Healthcare CIOs have some real problems today. The Affordable Care Act (ACA) is having a big impact on the industry. The rules themselves are changing as the US President makes changes to the law, and depending on the outcome of the November congressional elections in the US we may have a congress that makes additional changes. The behavior of insurance companies is transforming as a result of the ACA, and health care customers, like you and me, are changing the way we access health care as we learn, usually the hard way, what is and is not covered and how much it will cost us. Just adding millions of new customers can have a destabilizing impact to the industry.

On top of that, factor in the government mandated migration from paper records to electronic medical record (EMR) systems. While the end results are probably beneficial, the migration is nothing but pain over many months or years for most organizations.

If that wasn’t enough, a combination of factors, including the ACA, is leading to massive mergers of hospitals and medical practices into larger and larger enterprises. A decade ago dozens of hospitals in my area are now just a couple of mega-medical companies. These mergers and acquisitions offer the CIO the opportunity to reconcile and merge a number of totally different hardware and software medical systems into one, or figure out how to run a business with multiple billing systems and keeping patients records accurate across multiple EMR systems.

No wonder that most of these CIOs do not have the time to be very interested in data security. There are millions of dollars of government rewards for moving to EMR and enabling Meaningful Use. Meaningful Use has the potential to provide significant benefits in health care and could lead to quicker approval of new uses for existing treatments, along with a significant increase in the potential for the government and insurance companies to misuse data about individuals. There are millions to be saved by quickly moving to a single software environment in these growing amalgamations of separate health care organizations. Besides, what’s the worse that can happen if a few records are stolen? It happens every day with doctors and file clerks accidentally leaving patient records out on an unattended desktop or similar sloppy behavior at labs, pharmacies and hospitals.

To a large extent, that is a reasonable response. Even in the desired end state of complete integrated EMR and billing systems plus a fully functional nationwide Meaningful Use infrastructure will not prevent these kinds of small errors. The loss of one person’s information is not a big problem for the medical institution.

However, the loss of thousands or millions of people’s medical records is a big problem for a medical organization. In my February 2014 posting The Cost of a HIPAA Breach I show that for significant breaches the cost in fines alone can start at $150,000 and easily rise to over a million dollars per incident. This does not include the approximately $200 for each lost record that it costs an organization on average to deal with a data breach.

A major data breach at your hospital or medical practice can cost million of dollars in fines, plus risks the loss of accreditation of your organization. It also often causes the CIO, or even the CEO, to seek employment elsewhere. If you think you have never had a breach, you would be better to think instead that you don’t know that you have had a data breach. Health care data accounted for 43% of major data breaches in 2013, and the Washington Post reported that over 30 million patients have been impacted by health care data breaches. Over 80% of data breaches are discovered by a third party.

For a longer look at these issues, check out Daniel Berger’s June 2014 What Healthcare CEO’s Need to Know about IT Security Risk paper. Mr. Berger is President and CEO of Redspin, Inc. Based in Santa Barbara, California, Redspin has become a leader in healthcare IT security and provides HIPAA security risk analysis and compliance, including meaningful use.

As your organization advertises its new treatment options, new care centers and new growth, a front page article that you have just lost thousands of patients’ data can negatively impact its reputation.

Next time I plan to talk about a way to protect the crown jewels of your IT infrastructure: the databases that contain your critical health care and financial data.

The last word:

In addition to the financial risks, hacking into health care records can kill people. Changing prescriptions, diagnosis, or test results, or modifying instructions to network-connected imaging, drug dispensing, and operating room equipment can kill or seriously harm a patient. Or a thousand patients.

Comments solicited.

Keep your sense of humor.


How Far Do You Go?

(This is another special posting by Suzy. I hope you enjoy it.)

Where did you set the boundaries of your child’s unsupervised play? Recently I’ve read a number of articles in magazines and newspapers purporting to guide parents of school age children about the type of limits they should establish over their children’s autonomous roaming. Many were spurred by the story of a single parent who had instructed her child to play in a nearby city park while she was at work. Childcare was too expensive, leaving her with a poignant dilemma. The reactions of the others triggered a few thoughts. They, the unnamed, invisible arbiters of social mores, castigated her for choosing to work rather and allowing the child to play in the park rather than making sure the child had someone with him constantly.

How parents arrange childcare evolves over time and geography. I remember reading a book in the early 80s: And Ladies of the Club by Helen Hooven Santmyer. It was a long book chronicling the lives of a couple of ladies living in Ohio from shortly after the Civil War to the years of the Great Depression. The concept that impressed me most from the book was how, with each subsequent decade, the children’s area of freedom to play, and play under their own recognizance, became more and more circumscribed. My own children were in elementary school at the time and I was constantly reassessing how much autonomy we should grant them. Like many parents, I thought back to what limits had been set for me and compared them to what had been set for Walt, factored in contemporary conditions, and hoped we made good decisions.

My limits to roam and what I was permitted to do changed with age and where we were living at the time. The more rural the living area, the greater the geography I was allowed. One of my favorite, and least restrictive, areas was living on Clairemont Mesa in San Diego in the mid 50s. Our neighborhood was still relatively remote from the city proper. We could drive down Clairemont Mesa Blvd. to our west and then down to the city or we could head eastward, over dirt roads between a couple of cattle ranches to Linda Vista. This was in a building boom era where ranch style houses were popping up faster than weeds could grow on freshly broken ground. For most of our time in that house one block of homes stood between us and miles of canyon to the north, and to the northeast was Miramar NAS.   Age wise, I’m on the leading edge of the baby-boomer generation so every house was guaranteed to have children who were potential playmates. During summer months and vacations from school, our mothers, for the most part, fed us breakfast, and told us to be home for lunch. After lunch we were told what time dinner would be and that we should be present. The latter was more than a suggestion and from the time I was eight I had a wrist watch to help me monitor my comings and goings. So off we went. My limit was to stay on the north side of Clairemont Mesa Blvd. We pedaled our bikes on every bit of paved road and into the areas that where new homes were being built. When just pedaling was too tame we rode handless. There were few cars to dodge as all our fathers were at work, and since most families still had only one car, our mothers were at home with housework or younger children or both. So how far we swerved across the street as we worked on our balance didn’t matter. If the construction men weren’t on the job, we would clamber over the work site to see how houses were developing. Sometimes we girls would play house in the framework of what would eventually be someone’s real home. We scrambled up and down the canyon walls. We caught horny toad lizards and snakes. We knew which were poisonous and which we could grab.   Parent rules stated that all critters had to be released at sunset. One of our favorite past times was to find a pasteboard box, large enough to sit it, take it to the edge of the canyon wall, and slide down. Was it safe? Probably not. Was it fun? You betcha! It was fast and relatively smooth until you bumped over a rock or couldn’t swerve around thick, dry shrub. Did we come out unscathed? Rarely. In the summer we all sported scabs from some minor injury. I also broke a couple of wristwatches a summer, which upset my parents more than the skinned knees. Skinned knees would heal, but watches cost money. We discovered that if we went just a little further we came to a valley that had trees and was green, and sometimes it had a tiny creek. We floated papers or leaves or seedpods. We kicked off our flip-flops, which we called go-aheads, and waded in the water as far as we could go. Our barrier was a chain link fence with a metal sign indicating that the federal government owned all the land on the other side of the fence. This was the far side of the Miramar Naval Air Base. One afternoon three of us stood there and stared at the fence. It really looked interesting on the other side. We didn’t see any people. We’d never seen any people there. The little creek was still trickling further into the valley on the other side of the fence, which did not protrude into the creek. For relatively small kids, it looked as if we could skinny underneath and continue our exploration. Dare we? The other two had civilian parents and felt it was no different than hopping a neighbor’s fence and going across a backyard. With a father in the service, I was familiar with going through guarded gates that required ID. I consulted my watch and decreed that there was not enough time to go any further than we could see beyond the fence and still get home by my time limit.   After some discussion we decided to wander back the way we had come. Even with the freedom granted by our parents, or maybe because of it, we generally made good decisions. At least ones that didn’t present too much danger.

I think that’s the key thing to keep in mind. We need to guide our children, not stifle them. Without practice none of us learns to make responsible decisions. Don’t you prefer to work for the boss who trusts you to do your job well? Without that sense of choice and discovery we tend to become indolent and resentful.

The last word:

I suspect there are bad side effects to reducing the time children have to play, imagine and explore at least apparently unsupervised. When we are overly protective or overly controlling we can negatively impact their futures in unexpected ways, including interpersonal relationships, love of learning, creativity, and even their health.

Comments solicited.

Keep your sense of humor.


This is the tenth year for the Verizon RISK Team study of incidents of cyber crime, and the fifth year I have written about their report (2010, 2011, 2012, and 2013). A set of what they call “eye-candy” begins this year’s report: beautifully simple charts mapping data breaches from 2004 through 2013. If you have any responsibility for securing the data in your company or have concerns over your own personal information I encourage you to at least admire pages 7-12.

Some of my key takeaways:

  • Cyber criminals are still looking for financial information with large-scale attacks on payment card systems and point-of-sale devices. 2013 was certainly a year of retailer breaches, and those are continuing into 2014.
  • Internal attacks increased slightly over last year’s report, but the main attack continues to be by external actors who are primarily attacking your servers.
  • While social engineering has increased as a threat action, hacking and malware continue to be the main ways the cybercriminals get into your systems.
  • The report shows a significant increase in Web Application attacks which take advantage of weak security and flaws in the programs that interface between the user and the data.
  • Point of Sale (POS) devices continue to be a target, with more sophisticated attacks each year. Whether you have one POS device in your single store or thousands scattered around the country or world, each needs to be protected.

Discovery and mitigation of a breach continues to be a real problem for most companies. Most attacks can compromise your data in a day or less. Most companies take weeks or more to discover the attack. What is far worse is that while companies as a whole are getting better at internal monitoring, the majority of breaches are still discovered by someone else including fraud detection by payment card processing companies and law enforcement, or other third parties. Over the past ten years the cybercriminals have gotten better at getting in and stealing data quickly, while companies have gotten worse at discovery.

The Verizon report contains specific recommendations for each type of attack. It is sad to note that these recommendations change little from year to year. In general, we are losing the war against the cybercriminals, especially as countries are actively using cyber-terrorism to support national issues. As just one example, the FBI is investigating a recent attack against five large US banks that may be instigated by the Russian government in retaliation for the US sanctions against Russia over the Ukraine.

If you are responsible for the security of PCI (Payment Card Industry) or HIPAA (health-care) information then you know you must be compliant. But that means more than just satisfying an internal or external audit. It means really embracing the business need to protect that data. Your company might not be able to survive the financial and reputation penalties of a significant breach, whether caused by an act of war, a criminal gang, or a disgruntled or unthinking employee.

The last word:

I do not often quote President Obama favorably, but his “Don’t Do Stupid Stuff” policy is right on in a number of areas, including data security. The vast majority of data breaches are enabled by someone doing something stupid. Do not let it be your company, or your personal finances.

On the other hand, President Obama’s “We don’t have a strategy [long pause] yet” statement really comes under that “stupid” category. He was referring to ISIS, but when your CEO asks you what your strategy is for data security, I suggest you do not repeat the President’s statement. ISIS formed in 2004, and by February 2014 al-Qaeda cut all ties to ISIS due to its brutality. Certainly by August 2014 the President of the United States ought to have a well-formulated strategy for dealing with them. Verizon has been making their annual data breach summaries freely available for ten years. You do not have any excuse for not having a well-formulated strategy for dealing with cybercriminals and cyber-terrorists.

Comments solicited.

Keep your sense of humor.


The Russians have stolen 1.2 billion Internet passwords! We are all doomed!

Probably not.

You can’t have missed the recent flurry from NBC News, The New York Times, USA Today, and almost every other news media about how a Russian crime ring has stolen 1.2 billion user name / password combinations plus over 500 million email addresses. These credentials were stolen from 420,000 different websites spanning everything from Fortune 500 companies to small companies across almost every line of business and all around the world.

The attack uses an old but still effective mechanism: introduce malware into the company’s network that looks for SQL databases, then use a technique called “SQL Injection” to steal data. SQL Injection takes advantage of bad code in application programs. When you sign into a website and enter your account number to get information such as your personal profile, the web site sends the request to an application program which then queries a database. Many of these databases are based on SQL, Structured Query Language, originally developed by IBM over 40 years ago. These databases now run on every kind of computer and are extensively used because of their reliability, scalability and relatively low cost. The application program sends an easy to understand query to the database. For example, it would send something like “give me the account information for account number 123.” The database returns the requested data to the application. If you ask “give me the account information for account number > 1” the database will return all of the account information for all of the accounts. If the programmer was not careful and testing was woefully lacking, you can fool the database into giving you a lot more information then intended or appropriate.

How serious is this particular attack? We don’t really know. The 420,000 hacked companies have not been identified. We don’t know how old the passwords are. Many critical systems require that you change your password periodically; many of the hacked user name password combinations may be months or years old. These attacks have apparently been going on for years, so it is not clear that this is really something new.

Surprisingly, and contrary to standard practice, Hold Security, who reported the breach, has not provided the victim companies sufficient information to verify the problem and identify specific individuals impacted. Hold Security has also announced a new service ($10/month) that will monitor your email address if it is one of the stolen emails. However, you must provide Hold Security with your email addresses and account passwords.

What should you do?

  1. Don’t panic.
  2. Monitor your financial activity frequently looking for unusual transactions. Especially look for small, often less than $10, transactions that you do not recognize. Many criminals use one or two small transactions to validate the information they have before they move to bigger transactions, and many are satisfied to pick up a few dollars from thousands of accounts and hopefully stay below the threshold to get government authorities interested in their activities. Some financial organizations, including Chase, actually monitor for these small transactions and will notify you to determine whether they are valid.
  3. Identify your important financial and medical web sites. While you probably have dozens of different accounts you access online, most of them would have little impact on you if they were compromised. Note which accounts are linked to a bank account or credit/debit card. For example, if you use Amazon one-click to make purchases, then Amazon is an important account
  4. Change your passwords frequently on those important web sites. To me, frequently means at least four times a year.
  5. Do not use the same password for more than one account.
  6. Do not use a simple password. Your password should be at least eight characters long, and contain at least one lowercase letter, one uppercase letter, one digit, and, if the site allows, one special character like $ # % !.

The top five passwords actually used in 2013 were 123456, password, 12345678, qwerty, and abc123. For a bad password, I prefer “what,” as in “what is the password.” You should not use anything remotely like these.

If you have trouble remembering dozens of strong passwords and would like to have help doing that, check out Sreenivas Angara’s Kickstarter project. He is working on a smart phone and tablet game called Drongzer to teach you to how to create and remember strong passwords by using procedural memory instead of declarative memory. Procedural memory guides the processes we perform, like driving a car. We know what to do while driving when we come to an intersection, even if we have never been there before. Procedural memory usually resides below the level of conscious awareness and tends to be automatically retrieved and utilized. Declarative memories must be consciously recalled. We use it for things like dates (1492, your significant other’s birthday, your address, …). There is no pattern to them; you just have to memorize them.

The last word:

Many if not most of the 420,000 companies are still vulnerable. Is yours? Meet with your IT and security managers and review your current security and audit practices. Most companies concentrate on protecting data coming into their site, looking for malware and denial of service attacks. These are all important. But also look at the data leaving your site; this is where you are really vulnerable to losing protected information. Are you looking for unusual patterns, like outgoing transactions that are thousands or millions of bytes instead of a few hundred, or large data transfers in the middle of the night? Do not forget to include non-electronic loss opportunities like storing unencrypted files on laptops, CDs or thumb drives.

Comments solicited.

Keep your sense of humor.


Cloud Adoption

I started blogging about Cloud Computing over four years ago. At that point it was relatively new. A lot of CIOs were talking about it, but relatively few were actually spending money moving to it. The “experts” were mostly predicting great growth for the Cloud; as just one example, Novell predicted that the workloads running in the Cloud would grow from 2% in 2010 to 20% in 2015. Of course, most of these experts were in the Cloud industry and possibly with an inclination to hype the concept.

Four years later, how is Cloud Computing adoption doing?

As is almost always the case, not as well as predicted but better than you might have expected. Everest Group recently released its 2014 Enterprise Cloud Adoption Survey. Founded in 1991 and headquartered in Dallas, Texas, Everest Group is an advisor to business leaders on the next generation of global services with a worldwide reputation for helping Global 1000 firms dramatically improve their performance by optimizing their front-, mid-, and back-office business services.

Their most recent Cloud Adoption Survey shows that 56% of enterprises consider the Cloud as a strategic differentiator. These companies are putting their money on the Cloud, with 58% of the surveyed organizations spending more than 10% of their annual IT budget on Cloud solutions and services. These enterprises are no longer just experimenting with the Cloud, but are investing significantly in moving to the Cloud.

The survey also points out two continuing concerns about the Cloud: security and ease of migration.

Security concerns still exist, but the security picture of the Cloud is improving every year. Cloud Service Providers (CSPs) are gaining more expertise and making that expertise and the resulting best practices available to their customers. One impact is that many companies are going to private cloud implementations, and thus foregoing many of the cost savings and weakening the “pay for use” advantages of the Cloud. I have several posts specifically on Cloud Security, including a three-part introduction starting here, Secure Public Cloud, and most recently here.

The other continuing concern is ease of migration. CSPs will still tout how easy it is to move to their Cloud and most will offer you services to help you move at little or no cost. Your reality may be different. It is important to carefully plan your move, test the actual migration so you know how long it will really take, and then execute the move. As always, no matter what kind of an upgrade you are doing, have a fallback plan.

Your workloads are not all the same: their security, performance and availability requirements vary. Likewise, it is unlikely that a single Cloud solution will be the correct choice for your organization. Like with any product, if you only talk to one vendor you are likely to learn how that vendor’s product is best for you. You will usually be better off if you look at multiple vendors and match each application to the solution that best preserves your individual applications’ important security, performance and availability requirements. Most companies are likely to end up with a combination of different cloud models called a Hybrid Cloud.

As always, moving to the Cloud must be a business decision, not a technical decision. You should go to the Cloud because it makes good business sense for the reasons we have discussed earlier.

The last word:

Comments solicited.

Sometimes the biggest objections to moving to the Cloud will come from your own IT shop. They have provided you with a solution that is working at a predictable cost. Like in any outsourcing conversation, your IT team is probably concerned about what may happen to them. Your CIO may be worried that he or she will become irrelevant. They should be concerned, because it will change their world.

Because moving to the Cloud is a business decision, the key stakeholders in a Cloud implementation are likely to be the business owners within the company. However, the IT organization will remain critical to provide the leadership and overall management of your ever-changing Cloud environment. The Everest Group report indicates that over 75% of the surveyed organizations believe that the role of IT is increasing or is unchanged as they move to the Cloud. The focus of the CIO and the whole IT team needs to change from the day-to-day handling of the IT infrastructure to a more business-oriented approach of providing the IT services the business stakeholders require.

Keep your sense of humor.



(This is another special posting by Suzy. I hope you enjoy it.)

Locavores pride themselves on eating locally grown and prepared foods. Some of them are just food snobs trying to make the rest of us feel like food slobs. Most really enjoy and are proud of the foods their locality produces. Philly cheesesteaks, North Carolina pulled pork, Texas Chili, Neapolitan pizza, beers from various localities, or a spicy barbeque all make us salivate. Each reminds us of a region, or a special meal, or at the very least a clear and distinct flavor. There is a difference to be enjoyed between New York and Philly cheesecakes. New York cheesecake is a bit creamier and tangier. I prefer one for dessert and the other as a breakfast treat.

Each time I moved I would develop a taste for a regional specialty that would be the source of cravings when we moved to the next place. Living in Southern California I missed mid-Atlantic favorites. Now, back in the Philadelphia area, I am constantly craving foods with a Mexican flair. Several weeks ago we had a family movie night. That is to say we were showing home movies of the growing up years of my siblings and myself to which we subjected our mates. And here I commend them for being good sports about the entire evening. Seeing where we lived in Naples made me hungry for the pizza we would buy from a small shop at the foot of the hill on which we lived. Nothing else will sate this craving, so Walt and I are now thinking about a trip. There was also this one particular wine I remember, so it isn’t just about the pizza.

When I lived in Naples the world was a slightly slower place. When we moved there we traveled, not by plane, but by an ocean liner. All the American goods that we got at the Base Exchange were brought in by cargo ship. Due to temperature changes in the hulls of the cargo ships that could affect the look or efficacy of some products, Hershey’s Chocolate bars often had a white powdery coating. Our mail was flown over from the States. Much of our shopping for American style products was done through mail order catalogs. That meant flipping through the pages of a catalog, filling out an order form, mailing it to the company back in the States, having the company fill the order, and then ship, yes literally send it on a ship, back to us. It took time. Sometimes we didn’t remember quite what we had ordered, so opening the package was a bit exciting. Gifts to or from family and friends were also shipped. My Grandmother decided she would not send us the annual supply of Christmas cookies. She was afraid that the shipping would cause then to be stale or nothing but crumbs. She sent Moma copies of my Great-grandfather’s treasured holiday cookie recipies instead and wished Moma luck in finding the ingredients and making them. At that point I had learned a bit more Italian than Moma, so armed with my trusty bi-lingual dictionary we went together to the local shops to find some of the candied fruit bits and spices. It was a family project to make the cookies and Daddy documented it with his trusty 8mm movie camera with its 4 floodlight light bar. My Grandmother’s education wasn’t the best, and in her copying of the recipes she left out some key instructions and an ingredient or two, thus making the project more of a challenge. As Moma had often helped with the baking when she lived at home, or we lived near Grandmom, she was able to see some of the discrepancies or she just got a bit creative. During the course of the project we all talked about how various flavors and aromas reminded us of different places and times.

My fertile little mind took off on tangents. I began to think of all the places we had been and the various things we had enjoyed wherever we were. One of the fun things was walking with my Grandmother to the local farmers’ market at least once during each of our visits with her. As that’s where she did most of her food shopping, she knew all the farmers and their families in each of the stalls, and they knew her. She would tell the butcher she wanted to make ox-tail soup, and he would have a tail for her on her next visit. Though Daddy often teased her that it was just from some cow he had just butchered she insisted that it was from an ox. She would ask each seller she visited about children who weren’t there that day. Then she would push my brother and me forward to be seen and praised. It had its rewards, as we would often be given tastes. As we were then living in Naples, Italy I decided I really would enjoy a sandwich with Lebanon bologna. The local shops had prosciutto, Parma ham, mortadella, capicola, but no Lebanon bologna.

Having been rewarded by the Italian consulate in New York with all sorts of wonderful information about Italy when I had written to them about our up-coming move, I responded as rapidly as Pavlov’s dog. I wasn’t fussy about a brand name since I had never noticed any on the bologna Grandmom had brought home from the farmers’ market, so I didn’t have an address nor even a company name. I had no idea where to send a letter. Remember, this was before the Internet, so I couldn’t just Google it. I decided to write to the Chamber of Commerce in Lebanon, Pennsylvania. After all, shouldn’t Lebanon bologna come from Lebanon, Pennsylvania?   In my letter, I explained how far away we were, how the Italians didn’t understand lunchmeat, and, most grievously, how the Commissary didn’t carry Lebanon bologna. I wanted to know how I could buy some and have it sent to us. Having signed, sealed and stamped it I placed my letter in the pile of out-going mail and pretty much forgot about it. I’m not sure how the Chamber of Commerce reacted upon receipt of the letter. Hopefully they had a pretty good laugh.

Quite a while later, getting on into spring, Daddy arrived from work with a box that was about three foot long, and maybe nine inches on a side. Accusingly he looked to Moma and me and asked what we had ordered this time. Moma was puzzled. By then, I had forgotten about my letter. We all stood around the kitchen table as Daddy carefully opened the box and slid out an entire roll of Weaver’s Lebanon bologna and a very nice letter. The Chamber of Commerce had forwarded my letter to the Weaver family, who gifted us with an entire bologna. Moma had a hand-cranked meat-slicing machine, which she immediately set up on the table and proceeded to cut off several slices. It was the best I had ever had or have had since.

Times have changed. We expect immediate gratification. We now buy foods from all over just about anywhere any time of year, though travel time and distance mean that especially fresh foods aren’t always at their peak. People don’t write letters anymore, either, contenting themselves with ephemeral e-mail, texts or twitter. But that’s for another rant.

The last word:Jim1099s

This is the view from their apartment in Naples, Italy. Many years later, this story helps explain why Suzy really likes to cook, is pretty good at it, creates many of her dishes from scratch, and makes me create an herb garden everyplace we have lived.

Comments solicited.

Keep your sense of humor.


This has been an interesting couple of weeks. The IRS admits to “loosing” millions of emails, coincidentally the subject of an on-going investigation. If your company tried that trick, several of your executives would be in jail and the company would have a huge fine. There are several federal and state laws that require retention of any information relevant to an ongoing investigation. In addition, there are even more stringent laws on data retention specifically for US government entities. In legal terms, “spoliation of evidence” is the intentional or negligent withholding, hiding, altering or destroying evidence relevant to a legal proceeding. This kind of activity, in addition to being illegal, usually leads to “spoliation inference.” That is when a party destroys evidence, it is reasonable to infer in a court that the evidence was damaging to the party.

On the flip side, the IRS has inappropriately released protected personal information to third parties. This includes information provided to Congress as part of their inquiry into the lost emails. In reality, it is illegal for Congress to even open the files provided from the IRS because Congress was told that those files contained protected information on individual taxpayers.

On top of this, and in spite of the assurances from NSA, NSA has been collecting the content of emails from US citizens who are not under any suspicion of any connection to terrorism.

The implications to your company’s ability to respond to Discovery Orders could be serious. Even if you have an excellent Life-Cycle Management policy which defines exactly how long you retain different categories of documents, the US government may be working to make those policies ineffective.

When you receive a court order asking for all of the documentation on a particular subject, you must deliver all and only the appropriate documents. These documents may include emails, text messages, tweets, and standard documents, spreadsheets and presentations. Most organizations don’t do a good job of responding to these court orders. The possibility, or in some industries, the high probability of receipt of a discovery order is one of the drivers to implementing a data life-cycle management system. Most organizations give far more than they should, and fail to give everything they must because they don’t know where all of the data is. Like data life-cycle management, if you have existing policies, systems and procedures in place, it is well worth the effort to make sure that your Cloud Service Provider can interface with them.

My recommendation is to make sure you have a well documented life-cycle management policy and that you carefully document a complete audit of those procedures at least once a year. The legality of the government introducing in a court case documents it has illegally obtained has not yet been tested. But if you can show that you made every effort to appropriately destroy information according to your reasonable data life-cycle management policy then the court may look favorably on your attorney’s objection to the introduction of government-obtained data.

Whatever you do, do not emulate the IRS. Do not destroy information after the issuance of a discovery order or the reasonable expectation that one may be issued. And do not include protected privacy information in response to any discovery order unless that information is specifically listed in the discovery order.

The last word:

The Philadelphia Inquirer reported Monday that the Veterans Administration Philadelphia Regional Office had once again demonstrated the importance of management bonuses over providing services to our veterans. In this case they changed the dates on hundreds of thousands of claims, some filed as early as 2011, so that they were no older than 125 days in order to meet guidelines.

The VA is a fine example of federal government bureaucracy, where management works very hard to destroy the reputation of the organization and the thousands of dedicated medical personnel who are working to protect and serve our veterans. What are the implications of Obamacare as it inexorably moves health care under the federal government bureaucracy?

But don’t worry, the IRS is watching over the implementation of the Affordable Care Act. The IRS is even working with the union of IRS employees to rewrite their agreement so that employees who have failed to pay their federal taxes will no longer get bonuses from the IRS. Not funny. Over 1,100 IRS employees received bonuses within a year of substantiated federal tax compliance infractions.

Comments solicited.

Keep your sense of humor.



Get every new post delivered to your Inbox.

Join 107 other followers