Bear Jokes

This was forwarded to me. I am unaware of the original source of this image, but I could not resist posting it here.

Reminds me of the joke about a life-long city resident who visits an Alaskan gun store and asks if his pistol is enough to defend himself against bears. A weathered old trapper looks at him and tells him to file off the bead at the tip of the barrel. “Why remove the bead?” the visitor asks. “Well, for one it will hurt less when the bear shoves it up your @$#.”

Or then there’s the joke about the hikers who happen upon a bear who roars at them and starts to charge:
“What now?” asks one hiker.
“Run!” says the other.
“Can you really outrun the bear?”
“No, but I can outrun you…”

Article published in Bank InfoSecurity

An article that quotes me on GLBA has been published on Bank InfoSecurity. It is called “GLBA Compliance: Tips for Building a Successful Program Board Involvement, Documentation of Programs Key to Favorable Reviews”.

When an institution’s focus turns to compliance with the Gramm-Leach-Bliley Act (GLBA), questions always pop up — What should the institution’s core GLBA program include; who should be involved; what kind of information is needed, and what should be prepared for an assessment?

We’ve asked industry thought-leaders for their insights on GLBA program essentials, including board member involvement, key components of an information security program, as well as the keys to a successful GLBA compliance examination – and how to avoid a bad one.

You have to register to read, but registration is free.

SSN printed on mailing labels at Univ of Maryland

This is the kind of breach that makes you go “huh?” The Breach Blog tells a sad tale of mailing labels gone awry:

On July 1st, 2008, the University of Maryland Department of Transportation Services mailed an on-campus parking brochure to all students registered for Fall 2008 classes as of June 15, 2008. Recipient Social Security numbers were inadvertently exposed on the mailing labels.

I hope the regulators fine the DoT for every label. Everyone knows the DoT loves to hand out violations, so fair is fair. On the other hand, they might incorporate the fine by raising parking violation fees…

First HIPAA fine enforced

The news release speaks for itself:

The U.S. Department of Health & Human Services (HHS) has entered into a Resolution Agreement with Seattle-based Providence Health & Services (Providence) to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules. In the agreement, Providence agrees to pay $100,000 and implement a detailed Corrective Action Plan to ensure that it will appropriately safeguard identifiable electronic patient information against theft or loss.

Ouch. This follows a recent warning by the Department of Justice that HIPAA is now being taken seriously and will be enforced.

The incidents giving rise to the agreement involved two entities within the Providence health system, Providence Home and Community Services and Providence Hospice and Home Care. On several occasions between September 2005 and March 2006, backup tapes, optical disks, and laptops, all containing unencrypted electronic protected health information, were removed from the Providence premises and were left unattended. The media and laptops were subsequently lost or stolen, compromising the protected health information of over 386,000 patients. HHS received over 30 complaints about the stolen tapes and disks, submitted after Providence, pursuant to state notification laws, informed patients of the theft. Providence also reported the stolen media to HHS. OCR and CMS together focused their investigations on Providence’s failure to implement policies and procedures to safeguard this information.

It is vital to note, in the text above, the role that breach notification played: the state-mandated notices to patients are what generated the complaints to HHS that triggered the investigation.