Exploiting Privacy Breaches

I've described information security as a Cold War, requiring constant investment and vigilance to innovate faster than the hackers and criminals who are stealing data to commit identity theft.

I'm spending an increasing percentage of my resources on regulatory compliance and data protection.

Over the past year, Federal and State governments have:

1. Specified standards to protect healthcare data during transport

2. Required encryption of data at rest

3. Required breach notification to patients and prominent media

4. Created policy to define meaningful consent and other important patient privacy rights

5. Launched a new initiative on data segmentation in an effort to support more granular healthcare privacy preferences

CIOs and Chief Information Security Officers are working as hard as they can, hackers are intensifying their attacks, and the world is accelerating its adoption of mobile technologies that make perfect control of data more challenging. Despite all our efforts, breaches will occur. Even the most sophisticated security companies have been breached by increasingly sophisticated malware.

There's a dark side to all of this that is the subject of today's blog post - using the new privacy breach reporting laws for personal gain.

There are many good attorneys. My parents are attorneys (patent and business law). Some of my favorite colleagues are attorneys working hard in the public interest (Deven McGraw at CDT, Jodi Daniel at ONC).

As with any profession, there are those attorneys who use the law for personal gain. Here's a list of privacy breach class action suits, comparing payments to attorneys versus their clients.

There are many good investors. Accelerating new technology by providing funding to those who can build high value businesses is a good thing. As with any profession, there are investors who put profits ahead of societal benefits.

I've heard discussion about an alarming new business model: investors paying attorneys to file class action suits related to privacy breaches in return for a portion of the profits.

Privacy breach reporting is now public. Identifying a class is easy.