Most experts predict that 2011 will bring a significant increase in regulatory proceedings and fines against companies that suffer privacy breaches. The mushrooming number of privacy-related laws at the federal, state, local and foreign levels provides fertile ground for investigations and enforcement actions. Potential enforcers include the federal Department of Health and Human Services, the FTC, the SEC, FINRA, State Attorneys General, the EU, and others.
The July 2010 settlement by Health Net of a HIPAA enforcement action by the Connecticut Attorney General provides a window to the potential near-term future. In settlement of an action resulting from its loss of a portable hard drive containing unencrypted patient records, Health Net paid a $250,000 fine, agreed to an additional contingent payment of up to $500,000, agreed to take several corrective steps – and spent more than $7,000,000 Read more…
A report issued by Panda Security describes how the cyber theft marketplace is adapting to economic circumstances. Among other things, the report belies any notion that cyber crime is dominated by small, disconnected actors haphazardly hacking into randomly chosen troves of electronic information. It is big business, driven by profit-maximizing business operators who continually adapt to the shifting economy and the laws of supply and demand. The Panda Security report makes interesting, and sobering, reading.
The report makes clear that cyber thieves are diversifying their business to offer a range of services and information to different audiences. Basic credit card information, for example, can be bought relatively cheaply for as little as $2 per card, while credit cards with guaranteed lines of credit can cost the buyer as much as $80 per card. The cyber theft market offers bulk discounts and special deals, is subject to pricing wars, and is broadening the range of “goods and services” offered. The menu for buyers of confidential information is a la carte. Read more…
In many data security circles, the word “encryption” will bring a glow of peaceful serenity. Encrypting data is one of the best ways to protect it from prying eyes and is recommended by almost all experts and required by many laws and regulations. But it is not always enough. A recent incident illustrates how human error can foil even the best data security methods.
Rainbow Hospice and Palliative Care in Illinois had duly encrypted its laptops in accordance with best-practice recommendations and many jurisdictions’ legal requirements. The laptop at issue contained personal medical and financial information about nearly 1,000 patients. Encryption was activated whenever the computer was shut off or its lid was closed, and two passwords were required for access to the confidential data. So far, so good. Read more…
The lead story in the Wall Street Journal today reports Facebook in Privacy Breach. The article describes how several of the applications available on Facebook transmit identifying information to Internet tracking and advertising companies. The breach affects millions of users. An especially resonant sentence in the article notes that “The practice breaks Facebook’s rules, and renews questions about its ability to keep identifiable information about its users’ activities secure.”
A casual reader of the article might understandably think that the Facebook breach has little relevance to the risks that most companies confront in the collection and handling of confidential information. While it is true that most companies don’t have 500 million customers or embed third-party applications in their websites, several important aspects of Facebook’s seemingly sui generis situation have analogues for almost all companies.
Some important questions raised by the Facebook matter could also arise for any other company that collects confidential personal information. Read more…
Earlier this week, the Wall Street Journal reported on a rash of new lawsuits filed in the U.S. District Court for the Central District of California over “cookies”, the ubiquitous markers of our online activity. The lawsuits claim that, despite earlier rulings allowing websites to place these small text files on users’ computers, newer versions of the technology enable online tracking that violates privacy and data security standards. The lawsuits, which seek class action status, accuse companies of violating the Computer Fraud and Abuse Act and similar laws. The suits name Cable News Network (CNN), Travel Channel and other large media organizations as defendants. Read more…
On August 13, 2010, the front page of The Boston Globe reported that four Massachusetts hospitals are investigating how the unshredded health records of thousands of patients ended up at a public dump. At least some of the records contain sensitive medical information and Social Security numbers. The situation highlights the difficulties that organizations – and healthcare organizations in particular – face in protecting confidential patient or other personal information when many different people have access to such information in the normal performance of their duties. Read more…
On August 4, 2010, it was reported that officials in the town of Hingham, Massachusetts would be notifying approximately 1,300 individuals whose names and Social Security Numbers were mistakenly sent to about 30 town officials. Hingham officials indicated that they were notifying the state attorney general’s office and the Office of Consumer Affairs and Business Regulation of the breach in accordance with Massachusetts law.
A town official had emailed a document containing the personally identifiable information to about 30 department heads. When the official was notified that the document contained confidential personal information, he recalled the email, which had been sent to accounts maintained on the town’s protected server. The official said that about half of the emails had been successfully retrieved and destroyed before the recipients had opened them and seen the personal information. Read more…
Another front in the battle over data security and privacy broke out this week when the United Arab Emirates (UAE) announced its intention to shut down mobile services over BlackBerry smart phones made by Research in Motion (RIM). The UAE, concerned about security and looking for ways to intercept illegal and terrorist activity, threatened to shut down the popular email and text messaging services because RIM encrypts those communications. Other governments are seeking similar control over, and access to, data.
Should RIM and other service providers agree to government access to data, however, they expose themselves to increased litigation from customers and third parties. Foreign government access to data may also be misused for profit by rogue elements within governments. Insurers in the nascent data security and privacy field still have few ways to quantify such risks. Nonetheless, insurance coverage for these types of risks to telecom and data providers is available, with some limitations.

Health Net’s recent settlement with the Connecticut Attorney General shines a light on some of the noteworthy costs and risks of data breaches. It’s a sobering view.
In early July 2010, Health Net settled allegations by the Connecticut Attorney General that Health Net had violated its obligations under the HIPAA privacy and security rules. The settlement capped the first enforcement action by a state Attorney General for HIPAA violations since such state enforcement was authorized by the Health Information Technology for Economic and Clinical Health (HITECH) Act. Read more…
Hospital officials announced yesterday that computer files from South Shore Hospital in Weymouth, MA containing personal information for 800,000 individuals (patients, employees, doctors, volunteers, donors, vendors and business partners) may have been lost when they were shipped to a contractor to be destroyed. The notice posted to the hospital’s website gives careful readers insight into the potential financial and insurance coverage risks that even the most careful organizations can face in connection with the compromise of confidential information. Read more…