Maybe I’m just getting grumpy and mean as I get older. Maybe that’s why I’m using the word ‘failure’ so much of late. After all, I did recently celebrate my 43rd birthday – so maybe I’m just transforming from a semi-sane person into a mean old man that sits on his porch and shouts at kids to get off his lawn. Then again, maybe I’m still semi-sane and HIPAA and PCI are both toothless – and therefore lame and pointless.
PCI – Self Policing Run Amok
PCI – or the Payment Card Industry Data Security Standard – is not federal law. Instead, it’s a set of policies mandated by major credit card companies to help address the need to protect consumer information and prevent fraud. Or, at the least, that’s how it’s billed.
Importantly, both Nevada and Washington State have actually incorporated PCI standards into their own laws. Which is important, because I live in Washington State. Maybe I’ve misunderstood how the whole ‘law’ thing works, but when Target managed to lose around 40 MILLION credit and debit cards, it seems that maybe my State Attorney General should have probably gone after Target for the role that their lapse security played in this whole debacle. And if not Target, then definitely the Home Depot – who managed to ‘lose’ around 56 Million cards after they both knew that something like this was even possible (thanks to Target) and they had been repeatedly warned that their internal security was horrible.
Then again, for anyone living in states other than Nevada and Washington, I’m still a bit surprised that the Credit Card ‘cabal’ hasn’t figured out how to put some ‘teeth’ into PCI – to the point where they could make major breeches like those of Target and Home Depot painful enough for these bigger merchants that they’d have more of a vested interest in making security a bit more of a priority.
To date, though, all I’ve seen from both debacles has been a brand-new, shiny, card to replace the one stolen from Target and some ‘complimentary’ credit monitoring from the Home Depot. In short, until there’s some type of financial penalty for major failures like this, I expect ‘breeches’ like this to become a pretty common occurrence. But, hey, we’re only talking about something as important as people’s financial lives and/or credit records. So I’m probably just over-reacting.
HIPAA – Federal Legislation that was ignored by HealthCare.gov
While PCI isn’t Federal Law and therefore doesn’t have ‘teeth’, HIPAA (or the Health Insurance Portability and Accountability Act) is Federal Law and has very serious teeth – at least on paper. Fines for civil offences range from as little as $100 per individual (accidental) violation on up to $1.5 Million for instances of gross negligence. Criminal offences (i.e., wanton violation of the law) can also be punishable by as much as fines of $250,000 and up to 10 years in prison.
On paper, those penalties are nothing to sneeze at. Which is why I was absolutely gob-smacked when I recently saw the Electronic Frontier Foundation (which is NOT a branch office of the satire site ‘The Onion’ but which, instead, is a fantastic organization with very intelligent people dedicated to defending online privacy and rights) report that healthcare.gov is not only leaking PII like a sieve (broadcasting it in plain-text) but actively ‘beaming’ it out to over 14 third party organizations – including the likes of Twitter, Google, YouTube, and DoubleClick (an internet ad service).
Technically speaking, HIPAA can be interpreted somewhat broadly in terms of what it aims to safe-guard or protect. But the general gist of the privacy component of this law is that it aims to regulate or protect the transmission of data that might link an individual to anything relating to their health status, provision of care, or their payment of care. Healthcare.gov, it turns out, is sending information about the age, pregnancy status, parental status, zip code, and annual income of users on the site. Maybe I’m missing something, but it seems that the transmission of some of that data (in the clear – and to third parties) constitutes a clear violation of HIPAA’s Privacy Rule. Which is baffling, because I kind of mentally assume that ‘day 1’ for every developer, project manager, and anyone that had anything to do with building healthcare.gov would have been a tedious and exhaustive introduction to the ‘joys of HIPPA’.
Conclusion
PCI is, at present, pointless. Unless there’s some additional, financial, incentive levied against larger (and even smaller) organizations that lose customer information/PII and unless those fines and penalties are enforced, we’ll continue to see more and more ‘breeches’. And the problem is that these aren’t just an inconvenience for typical consumers and ‘nightmares’ for the occasional consumer – they’re hands-down disruptive to the entire economy for absolutely everyone involved.
HIPAA, on the other hand, does have teeth and those teeth do get used. I’ll therefore be very curious to see whether any action is taken against the ‘mega’ contractors who built HealthCare.gov and allowed it to leak PII (in clear text) like a sieve to some of the biggest data-gathering organizations in existence. Failure to prosecute will send a clear message that the Federal Government’s projects are ‘above the law’ – whereas action by the DOJ would send an equally clear message that – as much as possible – the Federal Government does and will take the breech of personal information seriously. I’m hoping for an outcome along the lines of the latter option. Until something like that happens, though, I’m going to argue that HIPAA is almost as toothless and useless as PCI.
