  The Honey Stick Project - Measuring risk decisions
What's wrong with No Harm, No Foul when lost devices are recovered?

Monday, May 13th 2013 @ 9:17 PM

I am always interested in hearing the opinions of the public, as well as those affected by security and privacy incidents. Recently, a USB drive that was lost by the Montfort Hospital in Ottawa was recovered. The hospital had already issued a breach notification to the 25,000 patients whose records were affected. One of the affected patients, Judith Lishman, wrote a letter to the editor of the Ottawa Citizen newspaper, explaining why she doesn't support a class action lawsuit that's being launched as a result of the breach. However, I think there's probably a good case for this lawsuit.

I find Ms. Lishman's opinion very interesting, and somewhat understandable. She feels the lawsuit will not result in fair compensation to victims, and will raise the insurance rates for hospitals, causing a further burden to the healthcare system. As a victim of the hospital's negligence, her argument has some added credibility, and we should definitely consider it as a bigger picture than just a single event of losing a device. However, I have to ask the victims of this incident, as well as the potential victims of future incidents (all of us), to consider an even bigger picture.

The Problem of Lost Storage Devices is Getting Worse

Improperly protected and handled mobile storage devices such as USB flash drives are becoming one of the most common causes of data loss by businesses. If you perform a Google search on the keywords "lost USB customer records", you will find an endless stream of data breach news articles. The number of client records lost in the Montfort case is not surprising for this kind of incident.

Most organizations do have policies for the protection of client data, and for security education of the staff handling that data. But these breaches are still occurring. Without some kind of penalty, either fines or lawsuits, how can we trust organizations handling customer and employee personal data to start taking their obligations to protect this information seriously?

How Hard Should You Have to Look for Evidence of Misuse Before Giving Up?

Virtually every disclosure of lost devices with readable personal information contains a variation on the legal disclaimer, "There is no evidence to suggest that any of the personal information has been misused." This statement is meant to minimize the public's perception of the seriousness of this kind of data breach. If you read the results of my research (www.honeystickproject.com), you will see that just because a device is found and returned does not mean that no personal information was accessed. In fact, there is evidence to show that most of the time, data on lost devices has been accessed, even if the device was returned.

No Harm, No Foul Doesn't Reflect the Degree of Risk

In any case, I could just as easily argue to the traffic court judge after being given a speeding ticket that "there is no evidence that my going 150 kph in a 50 kph zone caused any harmful effects to anyone"; but I would still be found guilty and would have to pay a penalty. And by the way, my insurance rates will certainly go up, if I remain insurable at all. Insurance companies have a pretty good nose for spotting risks. This is probably one of the reasons we might expect that many data breach incidents are not reported, since organizations in most industries are not legally compelled to do so.

Until we have enforceable laws in place in Canada that provide a standard set of penalties for negligence in protecting personal information and putting client data at risk, how else can organizations be held accountable, if not through this kind of lawsuit?

When There Are No Mandatory Penalties, a Lawsuit Makes Sense

It is disturbing and sad that the parameters of a lawsuit such as this one seem to allow for only a small compensation to the victims for their injury and loss of trust, and that the lawyers will likely be far better rewarded than the victims for taking this initiative. But I think this is a case where we have to look at an even bigger picture, and set some precedents to move closer to having the proper incentives in place for organizations to exercise due care in protecting important patient information.

Continuing to trust organizations to enforce policies and educate staff has not helped to date, and we've been lucky. One day, when the data is actually abused, and it will be, it will cost those victims much more. What will the lawsuits look like in that case?

Scott Wright

The Streetwise Security Coach

Phone: 1-613-693-0997
Email: scott@streetwise-security-zone.com
Is it fair to place Honey Sticks on employees' desks to see if they plug them in?

Tuesday, May 7th 2013 @ 4:44 PM

In a recent discussion with an associate who ran his own Honey Stick Project (HSP) with USB drives in his organization, I learned that he chose to plant some of the intentionally lost devices literally on people's desks. This is a question I had considered years ago, when I dropped my first Honey Sticks. I even thought about dropping them in people's purses or bags. At first, I had thought that might be a little unfair to the employees. Perhaps they might not realize the device wasn't their own. After all, I can imagine many of us could have several devices, or maybe they were expecting to receive a device from somebody.

On the other hand, is this any different from a phishing email that tries to social engineer you into opening a message that looks like it was intended for you, and clicking on a link? It's still the same type of risk decision. What's the right thing for the finder to do if they don't 100% recognize the device? I now think the correct answer is that they should still take the device to an authority such as the IT Helpdesk.

So, I think it's fair to plant Honey Sticks anywhere, especially in places where it looks like the person was the intended recipient, just like in a phishing email.

What do you think?

I'll be speaking at SC Toronto Congress on the topic of the Honey Stick Project, and would like to gather as many comments on any aspect of the HSP as possible, in anticipation of questions from the audience. Your input may be helpful to others.

Copyright 2012. Security Perspectives Inc. All Rights Reserved.