> On Mar 11, 2009, at 12:18 AM, RECMGMT-L automatic digest system wrote:
>> From: Bruce White <[log in to unmask]>
>> Date: March 10, 2009 5:27:21 PM EDT
>> Subject: RAINDrop - Google software bug shared private online  
>> documents
>> <snip>
>> Google has confirmed that a software bug exposed documents thought to
>> be privately stored in the Internet giant's online Docs application
>> service. The problem was fixed by the weekend and is believed to have
>> affected only .05 percent of the digital documents at a Google Docs
>> service that provides text-handling programs as services on the
>> Internet
>> <snip>

Google better hope there were no HIPAA records in that group.  The new  
regulations in the Stimulus Bill make business partners liable.  For  
example, the Legislation states:

> The initial HIPAA Act of 1996 held "covered entities" subject to  
> severe criminal and civil penalties for violations of privacy and  
> security standards as defined in the HIPAA legislation. These same  
> penalties now apply to "business associates". Section 13401 of the  
> bill states, “In the case of a business associate that violates any  
> security provision…sections 1176 and 1177 of the Social Security Act  
> [civil and criminal penalties] shall apply to the business associate  
> with respect to such violation in the same manner such sections  
> apply to a covered entity that violates such security provision.”

> The following conditions are outlined in the law:
> a.    The name of each individual must be reported.
> b.    A breach is considered “discovered” on the first day it is  
> known to the business associate
> c.    All notifications of individuals must be made within 60 days
> d.    The business associate must be prepared to prove that all  
> notifications have been made
> e.    Individual notices can be delivered by first class mail or e-mail
> f.    For 10 or more individuals who cannot be contacted as outlined  
> above, a conspicuous posting on the web page of the covered entity  
> or notices in major print or broadcast media where the individuals  
> are likely to reside may be substituted. These notices must include  
> a toll free number where individuals can learn whether their  
> information was a part of the breach.
> g.    If more than 500 individuals are involved, media outlets in  
> the area must be notified
> h.    The Secretary of Health and Human Services must be notified by  
> the covered entity if more than 500 persons are involved.

> The law considers three “tiers” of violations for HIPAA, as follows:
> •    The lowest tier violation is by a person who did not know (and  
> by exercising reasonable diligence, would not have known) that their  
> action violates the law. The penalty for this violation is $100 for  
> each violation – the total penalties for a calendar year not to  
> exceed $25,000.
> •    The second tier is a violation of the law due to reasonable  
> cause, and not due to willful neglect. The penalty for this  
> violation is $1,000 for each violation – the total penalties for a  
> calendar year not to exceed $100,000
> •    The third tier is a violation due to willful neglect and  
> carries with it two possible penalties. If the violation is  
> corrected, the penalty is $10,000 for each violation – the total  
> penalties for a calendar year not to exceed $250,000. If the  
> violation is not corrected, the penalty is $50,000 for each  
> violation – the total penalties for a calendar year not to exceed  
> $1,500,000.

Hey Google, How is that Cloud Computing model looking now?  The issues  
with security we talked about with Cloud Computing can be expensive if  
you have multiple disclosure events.

If some hacker cracks the algorithm then look out.  But $1.5 million a  
year may be cheaper than fixing the problem so who cares.

It is projected that these requirements will be spread across other  
spectrums so business partners will soon be liable for Identity Theft  
exposures, hacker events as the Banking Industry, the SEC and  
Pharmaceutical and so on fall under the spell of the Stimulus Bill.

These fines become a de facto new taxing authority.  I predicted a few  
years ago that when other Federal Agencies saw the fines being levied  
by the FDA that they would lobby for this stick as well.  Sure enough,  
the Health Industry has it now, the SEC has it and it is growing.

Citizens are already calling for China to be fined for putting  
Melamine in baby formula and road paint in things and lead paint on  
toys. A billion here and a billion there and the U.S. will be back solvent.

If you are an offsite records or media storage company, PRISM's  
Conference in Daytona in May will have some sessions on this new  
legislation and how to prepare for it.  New insurance will be required  
and procedures will need to change to stay in compliance. There is  
still time to sign up. A whole day is just for Data Protection issues  
and offsite media storage, e-vaulting, etc.

Angie of our Listserv is also a presenter so it should be interesting.  
Just tell them I sent you and I get a commission.  Oh wait that is  
Rush Limbaugh for  Shoot I never get anything good.

Hugh Smith
FIRELOCK Fireproof Modular Vaults
[log in to unmask]
(610) 756-4440    Fax (610) 756-4134
