DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

[RANT] New Rule: No Waffling

Posted on March 8, 2010 by Dissent

A recent press release and open letter from Westin Bonaventure Hotel & Suites induces a rant.

I’m working on my taxes and thought I’d send this notification off to the I.R.S.:

To valued I.R.S. employees:

I wish to inform you of possible income earned involving my private practice. At some point during the period April 2009 through December 2009,  income may have been received. The income possibly obtained through this employment would have included checks and cash from patients, and possibly some checks from insurance carriers.  If you consider this reportable and taxable income, you may be owed money, but at the present time, I have no reason to believe that this is the case.   I have been working closely and cooperating fully with my accountant to investigate and respond to the  income received.

I value our government’s tax laws and deeply regret that this incident may have occurred. Please note that while this incident may have affected my total income, I did not actually lose any patient records.   Working with my accountant and my bank, I  have conducted a thorough review of all of my deposits to ensure that no further possible gaps in income records occur.

If you would like to inquire about this report or have any other questions about the incident, please call 877-xxx-xxxx, between the hours of 9 am – 5 pm ET Monday through Thursday.  I am focused on providing the highest level of service for my patients and my government and am committed to doing everything I can to resolve this issue expediently and completely.

Dr. Dissent

Yeah, that should go over really well, right?

What inspired this ridiculous letter?   Last week’s  press release and open letter from Westin Bonaventure Hotel & Suites exceeded my threshold for “may have, might have, possibly, potentially” waffling.

Either they had a security breach or they didn’t. Why do they say that there “may have been” a breach and then, in the next breath, referring to “the unlawfully accessed data?” If data were unlawfully accessed, then there was a breach, right? Knock off the waffling, folks.

And if I’ve misinterpreted their excessively waffled press release and open letter to customers and they really don’t know whether they’ve been breached — keeping in mind that we are now in March and the “possible” breach supposedly occurred between April 2009 (almost a year ago!) and December 2009 — why don’t they know for sure and what does that say about their security?

So new rules (and Congress, feel free to take note and incorporate in that legislation that you never seem to get around to passing):

1. If an entity knows that it has had a breach, even if it is not sure whose data or how much data were accessed, exposed, or acquired, it cannot say “may have,” “might have,” or “possible” in describing whether there was a breach. It must forthrightly say “There was a breach.”

2. If an entity doesn’t know for sure that it has been breached, it needs to come out and admit its inability to determine if its system was breached and explain why it can’t figure it out (e.g., “We meant to get around to keeping logs, but gosh darn, Tom got busy playing online poker” or “Well, the hackers are smarter than our IT guys and we didn’t want to spring for a forensic investigation unless Visa tells us we have to” or “We collected years’ worth of customer calls without ever thinking about how we would retrieve personally identifiable information from all those files in a timely fashion.”).

3. If an entity knows there was a breach but doesn’t know whose data were exposed, accessed, or acquired, it needs to come out and admit that it is currently clueless and tell all those potentially affected to assume the worst. Statements such as, “While we have no reason to believe…” or “We have not received any reports of….” and “In an abundance of caution” are hereafter banned.

Failure to adhere to these new rules may place on you the Office of Inadequate Security’s new Waffling Hall of Shame List. This is now a no-waffling zone.

No related posts.

Category: Commentaries and AnalysesOf Note

Post navigation

← UK Commons committee rejects six-year DNA records plan
Server theft at Arkansas eye clinic could affect 9,000 people →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Hacker helped kill FBI sources, witnesses in El Chapo case, according to watchdog report
  • Texas Centers for Infectious Disease Associates Notifies Individuals of Data Breach in 2024
  • Battlefords Union Hospitals notifies patients of employee snooping in their records
  • Alert: Scattered Spider has added North American airline and transportation organizations to their target list
  • Northern Light Health patients affected by security incident at Compumedics; 10 healthcare entities affected
  • Privacy commissioner reviewing reported Ontario Health atHome data breach
  • CMS warns Medicare providers of fraud scheme
  • Ex-student charged with wave of cyber attacks on Sydney uni
  • Detaining Hackers Before the Crime? Tamil Nadu’s Supreme Court Approves Preventive Custody for Cyber Offenders
  • Potential Cyberattack Scrambles Columbia University Computer Systems

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • Hacker helped kill FBI sources, witnesses in El Chapo case, according to watchdog report
  • Germany Wants Apple, Google to Remove DeepSeek From Their App Stores
  • Supreme Court upholds Texas law requiring age verification on porn sites
  • Justices nix Medicaid ‘right’ to choose doctor, defunding Planned Parenthood in South Carolina
  • European Commission publishes its plan to enable more effective law enforcement access to data
  • Sacred Secrets: The Biblical Case for Privacy and Data Protection
  • Microsoft’s Departing Privacy Chief Calls for Regulator Outreach

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.