The differences throughout the world with which personally identifiable information (PII) privacy breaches are penalized is always interesting to me.
Today it was reported that the
“Tokyo University of Science has lost personal information on about 8,800 students and graduates, including their names, addresses and scores, university officials said Thursday.
A 56-year-old associate professor, who leads the alumni organization of the university’s pharmaceutical faculty, took an external hard disk containing the information out of the institution on the night of Feb. 24, according to officials.
While he was riding a train home, his bag containing the disk was stolen.
The university is set to take punitive measures against the associate professor. The officials said they have not confirmed if the information has been placed on any website. (Mainichi)”
With the concern indicated, it implies the PII was not encrypted.
In other incidents that have occurred in Japan the business leaders have faced significant personal penalties, such as having their salaries withheld for a period of time and even being fired.
Such penalties certainly would seem to motivate business leaders to take better care of PII.
The U.S. oversight and enforcement agencies, particularly the Department of Health and Human Services (HHS) who have yet to apply any penalties for HIPAA noncompliance, should start being more proactive and applying enforcement penalties; we could then see if this would motivate organizations to strengthen safeguards and have impact on slowing down PII breaches and incidents.
Tags: awareness and training, encryption, HHS, HIPAA, Information Security, IT compliance, policies and procedures, privacy, privacy breach