Contractor Folds After Causing Breaches
talkinsecurity writes "A single contractor, privately-held Verus Inc., has been traced as the source of no less than five hospital security breaches in the past two months — and those breaches have put the company out of business in a matter of weeks. Verus, which managed the websites of as many as 60 of the country's largest hospitals, has folded its entire business within the past few weeks, without a word to anyone. Apparently, a single IT error led to the exposure of at least five hospitals' patient data — at least 100,000 individuals' personal information — and caused Verus' primary investor to pull the plug. The hospitals, which initially reported their breaches separately, were left with no one to sue."
Nobody is held accountable for the actions of a corporation. The board of directors and all officers should be held personally liable.
(I happen to own a corporation, however as a professional engineer, I am also personally liable for everything which goes out the door.)
Is it just my observation, or are there way too many stupid people in the world?
The hospitals, which initially reported their breaches separately, were left with no one to sue."
I'd start with the ex-CEO. The 'company' did not make decisions, people did. They should be held accountable.
You can outsource work but you can't outsource responsibility.
And if you think the supplier will always be around to sue later, and suing them is your only plan, you're a fool.
"For a successful technology, reality must take precedence over public relations, for Nature cannot be fooled"
Read the article. It was a single mistake -- leaving a firewall down after performing a transfer of data from one server to another. But, why would you need to take down a firewall to transfer data? Set up a VPN, or better yet, use hard drives and old-fashioned sneakernet to transfer the data.
What the vendor really needed was a security audit by an external security firm. I bet you will see more of that in its competitors (or ex-competitors).
$nice = $webHosting + $domainNames + $sslCerts
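As an added illustration of the point made in the post above (this script is not from the thread or from the vendor involved; the peer address, port and rule shape are assumptions), one way to do a server-to-server copy without "leaving the firewall down" afterwards: open a single rule for a single peer, and make sure the rule is removed on every exit path, including a failed copy or an operator hitting Ctrl-C, then verify it is actually gone before walking away.

```shell
#!/bin/sh
# Added example: temporarily allow one peer on one port for a copy,
# guarantee the rule is removed again, and verify that afterwards.
# FW is the firewall command; it defaults to iptables but can be
# pointed at a dry-run/logging command for testing.

FW="${FW:-iptables}"
PEER="${PEER:-10.0.0.2}"   # assumed address of the receiving server
PORT="${PORT:-873}"        # rsync daemon port (assumption)

open_hole() {
    # Allow only the named peer on one port; never flush the whole chain.
    "$FW" -I INPUT -p tcp -s "$PEER" --dport "$PORT" -j ACCEPT
}

close_hole() {
    "$FW" -D INPUT -p tcp -s "$PEER" --dport "$PORT" -j ACCEPT
}

hole_is_closed() {
    # Post-transfer check: iptables -C exits 0 if the rule still exists,
    # so the hole is closed exactly when -C fails.
    ! "$FW" -C INPUT -p tcp -s "$PEER" --dport "$PORT" -j ACCEPT 2>/dev/null
}

transfer_with_hole() {
    # Run the given command while the hole is open; close it whether the
    # command succeeds, fails, or the script is interrupted.
    open_hole || return 1
    trap 'close_hole' EXIT
    trap 'exit 130' INT TERM
    "$@"
    rc=$?
    close_hole
    trap - EXIT INT TERM
    return "$rc"
}

# Usage (assumed command line):
#   PEER=10.0.0.2 sh transfer.sh rsync -a /srv/data/ 10.0.0.2::backup
# With no arguments the script only defines the functions above.
case "${1:-}" in
    "") ;;
    *)
        transfer_with_hole "$@"
        rc=$?
        hole_is_closed || echo "WARNING: firewall rule still present" >&2
        exit "$rc"
        ;;
esac
```

The design choice worth noting is that the cleanup does not depend on the transfer succeeding or on anyone remembering a second step: the rule is removed by the same script that added it, and the final `-C` check fails loudly if it is somehow still there.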
Sorry, but I think you are wrong on the "probably folded to keep from getting heavily penalized and/or to prevent its directors from being criminally prosecuted under HIPAA". FTA, it's more likely they folded from lack of funding -- as their primary investor pulled out (most likely due to not wanting to tarnish THEIR name...
Can he magically make the security breaches un-happen?
At most, if the company stayed around, it could be sued for the costs involved in the cleanup -- but the only winners there would be the lawyers.
Procrastination -- because good things come to those who wait.
Eh? The company was destroyed. If you think the company should be punished, is there any better punishment? Isn't this a good thing? It means that the company is not going to do that again.
Yes, but nothing's stopping these people from forming a new company and doing the same thing again.
"Well kids, you tried your best, and you failed. The lesson is, never try."
Like you could sue a corporation when it still exists.
Take Sony and the distribution of malware with its CDs. A person (read: human being) would be doing time for it. Read the law. Creation and distribution of malware on a commercial premise. Fits like a glove in this case. Punishable, depending on your country, with up to 10 years in jail. Especially when you can credibly claim that the person in question actually did pursue commercial interests (which is trivial in this case).
But you can't do that to an international corporation! First of all, how do you imprison Sony? And think of all the jobs! And think of the tax (yeah, right, like I didn't pay more tax than Sony, in percent of my income...). And think of the political...
Bullcrap. In a nutshell, corporations are above the law. They can break them as they want and if anything, they get a waggle of a finger and a puppy eyed "please, please don't do it again, mmmkay?"
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Yes, but nothing's stopping these people from forming a new company and doing the same thing again.
1. Assuming the new company needs capital investment, they have to convince someone to invest. If investors don't do their homework, then they have only themselves to blame if the investment goes south (as presumably this one did).
2. If you contract with that new company without doing a little bit of background research, and your data gets exposed next time -- well, I guess that means selecting a vendor wasn't important enough to take the time to do it right, correct?
3. The IT mistake was not intentional / malicious, it was a mistake. While that should be a black mark on the reputation of former employees / owners, it shouldn't prevent them from ever working again; they just have to convince investors / clients that they have learned from that mistake and have policies / procedures in place to prevent it from happening again (assuming said investors / clients actually do their homework & check the vendor's reputation).
I guess that means your corporate reputation goes out the window, for not doing sufficient research on vendors for critical services.
Actually, engineers routinely do get out of responsibility for disasters. Part of the reason is that they let their bosses and the prosecutors know about the "paper trail" that they have kept. They threaten to show in court that they knew about the problems, warned their superiors about the problems, and were ordered to ignore the problems. The prosecutors then carefully forget about them.
The poster child for this, of course, is NASA's history after the Challenger disaster. The immediate desire was to blame the engineers. But the engineers were happy to cooperate with the investigations, because they had copious records showing that they knew about the potential problems, tried to delay the launch, and were overridden by management. Subsequent analyses (by engineers ;-) showed that what went wrong was a known possibility during cold-weather launches, and that a lot of the engineers had indeed tried to delay the launch.
The real disappointment in this and similar disasters is that the managers who override (or ignore) the engineers are almost never held responsible. NASA did do a bit of management shuffling, true, but nobody takes this seriously. With most corporate disasters, even when the CEO or other officer "resigns", he typically walks off with huge amounts of money and no punishment at all. The exceptions are so rare (think Ken Lay) that corporate managers really don't consider it a serious possibility.
In the case of software, it's routine for management to order the use of packages that the engineers know to be insecure and/or unsecurable. I've seen it over and over. The developers know that they just have to live with this, and make the best of a bad management decision. The only way to change this is to make the actual decision makers responsible for the consequences. Does anyone seriously think this is likely to ever happen?
Those who do study history are doomed to stand helplessly by while everyone else repeats it.
Limited liability is a double edged sword to be sure, but IMHO society is better off with the concept than without it. Consider bankruptcy for example, that is a form of "limited liability" as it applies to the individual. It ensures that your creditors cannot pursue you until your dying day for your last penny due to circumstances beyond your control. There are abuses sometimes, yes, and do not think that this investor is home free: if a lawyer can prove negligence in the breaches AND that the investor knew about the problems and did nothing, then the investor can be held accountable for negligence, limited liability or not. The concept of limited liability exists to protect people from personal ruin from forces beyond their control, but it is not carte blanche to commit fraud, breach contract, or engage in negligent behavior.