DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

[RANT] New Rule: No Waffling

Posted on March 8, 2010 by Dissent

A recent press release and open letter from Westin Bonaventure Hotel & Suites induces a rant.

I’m working on my taxes and thought I’d send this notification off to the I.R.S.:

To valued I.R.S. employees:

I wish to inform you of possible income earned involving my private practice. At some point during the period April 2009 through December 2009,  income may have been received. The income possibly obtained through this employment would have included checks and cash from patients, and possibly some checks from insurance carriers.  If you consider this reportable and taxable income, you may be owed money, but at the present time, I have no reason to believe that this is the case.   I have been working closely and cooperating fully with my accountant to investigate and respond to the  income received.

I value our government’s tax laws and deeply regret that this incident may have occurred. Please note that while this incident may have affected my total income, I did not actually lose any patient records.   Working with my accountant and my bank, I  have conducted a thorough review of all of my deposits to ensure that no further possible gaps in income records occur.

If you would like to inquire about this report or have any other questions about the incident, please call 877-xxx-xxxx, between the hours of 9 am – 5 pm ET Monday through Thursday.  I am focused on providing the highest level of service for my patients and my government and am committed to doing everything I can to resolve this issue expediently and completely.

Dr. Dissent

Yeah, that should go over really well, right?

What inspired this ridiculous letter?   Last week’s  press release and open letter from Westin Bonaventure Hotel & Suites exceeded my threshold for “may have, might have, possibly, potentially” waffling.

Either they had a security breach or they didn’t. Why do they say that there “may have been” a breach and then, in the next breath, referring to “the unlawfully accessed data?” If data were unlawfully accessed, then there was a breach, right? Knock off the waffling, folks.

And if I’ve misinterpreted their excessively waffled press release and open letter to customers and they really don’t know whether they’ve been breached — keeping in mind that we are now in March and the “possible” breach supposedly occurred between April 2009 (almost a year ago!) and December 2009 — why don’t they know for sure and what does that say about their security?

So new rules (and Congress, feel free to take note and incorporate in that legislation that you never seem to get around to passing):

1. If an entity knows that it has had a breach, even if it is not sure whose data or how much data were accessed, exposed, or acquired, it cannot say “may have,” “might have,” or “possible” in describing whether there was a breach. It must forthrightly say “There was a breach.”

2. If an entity doesn’t know for sure that it has been breached, it needs to come out and admit its inability to determine if its system was breached and explain why it can’t figure it out (e.g., “We meant to get around to keeping logs, but gosh darn, Tom got busy playing online poker” or “Well, the hackers are smarter than our IT guys and we didn’t want to spring for a forensic investigation unless Visa tells us we have to” or “We collected years’ worth of customer calls without ever thinking about how we would retrieve personally identifiable information from all those files in a timely fashion.”).

3. If an entity knows there was a breach but doesn’t know whose data were exposed, accessed, or acquired, it needs to come out and admit that it is currently clueless and tell all those potentially affected to assume the worst. Statements such as, “While we have no reason to believe…” or “We have not received any reports of….” and “In an abundance of caution” are hereafter banned.

Failure to adhere to these new rules may place on you the Office of Inadequate Security’s new Waffling Hall of Shame List. This is now a no-waffling zone.

Category: Commentaries and AnalysesOf Note

Post navigation

← UK Commons committee rejects six-year DNA records plan
Server theft at Arkansas eye clinic could affect 9,000 people →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Nigerian National Sentenced To More Than Five Years For Hacking, Fraud, And Identity Theft Scheme
  • Data breach of patient info ends in firing of Miami hospital employee
  • Texas DOT investigates breach of crash report records, sends notification letters
  • PowerSchool hacker pleads guilty, released on personal recognizance bond
  • Rewards for Justice offers $10M reward for info on RedLine developer or RedLine’s use by foreign governments
  • New evidence links long-running hacking group to Indian government
  • Zaporizhzhia Cyber ​​Police Exposes Hacker Who Caused Millions in Losses to Victims by Mining Cryptocurrency
  • Germany fines Vodafone $51 million for privacy, security breaches
  • Google: Hackers target Salesforce accounts in data extortion attacks
  • The US Grid Attack Looming on the Horizon

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • California county accused of using drones to spy on residents
  • How the FBI Sought a Warrant to Search Instagram of Columbia Student Protesters
  • Germany fines Vodafone $51 million for privacy, security breaches
  • Malaysia enacts data sharing rules for public sector
  • U.S. Enacts Take It Down Act
  • 23andMe Bankruptcy Judge Ponders Trump Bill’s Injunction Impact
  • Hell No: The ODNI Wants to Make it Easier for the Government to Buy Your Data Without Warrant

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.