Awareity's Lessons Learned Blog


Disconnect Between Legal Team and Corporate Culture

Posted in Lessons Implemented, Lessons Learned by awareity on August 25, 2009

The headline of a story caught my eye last week – Marriott Disowns One Hotel’s Defense in Rape Case.

It seems Marriott International is seeking to distance itself from a Marriott franchise hotel’s legal defense tactic and released this statement:

“This incident is not reflective of our corporate culture or ethical standards, and we apologize to all of our guests and customers who were so deeply offended by the words used in the legal pleading.”

The court case stems from a situation where a woman was raped at gunpoint in front of her children in a hotel parking garage, which was obviously a horrible experience for her and her children.

The story goes on to explain that the insurance company attorneys for the Stamford Marriott Hotel & Spa filed court papers saying the woman “failed to exercise due care for her own safety and the safety of her children and proper use of her senses and facilities.”

The legal team filed this response to a lawsuit the woman filed which said the hotel failed to adequately police the parking lot or train security employees at the time of the attack.

Are there any lessons learned in this story?  Yes, there are multiple lessons learned for the hotel management, the legal team, the parent corporation, the victim and other organizations too. 

Are you and your staff prepared to prevent this type of incident from happening on your property? 

Are your organization and your legal team (internal or external) reading from the same sheet of music?

Do you have a reputation management strategy?   Does anyone else know what the strategy is?

Implementing processes and procedures and strategies can be far less costly than dealing with headlines and lawsuits and reputation damage.

Weekly Update: Implementing Lessons Learned

Please take a moment to consider how these Lessons Learned could be implemented by managers within your organization to avoid expensive and embarrassing situations…

U.S. Government Advises Businesses on Swine Flu.

Government officials are calling on U.S. businesses to help manage the H1N1 flu this fall by developing customized plans for managing both the seasonal and swine flu, getting vaccines to vulnerable workers and encouraging employees with symptoms to stay home.

Court indicts Hackers in Largest Data Breaches in US History

A federal grand jury in New Jersey indicted Albert “Segvec” Gonzalez in the largest hacking and identity theft case ever prosecuted. Gonzalez was involved in allegedly stealing more than 130 million credit and debit card numbers by hacking into Heartland Payment Systems, as well as Hannaford Brothers, 7-Eleven and other unnamed national retailers.  Gonzalez was also indicted on accusations of stealing 41 million credit and debit card numbers from major retailers, including TJ Maxx.

Campaign Monitor Hacked

Campaign Monitor, an Australian email marketing application, was a victim of a hacking attack when unauthorized users broke into the Campaign Monitor servers and accessed customer accounts. The compromised accounts were used to send spam, using lists already in the account and lists imported by the hackers.

Massachusetts Data Protection Law Deadline Extended to March 1

The deadline for compliance with the Massachusetts data protection law, 201 CMR 17.00, has been extended to March 1, 2010.  201 CMR 17.00 requires all companies, large or small, that conduct business within Massachusetts to protect the personal information of Massachusetts residents.

Lessons Learned are extremely valuable and must be implemented on an ongoing basis to ensure ongoing success and ongoing CYA!  For more information on implementing lessons learned click here.

HHS Has Busy Week and HIPAA Strikes Again!

Posted in Lessons Implemented, OK, Then What? by awareity on August 21, 2009

Health and Human Services (HHS) issued new regulations this week requiring healthcare providers, health plans and other entities covered by HIPAA (Health Insurance Portability and Accountability Act) to notify patients if their electronic health information has been breached.

The regulations were developed by HHS Office of Civil Rights (OCR) and require healthcare providers and other HIPAA covered entities to promptly notify people, the HHS and the media in breaches that affect more than 500 people.

Earlier this week, HHS announced that they delegated the authority for the administration and enforcement of the HIPAA Security Rule to the Office for Civil Rights (OCR).

Any lessons learned from the announcements this week?

Absolutely!  If you are a manager working in a “HIPAA covered entity” – which includes doctors, clinics, psychologists, dentists, chiropractors, nursing homes, hospitals, insurance companies, HMOs, company health plans, government programs that pay for healthcare and healthcare clearinghouses – then your lesson learned is pretty obvious…make sure you fully implement your privacy and security programs as soon as possible.

Why should you take action as soon as possible?

Because OCR now has authority for:

  • the HIPAA Security Rule
  • the HIPAA Privacy Rule
  • the Breach Notification requirements

And because the Health Information Technology for Economic and Clinical Health (HITECH) Act and American Recovery and Reinvestment Act of 2009 (ARRA) mandate these requirements.

Healthcare managers beware…

HIPAA Alert! And Congratulations to HHS Secretary Sebelius

Posted in OK, Then What? by awareity on August 19, 2009

In case you missed it, the Department of Health and Human Services (HHS) has delegated the authority for the administration and enforcement of HIPAA Security Rule to the Office for Civil Rights (OCR). 

In the article Secretary Sebelius commented:

“Security and privacy of health information are increasingly intersecting as the department works with the health industry to adopt electronic health records and participate in an even greater level of electronic exchange of health information. Privacy and security are naturally intertwined, because they both address protected health information. Combining the enforcement authority in one agency within HHS will facilitate improvements by eliminating duplication and increasing efficiency.”

Why should this announcement be taken seriously in the Healthcare industry?

Enforcement changes are coming.

There is no doubt that pressure on HHS to enforce security and privacy in Healthcare is mounting.  The Health Insurance Portability and Accountability Act of 1996 (HIPAA) has been around now for 13 years and new mandates such as the Health Information Technology for Economic and Clinical Health (HITECH) Act and part of the American Recovery and Reinvestment Act of 2009 (ARRA) both require improved enforcement of both rules.

Congratulations to Secretary Sebelius for recognizing the advantages of eliminating duplication and increasing efficiencies within HHS.  But now comes the hard part – getting healthcare institutions to effectively and fully implement HIPAA, HITECH, PCI, FACTA and many other state and federal mandates.

Healthcare managers should be thankful for the 13 years of lax enforcement with HIPAA, and now that the HIPAA alert has been delivered, healthcare managers should be taking aggressive actions to avoid being the next enforcement poster child.

Weekly Update: Implementing Lessons Learned

Posted in Lessons Implemented, Lessons Learned by awareity on August 17, 2009

Lessons Learned Review…Keeping You Out of the Headlines and out of this blog…

Please take a moment to consider how these Lessons Learned could be implemented by managers within your organization to avoid expensive and embarrassing situations…

Research Finds PCI DSS Awareness High Among Small Retailers, Lack of Understanding Remains Huge Hurdle

A recent survey revealed that although most small retailers feel somewhat familiar with PCI-DSS and also understand the importance of security, most small retailers express frustration with understanding, implementing and paying for compliance. 

Has your organization met compliance requirements?  Is your data secure?

Schools are Given New Flu Guidelines

The federal government released new guidelines as schools across the U.S. prepare for the new school year and brace for the H1N1 virus. 

Is your organization prepared?

Congressmen’s Websites Hacked

The homepages of several members of the House of Representatives were hacked and defaced with digital graffiti earlier this month.  The breaches were the result of passwords assigned by the vendor to member offices that were never changed.

Are you using default passwords?

Lessons Learned are extremely valuable and must be implemented on an ongoing basis to ensure ongoing success and ongoing CYA!  For more information on implementing lessons learned click here.

To Do Lists and Got To Do Lists…

Posted in Lessons Learned, OK, Then What? by awareity on August 14, 2009

Every manager I talk to has a long To Do List and they all say the list is getting longer.

Then I ask them about their GOT TO DO LIST.  Their responses usually include groans, moans and terribly painful looks on their faces.

As I talk to more and more managers and review more and more headlines in the news, it is obvious to me that managers’ GOT TO DO LISTS are becoming more painful by the day.

Why are GOT TO DO LISTS getting more painful?  Look at these articles which include lessons learned as well as future challenges:

Heartland CEO on Data Breach: QSAs Let Us Down

HITECH Act Ramps Up HIPAA Compliance

Obama Wants Big Banks to Pay More for Oversight

FTC Announces Expanded Business Education Campaign on ‘Red Flags’ Rule

Updated Federal Guidelines for 2009 H1N1 Influenza in Schools Offer Many Options

Improving OSHA’s Enhanced Enforcement Program

How are you managing and implementing your GOT TO DO LIST?

Article Cites “Dingbat Data Leaks”

A title to an article in SmartMoney caught my attention because it read “Dingbat Data Leaks”.

I think it caught my attention because over the last 27+ years or so, I have worked with my share of IT and IS department managers, as well as spending many years working with end-users, and I am not sure I understand who the author is referring to as the “dingbats”.

The author mentions absurd incidents and common blunders, so:

Are the people that throw away sensitive records in the trash the dingbats?  

Are the people that lose flash drives and laptops the dingbats?

Is the gas station attendant who refilled the receipt printer with a used roll that had prior customers’ credit card data printed on the back a dingbat?

I get the impression from the article that yes, they are the dingbats.  The article closes with an interesting bright side revelation from a Ponemon researcher that only 2 percent of all data breaches result in ID fraud.  And the conclusion of the article cites that cluelessness works both ways and says “just as it takes human stupidity to produce a leak, even accidental recipients with criminal tendencies are usually too dense to realize what they’ve received.”

Everyone has their own view, however I see some great Lessons Learned in this article for business leaders.

Isn’t it the responsibility of business leaders (and their managers) to ensure all appropriate personnel understand which records can and can’t be thrown away and which need to be shredded?

Isn’t it the responsibility of business leaders (and their managers) to ensure all appropriate personnel understand how to handle and protect information that is in transit or on mobile devices?

Isn’t it the responsibility of the business leaders to ensure their technology and business devices are compliant with today’s security and privacy regulations?

Is it possible the source of these common problems is the business leaders not implementing situational awareness, regulatory requirements, legal due diligence and accountability for their employees?

After 27+ years of experience and research, I know People are very capable and most want to help.  I also know People can be an organization’s first layer and best layer of defense in protecting against data leaks, but only if business leaders understand the problem and take steps to implement and enforce simple and reasonable processes and procedures at the individual level.

Weekly Update: Implementing Lessons Learned

Lessons Learned Review…Keeping You Out of the Headlines and out of this blog…

Please take a moment to consider how these Lessons Learned could be implemented by managers within your organization to avoid expensive and embarrassing situations…

DDoS Attacks On Twitter, Facebook Result Of Massive Attack On One Person

A pro-Georgian blogger called “Cyxymu” was apparently the intended target of the massive DDoS attack that knocked down Twitter and caused major slowdowns on Facebook and LiveJournal.  A botnet blasted waves of traffic at the blogger’s accounts on the sites simultaneously.

File Sharing Banned on Government Networks

Rep. Edolphus Towns introduced a bill to ban file-sharing software from all government and contractor computers and networks due to the recent disclosures of sensitive government and personal information.

Internet Hackers Steal $219K from City Bank Account

Internet hackers cracked into the City of Sherwood’s bank account and took $219,000 from the city’s checking account at Eagle Bank.  The illegal withdrawal happened in December 2008, but the FBI warned the city not to say anything at the time.

LA Fitness Center Shooting In Pennsylvania Leaves 4 Dead

A man entered the L.A. Fitness Club, turned out the lights on an aerobics class filled with women, and opened fire with three guns, killing three women and wounding nine others before committing suicide.

U.S. Bank Failures Rise to 72 With Collapses in Florida and Oregon

U.S. bank failures rose to 72 in 2009 with the collapse of two lenders in Florida and one in Oregon.  Regulators are closing banks at the fastest pace in 17 years as losses mount from unpaid real-estate debt.

Court rules employer did not violate workers’ privacy

The California Supreme Court ruled that an employer that installed a hidden camera in an employee office did not invade the workers’ privacy because the camera was turned on only when the workers were away.  This decision left privacy rights intact for employees in the workplace, but made it possible for courts to throw out lawsuits before trial if surveillance was limited and conducted for legitimate purposes.

Lessons Learned are extremely valuable and must be implemented on an ongoing basis to ensure ongoing success and ongoing CYA!  For more information on implementing lessons learned click here.

Please Don’t Ban E-mail and Phones…

Will Rep. Edolphus Towns (D-NY) introduce a bill to ban e-mail and phone software next?

I was reading an article in the Washington Post that reported that online data-sharing technology has led to the disclosure of sensitive government and personal information.  According to the article some of the sensitive information included:

  • FBI surveillance photos of a Mafia hit man
  • Lists of people with HIV and social security numbers
  • Motorcade routes and safe-house locations for then-first lady Laura Bush
  • Names of people in government’s witness protection program
  • Records with full psychological assessments of patients

In response to the news, the chairman of the House Oversight and Government Reform Committee, Rep. Edolphus Towns, said he would introduce a bill to ban such software from all government and contractor computers and networks.

Is this the right response by Rep. Edolphus Towns? 

Do we need more bills and regulations? 

Do we need bills to ban software (which is almost impossible to do)?

What about other software that has led to sensitive information breaches?  For example:

  • Since e-mails have led to the disclosure of sensitive information, will Committees be introducing a bill to ban e-mail software?
  • Since phone calls (social engineering) have led to the disclosure of sensitive information, will Committees be introducing a bill to ban phone software?

Are our government leaders missing the point and placing too much emphasis, too much blame and too much dependence on Technology (software and hardware) and not enough emphasis on the value and obligations of implementing individual level awareness and accountability of acceptable usage policies and procedures? 

Lesson Learned and wake up call for all managers…if you do not start doing a better job with implementing situational awareness and accountability at the individual level, Congressmen may take steps to ban more and more software…then what??

PCI Needs A New Three Letter Acronym and Focus

Posted in Information Security by awareity on August 4, 2009

Network Solutions has suffered a data breach involving more than 500,000 records, and it is yet another organization that claims it was PCI compliant at the time.  How can this be happening?  How does an organization know if it is PCI compliant with all 12 sections of the PCI Security Standards, which include hundreds of processes, roles and responsibilities that people must be following and implementing on a daily basis?

Maybe what PCI really needs is a new focus and a new three letter acronym to go with all their other three letter acronyms. 

If you visit the PCI Security Standards web site, you will find a whole bunch of three letter acronyms that the PCI Security Standards Council created:

PCI – Payment Card Industry

DSS – Data Security Standard

ASV – Approved Scanning Vendors

QSA – Qualified Security Assessors

SSC – Security Standards Council

PED – PIN Entry Devices

SAQ – Self Assessment Questionnaire

ROV – Report on Validation

FAQ – Frequently Asked Questions

Based on lessons learned and multiple data breaches at organizations that were PCI Compliant at the time of their incident, the PCI Security Standards Council is clearly missing a key three letter acronym.

CYA – Cover Your Ass(ets)*

*For those people offended by Cover Your Ass(ets), we recommend:

CYA – Compliance Year Around

CYA – Certification Year Around

Compliance/Certification Year Around delivers much better results than compliance or certification for a day or two.  Managing ongoing awareness, accountability, security, confidentiality, integrity, availability and auditability on an ongoing basis requires a focus on Technology, Processes and People…not just Technology-focused security and scanning efforts.
