The High Cost of Data Breaches

A non-profit group, the Privacy Rights Clearinghouse, maintains an updated list of corporate and governmental data breaches going back to 2005. What’s striking about this list is the number of major corporations and government agencies that don’t have even basic policies in effect to prevent breaches. What’s equally striking is what inadequate or non-existent policies and procedures can end up costing these organizations.

Case in point: CVS Pharmacy, Inc., which in January 2009 reached an agreement with the U.S. Department of Health & Human Services (HHS) to settle potential violations of the HIPAA Privacy Rule. The fine: $2.25 million.

The settlement resulted from charges that CVS, the retail pharmacy, disposed of prescription bottles and old prescriptions in unprotected dumpsters. The company, the government claimed:

Failed to implement adequate policies and procedures to safeguard protected health information during the disposal process;

Failed to adequately train employees on how to dispose of such information;

Failed to maintain and implement a sanctions policy for members of its workforce who failed to comply with procedures and policies.

In addition to the fine, CVS had to establish strict disposal procedures in all of its 6,300 stores; train its entire workforce; hire a third-party assessor to evaluate the program; and submit compliance reports to HHS for three years.

How unusual is this? HHS says it has investigated and resolved over 9,501 cases by requiring changes in privacy practices and other corrective actions. And those numbers are restricted to the health care industry. In cases of identity theft resulting from inadequate privacy and information security, the Federal Trade Commission has levied fines of $10 million and more, plus another $1 million or so for consumer redress.

Then there is the possibility of potentially crippling lawsuits filed on behalf of those impacted. Heartland Payment Systems, which was the target of a massive cyber fraud (http://www.ciozone.com/index.php/Security/The-Worst-Data-Breaches-of-2009.html), is the subject of almost three dozen separate lawsuits on behalf of consumers, investors, banks and credit unions. They claim the credit card processing company lacked proper security protocols.

According to Heartland’s most recent quarterly report, it has created an $82.9 million reserve as of September 30, 2009 to cover potential settlement costs. It also has recorded $178.6 million in pre-tax expenses associated with what it calls the Processing System Intrusion.

Pity the unfortunate CEO who has to tell shareholders that potentially hundreds of millions of dollars of data-breach-related expenses are going to come out of their equity holdings. As for the CIO who has to break the bad news to his or her boss about a breach that possibly could have been avoided, that old adage about not disposing of the messenger may not hold.

Copyright © 2007-2012 CIOZones. All Rights Reserved. CIOZone is a property of PSN, Inc.