in

This Blog

Syndication

Tags

News

AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

Archives

AlertBoot Endpoint Security

AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

February 2014 - Posts

  • HIPAA Encryption: Sometimes, It's Not HIPAA You Should Be Worried About

    When is the loss of sensitive information from a HIPAA covered entity not a HIPAA breach?  When it has been protected with encryption software like AlertBoot, since the use of encryption provides safe harbor.  But this is not the only scenario that fits the above description.

    The other scenario, as I covered in this story involving Kaiser Permanente, is when the missing sensitive information is not PHI, such as employee information.  Which is why Kaiser was able to notify the affected employees approximately six months after the HMO learned of the data breach, a far cry from HIPAA's 60 calendar-day limit, without running afoul of HIPAA.

    But, HIPAA is not the only regulation covered entities have to follow.

    AG Files Complaint: California Breach Notification Law Breached

    According to infolawgroup.com, the Attorney General of California has problems with the length of time it took for Kaiser to notify approximately 30,000 people.  California's data breach notification law maintains that a data breach disclosure must "be made in the most expedient time possible and without unreasonable delay."

    The problem with such a directive is, how do you define unreasonable?  The people over at infolawgroup.com have an answer for that:
    While California's law does not explicitly define "most expedient time possible and without unreasonable delay", California's Office of Privacy Protection recommends that notice be provided within ten (10) business days of an organization's determination that personal information was, or is reasonably believed to have been, acquired by an unauthorized person.
    Most states make an exception to local laws if they happen to overlap with federal laws (which is not surprising, seeing how federal laws always trump state laws).  So, it could be that Kaiser could have ignored the ten business day recommendation for the cold, hard deadline set by HIPAA.

    However, seeing how HIPAA did not apply to Kaiser on this particular breach, one wonders if they really had a choice.  Of course, strictly speaking, Kaiser didn't have to do anything within ten business days.  After all, it's not written in stone; it is a recommendation.  On the other hand, there are instances where you do stick to something regardless of whether it's law or not.  For example, if the AG leaves you a message to please call back regarding lost personal information, chances are that you will call back even if it's not required by law.

    The point is, if the organization that is in charge of data privacy issues is making a recommendation, chances are that you should follow it.  And if not, at least have a reasonable and valid reason why.  And, try not to veer to far from said recommendation.

    Nearly six months later, when ten days is recommended?  One assumes that will be problematic.

    Interesting Issues for Breach Notification in California

    In addition, infolawgroup.com has identified tolling and staggered notifications as "interesting issues for breach notification lawyers."

    Tolling, as far as I can tell, has something to do regarding the modification of the statute of limitations (generally extending it).  In other words, Kaiser may not be in as much trouble if they can show that they legitimately needed six months to contact people about the data breach.  In fact, based on the position that the AG has taken,
    one might reasonably conclude that the CA AG viewed the effort of obtaining the drive and the delay associated with that effort as not unreasonable delay [the hard drive's loss was determined in September 2011 and the drive was recovered in December 2011].    
    The AG, however, appears to have problems with the approximate two-month delay between when the hard drive was recovered and when people were notified, which brings us to staggered notifications.

    The implication is that, even if an organization doesn't have the complete picture, they should start contacting those who they know have been affected.  This assessment makes sense.  As I remarked in the original Kaiser breach post:
    HHS stuck to the 60 days, noting that the point behind breach notification letters is to let patients know of the breach and give them a chance to protect themselves.  The longer one takes to notify patients, the greater the chances that they will be notified after being victimized.  And what's the point in that?
    Related Articles and Sites:
    http://www.databreaches.net/california-attorney-general-files-lawsuit-based-on-late-breach-notification/
    http://www.infolawgroup.com/2014/01/articles/breach-notice/california-attorney-general-files-lawsuit-based-on-late-breach-notification/
     
  • Malaysia Full Disk Encryption: SMEs Are Told To Protect Client Data

    According to thesundaily.my, small and medium sized enterprises (SMEs) in Malaysia have reason to seriously start exploring the use of laptop encryption solutions like AlertBoot.

    SMEs specifically have been warned about keeping safe the information they collect from clients.  Malaysia has become the first ASEAN (Association of Southeast Asian Nations) member to pass data protection legislation.  The law went into effect on November 15, 2013 (less than 90 days ago), and companies have until February 15 to register with the Personal Data Protection Department (PDPD) as "data users".

    Penalties for Offenses

    Companies who commit an offense can be fined up to RM500,000 (approximately US$150,000) or face three years in jail.

    What kinds of offenses are included?  The article at thesundaily.my doesn't list them, but notes that sharing customer information with third parties, without the customers' consent, would be a breach of the data protection act.  

    I found it interesting that the article included the following quote:
    "Many SMEs in Malaysia have the wrong perception that they will be spared from cyber attacks, assuming that it would only happen to big corporations," Tan said.
    It was further revealed that 31% of companies targeted by hackers were SMEs with fewer than 250 employees.

    The above implication is that being attacked by hackers could also be categorized as a breach of the data protection act, leading to fines or jail time by the PDPD, as harsh as that may sound.  One assumes, however, that the PDPD has prosecutorial discretion over which SMEs to penalize, depending on the type of breach.

    For example, as global trends over the past couple of months have shown, stopping hackers is hard (one may say it's impossible.  Not that this means one shouldn't be trying – if you're not trying, you deserve to be penalized).  However, if a company exposes customer data because they lost a computer that was not protected with laptop encryption software, then that's not the fault of hackers, is it?

    In that particular case, the person that ought to be penalized, crucified, pilloried, and savaged is the SME that allowed such a data breach to take place.  After all, hackers had nothing to do with it.
    Related Articles and Sites:
    http://www.thesundaily.my/news/946127
     
More Posts « Previous page