ID Guardian

IN THE HEADLINES: Rite Aid Fined for Dumping Your Data

Posted by: Neal OFarrell on August 4, 2010

You’d think by now that companies of all sizes, but especially large publicly traded companies, would have gotten the security and privacy message loud and clear. We’re now more than a decade into the worst of the epidemic of cybercrime, identity theft, and privacy violations, and yet in spite of all the warnings, media coverage and legislation, companies you trust with your personal information are still betraying that trust.

Rite Aid, the third-largest pharmacy in the country, recently agreed to pay $1 million to settle charges that the company allowed its employees to dump very sensitive customer medical information, unshredded, in its own dumpsters.

Most companies are supposed to have policies and training in place so that all employees, no matter where they work, know how to handle sensitive information. But in the case of Rite Aid, apparently employee security awareness is not yet at this level.

And not only did the company allow employees to toss medical records in dumpsters, job seekers who left employment applications with the company (presumably including their Social Security number) suffered the same dumpster indignity.

According to a Federal Trade Commission (FTC) investigation, Rite Aid made claims such as, “Rite Aid takes its responsibility for maintaining your protected health information in confidence very seriously. . . Although you have the right not to disclose your medical history, Rite Aid would like to assure you that we respect and protect your privacy.” The FTC concluded that the claim was deceptive and that Rite Aid’s security practices were unfair. No kidding.

And as part of its punishment, Rite Aid is also required to now do all those things that it should have been doing all along – like develop a data security program, put customer privacy policies in place, and train its employees. Chances are the company already had all these in place, but like many companies, all these important security and privacy plans sit on the shelf and never make it into the culture of the company.

Lessons learned?

  • Never take your right of privacy for granted. It is a trust too easily betrayed.
  • It might be safer to assume that your personal information has already been leaked and is in the hands of the bad guys, and to focus on monitoring for any abuse and exploitation rather than worrying about it leaking in the first place.

RELATED STORY: Rite Aid Settles FTC Charges That It Failed to Protect Medical and Financial Privacy of Customers and Employees

http://www.ftc.gov/opa/2010/07/riteaid.shtm
