Monday, June 12, 2017
Ha ha ha! This, people is one reason you need to think about how to handle security breaches before they happen – and they will!
Some readers might appreciate an update as to what happened when Bronx-Lebanon Hospital Center and iHealth Solutions sent legal threat letters to this site after I notified them and reported that they were leaking protected health information. As I previously noted, I was – and remain – very grateful to Covington & Burling for their representation of me and this site in the matter. Their entrance into the matter produced an immediate shift in the law firms’ tones from strident demands to requests.
But the story doesn’t end there, and this might be categorized under your “payback’s a bitch” category. Read on….
It seems that the hospital and vendor had also sent threat letters to Kromtech Security Research Center, who had discovered the leak. For reasons that are not totally clear to me, Kromtech quickly agreed to the lawyers’ request that they destroy all the data they had downloaded in their research.
Any relief the vendor and hospital may have felt over Kromtech’s cooperation was likely short-lived, however. Kromtech informed me that they were subsequently asked to tell the entities which patients’ data they had downloaded so the entities would know whom to notify. But of course, Kromtech could not provide that information because they had deleted all the data in response to the entities’ first demand/request. D’oh?
Now the entities could just notify everyone who had PHI/PII on the server, of course, but it seemed like they were trying to narrow the universe to only those whose data wound up in Kromtech’s hands – or this site’s – or NBC News’ hands. And now Kromtech could not tell them which patients had data in the 500 mb of data they had downloaded and then destroyed.
But Kromtech had sent a subset of that data to DataBreaches.net, who had not destroyed the data it possessed. If DataBreaches.net wanted to be helpful, it could go through all the data and let the entities know which patients had data in there, right?
Would this be a good time to remind everyone that the entities had threatened me and this site?
And would it be important to point out that they never directly apologized to me for their heavy-handed threats?
I might have been able to spare the vendor and hospital some notifications if I was willing to donate my time to going through files to compile information for them, but I’m not willing.
I’m not willing, in part, because I do not want to be going through PHI if it’s not for my reporting purposes. And I’m not willing because why should I have to spend my valuable time compiling information for entities that tried to bully me and who now need my help to help them clean up their mess??
So what are the lessons that I wish entities and their lawyers would learn from all this?
1. Don’t rush to send legal threat letters. What your mother taught you about catching more flies with honey than vinegar appears true here, too; and
2. If you wouldn’t send a legal threat to the New York Times over their reporting, don’t send one to me. This site may be small, under-funded, under-staffed, and under-appreciated, but with the support of great law firms like Covington & Burling, this site will always fight back against attempts to erode press freedom or chill speech.
(Related). A reasonable guide for the thoughtful organization.
Legal impact of Data Protection and Management in the Digital Age
With increasing access to mobile devices and the internet, the amount of data created annually worldwide is predicted to soar to 180 zettabytes (180 trillion gigabytes) in 2025, with approximately 80 billion devices connected to the Internet.
1. Have a clear understanding of how personal data is used and managed in your organisation. Some questions that business leaders need to ask include what personal data has been collected, who has access to this data, whether the purposes of processing of such personal data are lawful, where and how it is kept and secured, and how long such personal data is kept on file.
2. Conduct regular audits and penetration testing. The authorities do recognise the fact that cyber criminals often use sophisticated measures in their attacks. However, as seen with the many data breaches around the world, it is most often the case that the organisation itself has failed to have sufficient security measures in place. It is also a known fact that many organisations are not doing enough to protect customer data or their important data. At the bare minimum, organisations need to meet the regulatory standards for data protection and compliance.
3. Be willing to seek external advice. By working closely with professionals such as specialised lawyers with the relevant expertise, organisations will be able to have a better understanding of other factors that could affect their business decisions, such as a digital transformation initiative to move data to the cloud.
A New Jersey saying, “Sometimes it’s easier to hide bits and pieces than a whole body.”
Second Amendment right to meet people at the door with a machete by your side?
Yes, says the New Jersey (!) Supreme Court in yesterday’s unanimous State v. Montalvo opinion
The future? Schools drop cursive, newspapers drop print?
The Washington Post to start experimenting with audio articles using Amazon Polly
The Washington Post today announced it has started experimenting with audio articles using Amazon Polly, a service that converts article text into lifelike speech. For the next month, mobile users will be able to listen to an audio version of four articles daily across business, lifestyle, technology and entertainment news categories.
Who knew that beans and rice were worth a price war?
German Grocery Chain Aldi to Invest $3.4 Billion to Expand U.S. Stores
German grocery chain Aldi said on Sunday it would invest $3.4 billion to expand its U.S. store base to 2,500 by 2022, raising the stakes for rivals caught in a price war.
… German rival Lidl will open the first of its 100 U.S. stores on June 15. In May, Lidl said it would price products up to 50% lower than rivals.
Wal-Mart Stores, the largest U.S. grocer, is testing lower prices in 11 U.S. states and pushing vendors to undercut rivals by 15%. Wal-Mart, the world's biggest retailer, is expected to spend about $6 billion to regain its title as the low-price leader, analysts said.
… The furious pace of expansion by Aldi and Lidl is likely to further disrupt the U.S. grocery market, which has seen 18 bankruptcies since 2014. The two chains are also upending established UK grocers like Tesco and Wal-Mart's UK arm, ASDA.