Archive for the ‘Non-compliance Sanctions Examples’ Category

FTC Hands Down Another FTC Act Noncompliance Penalty For Bad Online Application Security

Friday, January 18th, 2008

Yesterday the U.S. Federal Trade Commission (FTC) handed down yet another penalty against an online retailer, Life is good, Inc., for not properly safeguarding their online ecommerce applications.
The FTC charged that the company was in violation of the FTC Act because it promised in its online privacy statement that it would safeguard customer data, yet a hacker “was able to use SQL injection attacks on Life is good’s Web site to access the credit card numbers, expiration dates, and security codes of thousands of consumers.”


E-Discovery Decision Demonstrates Need For Effective Retention Practices: A Great Case Study For E-Discovery Training

Monday, January 7th, 2008

I’m still catching up on December news…and I ran across a significant e-discovery ruling. The U.S. District Court for the Central District of California ruled December 13, 2007, that Justin Bunnell/ was guilty of “willful spoliation of evidence” violating the E-Discovery Rule in the suit Columbia Pictures, Inc. brought against them for copyright infringement.
Reading through the court records, it is really amazing how blatantly the defendant violated what seemed to be almost every e-discovery rule possible in this situation. They…


UK Imposes Record Fine of $2.54 Million Against Life Insurance Company For Poor Information Security & Privacy Practices

Sunday, December 30th, 2007

On December 17, 2007 the United Kingdom Financial Services Authority (FSA) fined Norwich Union Life £1.26 million ($2.54 million) for poor information security, privacy and anti-fraud mitigation systems and controls.


FTC Fines Mortgage Co. For Tossing PII Into Dumpster: FACTA/FCRA, GLBA, & FTC Act Violations

Wednesday, December 26th, 2007

On December 17 the U.S. Federal Trade Commission (FTC) fined and penalized American United Mortgage Company for throwing the personally identifiable information (PII) and financial information of its customers and consumers into an open, publicly-accessible dumpster.
Under the terms of the penalty, American United Mortgage Company must:


FTC Continues Active Compliance Enforcement: Applies $7.7 Million In Fines To 6 Do-Not-Call Violators

Saturday, November 10th, 2007

This week the FTC once again demonstrated that they aggressively enforce compliance with those regulations for which they have responsibility.
In their press release, “FTC Announces Law Enforcement Crackdown on Do Not Call Violators” they detail their recent actions against six organizations for non-compliance with the Do Not Call (DNC) registry requirements. The involved settlements totaled close to $7.7 million in civil penalties. In addition to the following, actions against Global Mortgage Funding are pending.
Here is an overview of the non-compliance activities and associated fines/penalties:


Trending Towards More Business Applied Employee Sanctions For Security Incidents

Monday, October 15th, 2007

I’ve been noticing lately more and more organizations sanctioning their employees for not following information security policies. I first blogged about it recently on September 24 about a hospital actively enforcing sanctions for HIPAA violations, then again on October 10 about another hospital sanctioning employees for noncompliance, then again on October 11, and then again just yesterday.


Sanctions For Ohio Breach: Lost Vacation Time, Terminations, and a “Resignation”

Sunday, October 14th, 2007

The Ohio Department of Administrative Services (DAS) has determined that the appropriate sanction for the Ohio Administrative Knowledge System (OAKS) ERP project system team leader, whose inadequate security practices resulted in the theft of an unencrypted backup tape containing the personally identifiable information (PII) of 1.3 million individuals, is the loss of 40 hours of vacation time.


HIPAA, The Insider Threat & Prison Time

Thursday, October 11th, 2007

It seems there are more and more stories related to patient privacy and HIPAA popping up lately. Today another story caught my eye related to them.


Another Hospital Suspends Staff For Violating HIPAA Requirements

Wednesday, October 10th, 2007

A couple of weeks ago I blogged about the Ivinson Memorial Hospital applying sanctions to their staff for violating HIPAA requirements.
They have set a good example…another hospital has also applied sanctions…suspending 27 of their staff members for violating HIPAA requirements.


A Hospital Actively Enforcing HIPAA Requirements!

Saturday, September 29th, 2007

It is great to see a story published about a hospital, actually any type of organization that is a covered entity (CE), that is actively and seriously trying to be in compliance with HIPAA requirements.