCATION... 3 5. DATA
More informationVMware vcloud Air HIPAA Matrix
goes to great lengths to ensure the security and availability of vcloud Air services. In this effort VMware has completed an independent third party examination of vcloud Air against applicable regulatory
More informationCITY UNIVERSITY OF HONG KONG. Information Classification and
CITY UNIVERSITY OF HONG KONG Handling Standard (Approved by the Information Strategy and Governance Committee in December 2013) PUBLIC Date of Issue: 2013-12-24 Document Control Document Owner Classification
More informationAPPROVED BY: Signatures on File Chief Information Officer APPROVED BY: Chief Financial Officer PURPOSE
TITLE: COMPUTER USE POLICY PAGE 1 OF 5 EFFECTIVE DATE: 07/2001 REVIEW DATES: 02/2003, 09/2006 REVISION DATES: 03/2005, 03/2008 DISTRIBUTION: All Departments PURPOSE APPROVED BY: Signatures on File Chief
More informationAddressing document imaging security issues
Addressing document imaging security issues Document imaging makes it possible to integrate paper documents with existing workflow processes and business applications, e.g., e-mail, fax, and electronic
More informationHIPAA Security COMPLIANCE Checklist For Employers
Compliance HIPAA Security COMPLIANCE Checklist For Employers All of the following steps must be completed by April 20, 2006 (April 14, 2005 for Large Health Plans) Broadly speaking, there are three major
More informationSECURITY POLICIES AND PROCEDURES
2014 WorldEscrow N.V./S.A. SECURITY POLICIES AND PROCEDURES This document describes internal security rules within the WorldEscrow N.V./S.A. organization. Content 1) Employee Responsibilities... 1 2) Use
More informationTenth Judicial Circuit of Florida Information Systems Acceptable Use Guidelines Polk, Hardee and Highlands Counties as of January 2014
Tenth Judicial Circuit of Florida Information Systems Acceptable Use s Polk, Hardee and Highlands Counties as of January 2014 The following guidelines define the acceptable use of information technology
More informationUser Authentication Job Tracking Fax Transmission via RightFax Server Secure Printing Functions HDD/Memory Security Fax to Ethernet Connection Data
User Authentication Job Tracking Fax Transmission via RightFax Server Secure Printing Functions HDD/Memory Security Fax to Ethernet Connection Data Security Kit Outline How do you protect your critical
More informationEASTERN OKLAHOMA STATE COLLEGE ACCEPTING AND HANDLING CREDIT AND DEBIT CARD PAYMENTS POLICIES AND PROCEDURES
EASTERN OKLAHOMA STATE COLLEGE ACCEPTING AND HANDLING CREDIT AND DEBIT CARD PAYMENTS POLICIES AND PROCEDURES This document describes Eastern Oklahoma State College s policy and procedures for the proper
More informationThe HIPAA Security Rule Primer A Guide For Mental Health Practitioners
The HIPAA Security Rule Primer A Guide For Mental Health Practitioners Distributed by NASW Printer-friendly PDF 2006 APAPO 1 Contents Click on any title below to jump to that page. 1 What is HIPAA? 3 2
More information1. The records have been created, sent or received in connection with the compilation.
Record Retention & Destruction Policy Bradley Kirschner PC recognizes that the firm s engagement and administrative files are critical assets. As such, the firm has established this formal written policy
More informationEncryption. From the Real World
HIPAA Safe Harbor Requirement Encryption Lessons Learned From the Real World Larry.Yob@AscensionHealth.org Scott.Aschenbach@StJohn.org Breach 45 CFR Parts 160 and 164 Breach Notification for Unsecured
More information13. Acceptable Use Policy
To view the complete Information and Security Policies and Procedures, log into the Intranet through the IRSC.edu website. Click on the Institutional Technology (IT) Department link, then the Information
More informationReducing Email Threats
Reducing Email Threats MyMail Solves Common Privacy and Security Email Threats MyMail Technology, LLC 2009 West Beauregard Avenue San Angelo, TX 76901 (866) 949-8572 www.mymail.com March 2008 REDUCING
More informationMicrosoft Dynamics GP. Bank Reconciliation
Microsoft Dynamics GP Bank Reconciliation Copyright Copyright 2007 Microsoft Corporation. All rights reserved. Complying with all applicable copyright laws is the responsibility of the user. Without limiting
More informationWindows BitLocker Drive Encryption Step-by-Step Guide
Windows BitLocker Drive Encryption Step-by-Step Guide Microsoft Corporation Published: September 2006 Abstract Microsoft Windows BitLocker Drive Encryption is a new hardware-enhanced feature in the Microsoft
More informationHealth Insurance Portability and Accountability Act (HIPAA) Overview
Health Insurance Portability and Accountability Act (HIPAA) Overview Agency, Contract and Temporary Staff Orientation Initiated: 5/04, Reviewed: 7/10, Revised: 10/10 Prepared by SHS Administration & Samaritan
More informationE-SAFETY POLICY 2014/15 Including:
E-SAFETY POLICY 2014/15 Including: Staff ICT policy (Corporation approved) Data protection policy (Corporation approved) Staff guidelines for Data protection Data Security, awareness raising Acceptable
More informationA practical guide to IT security
Data protection A practical guide to IT security Ideal for the small business The Data Protection Act states that appropriate technical and organisational measures shall be taken against unauthorised or
More informationHIPAA: The Role of PatientTrak in Supporting Compliance
HIPAA: The Role of PatientTrak in Supporting Compliance The purpose of this document is to describe the methods by which PatientTrak addresses the requirements of the HIPAA Security Rule, as pertaining
More informationFINAL May 2005. Guideline on Security Systems for Safeguarding Customer Information
FINAL May 2005 Guideline on Security Systems for Safeguarding Customer Information Table of Contents 1 Introduction 1 1.1 Purpose of Guideline 1 2 Definitions 2 3 Internal Controls and Procedures 2 3.1
More informationProtecting. Personal Information A Business Guide. Division of Finance and Corporate Securities
Protecting Personal Information A Business Guide Division of Finance and Corporate Securities Oregon Identity Theft Protection Act Collecting, keeping, and sharing personal data is essential to all types
More informationPACIFIC EXPLORATION & PRODUCTION CORPORATION (the Corporation )
PRIVACY POLICY (Initially adopted by the Board of Directors on November 16, 2007) PACIFIC EXPLORATION & PRODUCTION CORPORATION (the Corporation ) The Corporation is committed to controlling the collection,
More informationEthical and Responsible Use of EagleNet 03/26/14 AMW
Campus Technology Services Solutions Center Juniata College 814.641.3619 help@juniata.edu http://services.juniata.edu/cts Ethical and Responsible Use of EagleNet 03/26/14 AMW Preamble The resources of
More informationHIPAA Privacy Breach Notification Regulations
Technical Bulletin Issue 8 2009 HIPAA Privacy Breach Notification Regulations On August 24, 2009 Health and Human Services (HHS) issued interim final regulations implementing the HIPAA Privacy Breach Notification
More informationPII Personally Identifiable Information Training and Fraud Prevention
PII Personally Identifiable Information Training and Fraud Prevention Topics What is Personally Identifiable Information (PII)? Why are we committed to protecting PII? What laws govern us? How do we comply?
More informationWritten Information Security Plan (WISP) for. HR Knowledge, Inc. This document has been approved for general distribution.
Written Information Security Plan (WISP) for HR Knowledge, Inc. This document has been approved for general distribution. Last modified January 01, 2014 Written Information Security Policy (WISP) for HR
More informationMulti-Factor Authentication
Making the Most of Multi-Factor Authentication Introduction The news stories are commonplace: Hackers steal or break passwords and gain access to a company s data, often causing huge financial losses to
More informationClinical Solutions. 2 Hour CEU
1 2 Hour CEU 2 Course Objectives The purpose of this program is to provide nurses with information about the Health Insurance Portability and Accountability Act (HIPAA), especially as it relates to protected
More informationComparison of Enterprise Digital Rights Management systems
Comparison of Enterprise Digital Rights Management systems M.H. van Beek Master Thesis Computer Science MT Advice report Aia Software Thesis number 565 June 22, 2007 Radboud University Nijmegen Computer
More informationDigital Documents, Compliance and the Cloud
A Perspective on Navigating the Complexities Associated with Digital Document Transmission and Security for the Modern Enterprise. What are Digital (Electronic) Documents The Rise of the e-document Definition
More informationEJGH Email Encryption User Tip Sheet 10-11-2013 1 of 8
EJGH Email Encryption User Tip Sheet 10-11-2013 1 of 8 External Users Decrypting Secure Messages The following sections describe how users external to EJGH receive and decrypt secure messages. Reading
More informationWhat Every Non IP Attorney Should Know
What Every Non IP Attorney Should Know Morris E. Turek Solo practitioner representing entrepreneurs, small businesses, non profits, and educational institutions Ten years of non patent IP law experience
More informationPierce County Policy on Computer Use and Information Systems
Pierce County Policy on Computer Use and Information Systems Pierce County provides a variety of information technology resources such as computers, software, printers, scanners, copiers, electronic mail
More informationHamilton College Administrative Information Systems Security Policy and Procedures. Approved by the IT Committee (December 2004)
Hamilton College Administrative Information Systems Security Policy and Procedures Approved by the IT Committee (December 2004) Table of Contents Summary... 3 Overview... 4 Definition of Administrative
More informationPrivacy Data Loss. Privacy Data Loss. Identity Theft. The Legal Issues
Doing Business in Oregon Under the Oregon Consumer Identity Theft Protection Act and Related Privacy Risks Privacy Data Loss www.breachblog.com Presented by: Mike Porter March 10, 2009 2 Privacy Data Loss
More informationSecurity Digital Certificate Manager
IBM i Security Digital Certificate Manager 7.1 IBM i Security Digital Certificate Manager 7.1 Note Before using this information and the product it supports, be sure to read the information in Notices,
More informationPCI Data Security and Classification Standards Summary
PCI Data Security and Classification Standards Summary Data security should be a key component of all system policies and practices related to payment acceptance and transaction processing. As customers
More informationGetting a Secure Intranet
61-04-69 Getting a Secure Intranet Stewart S. Miller The Internet and World Wide Web are storehouses of information for many new and legitimate purposes. Unfortunately, they also appeal to people who like
More informationTop 10 Reasons You Need Encryption
Top 10 Reasons You Need Encryption Executive Summary When you talk about encryption especially to someone who isn t a security specialist you often get a variety of interpretations. In general, encryption
More informationHIPAA BREACH NOTIFICATION REQUIREMENTS. Heman A. Marshall, III July 25, 2014
1 HIPAA BREACH NOTIFICATION REQUIREMENTS Heman A. Marshall, III July 25, 2014 2 SCENARIO FOR VBA SUMMER MEETING The Medical Marijuana Growers Association (MMGA) Health Plan, which is a self-fund plan,
More informationPRINCIPLES ON OUTSOURCING OF FINANCIAL SERVICES FOR MARKET INTERMEDIARIES
PRINCIPLES ON OUTSOURCING OF FINANCIAL SERVICES FOR MARKET INTERMEDIARIES A CONSULTATION REPORT OF THE INTERNATIONAL ORGANIZATION OF SECURITIES COMMISSIONS STANDING COMMITTEE 3 ON MARKET INTERMEDIARIES
More informationDRAFT IDAHO STATE UNIVERSITY POLICIES AND PROCEDURES (ISUPP) Asset Management Policy #2430
DRAFT IDAHO STATE UNIVERSITY POLICIES AND PROCEDURES (ISUPP) Asset Management Policy #2430 POLICY INFORMATION Major Functional Area (MFA): Finance and Administration Policy Title: Asset Management Responsible
More informationINFORMATION SECURITY PROGRAM
Approved 1/30/15 by Dr. MaryLou Apple, President MSCC Policy No. 1:08:00:02 MSCC Gramm-Leach-Bliley INFORMATION SECURITY PROGRAM January, 2015 Version 1 Table of Contents A. Introduction Page 1 B. Security
More informationSTANDARD ADMINISTRATIVE PROCEDURE
STANDARD ADMINISTRATIVE PROCEDURE 16.99.99.M0.26 Investigation and Response to Breach of Unsecured Protected Health Information (HITECH) Approved October 27, 2014 Next scheduled review: October 27, 2019
More informationControlling Desktop Software Expenditures
Controlling Desktop Software Expenditures For Windows -based Workstations and Servers Written By: John T. McCann Chief SofTrack Architect Integrity Software, Inc. http://www.softwaremetering.com/ Corporate
More informationSecurity Basics: A Whitepaper
Security Basics: A Whitepaper Todd Feinman, David Goldman, Ricky Wong and Neil Cooper PricewaterhouseCoopers LLP Resource Protection Services Introduction This paper will provide the reader with an overview
More informationAcceptable Use Policy
Acceptable Use Policy Free Use Disclaimer: This policy was created by or for the SANS Institute for the Internet community. All or parts of this policy can be freely used for your organization. There is
More informationCYBERSECURITY POLICY
* CYBERSECURITY POLICY THE CYBERSECURITY POLICY DEFINES THE DUTIES EMPLOYEES AND CONTRACTORS OF CU*ANSWERS MUST FULFILL IN SECURING SENSITIVE INFORMATION. THE CYBERSECURITY POLICY IS PART OF AND INCORPORATED
More informationTen Tests for Microsoft s Document Inspector: Does it satisfy the Metadata Management Needs of Law Firms?
Ten Tests for Microsoft s Document Inspector: Does it satisfy the Metadata Management Needs of Law Firms? Esquire Innovations, Inc., a leading provider of Microsoft Office integrated practice management
More informationInformation Technology (IT) Security Guidelines for External Companies
Information Technology (IT) Security Guidelines for External Companies Document History: Version Name Org.-Unit Date Comments 1.1 Froehlich, Hafner Audi I/GO VW K-DOK 25.05.2004 Table of Contents: 1. Goal...3
More informationESR Secure Email System End to End 256-bit TSL Encryption
ESR Secure Email System End to End 256-bit TSL Encryption Protecting Sensitive Information Sensitive Information Defined Personally Identifiable Information and proprietary or confidential business information
More informationProtecting Electronic Data and Trade Secrets
Protecting Electronic Data and Trade Secrets Presenter: Robert W. Kent, Jr. Baker & McKenzie International is a Swiss Verein with member law firms around the world. In accordance with the common terminology
More informationAntivirus and Malware Prevention Policy and Procedures (Template) Employee Personal Device Use Terms and Conditions (Template)
Below you will find the following sample policies: Antivirus and Malware Prevention Policy and Procedures (Template) Employee Personal Device Use Terms and Conditions (Template) *Log in to erisk Hub for
More informationCredit Card Security
Credit Card Security Created 16 Apr 2014 Revised 16 Apr 2014 Reviewed 16 Apr 2014 Purpose This policy is intended to ensure customer personal information, particularly credit card information and primary
More informationThe HIPAA Security Rule Primer Compliance Date: April 20, 2005
AMERICAN PSYCHOLOGICAL ASSOCIATION PRACTICE ORGANIZATION Practice Working for You The HIPAA Security Rule Primer Compliance Date: April 20, 2005 Printer-friendly PDF 1 Contents Click on any title below
More informationInformation Security Awareness Training Gramm-Leach-Bliley Act (GLB Act)
Information Security Awareness Training Gramm-Leach-Bliley Act (GLB Act) The GLB Act training packet is part of the Information Security Awareness Training that must be completed by employees. Please visit
More information