A recent press release and open letter from Westin Bonaventure Hotel & Suites induces a rant.
I’m working on my taxes and thought I’d send this notification off to the I.R.S.:
To valued I.R.S. employees:
I wish to inform you of possible income earned involving my private practice. At some point during the period April 2009 through December 2009, income may have been received. The income possibly obtained through this employment would have included checks and cash from patients, and possibly some checks from insurance carriers. If you consider this reportable and taxable income, you may be owed money, but at the present time, I have no reason to believe that this is the case. I have been working closely and cooperating fully with my accountant to investigate and respond to the income received.
I value our government’s tax laws and deeply regret that this incident may have occurred. Please note that while this incident may have affected my total income, I did not actually lose any patient records. Working with my accountant and my bank, I have conducted a thorough review of all of my deposits to ensure that no further possible gaps in income records occur.
If you would like to inquire about this report or have any other questions about the incident, please call 877-xxx-xxxx, between the hours of 9 am – 5 pm ET Monday through Thursday. I am focused on providing the highest level of service for my patients and my government and am committed to doing everything I can to resolve this issue expediently and completely.
Dr. Dissent
Yeah, that should go over really well, right?
What inspired this ridiculous letter? Last week’s press release and open letter from Westin Bonaventure Hotel & Suites exceeded my threshold for “may have, might have, possibly, potentially” waffling.
Either they had a security breach or they didn’t. Why do they say that there “may have been” a breach and then, in the next breath, referring to “the unlawfully accessed data?” If data were unlawfully accessed, then there was a breach, right? Knock off the waffling, folks.
And if I’ve misinterpreted their excessively waffled press release and open letter to customers and they really don’t know whether they’ve been breached — keeping in mind that we are now in March and the “possible” breach supposedly occurred between April 2009 (almost a year ago!) and December 2009 — why don’t they know for sure and what does that say about their security?
So new rules (and Congress, feel free to take note and incorporate in that legislation that you never seem to get around to passing):
1. If an entity knows that it has had a breach, even if it is not sure whose data or how much data were accessed, exposed, or acquired, it cannot say “may have,” “might have,” or “possible” in describing whether there was a breach. It must forthrightly say “There was a breach.”
2. If an entity doesn’t know for sure that it has been breached, it needs to come out and admit its inability to determine if its system was breached and explain why it can’t figure it out (e.g., “We meant to get around to keeping logs, but gosh darn, Tom got busy playing online poker” or “Well, the hackers are smarter than our IT guys and we didn’t want to spring for a forensic investigation unless Visa tells us we have to” or “We collected years’ worth of customer calls without ever thinking about how we would retrieve personally identifiable information from all those files in a timely fashion.”).
3. If an entity knows there was a breach but doesn’t know whose data were exposed, accessed, or acquired, it needs to come out and admit that it is currently clueless and tell all those potentially affected to assume the worst. Statements such as, “While we have no reason to believe…” or “We have not received any reports of….” and “In an abundance of caution” are hereafter banned.
Failure to adhere to these new rules may place on you the Office of Inadequate Security’s new Waffling Hall of Shame List. This is now a no-waffling zone.