Whither Cloud Computing?

If you’ve heard of cloud computing and all the security issues that surround it, and if you’re wondering if you should trust the security of your sensitive and confidential data to a third party service provider, well, all I can say is that you’re like the old timer who hoards his wad of cash in crumpled bills under his mattress, believing that that’s the safest place for them simply because it’s within eyesight range. It’s an old school of thought that if you can see it, you can protect it. And although we have come a long way since the system of banking was invented and we accustomed ourselves to it, we’re still cavemen at heart who would prefer to keep our valuables close by.

Arguably the most valuable asset any enterprise has today is its data; without information, they’re nothing. And they must provide this data with the best safeguards there are in the business. This is why levels of security and passwords were invented, so that data is protected from prying eyes and the wrong hands. But your entire setup is only as strong as the weakest link, and here, it’s the human factor. If one employee can be tempted to compromise their principles and ethics, for money, revenge or any other reason, then it’s time to say goodbye to the usefulness of proprietary security measures. Human beings are also prone to errors, and because of that, we have data breaches through stolen and misplaced laptops or computers left unprotected through oversight.

Cloud computing is a pretty safe bet when you consider such issues – your data is not in your hands, which makes internal security lapses a moot issue. But there are other aspects that you must consider – the popularity and efficacy of the service provider you choose. Take Google for instance; the search engine giant is extremely popular, and as such, an attractive target for hackers. They know that if they target the cloud, they can bring down a host of sites with one blow. And so they’re going to try harder in their efforts to do so.

But organizations would be willing to stick with Google because they know what it’s capable of; they know that it has a reputation to live up to, and that there’s a certain aspect of trust involved when you’re putting all your eggs in one basket. Cloud computing is exactly that – putting all your eggs in one very protected basket. But if the basket does break, you’re in an unholy mess with egg all over your face! It’s a tricky proposition, deciding whether or not to go with cloud computing, a decision that your needs and budget must dictate.

The idea is still in its early stages, so we must wait and watch to see if any further security issues crop up. And crop up they will, because where there’s a target, you can bet your last dollar that there will be a hunter hidden in the bushes somewhere.

This post was contributed by Datakos guest author Holly McCarthy, who writes for the online college. Holly can be reached at hollymccarthy12@gmail.com.


CVS Pays $2.25 Million and Toughens Practices to Settle HIPAA Privacy Case

The U.S. Department of Health and Human Services and the Federal Trade Commission today announced that CVS, the nation’s largest retail pharmacy chain, will pay the U.S. government a $2.25 million settlement and take corrective action to ensure it does not violate the privacy of its millions of patients when disposing of patient information such as identifying information on pill bottle labels. The settlement, which applies to all of CVS’s more than 6,000 retail pharmacies, follows an extensive investigation by the HHS Office for Civil Rights (OCR) for potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule.

In a coordinated action, CVS Caremark Corp., the parent company of the pharmacy chain, also signed a consent order with the FTC to settle potential violations of the FTC Act. OCR, which enforces the Privacy Rule, opened its investigation of CVS pharmacy compliance with the Privacy Rule after media reports alleged that patient information maintained by the pharmacy chain was being disposed of in industrial trash containers outside selected stores that were not secure and could be accessed by the public.

At the same time, the FTC opened an investigation of CVS. OCR and the FTC conducted their investigations jointly. This is the first instance in which OCR has coordinated investigation and resolution of a case with the FTC. “OCR is committed to strong enforcement of the HIPAA Privacy Rule to protect patients’ rights to privacy of their health information. We hope that this agreement will spur other health organizations to examine and improve their privacy protections for patient information during the disposal process,” said Robinsue Frohboese, acting director of OCR. “Such safeguards will benefit consumers everywhere.”

The Privacy Rule requires health plans, health care clearinghouses and most health care providers (covered entities), including most pharmacies, to safeguard the privacy of patient information, including such information during its disposal. Among other issues, the reviews by OCR and the FTC indicated that:

* CVS failed to implement adequate policies and procedures to appropriately safeguard patient information during the disposal process; and
* CVS failed to adequately train employees on how to dispose of such information properly.

Under the HHS resolution agreement, CVS agreed to pay a $2.25 million resolution amount and implement a robust corrective action plan that requires Privacy Rule compliant policies and procedures for safeguarding patient information during disposal, employee training and employee sanctions for noncompliance.

HHS and FTC also will require CVS to actively monitor its compliance with the resolution agreement and FTC consent order. The monitoring requirement specifies that CVS must engage a qualified independent third party to conduct assessments of CVS compliance and render reports to the federal agencies. The HHS corrective action plan will be in place for three years; the FTC requires monitoring for 20 years.

The HHS Resolution Agreement and Corrective Action Plan can be found on the OCR Web site at http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/cvsresagrcap.pdf. OCR has posted new FAQs that address the HIPAA Privacy Rule requirements for disposal of protected health information.

They can be found on the OCR Web site at http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/disposalfaqs.pdf.

Information about the FTC Consent Order agreement is available at http://www.ftc.gov.

Feds Set Sights on ‘Gatekeepers’ in Fraud Investigations

Joe Palazzolo
Legal Times

Federal law enforcement officials said Wednesday they are targeting lawyers, mortgage brokers, real estate brokers and other “gatekeepers” who perpetrated fraud that contributed to the current economic crisis — a clear warning shot as the federal government is pumping billions of dollars into the financial sector.

“They have the most to lose, they’re the most likely to flip, and they make the best examples,” said Neil Barofsky, the special inspector general for the Troubled Assets Relief Program, during a congressional hearing on fraud enforcement. Senate Judiciary Committee Chairman Patrick Leahy, D-Vt., was even more blunt: “I want to see these people prosecuted,” he said. “Frankly, I want to see them go to jail.” The hearing was meant to underscore the need for more law enforcement resources amid an upsurge in mortgage and corporate fraud investigations.

Leahy and Sen. Charles Grassley, R-Iowa, have introduced a bill that would expand the scope of federal fraud laws and provide funding for more prosecutors and investigators. FBI Deputy Director John Pistole told the committee that mortgage fraud investigations nearly doubled in the last two years to more than 1,600 in 2008. The bureau, he said, has more than 530 corporate fraud investigations open, including 38 directly related to the current financial crisis.

Pistole said he could see that number potentially rising into the hundreds. But federal law enforcers could do much more with additional resources, he said, pointing to the Justice Department’s successes in the wake of the savings-and-loan crisis of the 1980s. At the time, 1,000 agents and forensic investigators and dozens of federal prosecutors were devoted to the effort, which produced more than 600 convictions and $130 million in restitution. Compared to the $160 million lost during the S&L crisis, the current situation is far more dire, with financial institutions globally reducing their assets by more than $1 trillion. But the Justice Department’s focus on national security has diminished the fraud ranks.

Pistole said 240 agents, supplemented by investigators from other agencies, are working on fraud cases stemming from the economic crisis. Rita Glavin, acting head of the Justice Department’s Criminal Division, said the department was in discussions with Barofsky about how best to handle criminal referrals and prosecutions when his office uncovers wrongdoing. She also said the Justice Department’s fraud section had created a mortgage fraud working group, with a collection of other enforcement agencies. Sen. Sheldon Whitehouse, D-R.I., asked Glavin whether DOJ had any designs for a nationwide mortgage fraud taskforce. Then-Attorney General Michael Mukasey repeatedly rejected the idea, saying individual U.S. Attorneys’ Offices were better equipped to handle the work. Glavin said the department was studying the issue. “No decision has been made with respect to that,” she said.

E-Discovery Trends in 2009 — New developments in e-discovery will affect enterprise general counsel and compliance officers, law firms serving corporate clients, and IT departments

By Christine Taylor, January 9, 2008, 12:10 PM

A few years ago, the Taneja Group coined the term “Information Classification and Management” (ICM) to describe the technology of locating and classifying data throughout the enterprise. ICM covered sub-technology sectors such as e-discovery, compliance, data security control, and data management. However, we saw the term “e-discovery” trump the more comprehensive name as rabid attention turned from ICM to the specifics of civil litigation software tools. We are now seeing the e-discovery term itself take on a fuller usage, more akin to ICM. People do use the term when talking about civil litigation, but are also expanding it to encompass compliance, corporate governance, data classification, and even knowledge management.

In this broad sense we have looked at the trends of the e-discovery market as they impact its largest stakeholders: the enterprise general counsel and compliance officers, law firms serving corporate clients, and IT.

The crux of the matter is that e-discovery and its related areas will be extremely hot for litigation and compliance, especially those related to the financial meltdown. The market increasingly understands the necessity of e-discovery software tools and systems, and will move toward proactive e-discovery adoption. A more reactive approach will remain alive and well as many companies will still avoid implementation until driven to it by a lawsuit or federal investigation. But companies will increasingly understand that the e-discovery solution phenomenon is much more than a litigation aid. It also has major effects on federal compliance and internal governance, and potentially on data management throughout the enterprise.

For more see byteandswitch.com.

E-Discovery Requirements Are About to Hit Canadian Firms

As Canadian firms brace for new e-discovery rules, they can look to their U.S. counterparts for technology lessons.

By Anne Rawland Gabriel

Time is growing short for Canadian securities firms to prepare for the scheduled April enforcement of the new Canadian National Instrument 31-103 (NI 31-103), regulation that significantly expands record keeping requirements for electronic communications. Fortunately NI 31-103 substantively mirrors U.S. regulations already in place, which means Canadian firms have the opportunity to learn from others’ experiences.

“NI 31-103 is very similar to SEC and FINRA requirements in the U.S.,” says Carolyn DiCenzo, a Gartner research VP. “It’s important to remember that the spirit of the law is communications and not just one particular type of communication, such as e-mail or instant messaging.”

For more see wallstreetandtech.com.

Welcome to 2009: the year of the regulator

British businesses will have to navigate a “regulatory minefield” in 2009 as global law enforcement agencies and regulators step up activity in response to the economic downturn, leading lawyers warn.

Neil Gerrard, head of the regulatory and litigation practice at DLA Piper, said: “I have no hesitation in calling the developing situation a regulatory minefield – and this is not an exaggeration. We are operating in an unprecedented time of financial pressures and market volatility and the authorities are more determined than ever that everyone will play by the rules.”

Mr Gerrard’s comments, which are echoed across the legal industry, follow an intense burst of regulatory activity in 2008. Last year saw the Financial Services Authority (FSA) launch its maiden criminal prosecutions for insider dealing and forging documents as well as tens of civil cases for market abuse and other offences. It also saw the Office of Fair Trading (OFT) launch its first criminal price-fixing prosecutions and levy record fines on businesses for breaking competition rules. Elsewhere the Serious Fraud Office (SFO), HM Revenue and Customs and the Health and Safety Executive all announced major investigations against British businesses and individuals.

Robert Wardle, former director of the SFO and a consultant at DLA Piper, said the aftermath of the credit crunch would create a particular focus: “We live in a fast changing world and have witnessed drastic and irreversible changes to our financial sector this year with the effects due to continue well into the new year and into the next decade,” he said.

“In the UK, the SFO has already announced a 50 per cent increase in investigations planned for 2009, whilst the FSA and City of London Police are keen to show that London is no soft touch on regulatory enforcement,” Mr Wardle added.

Although experts are divided over whether there is an increase in the actual level of corporate crime committed during an economic downturn, they are united in the belief that the level of such crime which is discovered always surges when times are tough. “When credit dries up and management changes, fraud comes to light,” Mr Wardle said. “There will be lots of material for regulators to look at in 2009.”

As well as having more material to investigate, regulators and prosecutors will have the benefit of new tools to help pursue wrongdoing. In particular, Mr Wardle points out that the current recession is the first for which the Fraud Act 2006 will be in effect. In addition to simplifying the offence of fraud, the act also criminalises new practices such as making false representations and failing to disclose information, making it easier to prosecute behaviour that previously slipped outside the definition of fraud.

For more see timesonline.com.

Securities and Exchange Commission v. Bernard L. Madoff and Bernard L. Madoff Investment Securities LLC (S.D.N.Y. Civ. 08 CV 10791 (LLS)) SEC Obtains Preliminary Injunction, Asset Freeze, and Other Relief Against Defendants

The United States Securities and Exchange Commission announced that on December 18, 2008, the Honorable Judge Louis L. Stanton, a federal judge in the Southern District of New York, entered a preliminary injunction order, by consent, against Bernard L. Madoff and Bernard L. Madoff Investment Securities LLC (“BMIS”).

The preliminary injunction continues to restrain Madoff and BMIS from violating certain antifraud provisions of the federal securities laws. Also, by consent, Judge Stanton ordered that assets remain frozen until further notice, continued the appointment of a receiver for two entities owned or controlled by Madoff in the United Kingdom (while defendant BMIS remains subject to oversight by a SIPC trustee), and granted other relief. The preliminary injunction order continues the relief originally obtained on December 12, 2008, in response to the Commission’s application for emergency preliminary relief that sought a temporary restraining order, an order freezing assets, and other relief against Madoff and BMIS based on his alleged violations of the federal securities laws.

The SEC’s complaint, filed on December 11, 2008, in federal court in Manhattan, alleges that the defendants have committed a $50 billion fraud and violated Section 17(a) of the Securities Act of 1933, Section 10(b) of the Securities Exchange Act of 1934 and Rule 10b-5 thereunder, and Sections 206(1) and 206(2) of the Advisers Act of 1940. The complaint alleges that Madoff last week informed two senior employees that his investment advisory business was a fraud. Madoff told these employees that he was “finished,” that he had “absolutely nothing,” that “it’s all just one big lie,” and that it was “basically, a giant Ponzi scheme.” The senior employees understood him to be saying that he had for years been paying returns to certain investors out of the principal received from other, different investors. Madoff admitted in this conversation that the firm was insolvent and had been for years, and that he estimated the losses from this fraud were at least $50 billion.

The Commission continues to seek, among other things, a permanent injunction, disgorgement of ill-gotten gains plus pre-judgment interest, and civil money penalties.