The consequences of this insider breach do not seem severe enough to a number of parties.
"Should a data controller have no responsibility for preventing an insider breach other than issuing login credentials to those authorized to access a database? What's reasonable to expect of data controllers?" - PHIprivacy.net

For example, the UK Information Commissioner's Office's (ICO) Christopher Graham said: "This case shows why there is a need for tough penalties to enforce the Data Protection Act. At the very least, behavior of this kind should be recognized as a 'recordable offense', which it isn't now. For the most serious cases the current 'fine only' regime will not deter, and other options including the threat of prison should be available."
In the US, according to PHIprivacy.net, such a case would carry "exceeding authorized access" charges as well as other criminal charges, since this theft of sensitive information was for financial gain. What is your opinion? Do you agree with the ICO that financial penalties alone will not deter data thefts?
Download a white paper on patient privacy breach detection. Learn how to proactively identify unauthorized breaches of patient data privacy, even by authorized users - with no hardware and no on-site software.

Sources:
(a) UK: Man made redundant fined for stealing sensitive information - www.PHIprivacy.net, 05/23/2013