News Stories through 2007

This page includes older news stories listed through 2007


TJX's Security Condemned by Canada's Privacy Commissioner

As reported on September 25 & 26, 2007, Canadian Privacy Commissioner Jennifer Stoddart, assisted by Frank Work, the Information and Privacy Commissioner of Alberta, has condemned TJX Companies for failing to implement stronger encryption and for storing far too much customer data for far too long, leading to the theft of millions of records.  TJX does not agree with all of the report's findings, but it has agreed to implement the Commissioner's recommendations.  Commissioner Stoddart found that TJX violated Canadian privacy law and that the breach was "foreseeable".

HHS Reviews Atlanta Hospital's HIPAA Security Compliance

On June 19, 2007 Computerworld reported that it had gained access to the list of 42 questions asked of Atlanta, GA's Piedmont Hospital in a review of its compliance with HIPAA Security Rule requirements, being performed by the Office of the Inspector General (OIG) of the Department of Health and Human Services (HHS).

This review does not appear to have been initiated to determine Piedmont's compliance for purposes of HIPAA enforcement against Piedmont; rather, it appears intended to survey a non-governmental HIPAA-covered facility to assist the OIG in developing a process and specific standards for use in compliance reviews of CMS and other HIPAA-covered Federal operations.  It is not clear at this time whether any enforcement action will be taken against Piedmont if violations are discovered and documented by OIG in the course of the review.

Nonetheless, it is clear that the methods and standards developed in the course of this review will be readily usable for enforcing compliance with the HIPAA Security Rule for HIPAA-covered entities of all kinds.  It is more important than ever that every covered entity be prepared to answer the same 42 questions asked of Piedmont Hospital.

The 42 questions HHS is asking Piedmont Hospital are available at:

A related article is available at:

NIST Releases Draft Guide for Telework and Remote Access

On June 1, 2007 the National Institute of Standards and Technology (NIST) released Draft Version 2 of Special Publication 800-46, User's Guide to Securing External Devices for Telework and Remote Access.  We expect this guide will be referenced in the upcoming HIPAA Security Rule amendments (see next story below) as well as other information security standards.

The guide is written to help users who do telework or use remote access secure their computers, devices, and networks, and will serve as an excellent guide to remote access and use policy and procedure development, as well as a source of information for training materials.

From the NIST description on their drafts page:
It provides practical, real-world guidance on securing telework computers’ operating systems and applications and teleworkers’ home networks, and it also gives basic recommendations for securing consumer devices. The publication also provides tips on assessing the security of a device owned by a third party before deciding whether it should be used for telework.

The guide is available at:

HIPAA Security Rule to be Amended, Made More Strict

On April 30, 2007 the Department of Health and Human Services published its semi-annual regulatory agenda in the Federal Register, including a declaration of intent to propose changes to the HIPAA Security Regulation that would put the force of regulation behind the December 28, 2006 guidance from HHS about remote access and use of electronic protected health information.  The amendment is expected to be proposed in July of 2007.

This intention makes clear the significance of the guidance, and that HIPAA covered entities need to start now on implementing compliance with the guidance, as effective implementation of the guidance may be costly and time-consuming.

From the Federal Register:

Abstract: This proposed rule would further address the existing compliance requirements of the HIPAA Security regulations specific to covered entities that allow offsite access to, or use of, electronic protected health information. The proposed rule is necessitated by several recent security incidents related to the use of laptops [and] other portable and mobile devices and external hardware that store, contain, or are used to access electronic protected health information. It is intended to provide a more prescriptive set of remote security requirements designed to reduce the likelihood of unauthorized uses and disclosures of sensitive health information.

To view the notice, go to:  Scroll down to the section for Health and Human Services, and click on the TEXT or PDF link to the Semi-annual agenda.  See Sequence number 951, page 22555 in the PDF version.

More Than 2/3 of States Have Security Breach Notice Laws

As of April 9, 2007, at least 35 states now have information security breach notification laws in place, with more expected to be passed in the current year.  In addition, the U.S. Congress is considering proposed legislation that would be even more strict than most states' laws.  If your business or any of your customers or employees are located in any of these states, you must comply with their breach notification laws.

To see if your state or your customers' or employees' states have breach notification laws, please see the National Conference of State Legislatures' Web site at:

HIPAA Security Rule Guidance Announced

On December 28, 2006, the Department of Health and Human Services published new guidance on the use of laptops, other portable and/or mobile devices and external hardware that store, contain, or are used to access Electronic Protected Health Information (EPHI) under the responsibility of a HIPAA Covered Entity.

In this guidance, it is indicated that covered entities must place "significant emphasis and attention on their:
  • Risk analysis and risk management strategies;
  • Policies and procedures for safeguarding EPHI;
  • Security awareness and training on the policies and procedures for safeguarding EPHI."

Also included is guidance on addressing security incidents and non-compliance, as well as a set of possible risk management strategies for accessing, storing, and transmitting EPHI.

To view the guidance, go to:

FRCP Electronic Discovery Rules Go Into Effect

On December 1, 2006 new rules went into effect under the Federal Rules of Civil Procedure for Electronic Discovery.  These new rules set the standards for the production of electronic documentation under civil proceedings and have a significant impact on how an organization's information should be managed.

To be prepared for Electronic Discovery, policies must be established to control the retention and deletion of electronic information in order to economically comply with discovery requests and control the disposal of any information.  Otherwise, penalties may result.  Please see our page on FRCP Electronic Discovery for more information. 


Copyright © 2002-2023 Lewis Creek Systems, LLC, Charlotte, Vermont, USA