Thursday, September 30, 2010

Are they sending a message or will everyone be subject to fines for slow compliance? (I hope it is the latter...)

Did the punishment fit the “crime?” (the Lucile Salter Packard Hospital breach fines)

By Dissent, September 29, 2010

Jason C. Gavejian writes about a hospital breach that is causing waves because of the exorbitant fine the state imposed.

Lucile Salter Packard Children’s Hospital at Stanford University was fined $250,000 earlier this year by the California Department of Public Health (“CDPH”) for an alleged delay in reporting a breach under California’s health information privacy law. What makes this fine particularly disconcerting for health care providers is the relatively small number of patient records which were subject to the breach when compared to the considerable fine imposed. [It's not how many patients were involved, it's your failure to protect your records! Bob] For employers generally, this fine could establish a timing and penalty standard which is examined and utilized by other administrative entities.

Personally, I think the significant issue/concern is not the number of patients affected (532) but the time issue. The hospital had confirmed that PHI were on the stolen computer by Feb. 1. Under California’s law, the state’s position is that the hospital had five (5) business days from that point to notify both the state and affected patients. The hospital, however, did not notify the state or affected patients until February 19 — after it confirmed that it could not recover the computer.

CDPH informed the hospital of the fine due to the reporting of the incident 11 days late on April 23, 2010. It is unclear if the fine was tied to a failure to notify the affected individuals or the CDPH. The hospital is appealing the fine asserting its communication to CDPH was appropriate given that no unauthorized or inappropriate access took place to require it to notify affected individuals.

As much as I empathize with the hospital, the statute does not appear to give them wiggle room on this:

A clinic, health facility, home health agency, or hospice to which subdivision (a) applies shall report any unlawful or unauthorized access to, or use or disclosure of, a patient’s medical information to the department no later than five business days after the unlawful or unauthorized access, use, or disclosure has been detected by the clinic, health facility, home health agency, or hospice.

Does stealing a computer provide “unlawful access” to the patients’ records? If so, it seems to me that the clock started running on Feb. 1. I understand the hospital’s view and I understand that the stolen computer had software that enabled the hospital to know that it had not been turned on, but there is nothing in the statute that would seemingly toll the deadline for that.

CDPH’s report can be found here (pdf).

This incident highlights the seriousness of potential data breaches, regardless of size, and the urgency with which these situations must be addressed. It also highlights an often asked question as to whether laptops that go unrecovered would constitute unauthorized access or acqisitiion (sic) of protected information.

I think the answer is obvious: if an entity loses control of a device that contains unsecured PHI, it may or may not have been acquired by someone, but if you know it was stolen, then it was acquired. Whether it will ever be accessed or not is another question, but entities need to err on the side of caution and assume the worst and notify promptly.

The HIPAA regulations also shed light on this issue, stating, “if a computer is lost or stolen, we do not consider it reasonable to delay breach notification based on the hope that the computer will be recovered.”

Agreed. Whether the fine should be this steep is another matter, though. I personally think it’s quite harsh.

Read Jason C. Gavejian’s full commentary without my interspersed remarks on Workplace Privacy Data Management & Security Report.

Now this is an interesting legal argument – even if it only applies to Napoleon.

Oui, Defamation Can be Automatic

September 30, 2010 by Dissent

Marie-Andrée - who unlike this blogger can actually speak French and is a lawyer to boot – provides a commentary and explanation of a recent French court ruling that Eric Schmidt was guilty of defamation because of Google Suggest results. She writes, in part:

The Court noted that “algorithms or software solutions proceed from the human mind before being implemented.” The court also doubted the purely automatic character of the search results, as results were not the same on “Google Suggest” and “Recherches Associées” (associated research), which is a list of suggested research made to users, based on their original search terms. Results were not the same on the Yahoo search engine either. Therefore, the Court expressed doubt about the technological neutrality of the results.

The Court also noted that “not all research terms entered by Internet users are taken into account by the Google search engine in order. One of Google’s exhibits in the September 2010 case was a statement by Google that “[it] appl[ies] a limited set of policies regarding removal of pornography, violence and hatred”, which, according to the French Court, “confirms the possibility of at least a retrospectively human intervention capable of preventing the most obvious damage related to the search features at stake.”

Read her full commentary on Online Reputation and the Law.

[The article concludes:

It seems that if Mr. Schmidt could have proven the neutrality of the algorithm, he could have won the case. However, in order to prove neutrality, it would have been necessary for Google to discard any voiced concerns of its users, and to avoid complying with their requests to suppress offensive terms. Probably not a good result for society.

Someone wants to slap Big Brother's wrist! (and Big Brother knows who he is and where he lives and works and what roads he takes to work and what medications he takes and... )

EU takes UK to court over internet privacy

September 30, 2010 by Dissent

The UKPA reports:

The European Commission is taking the UK to court for breaking EU rules on safeguarding internet privacy.

The move follows complaints to the Commission from British internet users that they have been targeted by advertisers based on an analysis of their “internet traffic”.

A Commission statement said it first launched legal proceedings in April last year amid concerns about how the UK authorities dealt with citizens’ concerns over the use of “behavioural advertising” by internet service providers.

The complaints were handled by the UK Information Commissioner’s Office, the UK personal data protection authority and police forces responsible for investigating cases of illegal interception of communications.


As Chris Williams of The Register tells it:

The European Commission is suing the UK government over authorities’ failure to take any action in response to BT’s secret trials of Phorm’s behavioural advertising technology.

The Commission alleges the UK is failing to meet its obligations under the Data Protection Directive and the ePrivacy Directive.

The action follows 18 months of letters back and forth between Whitehall and Brussels. The Commission demanded changes to UK law that have not been made, so it has today referred the case to the European Court of Justice in Luxembourg.

Read more in The Register.

California law protects drivers’ locational privacy

September 30, 2010 by Dissent

One of the bills Governor Schwarzenegger has signed into law is SB 1268, another privacy-centric bill by Democratic Sen. Joe Simitian. Under the new law, drivers who use FasTrak or other automatic systems to pay tolls for bridges and roads (like the EZPass system on the east coast) will now have their records protected. The state cannot sell or share the data, which would include the location of the car identified by the FasTrak, and the time it was used.

The bill also requires purging of the data [I think that's a first. Bob] if not needed for law enforcement purposes.

In a press release issued yesterday, Senator Simitian said

Less well-known is the fact that the FasTrak cards are read by traffic monitoring systems throughout the Bay Area and elsewhere in the state to measure traffic congestion. Cameras that photograph license plates are also used to ensure tollpayer compliance by all drivers, even those who choose to pay by cash rather than use FasTrak.

“The net result,” says Simitian, “is that relatively obscure transportation agencies have personal data and travel histories for well over a million Californians, with no real meaningful legal protection from misuse of or inappropriate access to the data.”

Senate Bill 1268 becomes law Jan. 1, 2011.

This seems to be the hot trend for law firms – law suits as extortion? Perhaps this will translate to Software Patent trolls as well?

EFF Sues Newspaper Chain’s Copyright Troll

Righthaven, the Las Vegas-based copyright troll, may have sued one website too many. The Electronic Frontier Foundation hit the company with a lawsuit Monday alleging Righthaven is abusing copyright law by suing for excerpting or posting newspaper articles without permission.

Law firm Righthaven was formed earlier this year for the sole purpose of suing for copyright infringement. So far, its main client, Stephens Media, has publicly authorized it to sue the operators of 145 internet sites on behalf of its flagship paper, the Las Vegas Review-Journal.

San Francisco’s EFF, which has been shopping for one of the cases to take, has agreed to defend user-generated Democratic Underground, a site that says it provides “political satire and commentary for Democrats.”

It’s also filed a countersuit claiming Monday that Righthaven is a “front and sham representative” of Stephens Media with a sole mission “to seek windfall recoveries of statutory damages and to exact nuisance settlements.”

Since Righthaven was formed this spring, it has settled about 20 percent of its lawsuits for a few thousand dollars each. Righthaven even demands forfeiture of a site’s domain, which likely fuels settlements from site owners who don’t have a lawyer or who conclude that legal fees would be more onerous than settling, said Kurt Opsahl, an EFF senior staff attorney.

Democratic Underground is being sued for a user of the site last month posting four paragraphs and a link to a 34-paragraph Review-Journal story on Sharron Angle, the Republican Nevada candidate for Senate entitled “Tea party fuels Angle.”

Opsahl claimed the site had a fair-use right to the four paragraphs. It was posted for discussion and commentary, not for commercial gain. The article, he said, is freely available on the Review Journal’s website, which encourages readers to share it via Facebook, Twitter, e-mail and by other means.

“We don’t think they should have filed this lawsuit in the first place,” Opsahl said.

At the very least, Righthaven should have requested that the site remove the disputed content, Opsahl said.

Interesting mash-up of maps and demographic information.

Revealed: The maps that show the racial breakdown of America’s biggest cities

Using information from the latest U.S. census results, the maps show the extent to which America has blended together the races in the nation’s 40 largest cities.

With one dot equalling 25 people, digital cartographer Eric Fischer then colour-coded them based on race, with whites represented by pink, blacks by blue, Hispanic by orange and Asians by green.

[All the maps are here:

Perhaps publishers shouldn't view the Kindle as a competitor?

In Study, Children Cite Appeal of Digital Reading

Many children want to read books on digital devices and would read for fun more frequently if they could obtain e-books. But even if they had that access, two-thirds of them would not want to give up their traditional print books.

… About 25 percent of the children surveyed said they had already read a book on a digital device, including computers and e-readers. Fifty-seven percent between ages 9 and 17 said they were interested in doing so.

Only 6 percent of parents surveyed owned an e-reader, but 16 percent said they planned to buy one in the next year. Eighty-three percent of those parents said they would allow or encourage their children to use the e-readers.

… The report also suggested that many children displayed an alarmingly high level of trust in information available on the Internet: 39 percent of children ages 9 to 17 said the information they found online was “always correct.”

Another bauble to beguile my Statistics class (Might be fun to have them build one)

Incredibly Depressing Mega Millions Lottery Simulator!

Qwiki will let you sign up for their Alpha release... I did.

Qwiki Just May Be The Future Of Information Consumption. And It’s Here Now.

To be clear, Qwiki isn’t a piece of hardware. Instead, it’s a piece of software meant to run on the web and as an app on mobile devices. What it does is present to you data about millions of topics in an extremely interesting and visual way. Imagine if someone created a movie highlight reel of Wikipedia pages — that’s sort of what Qwiki is like. You search for something — a topic, a person, etc — and Qwiki talks to you, telling you all you need to know about what you searched for, while also showing you key things about the subject or person.

Something for my new tech students. Not every free app, but several that will be useful for my website class and others. - A Swift Way To Install Free Software

Found at, the Free Apps website does something which is so useful that you are just left wondering why sites providing comparable services are not released at a more constant rate.

This site will come in handy when you have had to reformat your HD, or when a friend has just bought a computer and he needs the guidance of someone who knows a lot about applications that are substantially good. Well, on this site you will be able to individualize these applications one by one, and have Free Apps handle the entire installation process.

In both examples, this is a killer application in itself. In the first case, you are freed from having to oversee a lengthy installation process. And the same applies when it comes to installing software for a friend. You won’t even have to go to his house. You can tell him what he needs and where to find it. Free Apps will take care of installing it all for good.

Another site for my website students and no, it's not for wasting time playing games on the school computers... (look at their code, see how they do it, do it yourself)

HTML5games: Play HTML5 Games Online

HTML5games is exactly what its name suggests: a collection of games that run on the HTML5 platform. Although relatively new, the website features a number of impressive games including Asteroids, Chess, Knifetanks, and Pac-man. Each game carries a description and rating with itself.

Similar tools: CloudCanvas and Aloha-Editor.
