AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.


AlertBoot Endpoint Security


February 2017 - Posts

  • Australia Finally Gets A Data Breach Notification Law

    The Land Down Under is finally getting a data breach notification law. This should come as a surprise to many since (a) many would have assumed that Australia already has one and (b) it's 2017 – unless you're a war-ravaged country, chances are you have a breach notification law. Because that's how bad things are on the internet.

    And despite the country taking its time on formulating a notification law that it can live with, one has to wonder if they've thought things through.

    Applies to Entities Covered by the Privacy Act

    If you will, the new data breach notification law is an extension of Australia's Privacy Act, because the new legislation applies only to those entities that are governed by it. That is, persons – natural or legal – that are NOT:
    • Doing less than AUS $3 million in sales p.a.,
    • A political party,
    • Part of the government.

    If not one of the above, the new law applies to you.

    Now, the government excusing themselves from following the legal obligations they place on others is nothing new. Plenty of countries do it, although not all: in the UK, for example, the government also has to reveal their data security shortcomings, be it the National Health Service, members of the judiciary, etc.

    The USA has also done the same. The Veteran Affairs department is constantly embroiled in hacks and other breaches. Likewise, other US state and federal departments have gone public with data breaches.

    But then again, not all countries follow the same level of transparency. So, Australia can be excused if it feels like not leading by example. It will be in excellent company either way.  

    Turnover of $3 Million

    However, one has to take exception to not covering small businesses that make less than $3 million in a year. Hard-working, financially-pressed mom-and-pop stores should be given a break; anyone knows that, when hacked, doing right by a data breach law can be expensive and time-consuming. Even Fortune 500 companies have problems with it, and they have money and personnel to spare for such things. (Well, not really – but they easily find the money and personnel to take care of it).

    But, by excluding small businesses, there is the tacit implication that they couldn't be embroiled in a huge data breach, especially if they're not making much in the way of sales. What if you're a "successful" internet startup that's financing your venture on borrowed money? In that case, sales figures would be $0. Employee count could be less than twenty, which fits the definition of a small business. But your customer base is a gazillion.

    A breach of this business's customer database would be tremendous. (For example, Instagram had 13 employees when it was acquired by Facebook and, if memory serves, had zero dollars in sales because it was still funding itself via venture capital. Monetization didn't come until later).

    Under the circumstances, the Privacy Act would not apply to would-be Australian Instagrams (Instagrammers? Instagrammies?). Shouldn't an exception be made for such a small business?

    It seems like a clause that makes coverage depend on the number of people affected by the data breach should have been included (or kept) before the law was approved.


    Related Articles and Sites:
    http://www.zdnet.com/article/groundhog-lazarus-twice-dead-data-breach-notification-laws-re-enter-parliament/
    https://www.itnews.com.au/news/australia-finally-has-mandatory-data-breach-nofitication-450923
    https://www.itnews.com.au/news/what-does-data-breach-notification-mean-for-you-451025

  • Children's Medical Center of Dallas Pays $3.2 Million To Settle HIPAA Violations

    The Children's Medical Center of Dallas (Children's) recently settled with the US Department of Health and Human Services (HHS) over multiple failures to encrypt sensitive data on mobile devices. The settlement – $3.2 million – is quite the figure, as is the timeline involved: the investigation appears to have started as early as July 5, 2013, and a final resolution was not reached until February 1, 2017.

    Multiple Failures Over the Years

    As the HHS complaint shows, Children's had a number of data security breaches over the years:

    • Nov 2009 – loss of a BlackBerry. 3,800 individuals affected.
    • Dec 2010 – loss of an iPod. 22 individuals affected.
    • Apr 2013 – loss of a laptop. 2,462 individuals affected.

    But it's not the number of data breaches that Children's has had over the years that HHS takes exception to. Rather, it's the fact that Children's knew that they had a bomb ticking in their hands and didn't do anything to rectify the situation… even as the bombs blew up time and again over the years. The need for better security was brought to Children's attention numerous times:

    • Strategic Management Systems Gap Analysis and Assessment, February 2007.
    • PwC Analysis, August 2008.
    • Office of the Inspector General, September 2012.

    You'd imagine that a major hospital that has been advised to secure its devices (and, more specifically, the data on them) would do so as soon as possible. Instead, they waited until "at least April 9, 2013." Incidentally, that's a little after the HHS's final Omnibus Rule became effective, on March 26, 2013. As far as I can tell, Children's never had a problem after April 2013.

    Interim Rules are Rules, Too

    Data security has always mattered under HIPAA. That almost no one really paid attention to it for nearly twenty years just goes to show how important HITECH was in forcing hospitals, clinics, and other medical practices to take it seriously.

    What really made people sit up and take notice was the 2011 fine of Massachusetts General Hospital. MGH paid $1 million to settle with the HHS over paperwork left on the subway. It affected fewer than 200 patients. And while all of this took place well before the Final Rule came into effect, monetary penalties had quite recently made it into the Interim Rules. MGH served as a preview of things to come: the HHS meant business.

    And it worked. So many covered entities started looking into encryption and other data security technologies that it was like Christmas had come early for IT companies that specialized in the medical sector.

    I imagine that penalty was on the mind of Children's managers when they suddenly decided to start encrypting their data in 2013; the clock was ticking and they didn't exactly have a stellar record when it comes to not losing stuff. For their dallying, the hospital earned the fifth largest monetary penalty to date since HHS started fining people.

    Security Issues Still Going Strong

    If I were a betting man, I would say that Children's will have plenty of company going forward. Unencrypted electronic devices that store protected health information are still getting lost today. With so many options for safeguarding patient data, it boggles the mind that this is still an issue.  


    Related Articles and Sites:

    https://www.databreaches.net/childrens-medical-center-of-dallas-pays-3-2m-penalty-for-multiple-violations-of-security-rule/
    http://www.hipaasurvivalguide.com/hipaa-omnibus-rule.php
    https://www.hhs.gov/sites/default/files/childrens-notice-of-proposed-determination.pdf