I recently blogged about Veterans Affairs and the lost laptop that cost Veterans Affairs (taxpayers) $20M to settle a lawsuit against them. Now we have some very expensive trash.
Attention all public and private organizational leaders! Did you see the FTC charges released last week against CVS Caremark Corporation? Not establishing, implementing and maintaining a comprehensive information security program to protect the security, confidentiality, and integrity of the personal information it collects from consumers and its employees is expensive! The FTC order requires CVS to pay $2.25 million to HHS to settle HIPAA violations, and CVS is required to obtain independent, third-party audits every two years for the next 20 years.
I would strongly encourage all executive management personnel to take a few minutes to review the information and then immediately use the lesson CVS learned to proactively assess your organization’s information security and privacy practices – policies, procedures, processes, etc.
The FTC Complaint noted that CVS employees were discarding materials containing personal information in clear, readable text in unsecured, publicly accessible trash dumpsters on numerous occasions and at multiple CVS Pharmacy locations. The materials included prescriptions, prescription bottles, pharmacy labels, computer printouts, prescription purchase funds, credit card receipts, and employee records.
According to the FTC Complaint, CVS Pharmacies failed to (1) implement policies and procedures to dispose securely of such information, including, but not limited to, policies and procedures to render the information unreadable in the course of disposal; (2) adequately train employees to dispose securely of such information; (3) use reasonable measures to assess compliance with its established policies and procedures for the disposal of such information; or (4) employ a reasonable process for discovering and remedying risks to such information.
Unfortunately, most organizational leaders will not take the time to understand what this FTC order really means and will not use the FTC order to help their organization. For example, many organizations do not have a reasonable process for discovering and remedying risks, and they have no way to measure or assess whether employees understand or are in compliance with established policies and procedures. Too many organizations say “we have policies and procedures”, but they have no way to implement and maintain those policies and procedures as situations and risks change, because most organizations think once-a-year “event” training is good enough. That is definitely not the case, and it can be very expensive for your organization.