The Rising Costs of Deliberate Indifference
Posted In Incident Reporting, Legal, Risk Management, School Safety on October 11th, 2010 Tags: bullycide, bullying, bullying lawsuit, Cyberbullying, deliberate indifference, Incident Reporting, school lawsuit, School Safety, title IX
Do you know what the legal definition of “deliberate indifference” is?
The conscious or reckless disregard for the consequences of one’s acts or omissions.
If you are a school leader, school board member or community leader, you might do a quick web search using the words below:
deliberate indifference lawsuit school 2010
Over 8,000 results came up from my search and many of the results were related to lawsuits being brought against schools and universities under violation of Title IX. I heard the term “deliberate indifference” over the weekend when one of the national news channels did a bullying feature on a school in Ohio that has had four students commit suicide. The attorney for two of the families involved stated that the school acted with deliberate indifference towards the students and their families.
How do you ensure your school or community or organization is not sued for deliberate indifference?
Schools leaders, school boards and teachers have an obligation to create a school environment that handles misconduct and educators must realize that consequences related to bullying and cyber bullying are changing very quickly. Bullies and their bullying methods are changing very quickly. Most school leaders have some familiarity with school yard bullying because they can see the bullying with their own eyes and believe they can stop simple bullying.
Cyber bullying is much different and unfortunately most school and community leaders are seemingly disconnected and in the dark when it comes to cyber bullying and the consequences of cyber bullying.
Dealing with deliberate indifference and dealing with cyber bullying requires different approaches including more effective cyber tools that connect all the dots:
- Victims
- Bystanders
- Communities
- Support Teams
- Anonymous Reporting
- Confidentiality
- Legal Ready Documentation
- Compliance Ready Documentation
- Accessibility
- Accountability
- CYA
- And other new challenges that come along…
Does your paper reporting or phone call reporting or e-mail reporting system connect all of the dots in your school? Are you confident your school is not guilty of deliberate indifference?
It is time to deal with deliberate indifference…which will help us save lives too.
No Comments
Email This Post
Financial Sector Challenges Keep Coming…
Posted In Information Privacy, Information Security, Legal, Regulatory Compliance, Risk Management on October 5th, 2010 Tags: Consumer Financial Protection Bureau, credit card fraud, credit union bailout, FINCEN
How will these new challenges impact your community? And your organization?
If you have you been watching financial sector headlines recently, bad news and challenges seem to keep coming for financial leaders and their organizations. And we have all learned that when the financial sector is affected, all sectors will see and feel some impact.
Credit unions are now in line for their bailout.
According to CNN Money article, bank fees are like game of Whac-a-Mole…the minute some bank fees are banned, a whole new set of bank fees pop up.
http://money.cnn.com/2010/09/24/pf/new_bank_fees/index.htm?hpt=T2
FINCEN proposes mass new wire transfer reporting requirements that could represent a massive burden on banks and money services businesses to report international wire transfers to the government.
http://www.fincen.gov/news_room/nr/html/20100927.html
In Michigan, the Office of Financial and Insurance Regulation ordered a shutdown of a “business” that were actually scammers posing as a legitimate credit union in order to obtain information used in identity theft.
http://blogs.bankinfosecurity.com/posts.php?postID=725
Credit card fraud continues to go global and losses continue to mount.
The Consumer Financial Protection Bureau is coming…how will it affect your business?
The bad news: Many of these challenges are out of your control.
The good news: Organizations can control the postitive impact they have on their community, their customers and their employees.
So for all the organization leaders – financial, government, schools, healthcare, faith-based and others…Is your organization ready to take the lead in your community?
No Comments
Email This Post
Are Financial Institutions Ready for CFPB?
Posted In Information Privacy, Information Security, Legal, Regulatory Compliance, Risk Management on September 21st, 2010 Tags: ABA, CFPB, Compliance, Consumer Financial Protection Bureau, Consumer Protection, Elizabeth Warren, NAFCU
As of Friday September 17th, Elizabeth Warren was appointed as special advisor to oversee the creation of the new Consumer Financial Protection Bureau (CFPB).
As outlined in the legislation, the CFPB’s purpose is to implement and enforce federal consumer law to ensure that markets are fair, transparent and competitive. The CFPB has also been described a watchdog to protect consumers in their dealings with financial institutions.
Consumer protection is important and I think most everyone would agree that consumer protection is a good idea. But lessons learned lead me to ask a few questions:
Are financial institutions aware of and ready for the new consumer laws?
How will the CFPB enforce the new consumer laws and how soon will CFPB begin enforcing the laws?
According to a Reuters article, Ms. Warren has until July 2011 to get the new agency up and running. So it will be interesting to watch and learn how the agency intends to ensure consumer protection, ensure markets are fair, transparent and competitive.
Of course the financial sector is not too thrilled about adding more regulations, the NAFCU has long opposed the new consumer protection agency and the ABA released a news release earlier this year that said the law will result in more than 5,000 pages of new regulation for traditional banks.
As regulations continue to mount, have financial institutions built an environment of compliance that is efficient, scalable and ready for the new consumer protection laws?
Are financial institutions ready and prepared for additional examinations with audit-ready and legal-ready documentation?
Are financial institutions ready to take building trust with consumers to a new level?
Now that the CFPB is off and running, perhaps there is a better question…..
Could the new consumer protection agency create an opportunity for some financial institutions to gain a competitive advantage by connecting the dots with consumers more effectively?
No Comments
Email This Post
Third-Parties and the Protection of Sensitive Information: Is Your Organization Lacking Contractual Assurances?
Posted In Information Privacy, Information Security, Legal, Regulatory Compliance, Risk Management, Uncategorized on September 17th, 2010 Tags: contractor agreements, Data Breach, GAO, Information Security, third-party breaches
A recent GAO report has revealed that federal agencies utilizing contracted workers are failing to implement contractual assurances with third-parties regarding the protection of sensitive information.
GAO auditors examined the contracting practices of three of the largest federal agencies and of those three, only one (DHS) required third-party companies to sign standard contracts requiring the contractors to follow best practices in safeguarding sensitive information.
In a recent data breach, a TSA contractor allegedly provided a Boston couple the social security numbers for more than a dozen TSA workers. Third-parties are increasingly responsible for data breaches, but most often, the hiring agency or company will face the resulting lawsuits, reputational damages, fines, etc. Outsourcers, consultants, contractors and business partners were responsible for almost half of the data breach incidents in 2008 and recent incidents show third-party gaps are mounting.
It is critical for organizations to require third-parties to be aware of, understand and acknowledge their responsibilities for protecting all types of information. Organizations should:
- Train contractors on best practices for protecting information
- Require contractors to sign non-disclosure agreements
- Require contractors to review and acknowledge organization-specific policies and procedures
- Require contractors to review ongoing updates as risks, challenges, requirements change
- Track all contractor agreements with legal-ready and audit-ready documentation
Lessons learned have shown that third-party data breaches will continue to occur if organizations do not change their status quo processes and connect the dots with third-parties more effectively.
How are you addressing your third-party relationships today?
Have your business partners, contractors, etc. signed off on your organization’s policies and procedures?
Do they understand their individual roles and responsibilities for protecting your customer / sensitive information?
No Comments
Email This Post
Whistleblower Line vs. Hero Line
Posted In Incident Reporting, Legal, Regulatory Compliance, Risk Management, Workplace Violence on September 8th, 2010 Tags: bullying, Ethics, joint commission, Security, whistleblower, Workplace Violence
What is your first thought when you hear the word WHISTLEBLOWER?
Whistleblower definitions commonly say a whistleblower is any person that reveals wrongdoing or malpractices taking place within an organization. And in many cases a whistleblower may face retaliation or other negative ramifications and by law may require special protection.
What is your first thought when you hear the word HERO?
Hero definitions run from mythical and legendary figures to a person that is admired for their achievements or noble qualities to a central figure in an event, period or movement.
When is the last time you heard an organization promote their Hero Line? What if organizations promoted their Hero Line in targeting Workplace Violence or Bullying or Cyber Bullying or Ethics?
I recently came across a Joint Commission Sentinel Event Alert focused on preventing violence in the health care setting and I thought the Hero Line would be a great fit.
Some of the causal factors identified in the Sentinel Event Alert point out the importance of making sure policies and procedures are IMPLEMENTED (not just disseminated) and the need for ongoing education and competence assessment processes ensuring people understand what to do in different situations.
The Sentinel Event Alert cited multiple prevention strategies and said:
“…- security is a people action and requires staff taking responsibility, asking questions and reporting any and all threats or suspicious events.”
Sounds like something a HERO would do….what do you think?
No Comments
Email This Post
Whistleblowers, Incident Reporting and Incident Management…Is your Health Care Organization Ready?
Posted In Incident Reporting, Legal, Regulatory Compliance, Risk Management on August 31st, 2010 Tags: dodd-frank wall street reform, Health Care, Incident Reporting, whistleblower
A previous Lessons Learned Blog mentioned the Dodd-Frank Wall Street Reform and Consumer Protection Act and a special bounty program within the Act for whistleblowers. Did you see it?
An attorney at the Healthcare Financial Management Association’s Annual National Institute legal update says healthcare providers may be heading into a storm of whistleblower suits that could cause serious problems for the unprepared.
The attorney predicts the new Patient Protection and Affordable Care Act could lead to an explosion of whistleblower lawsuits because the new law does not require the plaintiff to have direct knowledge of alleged fraud to file a suit.
So if you are involved with healthcare industry…are you ready?
Healthcare organizations to make sure they are ready for whistleblower related challenges:
- Do employees have access to trusted tools to report suspicious actions?
- Do third-parties/business associates have access to trusted tools to report suspicious actions?
- Do patients have access to trusted tools to report suspicious actions?
- Are assessment teams defined and trained on how to respond to incident reports?
- Do assessment teams have tools to access, track and document their actions and decisions?
- Do organizations have a customized compliance program implemented and documented?
The short list above represents some but not all of the challenges healthcare leadership should be targeting as soon as possible to ensure legal defensibility for your leadership and your organization…are you ready?
No Comments
Email This Post
Veterans Affairs: Why Not Implement Data Breach Lessons Learned?
Posted In Human Resources, Incident Reporting, Information Privacy, Information Security, Legal, Regulatory Compliance, Risk Management on August 26th, 2010 Tags: Awareness Training, Data Breach, Information Security, lost laptops, Veterans Affairs
Dissemination vs. Implementation
The Veterans Affairs Department recently announced they will be publishing monthly online accounts of data breaches and lost BlackBerrys and laptops in order to improve accountability and increase transparency.
What was shocking to me was that from April through July of this year, the VA has lost 72 BlackBerrys and 34 laptops. Patient information has been sent to the wrong address or mailed incorrectly 441 times. There were 9,746 breach incidents involving notifications to patients and 2,501 incidents in which credit reporting was required.
Almost 10,000 breach incidents in 3 months! What is wrong with this picture? Instead of just disseminating data breaches after the fact, what if the VA actually explained and implemented lessons learned and took proactive steps towards prevention?
I think the VA needs to ask a couple of questions:
1) Why are so many handheld devices and laptops being lost? Are there ways we can educate our employees on best practices for protecting devices? Are there consequences?
2) With so many devices and laptops lost each month, how do we ensure these devices are protected with encryption? Are employees taking home sensitive information that should not be placed on personal devices? Do employees know what information is sensitive?
3) What should be done to improve efficiencies in the mail room and prevent mailing errors with patient information? How do we know there were only 441 errors; were these just the mistakes that were caught?
4) How can we implement ongoing awareness and educate our employees (and third-parties) on protecting sensitive information?
Breach notifications are expensive. Credit reporting is expensive. Replacing BlackBerrys and laptops is expensive. Correcting errors and re-mailing information is expensive.
Prevention is a lot less expensive for the Veterans Affairs and a lot less expensive for us tax payers too… is anyone interested in implementing lessons learned?
No Comments
Email This Post
SEC Creates Bounty for Whistleblowers?
Posted In Incident Reporting, Legal, Regulatory Compliance, Risk Management on August 24th, 2010
According to a recent Washington Post headline, law firms are gearing up for new whistleblower reward program.
The new program was included in the Dodd-Frank Wall Street Reform and Consumer Protection Act signed by President Obama in July 2009 has created a bounty program that rewards individuals who provide “original information” to the SEC. The SEC can then award the individual with up to 30 percent of any successful enforcement action that exceeds $1 million.
There is no doubt that federal agencies are publicly ramping up to police illegal corporate activity… future Lessons Learned Blogs will discuss healthcare, education and others.
Here are some questions your organization’s leaders should be asking:
- Are your existing compliance programs working as you want them to?
- Are your policies and procedures updated, communicated, acknowledged and documented?
- Are employees and third-parties aware of how to report incidents?
- Are you encouraging employees to report internally before going to the government?
- Are you confident in how employee complaints will be handled?
- Do you have the right tools in place to connect the dots?
If law firms are gearing up…it is probably a good idea to pay attention to headlines and this Lessons Learned Blog too.
No Comments
Email This Post
Whistleblowers, Incident Reporting, Incident Management…Are You Ready?
Posted In Incident Reporting, Information Security, Legal, Regulatory Compliance, Risk Management, Workplace Violence on August 19th, 2010 Tags: bank fraud, CYA, financial reform, Incident Reporting, online safety, SEC, whistleblower, Workplace Violence
Have you been paying attention to recent headlines?
“New whistleblower reward program has law firms gearing up”
“Attorney tells audience to brace for a storm of whistleblower lawsuits”
“Financial reforms up retaliation risk”
“Preventing violence in health care setting”
“Banks seek customers’ help to stop online thieves”
Lessons learned and headlines are mounting and organizational leaders from nearly every sector should be paying close attention if they want to prevent their name and their organization’s name from being featured in unwanted headlines and lawsuits.
In a few of our next blog posts, I will be sharing lessons learned on how incident reporting, incident management, threat assessment teams, prevention, intervention, documentation and CYA will play a critical role for the foreseeable future….are you ready?
No Comments
Email This Post
Rite Aid – HIPAA Violation – Lessons Learned Not Implemented
Posted In Incident Reporting, Information Privacy, Information Security, Legal, Regulatory Compliance, Risk Management on August 12th, 2010 Tags: CVS, FTC, HIPAA, HITECH, Rite Aid, Security Awareness
Did everyone see this ultimate lesson regarding lessons learned but not implemented?
Remember back in February 2009 when the Federal Trade Commission (FTC) issued a settlement against CVS Caremark? According to the settlement, CVS Caremark violated the HIPAA privacy rule and the FTC Act when some of its stores improperly disposed of prescription information and pill bottles that had patient information on them. The settlement resulted in a $2.25 million fine and they must ensure their security program meets the standards of the settlement [including ongoing audits] for the next 20 years.
Now roll the clock ahead to July 2010 and another pharmacy chain – Rite Aid Corp. – has agreed to pay a $1 million fine because they violated the HIPAA privacy rule and the FTC Act when some if its stores improperly disposed of prescription information in dumpsters.
The HHS settlement against Rite Aid requires their pharmacies to:
- Establish policies and procedures for disposing protected health information and sanctioning workers who do not follow them;
- Create a training program for disposing of patient information;
- Conduct internal monitoring;
- Obtain an independent assessment of its compliance for three years.
The FTC settlement against Rite Aid requires the company to:
- Establish a comprehensive information security program designed to protect the security, confidentiality and integrity of the personal information it collects from consumers and employees;
- Obtain, every two years for the next 20 years, an audit from a qualified independent third-party professional to ensure that its security program meets the standards of the settlement.
For lessons learned to become lessons implemented, organizations must ensure that their program [security, privacy, compliance, risk management, etc.] is clearly defined, communicated, acknowledged by all appropriate personnel, documented, updated and maintained on an ongoing basis.
Unfortunately most programs are just pushed out on portals, intranets and shared drives or blasted out in binders, e-mails and memorandums.
Albert Einstein said it best:
“Insanity is doing the same thing over and over again and expecting different results.”
Are you and your organization doing the same thing over and over again and expecting different results?
Comments (5)
Email This Post
