[ Thursday, June 29, 2006 ]


Stolen VA laptop recovered: As reported in the Washington Post, the FBI recovered the stolen laptop with all of the VA data on it; the FBI determined that the data had not been accessed, but they're not saying how they got it back (other than saying they haven't arrested anyone for the theft). They also note that there have been no reports of data theft from the information either. A couple of interesting notes to the story, though. First, the employee apparently had permission to work with the information from home. The initial reports said the employee had broken policy by taking the information out of the office. Second, what happens to the lawsuit that was already filed against the VA for the data breach? I guess it goes away, since there's no damage done, although would the plaintiffs still claim some sort of emotional distress from the possibility that the data was disclosed?

Third, this buttresses my "crackhead" point -- most of these potential data theft problems are really crackhead problems. That is, it's some crackhead stealing a laptop to fence as hardware, not a theft of data in any meaningful sense. Sure, the data is also stolen, but that's not the target, and it's usually deleted so the hardware can be resold. James Lee Burke has a great story in one of his Robicheaux books about some junkie breaking into a house in the Garden District of New Orleans and bundling up a bunch of silver-plate flatware and all the liquor in the house in a priceless Irish Lace tablecloth so he can haul it out of the house, and ditching the only valuable part of his loot -- the Irish Lace -- without even knowing it was valuable. That's the funny thing about data: it's really valuable, but only to certain people; to others, it's absolutely worthless. And that's also why HIPAA is a pretty damn goofy regulatory scheme: the level of protection appropriate for the valuable data is applied to the worthless data. Because we can't tell the gold from the garbage, we treat it all like gold.

(Hat tip, by the way, to Jon Neiditz at Lord Bissell & Brook for the WaPo story)

Jeff [11:08 AM]

Comments: Post a Comment
http://www.blogger.com/template-edit.g?blogID=3380636 Blogger: HIPAA Blog - Edit your Template