Is the FTC coming after your company next? Learn how to avoid it during our next ‘Tuesdays at 2’ webinar series

HIPAA. PCI. SOX. All very familiar, but rather industry-specific, acronyms in the world of regulating data security. A recent court decision confirmed the authority of another powerful player – the FTC – to be the omnibus data security enforcer of the federal government.

In the next installment of Online Tech’s free ‘Tuesdays at 2’ educational webinar series, guest host Tatiana Melnik will explain the Federal Trade Commission v. Wyndham Worldwide Corporation court case, discuss the FTC’s broad discretion to take legal action against companies, the technology controls the FTC expects organizations to have in place, and the important role privacy policies play in gauging data compliance.

The webinar – titled Is the FTC Coming After Your Company Next? Court Confirms that the FTC Has Authority to Punish Companies for Poor Cyber Security Practices – will be held from 2 to 3 p.m. ET on Tuesday, April 29. (Register here.)

After Wyndham suffered three separate data breaches at the hands of hackers, the FTC filed suit alleging that the website of one of the world’s largest hospitality companies deceptively stated it reasonably protected consumers’ privacy. Wyndham filed to dismiss the case, citing – among other points – that the FTC lacks authority to regulate data security. The U.S. District Court for the District of New Jersey ruled for the FTC, rejecting Wyndham’s challenge to the FTC’s authority over data security practices.

Melnik, a Tampa-based IT privacy and security attorney, will dive into the implications for all businesses storing personal customer information as FTC enforcement becomes increasingly stringent.

“It’s always helpful to know what the regulators find problematic, so we’ll go through and talk about the issues the FTC found problematic in this case and several other cases,” said Melnik.

Melnik notes that each of the dozens of enforcement actions the FTC has undertaken in recent years argues that a company’s failure to maintain privacy and security protections was deceptive or unfair. This highlights the language found in privacy policies. Not meeting expectations laid out in grandiose privacy policies can be deemed as “deceptive or unfair” as not meeting commercially reasonable standards for data protection.

“Privacy policies do get used against companies. If it’s not a true reflection of what actually happens at a company, that’s quite problematic if there’s a breach,” Melnik said. “To say that you ‘take any and all measures to protect consumer information’ just isn’t true. You most likely can’t afford to take ‘any and all measures.’”

Tatiana Melnik is an attorney concentrating her practice on IT, data privacy and security, and regulatory compliance. She regularly writes and speaks on IT legal issues, including HIPAA/HITECH, cloud computing, mobile device policies, telemedicine, and data breach reporting requirements. She is managing editor of the Nanotechnology Law and Business Journal, and a former council member of the Michigan Bar Information Technology Law Council. Melnik holds a JD from the University of Michigan Law School, a BS in Information Systems and a BBA in International Business, both from the University of North Florida. For more information, visit


Federal court upholds FTC’s authority to penalize lax cyber security measures protecting personal information and credit card numbers

The Federal Trade Commission has taken new assertive action to protect consumer data privacy interests, this time relating to breaches of payment card information and other consumer personal information at Wyndham Worldwide, a company that owns and manages hotels.

Just recently, the FTC settled charges against Accretive Health relating to inadequate data security protections that resulted in the theft of patient records. This settlement is on top of the charges filed by the Minnesota State Attorney General against the Business Associate that resulted in the company being banned from doing business in Minnesota for six years, reminding businesses that data breaches may incur actions from a variety of state and federal authorities.

Most recently, a United States District Court in New Jersey upheld the FTC’s authority to penalize Wyndham Hotels and Resorts for “failure to maintain reasonable and appropriate data security for consumers’ sensitive personal information.” In this case, failure to implement reasonable data safeguards resulted in multiple data breaches of consumer payment card information as well as personal information including addresses, social security numbers, and other identifying data.

Wyndham’s “failure to implement reasonable and appropriate security measures exposed consumers’ personal information to unauthorized access, collection, and use.”

Results of the poor data security safeguards included:

  • three separate data breaches.
  • the exposure of over 619,000 consumer credit card numbers to a Russian domain.
  • fraudulent credit card charges on many consumers’ accounts and over $10.6 million in fraud loss.

The injuries to both businesses and consumers included unreimbursed fraudulent charges, costs of remediation, reduced or eliminated funds or credit, and significant time and money to investigate and resolve fraudulent charges.

The District Court decision raises the question of what businesses are outside the reach of the FTC, and the answer seems to be: very few. Actions by the FTC should serve to put all businesses that come into contact with sensitive consumer information on notice that protecting sensitive information is not optional, addressable, or low priority. Data protection of health, payment, and personal consumer information is becoming both paramount and complex in a landscape where cyber criminals are ever more sophisticated at accessing and benefiting from sensitive personal information.

Appropriate data safeguards are not limited to technical security protections like cloud encryption, anti-virus, intrusion protection and detection, and daily review of log files. Data security must also include physical security safeguards to restrict access to sensitive information and administrative safeguards that include thorough and frequent training for all employees on their responsibilities and what to watch for.

For more information, register for our webinar about the impact of FTC authority with our guest Tatiana Melnik, IT privacy and security attorney.

Guest: Tatiana Melnik, IT privacy & security attorney

Webinar: Is the FTC Coming After Your Company Next? Court Confirms that the FTC Has Authority to Punish Companies for Poor Cyber Security Practices

Businesses that collect or use consumer information – including social security or credit card numbers, protected health information, and other sensitive data – are responsible for implementing cyber security measures to safeguard it and live up to the promises made. Those who fail to protect personal information are subject to actions from both state and federal authorities as well as lawsuits from individuals. Most recently, the FTC, with its broad authority to pursue action against any business engaging in interstate commerce, is stepping up its investigation and enforcement activities in 2014 across many industries including healthcare, hospitality, and mobile applications. What does this enforcement environment mean for businesses that are increasingly handling personal digital information in terms of liabilities and information assurance strategies?

Join us at 2 p.m. ET on Tuesday, April 29 with IT privacy and security attorney Tatiana Melnik to learn more and get your questions answered.

Related whitepapers:
Encrypting Sensitive Information in the Cloud
Protecting Data in Mobile Apps
PCI Compliant Hosting
HIPAA Compliant Hosting

Related webinars:
Why is it so hard to secure a company?
Encryption – Perspective on Privacy, Security, and Compliance
Security and Privacy Concerns with Patient Portals



Online Tech one of CIOReview magazine’s 20 Most Promising Enterprise Security Companies

Online Tech was named to CIOReview magazine’s list of the 20 Most Promising Enterprise Security Companies released in its April issue.

The magazine reports the purpose of compiling the list is “to help CIOs navigate and find the right enterprise security solution providers” by presenting 20 companies that “have achieved significant momentum and will rise above the rest.”

The 20 businesses were picked by a panel of CIOs, CEOs, analysts and the CIOReview editorial board.

From the magazine’s profile of Online Tech:

“Our legacy of audits and compliance is part of Online Tech’s culture, not a checkbox. Some companies cringe at the sight of auditors. We view it as a win-win partnership, and we benefit from getting an experienced set of independent eyes on our organization. We’ve worked hand-in-hand to establish a ‘super-audit’ across the entire company that meets SOX, PCI, HIPAA, and Safe Harbor standards,” says Mike Klein, Co-CEO, Online Tech. The company protects its clients’ data and interests with comprehensive technical, physical, and administrative safeguards to ensure the secure handling of mission critical data and applications. A complement of enterprise backup and recovery services rounds out the protection of their clients’ critical IT infrastructure and systems.

See the entire list of the 20 Most Promising Enterprise Security Companies and the Online Tech profile.


BYOD continues to grow, continues to be a security concern

More and more healthcare organizations are allowing employees to connect their own mobile devices to their network, but more than half are not confident those devices are secure.

According to the Ponemon Institute’s fourth annual Benchmark Study on Patient Privacy and Data Security, usage of Bring Your Own Device (BYOD) programs continues to rise despite concerns about employee negligence and the use of insecure mobile devices.

According to the study:

“…88 percent of organizations permit employees and medical staff to use their own mobile devices such as smart phones or tablets to connect to their organization’s networks or enterprise systems such as email. Similar to last year, more than half of organizations are not confident that the personally-owned mobile devices or BYOD are secure.”

With that, it seemed like a good time to revisit a summary of a BYOD-centered webinar hosted by Online Tech last November. Co-presented from technical and legal perspectives, Online Tech’s Steve Aiello discussed the best technical practices for implementing an effective BYOD strategy and attorney Tatiana Melnik provided an overview of the legal and regulatory framework of the process. (View a video replay and the presentation slides.)

The gist: If you’re going to allow employees to use their own devices at work, you must implement a BYOD policy to protect sensitive data, keep senior management out of legal hot water and protect the organization from fines associated with data breaches.


Cloud security concerns persist in healthcare field, here’s why data is more secure with cloud hosting provider

When the Ponemon Institute’s fourth annual Benchmark Study on Patient Privacy & Data Security was released earlier this month, it stated that use of cloud services is the second-highest security risk concern for healthcare organizations.

Employee negligence was the runaway winner in that category, mentioned by 75 percent of leaders interviewed for the study. Cloud services (41 percent) was bunched in a tight race for second-place with mobile device insecurity (40 percent) and cyber attackers (39 percent).

According to the report:

“… healthcare organizations view the use of public cloud services as a serious threat. In fact, only one-third are very confident or confident that information in a public cloud environment is secure. Despite the risk, 40 percent of organizations say they use the cloud heavily, an increase from 32 percent last year. The applications or services most used are backup and storage, file-sharing applications, business applications and document sharing and collaboration.”

Online Tech, of course, has built its reputation on protecting data and mission critical applications to ensure they are always available, secure, and comply with government and industry regulations. We have independent HIPAA, PCI, SOC 2 and Safe Harbor audits to back those claims.

When you spend $1 million to build the new architecture of your next-generation encrypted, enterprise-class cloud infrastructure, you differentiate yourself with a focus on security, compliance and mission critical applications.

Recently, Online Tech Senior Product Architect Steve Aiello dispelled the myth that data is less secure in a well-run data center or in a cloud environment. “I would say that is not only 100% false, but probably the opposite of the truth,” he said. In a video series entry, he counters that data is actually more secure with a cloud hosting provider.

He asks: Does your office have the appropriate level of physical security in place, including …

  • Biometric authentication – key fobs, PINs and fingerprint readers for access to your servers
  • Solid, reinforced concrete walls
  • Heat and fire suppression sensors
  • Additional locks on cabinets
  • Visitor logs


He asks: Does your limited technical staff have the ability and expertise to …

  • Ensure your patches are up to date
  • Run enterprise antivirus, anti-malware and file integrity monitoring solutions together with an IDS/IPS solution
  • Maintain fully redundant, high-availability firewalls
  • Implement encryption in storage arrays
  • Harden operating systems
  • Alert in case of anomalies
  • Set up web application firewalls
  • Set up and configure highly mobile VPNs in a cost-effective manner

Comparing the services of cloud service providers to the man-hours and hardware required for an in-house solution, a cloud hosting provider offers more value and expertise at lower costs.


Metro Detroit has ‘become a leader among the nation’s technology economies’

The automotive capital of the world has “quietly become a leader among the nation’s technology economies,” says Automation Alley’s 2014 Technology Industry Report, released today.

According to media reports, the study shows Metro Detroit tech industry employment is up 15 percent (approximately 30,000 jobs) compared to last year, making it the largest tech hub in the Midwest. The growth rate significantly eclipses more traditional technology regions like Silicon Valley, which lost 4 percent (approximately 10,000 jobs) of its employment base.

Online Tech’s Metro Detroit data center.

The study also shows schools in Metro Detroit graduated more science, technology, engineering, mathematics and computer science students than Silicon Valley.

Online Tech contributed 15 jobs to the Detroit-area technology boom when it announced the opening of its new, world-class Metro Detroit data center facility in Westland. A $10 million investment into the infrastructure of the building will “provide the critical IT infrastructure and services that growing Michigan companies need to sustain growth and credibility in the next few years,” Online Tech co-CEO Mike Klein said in a press release announcing the center.

“Metro Detroit is a perfect location for expansion with a healthy enterprise market of Fortune 500 companies and a fast-growing community of startups in the healthcare, financial and retail industries,” Klein added.

According to the study’s definition, the Detroit region includes Genesee, Livingston, Macomb, Monroe, Oakland, St. Clair, Washtenaw and Wayne counties — placing all four of Online Tech’s Michigan data centers and its company headquarters in the mix.

The new Westland location is in Wayne County while the company’s headquarters and two additional data centers are located in Ann Arbor, in Washtenaw County. The Mid-Michigan data center is located in Flint Township, in Genesee County.

Automation Alley will release complete details of the study on its website later today.

Check out our current employment opportunities on our careers page.


Detroit News: Study cites Metro Detroit as high-tech hotbed

Crain’s Detroit Business: Detroit shows high-tech promise: More STEM grads, jobs than in Silicon Valley, Automation Alley report says


Disaster recovery: Steps in a business continuity plan

Note: The following article is part of a shared content agreement between Online Tech and InfoSec Institute. (View original post.) For more information on IT disaster recovery, download our disaster recovery white paper or check out our case studies.


A business continuity plan consists of a few steps:

Business Impact Analysis (BIA)
This involves determining the operational and financial impact of a potential disaster or disruption, including loss of sales, credibility, compliance fines, legal fees, PR management, etc.

It also includes measuring the amount of financial/operational damage depending on the time of the year. A risk assessment should be conducted as part of the BIA to determine what kinds of assets are actually at risk (including people, property, critical infrastructure, IT systems, etc.) as well as the probability and significance of possible hazards, including natural disasters, fires, mechanical problems, supply failure, cyber attacks, etc.

Mapping out your business model and determining where the interdependencies lie between the different departments and vendors within your company is also part of the BIA. The larger the organization, the more challenging it will be to develop a successful business continuity and disaster recovery plan. Sometimes organizational restructuring and business process or workflow realignment is necessary not only to create a business continuity/disaster recovery plan, but also to maximize and drive operational efficiency.


Ponemon Institute: Cyber attacks up dramatically, overall breaches down slightly at healthcare organizations

Criminal attacks on healthcare systems have risen 100 percent over the past four years, according to the Ponemon Institute’s fourth annual Benchmark Study on Patient Privacy and Data Security.

When the Traverse City, Mich.-based institute first conducted the study in 2010, 20 percent of senior employees at healthcare organizations across the country reported attacks on sensitive data. That number rose to 40 percent in 2014.

Despite the uptick in cyber attacks, the report indicates that the total number of data breaches declined slightly from previous years and the average economic impact of breaches dropped 17 percent.

Not surprisingly, 75 percent of organizations reported employee negligence is their greatest breach threat and that healthcare organizations continue to struggle to comply with increasingly complex federal and state privacy and security regulations.

Primary causes of breaches were lost or stolen devices (49 percent), employee mistakes or unintentional actions (46 percent) and third-party errors (41 percent).

“The combination of insider-outsider threats presents a multi-level challenge, and healthcare organizations are lacking the resources to address this reality,” said Dr. Larry Ponemon, chairman and founder of the Ponemon Institute. “Employee negligence, such as a lost laptop, continues to be at the root of most data breaches in this study. However, the latest trend we are seeing is the uptick in criminal attacks on hospitals, which have increased a staggering 100 percent since the first study four years ago.”

See the full study here.


Online Tech on CRN’s Hosting Service Provider 100 list for secure enterprise cloud, colocation

Here we go patting ourselves on the back again, but we can’t help it. Media outlets keep handing us awards!

Most recently, CRN named Online Tech one of its MSP Hosting Service Provider 100. (Read full press release.) These 100 companies are a subset of CRN’s Managed Service Provider 500 list, which it hails as “the top technology providers and consultants in North America whose forward-thinking approach to providing managed services is changing the landscape of the IT channel.”

The MSP Hosting Service Provider 100 are the best owners and operators of data centers that provide a wide array of subscription-based outsourced services.

“It’s quite an honor to be recognized as a leader among quite a celebrated list of peers in the managed hosting business, which includes colocation and cloud computing leaders in the market,” said Online Tech co-CEO Mike Klein.

Online Tech was selected for its secure, compliant, enterprise cloud and colocation services.

While it’s an honor to be part of the top 100 data center operators in North America, Online Tech differentiates itself from others on the list through our focus on security, compliance and mission critical applications. We are a trusted partner of companies in healthcare, financial services, retail and other industries that require secure and compliant hosting to adhere to strict regulations.

“Our secure, compliant cloud and colocation services are unique in the industry, enabling clients to solve very challenging compliance and security issues that many other cloud providers do not have the technology and expertise to solve,” Klein said.

Along with the MSP Hosting Service Provider 100, the complete MSP 500 list is made up of the MSP Pioneer 250 (managed services focused on the small- and midsize-business market) and the MSP Elite 150 (large data center-focused solution providers).


After Target breach: CIOs under more scrutiny, getting more support

When Target’s Beth Jacob resigned in the aftermath of the company’s holiday season data breach that affected up to 110 million customers, it put the role of CIOs in a spotlight of scrutiny. But the ramifications of Target’s problems – which include $17 million in breach-related expenses and a significant blow to the retail giant’s reputation – could also help technology executives get the funds and manpower required to battle cyber attacks.

Target, which said the resignation was Jacob’s decision, announced it will hire a chief information security officer and a chief compliance officer as part of its “overhaul of our information security and compliance structure and practices at Target.”

A recent Associated Press story discussed how the role of CIOs has gone from behind-the-scenes to high-profile with the rise of cybercrime. CIOs told the news organization the fallout at Target has resulted in a mix of additional scrutiny and support:

For a host of companies, the Target breach was a pivotal event that permanently altered the way they approach data security. Many CIOs say they’re receiving more support, but they say the trade-off is that they’re facing increased scrutiny from their CEOs and other executives. If their fortress walls fall to hackers, their jobs will be on the line.

And, later in the story:

Tim Scannell, director of strategic content for the CIO Executive Council, a professional trade group, says companies have come to realize the importance of security. The result: boosted budgets and staffing increases. According to a recent CIO Executive Council survey, computer security professionals say they expect an average increase of 8 percent in their budgets this year.

“I think CIOs are getting more respect,” Scannell says. “They’re winning a seat at the table. But along with that, we have a heightened security risk, so they’re under pressure to do something about it.”

Of course, Target has the ability to hire new high-level security leaders and invest in security systems. If that’s not in your organization’s budget, outsourcing to a secure and compliant IT partner can allow you to take advantage of their investments and save on resources and personnel costs.

Online Tech’s PCI compliant hosting options offer a full arsenal of security services for a layered-defense approach to ensuring data is protected.

Wall Street Journal: Target CIO Takes the Fall

CNN: Target replaces officials in security overhaul

Associated Press: Target exec’s departure puts spotlight on CIOs
