Archive for March, 2006

Study supports the need for a good, ethical privacy program

Friday, March 10th, 2006

Today’s report about the recent privacy survey jointly done by Carlson Marketing Canada and Ponemon Institute supports what most privacy proponents have been saying…that a good, strong, ethical privacy program will have a positive business impact.  It is nice to have some formal studies to provide to business leaders to support the theory and make it more likely to become an accepted leading business practice. 

Especially supportive of good compliance and privacy programs is the finding that companies who took a more personal touch, notifying individuals impacted by breaches directly by phone instead of postal mail and email, had less of a negative business impact than other businesses that took the easiest, least expensive means of notification contact.  I would imagine that this would also mean that the businesses who spent more time and resources on person-to-person phone contacts for the notifications actually saved more by less lost business…but then, that would probably take another study to verify, wouldn’t it?  🙂

Ethics, and clear personal concern for impacted individuals, should be an important component of any privacy and compliance program; your customers will recognize these characteristics.  You don’t want to be perceived as a privacy and ethics Grinch.

Wonder how often this type of laptop loss occurs?

Wednesday, March 8th, 2006

Okay, I don’t mean to be beating a dead horse, but I find these lost and stolen laptop instances increasingly interesting…

An interesting blurb on the BYU News Net today.

"A Hewlett-Packard laptop computer belonging to a Helaman Halls resident went missing in a delivery mix up March 2. UPS delivered the package to the Helaman Halls front desk; the package, however, bore the name of the student’s father. When front desk employees couldn’t find the name in their computer system, they returned the package to the UPS employee. UPS now cannot locate the laptop, police said."

Odd that this was classified by the police as a theft.  How often do you suppose laptops get lost in similar ways?  What kind of information is on them?  Who ends up seeing it?

More patient information compromised from yet two more laptop thefts…and news of two other laptops stolen in 2005

Tuesday, March 7th, 2006

"Fool me once, shame on you…fool me twice, shame on me…"

The same organization, Providence Health System, who had a laptop containing patient information stolen from an employee’s car in January (see my January 27 blog posting) has experienced laptop thefts not just once more, but twice more…each from cars AGAIN!   "The stolen laptops were being used by home care and hospice nurses to chart records on the patients they visit each day."  On February 27 and March 3 laptops were stolen from the cars of the home care nurses; one as the worker ran into a store quickly and left the laptop in the car, and the other laptop was stolen from the worker’s car while the worker was visiting a home patient.

I wrote about the unwise practice of using Lexus laptop lockers in the March Computer Security Institute Alert newsletter.

"Many patients are backing a class-action lawsuit against Providence. So far, none of the stolen records appears to have been exploited by criminals."  Smart thieves will likely wait to do much obvious mischief with the stolen information.  There is also the possibility that the information is being used in unsavory ways that won’t show up in a credit monitoring report…privacy is about more than just identity theft.  And, of course, perhaps the thieves will sell the laptops on eBay to make a little extra pocket money…hmm…something to keep an eye out for.

Two laptops containing clear text patient information were also stolen from Providence last year; the company indicates they are taking a "deeper" look at those thefts.

After the January incident involving information about 365,000 patients, Providence indicated they had paid up to $9 million for credit monitoring…after pressure from the impacted individuals.

"Since the thefts…the company has begun adding encryption to home-care practitioners’ laptops to lock out unauthorized users."  This was done after the thefts this week.

I’m sure the encryption solution cost much less than $9 million. 

With all these reported incidents of stolen laptops, thieves are probably on the lookout more than ever for vulnerable laptops and other mobile computing devices.  I hope this is a bellwether for companies to start encrypting data on these devices as a matter of standard business practice and due care.

Another stolen laptop

Monday, March 6th, 2006

I am becoming more and more drawn to stolen laptop stories much as a moth is drawn to a flame…hopefully this will result in enlightenment as opposed to burn, however!  🙂  Another story about a stolen laptop, a Boca drug salesman’s laptop is stolen.  What’s interesting about this is that the theft victim was a consultant for Procter & Gamble, but the report only mentioned the value of the hardware, and not what types of files were contained on the laptop.  Wonder what kind of personal information, if any, was on the laptop?

More Health Information Found on Tapes Sold to Get a Return on Investment

Sunday, March 5th, 2006

Another story was reported yesterday in the Vancouver Sun about confidential information being found on tapes the British Columbia government sold.  I’m not too surprised considering most organizations do not encrypt personal, or any, information on removable storage media, such as tapes, CDs, USB drives, and so on.  I’ve done many outsourced vendor security reviews, and I was initially surprised to see that some of them actually have within their security policies the directive to sell mobile storage media when no longer needed to try and recoup some of the investment made in it.  I’ve seen policies go into great detail about how to sell the media, on eBay and in other venues, but completely omit any mention of removing the data first.

Breach Notification and Encryption

Friday, March 3rd, 2006

I read a story from yesterday’s Computerworld, "Breach notification laws: When should companies tell all? Privacy experts, lawyers differ on whether more laws would help" with great interest, concern, and puzzlement at a point.  I realize that sometimes reporters twist words and put quotes into a different context to make the story more interesting.  However, there is one quote I want to pull from the article.

  • “Breaches should not be tied to the potential criminal use of the information,” said Christopher Pierson, a lawyer with Lewis & Rocca LLP in Phoenix. “I find it highly unlikely that IT professionals, company officials or lawyers would be able to examine the intent of a criminal that has yet to be identified.”

Does this logic apply to someone stealing my credit card also?  So, if someone takes my credit card, should the credit card company wait until the intent of the criminal has been identified before cancelling my card?  The main difference is that my stolen credit card is a small-scale incident; it impacts only me.  So, if the incident involves stealing thousands or millions of credit cards in a database then the intent of the criminal must first be determined?

Of course you cannot know the intent of criminals before they commit crimes.  But when computer breaches occur, the potential impact must be examined.  If someone purposefully broke into a system, it is likely they did not do it to debug the application code or to apply a more recent security patch.  Computer crime is growing.  Many studies, such as the CERT/Secret Service Insider Threat Study, show that there is growing criminal intent involved with computer-related incidents.

So…unless there is irrefutable evidence that someone has mucked around with and fraudulently used all the personal information that has been stolen, or found on lost storage media, or inappropriately accessed by fraudsters, we should not worry about the potential for criminal use of information that is lost, stolen, or misused by those with access to it?  I guess in the CardSystems Solutions incident last year where a network intruder stole information on 40 million people, "and according to the FTC, the security breach resulted in millions of dollars in fraudulent purchases" wasn’t anything to worry about until the fraud occurred?  I’m sure all the people who are now dealing with identity theft, identity fraud and ruined credit histories got warm fuzzies reading his opinion.

  • "Similarly, requiring even companies that encrypt their data to disclose breaches, as some states mandate, is overkill, according to Herath."

While it would take some examination of the breach notification laws involved, I generally agree with this statement.  Encryption is one of the most effective security tools available to protect the confidentiality of and access to data.  New encryption solutions have made it easier to use and manage, and more economical, than ever before.  If strong encryption is used (and this could be part of the regulatory verbiage and easily verified by organizations when breaches occur), then why would notification, or the same level or type of notification, be necessary?

I agree that over-notifications should be avoided, but that comes from crafting thoughtful laws and identifying what those key notification triggers should be.  Over-notification definitely could have a negative impact.  But let’s get some information security and privacy experts speaking with the lawmakers to help them understand the issues and write good legislation.

There is so much more to discuss about this…

HIPAA Violations

Thursday, March 2nd, 2006

One of the activities I want to start doing is to maintain a listing of publicized HIPAA breaches, fines, judgments, potential violations, etc.  I have found many sites listing privacy breaches, but I have not been able to find a site with a listing of just HIPAA related incidents.  I’ve contacted CMS and OCR about this, and they do not have such public listings.  I was reminded of my plan to do this when reading an interesting story today about the CDC collecting medical and education records from a school district about a child with autism without seeking to obtain the parents’ consent.  Reportedly the CDC did similar actions last year.  Note that this is also a possible violation of the Family Educational Rights and Privacy Act (FERPA).

I will post other HIPAA-related incidents as I find them and dig up those from the past that I recall.

Computer Viruses Getting Biologic Characteristics

Wednesday, March 1st, 2006

Stories such as the one in Network World about how a new type of proof-of-concept computer virus can pass from a PC to a mobile computer device and delete files are very interesting.  The anti-virus vendors seem skeptical.  This is semi-deja vu.  A few years ago when the use of mobile computing devices was still in its infancy I read an article in which one of the anti-virus vendors, I thought it was McAfee, said someday it would be possible to get a computer virus just by walking past an infected wireless computer or smartphone with your wireless computing device.  I spent too long googling to try and find this article tonight…exasperating!  If any of you find it, please let me know! 

However, it seems like this possibility has been discussed for a few years now, and it appears that someday all computing devices will be wireless, and thus capable of communicating easily with each other, via one route or another, won’t they?  The use of wireless in business is increasing daily.  A 2005 study reported 93.5% of responding companies used wireless somewhere within their organization, and 48% of the employees had access to use wireless technology.

I’m certainly not a computer virus guru, but based upon programming and wireless concepts, the threat of these kinds of virtual airborne viruses makes sense.  I would be interested in seeing how many viruses that exist today started out as "proof of concept" viruses…basically didn’t they all?   Seems that the potential for this new concept virus called Crossover is being downplayed by the anti-virus software vendors who cannot get their hands on the code from MARA.
