The loss of backup tapes (that were not protected with encryption software such as AlertBoot) eventually led to a class action suit against TRICARE. With 4.9 million people affected, it was one of the biggest suits ever (at $1,000 per person, it is asking for $4.9 billion).
Now, SAIC, the company that actually lost the tapes, is also being sued.
Honestly, I'm not surprised. First of all, there is the fact that SAIC is the origin of the breach. TRICARE was just left holding the bag, which, under certain laws (such as HIPAA), it is required to do: the covered entity answers for data lost by its contractor, and the breach notification duty lands on it.
Second, SAIC called the transportation of data in employees' cars "routine." As I noted in this blog post:
On the other hand, sometimes you're just asking for it. As the Congressional letter notes:
The notification [from SAIC to patients impacted by the breach] goes on to explain that the use of these backup tapes and the method of transporting them are "routine procedure" for the company. According to reports, the tapes were left in the vehicle for most of the day and included specific information regarding patient diagnoses and treatment.
Hey, if that's routine...well, that pretty much ends the discussion on whether the company thinks very highly of data security, doesn't it?
I didn't mention it then, but I figured that calling such a practice "routine" would be a point of controversy. People have sued for less, when actual protection was in place. Why wouldn't they do the same when no actual protection was in place?
They should have used encryption to protect the data. Of course, people have sued over the loss of encrypted data as well, but cryptographic protection would have meant less time spent in the courts: the protection derived from encryption is well proven, and it is reflected in many laws and regulations, which commonly exempt properly encrypted data from breach notification requirements. The one caveat a practitioner should keep in mind is that this safe harbor only holds if the encryption keys were not lost or stolen along with the tapes.
Related Articles and Sites:
http://www.sandiegoreader.com/weblogs/news-ticker/2011/dec/12/defense-contractor-sued-over-theft-of-personal-dat/