Student data breaches and expanded guidelines for health information

Any company that shares personal health information (PHI) for advertising purposes may soon find itself subject to new Federal Trade Commission (FTC) rules. New guidance extends previous controls to the formerly ambiguous domain of applications and devices that share health data. Failure to comply appears likely to invite agency enforcement in the future.

The expanded rules are far more encompassing than before. Health data handled by devices such as fitness trackers and weight or blood-sugar monitors, whether collected by an app or entered by the users themselves, will now constitute covered information under the FTC. Any sharing or acquisition of covered health data without user authorization will now qualify as a data breach. This could affect digital advertisers, who will need to be more careful about how they share data. If it can be used to identify a user, selling health information to Google or Facebook, etc., is prohibited as a breach. In essence, this broadening seems to couple PHI more closely with personally identifiable information (PII).

In other news, the recent breach affecting around 820,000 New York City students (former and current K-12) continues to be an incident of massive concern for families. A company that operates platforms used by NYC public schools was breached by a bad actor last winter. This individual gained access to student information such as birthdays, languages and grades. Parents are being advised to monitor their children’s financial and credit information over the long term, as it remains unclear exactly how any given student might have been affected. Parents will be notified as the ongoing investigation uncovers more details.

Whenever the personal data of minors is involved, the case becomes even more serious. People will have to check their kids’ passwords, and probably go ahead and change them just to be safe. Heightened alertness to spam phone calls and phishing emails is also recommended, especially those that use scare tactics to request a student’s Social Security number. Never give that out, and never click on email links without being certain of the sender.

People’s personal data is continuously growing in value, which means cyber criminals will only want to steal it more. If you’re a business that handles such data, it is critical to keep it locked away and prevent news stories like this one from being written about your organization.


By: Jonathan Weicher, posted on April 1, 2022
Originally published at: https://www.netlibsecurity.com
Copyright: NetLib Security