By Bill Tricarico
Director, Risk Management Services
Emergency Services Insurance Program
When you think of security at your Fire or EMS Stations, your thoughts usually encompass door locks, alarm and video systems, or secured drug or petty cash storage. But emergency service organizations also handle and store something with sometimes far greater value than material goods, information.
The theft of personal information has become as insidious as theft of property. Identity theft costs all of us millions of dollars each year and the holders of such information have a duty to prevent the misuse and loss of it.
Personnel files contain valuable information about members whether they are paid or volunteer. Names, addresses, dates of birth, license numbers, social security numbers and many other personal items, which would certainly be enough to fraudulently obtain credit cards or order goods on-line in that person’s name. This information may also be utilized to develop false identification which may be used in countless ways, most likely for illegal acts. Such identification theft can cause problems to its victims for years to come including ruined credit or false accusations of wrongdoing.
Dispatch centers may have information on location of handicapped persons who may easily become victims to a variety of crimes, medical information that is highly classified, or the location of keys or lock combination numbers for quick entry. In the wrong hands, this information may be quite dangerous.
As a result of these situations, a new look around the station may be in order. Personnel files should be securely locked and key distribution closely guarded. They should not be stored in a place with other files or information. Only people who need to utilize this specific information should be able to gain access to it and the number of people involved kept at an absolute minimum.
If the information is stored electronically, the computer should be set up so that only people with passwords have access to it. During periods of inactivity, the computer should automatically revert to a screensaver with a password necessary to get back into the area that was previously up. This will prevent anyone from accessing the information should an authorized person leave for an incident response or other reason without getting out of the program first. This is especially important for dispatch computer programs containing sensitive information as previously discussed.
Members with access to sensitive programs should be instructed not to use easily broken passwords such as their name, spouse, children or pet’s name, favorite sports team, or badge number. Such passwords are easily guessed by someone attempting to enter a program without permission. A recent survey indicated that four out of five people use such simple codes. In addition many use the popular “password” or “nothing.” Assigning passwords also seems to do little since many users tend to write them down on post-it notes stuck to the monitor. It should not be permissible to have the computer “remember” the password.
Back-up files should also be safely stowed and laptop computers securely stored to prevent theft of the entire system. In the wrong hands, the information on the laptop may be more valuable than the unit itself.
Recently a state worker in the Northeast was arrested and charged with pilfering identifying information about thousands of people and using it to steal at least $100,000 through fraudulent credit cards and computer purchases. She was a clerk-typist and obtained the information from documents which crossed her desk. This information was then alleged to have been sold to an identity-theft ring. Bogus credit card accounts were set up which were maxed out without payment.
In most such cases, ultimately, the credit card companies which issued the cards are liable for the bulk of the fraudulent transactions, but such thefts will cause misery for victims because they will have to reconstruct good credit records, a difficult task at best.
Recent federal legislation further enhances the importance of the privacy of medical records, including ambulance reports. This information is quite sensitive and such reports should not be left around for others to view. These reports should be dropped into a secured cabinet which may only be accessed by individuals with a need to do so. Not only would release of this type of sensitive information to the public expose your organization to litigation and embarrassment, but it would be a major disservice to the people you have helped.
Finally, be careful what you do with the trash. Many of the documents required to be kept by an emergency service organization need to be stored for set periods of time, but when they are ready for disposal, be certain that they are shredded or burned. Information on the computer is just as sensitive. When disposing of computer hardware, be certain to remove the hard drive and incinerate or pulverize it with a hammer. The same is true for software and backup drives. There are some commercial software programs which are intended to clean hard drives, however to be certain that sensitive information does not fall into the wrong hands, it may be best to simply destroy it.
Do the best you can to protect the security of your employees, members, and the public who puts their trust in you everyday. Whether your department is a big city career or a small rural volunteer, security has become a whole new ballgame.