[ Monday, December 10, 2007 ]


TJX and Facebook: Different Approaches to Data Breaches.

Ugh. I just drafted a long expositive post on the diametrically opposed ways you can treat a data breach: confess and beg forgiveness, or dispense the minimum information and damn the torpedoes. And Blogger ate my post.

The reason I was posting was this blog post on Infoweek.

HIPAA doesn't require a covered entity to disclose a bad use or disclosure, necessarily. A covered entity must account for disclosures if asked, but there's no requirement that you proactively give such an accounting. And a covered entity must take reasonable steps to mitigate any known adverse effects of a breach, but there's a lot of wiggle room to allow non-disclosure. And in some instances, letting people know that there might be a problem, when there's virtually no way the bad disclosure will occur (let's say a plane crashes in the Andes, and one of the passengers was a healthcare executive with a laptop full of data -- it's possible that someone recovered the laptop from the wreckage and took the data to use for identity theft, but it's also possible that the laptop was destroyed), would cause unnecessary panic.

So, the blog post posits that perhaps it's better to keep a stiff upper lip, rather than throw yourself on the mercy of the court. Hell, you may not need mercy after all.

Something to think about.

UPDATE: that was fast; take a look at this story, and see the implications.

Jeff [11:18 AM]
