On Privacy Law: HIPAA, Library

At Law.com, “Hospitals Fear Privacy Claims Over Medical Records:”

The Health Insurance Portability and Accountability Act is raising new legal fears for health care providers in light of tougher government enforcement and recent court rulings that could trigger private lawsuits.

Labor and employment attorneys who represent health care providers are especially concerned about the prospect of private HIPAA litigation because the law does not currently provide a private right of action. But plaintiffs appear to be getting around that. They say that courts in recent years have begun letting plaintiffs use HIPAA standards to prove liability in privacy lawsuits alleging that their sensitive medical records were inadequately protected.

I’m optimistic that private action will do more than the Bush administration has done to enforce HIPAA. It’s a pretty low bar, as I joked in ‘Medical “Privacy” law.’ (What do you call a set of regulations that the government won’t enforce?)

At the same time, I expect that private action will face a substantial and uphill battle, absent a financially-expressible cost.

In other news, law firm Morrison & Foerster has an “International Data Privacy” library up, at Morrison & Foerster International Data Privacy.

Oh, and the picture? Nothing to do with this blog post. Just celebrating. Because we’re not blogging for the money.

Flower Power Sucks

Having the unfortunate luck to be in National Public Radio’s target demographic, I occasionally wind up hearing stories that clearly are pandering to what I will with all due sarcasm refer to as “my generation”. Actually, I’m in the one after that, but I recognize the pandering.
Lately, not just on NPR but on my local “Timeless Rock” station, I’ve heard wistful mentions of this summer being the 40th anniversary of the Summer of Love. In fact, today is the 40th anniversary of the start of the Monterey Pop festival.
Well, I like sixties tunes as much as (probably way more than) the next guy, but I want to take this opportunity to plug an album that was recorded in 1967 and was decades ahead of its time. It had the unmitigated temerity to ridicule Sergeant Pepper’s, to mercilessly excoriate the vapid, privileged denizens of the San Francisco scene, to call Ronald Reagan a fascist who wanted to create a police state, and to attack narrow-minded parents for strangling their children’s curiosity and wonder in the cradle (and much, much more). It also laid withering scorn on mindless, superficial hippies and (accurately, alas) predicted a Kent State-type event.
That record is The Mothers’ “We’re Only in it for the Money”.
(BTW, the ’86 remastered version is worthless. You want the original vinyl (good luck), or the Rykodisc CD based on the original Verve master.)

Posted in art

New Hampshire, North Carolina overlap

New Hampshire’s requirement to clue in the AG’s office or your primary regulator took effect 1/31/2007.
I have info from NH and NC (but not NY, yet) covering the period since 1/17, so we can see how much overlap there is:

                 NH   NC
New Hampshire    40   11
North Carolina   11   41

I am eager to see how many of the NH cases were reported to NY. I am going to predict 27. Interesting how reports were being made to NH before the law requiring them took effect (hence the 1/17 date).

Disclosures where they’re not required by law

It’s the new normal in the English-speaking world. See:

All via the Dataloss list.

Emergent Downtime

We had some downtime after a failure at our hosting facility.

We would like to address the power loss which occurred in our Virginia
Datacenter on Wednesday, June 13th. We are still investigating the
root cause, but in the interest of full disclosure, here are the facts
as we know them today. A more complete post-mortem will be sent to you
as soon as possible.

Mmm, full disclosure and analysis. What a neat idea.

New Hampshire gets it

Via Lyger at Attrition.org, comes word that New Hampshire, one of a handful of U.S. states that require breaches involving personal information to be reported to the state as well as to affected individuals, has made at least some breach notices it has received available on the net.
I haven’t had any time to read the approximately fifty-five notices, or add to my stylish breach Venn diagram, but I will say that the idea of digitizing such materials and making them available online is one I like (and have done with reports from NY).
I do not know when the Granite State started doing this, or what fraction of reports they have made available, but I sure hope they keep up the good work. I counted 55 or so reports covering 11/06 – 6/07.

“Whatever happened to Zero-Knowledge Systems?”

Zero-Knowledge Systems was one of the hottest startups of the internet bubble. Unlike internet companies selling pet food or delivering snacks to stoners, Zero-Knowledge was focused on bringing privacy to all internet users. We had some fantastic technology which was years ahead of its time. And people often ask me “whatever happened to them?”

The company has re-focused its business model, changed its name to Radialpoint, become profitable, and become the fastest growing company in Quebec (based on 5 year revenue growth). As Austin Hill writes in “Radialpoint gets some Prophetic Love:”

I want to congratulate my brother Hamnett, father Hammie and the entire team at Radialpoint who were just honored by Profit Magazine as the fastest growing company in Quebec (measured in 5 year revenue growth) and the 32nd fastest in Canada.

I’ll join Austin in sending the entire Radialpoint team congratulations.

It’s a great team, and they’ve done a fantastic job transitioning from promise to a reality for their partners and customers.

Global Biometrics Database, Coming Soon to You

Raiders News Network quotes an Interpol press release, “G8 Give Green Light For Global Biometric Database:”

MUNICH, Germany – G8 Justice and Interior Ministers today endorsed a range of vital policing tools proposed by Interpol Secretary General Ronald K. Noble aimed at enhancing global security.

Secretary General Noble exposed the global problem of prison escapes of terrorists and other dangerous criminals not being promptly and adequately reported to police worldwide, thereby placing the citizens of all countries potentially at risk.

‘Moreover, the absence of a global protocol on sharing vital information such as fingerprints and photographs of escaped prisoners, including terrorists, constitutes a serious threat to the safety and security of citizens worldwide,’ he added.

Note the subtle use of the terrorist card. Note the utter lack of any mention of privacy, wrongful convictions, or the reality that refuseniks and dissidents will end up in the database, harassed when they show up in other countries.

Don’t worry, your national ID registers won’t be checked against the database until computer power becomes a lot cheaper.

Dear FBI: Fusion requires critical mass

The FBI runs what they call “Fusion Centers” for intelligence sharing. There’s a fascinating quote in the Washington Technology article, “Boeing to staff FBI Fusion Center:”

“As a police chief of the 19th largest city in the nation, and in possession of a top secret clearance, by law I cannot set foot unescorted in the National Counter Terrorism Center, let alone have direct access to even the most benign information,” Kerlikowske said.

So, dear FBI: Fusion requires critical mass, and it creates risks. If you re-design to eliminate all those risks, you end up without any chance of fusion.

Another little known fact about fusion: stuff goes in, stuff comes out. What you’ve got there is a black hole.

Via Global Guerrillas, “QUOTE: Security Dysfunction.” Image from Western Washington University Planetarium.

Fascinating breach detail: Illinois Department of Financial and Professional Regulation

Here’s detail from an InformationWeek story, “Hackers Blamed For Data Breach That Compromised 300,000:”

A hacker broke into the computer network at the Illinois Department of Financial and Professional Regulation this past January and accessed a server that held information on about 1,200,000 people who have licenses or applied for licenses with the department. Susan Hofer, spokeswoman for the department, said in an interview that about a quarter of the stored information was compromised.

A quarter of the information? Really? I’d love to understand their logs, which seem to be well designed. Compare and contrast to all the organizations that say “we’re not really sure what happened.”

Kudos to the Illinois Department of Financial and Professional Regulation for having good logs.
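What “good logs” buy a responder is the ability to state how much was touched rather than “we’re not really sure.” The following is an added example, not code from the department or from InformationWeek: it assumes a per-record access log (the line format, the session identifier, the record numbers and every log line are constructed here) and scopes an incident by counting the distinct records one unauthorized session read inside the incident window, reporting that as a fraction of the records held.

```python
"""Added example (not from the InformationWeek story or the department's own logs):
how per-record access logging lets a responder scope a breach.

The log format, field names and every line below are constructed for illustration."""
import re
from datetime import datetime, timezone

# Constructed log format: one line per record access, with an ISO-8601 timestamp,
# the session that performed the access and the licensee record it touched.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) session=(?P<session>\S+) action=(?P<action>\w+) record=(?P<record>\S+)$"
)

# Constructed sample: a "server" holding eight licensee records, and a log in which
# session s-4b2e (the one the investigation identified as unauthorized) reads some of them.
TOTAL_RECORDS = 8
SAMPLE_LOG = """\
2007-01-10T08:02:11Z session=s-1a7c action=read record=LIC-0001
2007-01-10T08:05:43Z session=s-1a7c action=read record=LIC-0002
2007-01-12T03:14:07Z session=s-4b2e action=read record=LIC-0003
2007-01-12T03:14:09Z session=s-4b2e action=read record=LIC-0004
2007-01-12T03:14:09Z session=s-4b2e action=read record=LIC-0004
2007-01-12T03:15:30Z session=s-9f00 action=read record=LIC-0005
2007-01-12T03:20:00Z session=s-4b2e action=update record=LIC-0001
not a log line at all
"""

# Incident window and suspect session (constructed, matching the sample above).
WINDOW_START = datetime(2007, 1, 12, 0, 0, 0, tzinfo=timezone.utc)
WINDOW_END = datetime(2007, 1, 12, 23, 59, 59, tzinfo=timezone.utc)
SUSPECT_SESSION = "s-4b2e"


def parse(log_text):
    """Return (events, malformed_count). Malformed lines are counted, never silently dropped,
    because a gap in the log is itself a finding the post-mortem must mention."""
    events, malformed = [], 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            malformed += 1
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(ev)
    return events, malformed


def records_touched(events, session, start, end):
    """Distinct records that any action by `session` touched inside [start, end].
    A set is used so repeated reads of one record are not double counted."""
    return {ev["record"] for ev in events
            if ev["session"] == session and start <= ev["ts"] <= end}


def compromised_fraction(log_text, session, start, end, total_records):
    """Fraction of the stored records the suspect session touched in the window."""
    events, _ = parse(log_text)
    touched = records_touched(events, session, start, end)
    return len(touched) / total_records


if __name__ == "__main__":
    events, bad = parse(SAMPLE_LOG)
    touched = records_touched(events, SUSPECT_SESSION, WINDOW_START, WINDOW_END)
    print(f"records touched: {sorted(touched)}  ({len(touched)} of {TOTAL_RECORDS})")
    print(f"malformed log lines: {bad}")
```

The design point is that the fraction is only as trustworthy as the log's coverage: the parser reports malformed lines rather than discarding them, and the scoping uses a set of record identifiers so that a session re-reading the same row does not inflate the count.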

Laurie, Cameron and Brands (Oh My!)

There’s a fascinating exchange going on between Ben Laurie, Kim Cameron, and Stefan Brands.

This is utterly fascinating if you have any interest at all in online identity, but haven’t had the time to compare systems.

I’d try to contribute, but I’ve been in the midst of a large project at work.

Archival links:

Wanted: iPod organ donor.

I’m not throwing out a whole iPod just because the headphone jack is hosed.
If you have a dead mini iPod (maybe with a smashed display, say?), and you don’t want to take up precious landfill space, leave a comment or send me an email.

Federal Computer Week on SSN Purges


There’s an article in Federal Computer Week explaining that “Agencies face SSN scrubdown.” We mentioned this last week in “White House Data Breach Prevention Guidelines.” I am pleasantly surprised to learn that some data actually will be declared ‘unnecessary:’

Agencies can eliminate some SSN uses by asking employees not to write their SSNs on leave application forms, Howell said. NBC also is modifying its time and attendance system to eliminate the use of SSNs…Like USDA, Interior has a head start on scrubbing its databases of unnecessary SSNs. Interior’s National Business Center, which handles many of the department’s major applications containing sensitive information, is able to mask or block the display of SSNs on reports and computer screens, said Interior CIO Mike Howell.

It remains to be seen how much data will be scrubbed. There’s also an interesting linguistic tidbit: the article flips between “and” and “or,” as in “only as authorized by law and as necessary to carry out agency responsibilities” and “Do we have to have information for a legal or procedural reason.”

As any programmer can tell you, there’s a world of difference between those two sentences.
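To make that difference concrete, here is an added example (not from the article, and not any agency’s actual inventory): a small, constructed inventory of places an agency stores SSNs, scrubbed once under the conjunctive rule (“authorized by law and necessary”) and once under the disjunctive one (“legal or procedural reason”). The system names and their flags are hypothetical.

```python
"""Added example (not from the Federal Computer Week article or the blog post):
the same SSN inventory scrubbed under an "and" rule and an "or" rule.

The record fields and the sample inventory are constructed for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class SsnUse:
    """One place an agency system stores or displays an SSN (constructed fields)."""
    system: str
    required_by_law: bool        # a statute or regulation mandates collecting it
    needed_for_operations: bool  # the task cannot be carried out without it


# Constructed inventory; the system names are hypothetical.
INVENTORY = [
    SsnUse("tax_withholding", required_by_law=True, needed_for_operations=True),
    SsnUse("leave_application_form", required_by_law=False, needed_for_operations=False),
    SsnUse("time_and_attendance", required_by_law=False, needed_for_operations=True),
    SsnUse("legacy_badge_index", required_by_law=True, needed_for_operations=False),
]


def keep_conjunctive(use: SsnUse) -> bool:
    """'Only as authorized by law AND as necessary to carry out agency responsibilities'."""
    return use.required_by_law and use.needed_for_operations


def keep_disjunctive(use: SsnUse) -> bool:
    """'Do we have to have information for a legal OR procedural reason'."""
    return use.required_by_law or use.needed_for_operations


def scrub_list(inventory, keep) -> list:
    """Systems whose SSN field must be scrubbed: everything the keep rule does not justify."""
    return [u.system for u in inventory if not keep(u)]


if __name__ == "__main__":
    print("scrub under AND:", scrub_list(INVENTORY, keep_conjunctive))
    print("scrub under OR: ", scrub_list(INVENTORY, keep_disjunctive))
```

Under the conjunctive rule three of the four uses are scrubbed; under the disjunctive rule only the leave form is, because a single justification of either kind is enough to keep the data. Which sentence the final guidance actually means decides how much of the SSN footprint survives.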

Article pointer via Pogo Was Right. Photo, “Social Aptitude,” by ms. boomer.

I don’t know much about art…

…but encasing a skull in millions of bucks worth of diamonds and thinking you’ve made some kind of statement strikes me as uninspired in the extreme. Of course, this matters not, because this is “the work with the highest intrinsic value in modern and contemporary art” according to a guy who works for an insurance company. Ok, then. Price of everything and value of nothing, my friend.
Alternatively, here’s art that makes you think, and perhaps not coincidentally has no “intrinsic value” other than the opportunity cost of the artist (which almost by definition is nil).
As long as we’re on the subject that money spent on some so-called art has better uses…
Here’s an art idea: take something that could save a life (say, $5 worth of medicine), encase it in cheesy rhinestones and make a belt-buckle out of it. Make it known that for every belt-buckle left unsold, the artist will donate $10 to a charity which will provide said medicine to those who would otherwise not get it. Every buckle sold, in essence, is two lives not saved. I predict a sellout.
Here’s another one. Take a thousand five dollar bills. Put them in a lucite cube containing an electrically operated mechanism. When a button is pushed by a gallery visitor, a single bill is picked from the heap and burned. Tell gallery visitors that all money left in the cube at the end of the exhibit period will be used to provide food/medicine for those who otherwise would not get it.
Extra bonus variation on the above: Same money, same cube. Each time a bill is burned, a photograph of a child in the recipient pool is displayed to the gallery visitor who burned that bill, along with basic details about that child, such as her first name, nationality, and age.
I have some issues with the last of these (and with another variation which shows the picture and details *first*, and then lets people burn or not burn the money), but maybe I can patent this as a business process and license it. That way, it’s other people who are doing the bad stuff and I am just earning a living. Right? Right??

Posted in art