DataBreaches.Net

[RANT] New Rule: No Waffling

Posted on March 8, 2010 by Dissent

A recent press release and open letter from Westin Bonaventure Hotel & Suites induces a rant.

I’m working on my taxes and thought I’d send this notification off to the I.R.S.:

To valued I.R.S. employees:

I wish to inform you of possible income earned involving my private practice. At some point during the period April 2009 through December 2009, income may have been received. The income possibly obtained through this employment would have included checks and cash from patients, and possibly some checks from insurance carriers. If you consider this reportable and taxable income, you may be owed money, but at the present time, I have no reason to believe that this is the case. I have been working closely and cooperating fully with my accountant to investigate and respond to the income received.

I value our government’s tax laws and deeply regret that this incident may have occurred. Please note that while this incident may have affected my total income, I did not actually lose any patient records. Working with my accountant and my bank, I have conducted a thorough review of all of my deposits to ensure that no further possible gaps in income records occur.

If you would like to inquire about this report or have any other questions about the incident, please call 877-xxx-xxxx, between the hours of 9 am – 5 pm ET Monday through Thursday. I am focused on providing the highest level of service for my patients and my government and am committed to doing everything I can to resolve this issue expediently and completely.

Dr. Dissent

Yeah, that should go over really well, right?

What inspired this ridiculous letter? Last week’s press release and open letter from Westin Bonaventure Hotel & Suites exceeded my threshold for “may have, might have, possibly, potentially” waffling.

Either they had a security breach or they didn’t. Why do they say that there “may have been” a breach and then, in the next breath, refer to “the unlawfully accessed data”? If data were unlawfully accessed, then there was a breach, right? Knock off the waffling, folks.

And if I’ve misinterpreted their excessively waffled press release and open letter to customers and they really don’t know whether they’ve been breached — keeping in mind that we are now in March and the “possible” breach supposedly occurred between April 2009 (almost a year ago!) and December 2009 — why don’t they know for sure and what does that say about their security?

So new rules (and Congress, feel free to take note and incorporate in that legislation that you never seem to get around to passing):

1. If an entity knows that it has had a breach, even if it is not sure whose data or how much data were accessed, exposed, or acquired, it cannot say “may have,” “might have,” or “possible” in describing whether there was a breach. It must forthrightly say “There was a breach.”

2. If an entity doesn’t know for sure that it has been breached, it needs to come out and admit its inability to determine if its system was breached and explain why it can’t figure it out (e.g., “We meant to get around to keeping logs, but gosh darn, Tom got busy playing online poker” or “Well, the hackers are smarter than our IT guys and we didn’t want to spring for a forensic investigation unless Visa tells us we have to” or “We collected years’ worth of customer calls without ever thinking about how we would retrieve personally identifiable information from all those files in a timely fashion.”).

3. If an entity knows there was a breach but doesn’t know whose data were exposed, accessed, or acquired, it needs to come out and admit that it is currently clueless and tell all those potentially affected to assume the worst. Statements such as, “While we have no reason to believe…” or “We have not received any reports of….” and “In an abundance of caution” are hereafter banned.

Failure to adhere to these new rules may place you on the Office of Inadequate Security’s new Waffling Hall of Shame List. This is now a no-waffling zone.

Category: Commentaries and Analyses, Of Note