For those using the Google Chrome web browser, it is important to know that a critical privacy bug has been reported in the browser which Google has not yet fixed.
Specifically, Chrome routinely retains sensitive information that users type into web forms on trusted websites, such as names, e-mail addresses, contact details and even credit card numbers, so that it can fill them in again later. It appears that Chrome stores this information in plain text, where it can be read by anyone with access to the user’s computer.
As such, until Google addresses this vulnerability, users should be extremely cautious about entering private data into websites with the Chrome browser if there is any chance that the computer can be accessed by others. Furthermore, because the information is cached without encryption or any other protective measure, a trojan horse or similar malware on the computer could read it and forward it to identity thieves.
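The practical check a practitioner wants here is to see for themselves what a browser profile exposes. The following Python script is an added example, not code from the original post or from Google; it assumes that the autofill data lives in a SQLite database whose `autofill` table has `name` and `value` columns (the layout of Chrome’s “Web Data” file, taken here as an assumption), builds a constructed sample of such a table in memory, and reports which stored values look like e-mail addresses, phone numbers or card numbers (card candidates are confirmed with a Luhn check so that ordinary long numbers are not flagged).

```python
import re
import shutil
import sqlite3
import tempfile

# Constructed sample rows (not real user data) in the shape of the
# assumed autofill table: (field name, value typed into the form).
SAMPLE_ROWS = [
    ("email", "alice@example.com"),
    ("full_name", "Alice Example"),
    ("phone", "555-010-1234"),
    ("cc_number", "4111 1111 1111 1111"),
    ("search_q", "weather"),
]

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
DIGIT_RE = re.compile(r"\d")


def luhn_ok(digits):
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify(value):
    """Label a stored value as 'email', 'card_number', 'phone' or None."""
    if EMAIL_RE.match(value):
        return "email"
    digits = "".join(DIGIT_RE.findall(value))
    if 13 <= len(digits) <= 19 and luhn_ok(digits):
        return "card_number"
    if len(digits) >= 10:
        return "phone"
    return None


def mask(value):
    """Keep only the last four characters so the report itself is not a leak."""
    return "*" * max(len(value) - 4, 0) + value[-4:]


def build_sample_db():
    """Create an in-memory database with the assumed autofill layout."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE autofill (name VARCHAR, value VARCHAR, value_lower VARCHAR, "
        "date_created INTEGER, date_last_used INTEGER, count INTEGER DEFAULT 1)"
    )
    conn.executemany(
        "INSERT INTO autofill (name, value, value_lower) VALUES (?, ?, ?)",
        [(n, v, v.lower()) for n, v in SAMPLE_ROWS],
    )
    conn.commit()
    return conn


def audit_autofill(conn):
    """Return (field name, kind, masked value) for every sensitive-looking row."""
    findings = []
    for name, value in conn.execute("SELECT name, value FROM autofill ORDER BY rowid"):
        kind = classify(value)
        if kind:
            findings.append((name, kind, mask(value)))
    return findings


def audit_web_data_file(path):
    """Audit a real database file. The running browser may hold a lock on it,
    so the file is copied to a temporary location before being opened."""
    with tempfile.NamedTemporaryFile(suffix=".sqlite", delete=False) as tmp:
        shutil.copyfile(path, tmp.name)
        conn = sqlite3.connect(tmp.name)
        try:
            return audit_autofill(conn)
        finally:
            conn.close()


if __name__ == "__main__":
    for name, kind, shown in audit_autofill(build_sample_db()):
        print(f"{name:12s} {kind:12s} {shown}")
```

Run against the constructed sample it reports the e-mail, phone and card rows and ignores the name and search term; pointing `audit_web_data_file` at a copy of a real profile database shows what an attacker with file access (or malware running as the user) would obtain without any further effort.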
While this clearly has serious potential repercussions for individuals using Chrome, the situation is even more serious for businesses. PCI DSS, the security standard that credit card processors usually require of any business that wants to accept card payments, requires stored cardholder data to be protected; a business whose workstations hold customers’ card numbers in plain text could, as a result, find itself out of compliance.
As such, individuals and businesses alike need to take this vulnerability very seriously.
“When former Morgan Stanley employee Garth Peterson pled guilty to violating the Federal Corrupt Practices Act by conspiring with a Chinese official to circumvent his company’s internal controls, the company avoided being penalized because it could provide substantial documentation of a robust compliance system. Had Morgan Stanley not been so committed to the implementation of transparent and thorough internal controls, things might have turned out very differently.”
Developing, implementing, and enforcing appropriate codes of conduct can be a time-consuming, expensive, and sometimes painful process for businesses. Publicly traded companies are, however, required to implement such codes of conduct under the Sarbanes-Oxley Act. Even for businesses that are not publicly traded, such policies, despite the birthing pains associated with their creation, can pay significant dividends on a number of fronts. They provide clear guidelines for both management and employees as to acceptable and ethical behavior in their industry, which reduces potential liability by reducing the likelihood of systemic illegal or unethical conduct.
The article linked to above from law.com discusses some of the benefits and challenges associated with putting codes of conduct in place. Ultimately, any growing company should strongly consider putting this kind of policy into place. Even if “now” is not yet the time for it, it should be a question of “when”, not “if”.
Enforcement of the HIPAA/HITECH Breach Notification Rule and related regulations is being significantly stepped up. As a consequence of the new fines and penalties associated with the HIPAA/HITECH Privacy Rule, being prepared in advance for an audit is becoming increasingly critical for covered entities.
Enforcement of the new HIPAA Breach Notification Rule is a big deal. In the past, audits had been performed only at entities against which a complaint had been filed. Under the new rule, audits are called for whether or not a complaint against the entity has been lodged. This means that HHS can show up at a covered entity’s door and perform an audit on short notice, and woe betide the entity that is not ready.
If a business is not ready for such an audit, it can be subject to new, significantly higher fines, including a mandatory minimum of $10,000 for willful neglect of compliance. These fines can go as high as $50,000 per violation. All HIPAA Covered Entities and Business Associates need to be fully in compliance and prepared for an audit at any time, or risk the penalties for non-compliance.
In some cases, multi-million dollar fines are possible. Recent enforcement actions have included a one-million dollar settlement for a breach of only 192 records, as well as another in which a small, two-doctor medical office entered into a $100,000 settlement with HHS over its lack of Security Rule compliance. It appears that the days of “slap-on-the-wrist” penalties are over; much larger fines and settlements are being levied, with more on the way.
The take-away for covered entities is that, if your HIPAA/HITECH compliance and audit preparation are not at 100%, now is the time to get them there, before it is too late.