
Contractor Folds After Causing Breaches

kdawson posted more than 7 years ago | from the left-holding-many-bags dept.

Security 274

talkinsecurity writes "A single contractor, privately-held Verus Inc., has been traced as the source of no less than five hospital security breaches in the past two months — and those breaches have put the company out of business in a matter of weeks. Verus, which managed the websites of as many as 60 of the country's largest hospitals, has folded its entire business within the past few weeks, without a word to anyone. Apparently, a single IT error led to the exposure of at least five hospitals' patient data — at least 100,000 individuals' personal information — and caused Verus' primary investor to pull the plug. The hospitals, which initially reported their breaches separately, were left with no one to sue."


And that's the problem with corporations (5, Interesting)

Overzeetop (214511) | more than 7 years ago | (#20247877)

Nobody is held accountable for the actions of a corporation. The board of directors and all officers should be held personally liable.

(I happen to own a corporation, however as a professional engineer, I am also personally liable for everything which goes out the door.)

Capitalism Rules! (3, Insightful)

FatSean (18753) | more than 7 years ago | (#20247913)

Lots of people on slashdot extol the virtues of unfettered capitalism. "No need for government regulation, sue those who breach their contract!" Unfortunately, when the company folds protecting the stakeholders there is nobody left to sue! Oooops! There goes that darn accountability!

Re:Capitalism Rules! (3, Informative)

peragrin (659227) | more than 7 years ago | (#20247969)

But it's government regulations that have made it that way. The BOD of corporations should be ultimately responsible for the actions of the entire company. Since corporations are a government-protected body, removing the regulations protecting them opens the BOD up to others.

Re:Capitalism Rules! (2, Insightful)

marx (113442) | more than 7 years ago | (#20248407)

That's the whole point of a corporation though (Wikipedia):

A corporation is a legal entity (technically, a juristic person) which has a separate legal personality from its members.

If you take away the property that the members aren't personally liable, then it's no longer a corporation, but some other type of organization.

Re:Capitalism Rules! (0, Redundant)

Hatta (162192) | more than 7 years ago | (#20248489)

Right, so get rid of corporations. That's what the OP was trying to say in the first place.

Re:Capitalism Rules! (3, Insightful)

CmdrGravy (645153) | more than 7 years ago | (#20248823)

Right, so then no one forms a company to do anything at all, no capital can be raised and nothing gets done.

Conservatives strike again! (0)

Anonymous Coward | more than 7 years ago | (#20248547)

Yet another "deregulation" attack on America! As always, the conservative hatred of America strikes again!

Go Enron-style accounting!
Go War-on-Terra!
Go record shattering deficits!
Go investor bail-outs!

Go "Fiscal Conservatives"!

Re:Capitalism Rules! (4, Insightful)

thc69 (98798) | more than 7 years ago | (#20248985)

Unfortunately, when the company folds protecting the stakeholders there is nobody left to sue! Oooops! There goes that darn accountability!

Eh? The company was destroyed. If you think the company should be punished, is there any better punishment? Isn't this a good thing? It means that the company is not going to do that again. Maybe it would satisfy people if the guy killed himself?

Can he magically make the security breaches un-happen?

At most, if the company stayed around, it could be sued for the costs involved in the cleanup -- but the only winners there would be the lawyers.

Re:Capitalism Rules! (4, Informative)

nmx (63250) | more than 7 years ago | (#20249059)

Eh? The company was destroyed. If you think the company should be punished, is there any better punishment? Isn't this a good thing? It means that the company is not going to do that again.

Yes, but nothing's stopping these people from forming a new company and doing the same thing again.

Re:And that's the problem with corporations (4, Insightful)

grogdamighty (884570) | more than 7 years ago | (#20247917)

Ah, so the board of directors should be sued for all of their personal assets in order to pay for Joe Coder's mistake in leaving a backdoor open. How many people do you think would start up businesses if they knew mistakes made by any employee could bankrupt them?

Re:And that's the problem with corporations (2, Insightful)

Raul654 (453029) | more than 7 years ago | (#20247933)

Engineers are legally responsible for all of the design decisions that go into their work. I see no reason now to hold corporate shills - erm, CEOs and other board members - to the same standard.

Re:And that's the problem with corporations (1, Troll)

Gorshkov (932507) | more than 7 years ago | (#20248107)

Engineers are legally responsible for all of the design decisions that go into their work.

Yes, they are - and they should be. But you're not held responsible for the decisions of *others*. If some contractor says "Rebar? We don't need no stinkin rebar!" and the bridge falls down, he's sued, not you - because it wasn't your design decision.

I see no reason now to hold corporate shills - erm, CEOs and other board members - to the same standard.

They are - that's the whole idea behind due diligence - showing that you DID do your job. But how the bloody hell do you think it's fair to hold a director responsible because some wanker forgot to put the firewall back in place? And wtf was it doing down in the FIRST place?

Re:And that's the problem with corporations (1)

Qzukk (229616) | more than 7 years ago | (#20248239)

And wtf was it doing down in the FIRST place?

Sounds like something some management-type would tell someone to do. Or maybe the admin saw too many Star Trek reruns and thought the company should lower the shields so they can beam the data up.

Re:And that's the problem with corporations (1)

Raul654 (453029) | more than 7 years ago | (#20248749)

Aren't these the same directors who (for Enron, Worldcom/MCI, Adelphia Communications, etc) claimed that they had no idea that their companies were operating deeply in the red and that their quarterly earnings reports weren't worth the paper they were printed on? These are the same people who go before congress and suddenly develop very bad memories.

Re:And that's the problem with corporations (2, Informative)

Gorshkov (932507) | more than 7 years ago | (#20248865)

Aren't these the same directors who (for Enron, Worldcom/MCI, Adelphia Communications, etc) claimed that they had no idea that their companies were operating deeply in the red and that their quarterly earnings reports weren't worth the paper they were printed on? These are the same people who go before congress and suddenly develop very bad memories.

No, they're different directors. That lot WAS jailed - and they were jailed because of THEIR decisions, not those of their underlings.

Re:And that's the problem with corporations (1)

MikeBabcock (65886) | more than 7 years ago | (#20248203)

Because major corporations have no chance at ruining people's lives the way engineers do? Ask yourself why professional engineers are held to such a standard in society, then ask yourself what effect other private corporations can have on people's lives.

Large corporate decision makers should not be immune from blame for their mistakes -- with great power and all that.

Re:And that's the problem with corporations (2, Insightful)

Raul654 (453029) | more than 7 years ago | (#20248699)

How many thousands of people lost their life savings when Enron folded? (Days before the end, the CEOs and other higher ups were selling their stock like it was on fire, while other investors - mostly employees of the state of California - were locked-out and unable to sell their holdings). What about MCI/Worldcom? What about ValuJet, which had dozens of safety violations prior to the crash of Flight 592 [wikipedia.org] and for which the company was later indicted on 100+ counts of murder? What about Power Fasteners, which did such a shoddy job of constructing the Big Dig that the roof collapsed [wikipedia.org] and killed someone (they were also indicted). What about ExxonMobil, which (as a result of its operations 1888-present) is responsible for something like 5-8% of all global warming and will almost certainly face future lawsuits [redorbit.com] about it? Corporations can and willingly cause massive destruction on a global scale. They destroy lives, but they are ultimately a legal fiction created for the purpose of shielding the true decision makers from the legal liability of their decisions.

Re:And that's the problem with corporations (4, Interesting)

Applekid (993327) | more than 7 years ago | (#20248241)

I think you missed the point. If Engineers are legally liable for their work that can put people at risk, perhaps Programmers should be legally liable for their work that can put people at risk. Maybe instead of figuring out how to line their pockets with money with their "certifications," Novell, Microsoft, Cisco, et al. could pool resources and lobby for a legally-weighty certification for Software Engineers much like conventional Engineers already have. Perhaps an Engineer could enlighten me on the history of how those things evolved for them.

You could have a Class-C license to code and that would mean you know how to develop without buffer-overrun vulnerabilities, SQL-injection vulnerabilities, things like that. A top Class-A license to architect secure designs and robust inter-system communications.

CEOs and board members only know how to run a company: you know, management, budgets, allocations, etc. I'd be very surprised if Widgets, Inc. CEOs know the exact procedure and design decisions that lead to Widget Model 3928 being the way it is.

Of course, the court system will help determine whether it was a renegade programmer or whether board-imposed policies and procedures lead to the hiring of an unlicensed one.

Re:And that's the problem with corporations (1)

Yoozer (1055188) | more than 7 years ago | (#20248419)

You could have a Class-C license to code and that would mean you know how to develop without buffer-overrun vulnerabilities, SQL-injection vulnerabilities, things like that. A top Class-A license to architect secure designs and robust inter-system communications.

And still you'll find a huge share of WTFs because if anything, the licenses will create a false sense of security and trust. "Of course it can't be Mr. Class-A, we've paid good money for his expertise and he can't possibly be wrong." Also, companies might think that they could replace 3 Class Cs with 1 Class A which then gets overworked, and because he's the top dog nobody has the guts to offer critique. More eyes will reveal more bugs (unless they're all equally incompetent, of course).

What you need is not a license but accountability; when you put your John Hancock under the QA document you give your word that the system's fault-free to the best of your efforts, and that you will take care of support.

Being forced to take responsibility does a whole lot more than having a fancy piece of paper on your wall. The same responsibility would be nice for CEOs: lousy track record? Then you don't get any fancy stock options or nonsense like that.

Re:And that's the problem with corporations (1)

firewrought (36952) | more than 7 years ago | (#20248945)

...when you put your John Hancock under the QA document you give your word that the system's fault-free to the best of your efforts...

Not all software needs to be engineered to space shuttle reliability [fastcompany.com]. Humanity has things to do and places to go, and we wouldn't have a technological revolution if it was tied to some 40 lines of code per man-year. We don't have the time and talent for that. It makes sense to stratify our level of quality according to how critical the code is.

Re:And that's the problem with corporations (1)

SillySlashdotName (466702) | more than 7 years ago | (#20248701)

Perhaps an Engineer could enlighten me on the history of how those things evolved for them.

Check out the Code of Hammurabi, a Babylonian king, which said that, if a person builds a building for another and the building falls in and kills the owner, the builder shall be put to death. There are other parts as well, but the total is that the builder/engineer is held responsible/liable for the construction done by that builder/engineer.

Not an engineer, but I do watch the discovery channel...

Re:And that's the problem with corporations (1)

Lord Ender (156273) | more than 7 years ago | (#20249181)

I can already tell you the results: Every failure is a result of both management and engineer failures.

If you are suggesting that all of senior management and many of the engineers at Boeing should all go bankrupt when a plane crashes due to a design flaw (because some jury awarded 10 billion for pain and suffering), then I would no longer invest, work, or serve in the US. I wouldn't be the only one.

Basically, you are suggesting the economic suicide for an entire country.

Your reasoning is flawed (3, Informative)

BlackCobra43 (596714) | more than 7 years ago | (#20248279)

The same standard IS applied. When an engineer is sued it is because his design was faulty, not because the building contractor used shitty concrete. If said contractor used shitty concrete, HE will be sued into oblivion.

Likewise, if the policies enacted by a companydirect actions defraud the public out of millions of dollars, they will be held accountable (see: Enron). If Joe Sixpack in accounting traffics data all on his own, why should the CEO be held accountable?

Re:Your reasoning is flawed (1)

Smidge204 (605297) | more than 7 years ago | (#20248503)

The same standard IS applied. When an engineer is sued it is because his design was faulty, not because the building contractor used shitty concrete. If said contractor used shitty concrete, HE will be sued into oblivion.


And so will the engineer, because his responsibility doesn't end once construction starts... part of his job is to monitor the quality of materials, methods and installed equipment and to make necessary adjustments to the design if things can't be worked out in the field.

An engineer's responsibility for a job isn't over until either some other engineer takes responsibility or he dies.
=Smidge=

Re:And that's the problem with corporations (1)

Hoi Polloi (522990) | more than 7 years ago | (#20249015)

And if those corporate executives push faulty designs or pressure bad decisions? Manslaughter charges are being sought [boston.com] in connection with the Power Fasteners company after it was found they knowingly ignored issues with epoxy based fasteners that later led to a woman's death in the Boston Harbor tunnel. Other companies involved in this and massive cost overruns and poor design decisions (major leakage in tunnel), such as Bechtel and Modern Continental Construction, have seemingly gotten off the hook.

Re:And that's the problem with corporations (1)

jamesh (87723) | more than 7 years ago | (#20247989)

I think the idea would be that you could only sue the board if you could prove negligence, eg that a problem was pointed out to them but because it would cost money to fix, nothing was done.

Re:And that's the problem with corporations (1, Insightful)

Anonymous Coward | more than 7 years ago | (#20248007)

Ah, so the board of directors should be sued for all of their personal assets in order to pay for Joe Coder's mistake in leaving a backdoor open.

Yes. In fact, sue the shareholders as well-- it's their company.

How many people do you think would start up businesses if they knew mistakes made by any employee could bankrupt them?

Wow, that's retarded, even for /. Business is about risk. If they're not prepared to assume that risk, then they should stay the hell out of business.

Re:And that's the problem with corporations (0)

Anonymous Coward | more than 7 years ago | (#20247959)


I would agree to this the day politicians are also held personally liable for their actions, including lies (even when not under oath) and on having ties to business or organisations that benefit.

I am from a European country. Imagine a corrupt organisation that you can never cease to do business with, is the permanent employer of every one of its auditors and data providers, and on the rare occasion a wrongdoing is found, one division of it fines the other but no one is affected because any shortfall is covered by the central authority. No one has ever lost their job.

Most recent case, turns out that the biggest party has been writing letters to editors under false names alleging to represent the opposition's view but wording their arguments poorly and offensively, and then writing arguments representing their own view. No one has resigned, no one has been punished, covered only in a small local paper, will not lead to any consequences at all.

Personal liability is not a solution (1, Interesting)

TheSciBoy (1050166) | more than 7 years ago | (#20248081)

Who would take a job where you could be held personally liable for any mistake your subordinates may do? You have a company where the size is small enough that you can check everything, I guess, or you wouldn't be taking that responsibility, but would you really want to be personally liable if you had 1500 employees? Would you be able to check all their work for flaws?

In my opinion, this company has already been punished for their mistake. They exist no more. The employees who made the mistake have already lost their jobs. What would be the purpose of suing? Revenge?

Personal accountability is great but in a company, that accountability is handled internally. If an external party has been harmed by the mistake, they sue the corporation and the corporation pays. Internally, the company may fire anyone and everyone they find responsible but they cannot and should not be able to take the money they lost from those people. The whole point of starting a corporation, for goodness sakes, is to create an entity that is separate from the employees and even the owners so that the employees and owners are NOT personally responsible.

Sorry if I'm not crying when there is no one left to sue.

Re:Personal liability is not a solution (2, Insightful)

Jah-Wren Ryel (80510) | more than 7 years ago | (#20248185)

In my opinion, this company has already been punished for their mistake. They exist no more. The employees who made the mistake have already lost their jobs. What would be the purpose of suing? Revenge?
I tend to agree with you, especially since the problem didn't kill anyone. But, some questions remain - we don't know how much influence that primary investor had over operations. What are the chances that he will just open up shop again under a different corporate charter and continue the same sort of poor practices that got his first company in trouble?

I think corporate death like this is a good thing if it results in the rest of the industry internalizing the consequences of poor practices. But if the problems remain, then the mere dissolution of the corporation is not sufficient.

Re:Personal liability is not a solution (1)

RESPAWN (153636) | more than 7 years ago | (#20249017)

It's been over a year since I last read the HIPAA regulations, but it's possible that whoever was responsible for the coding problem could face fines and/or jail time. Personally, I think it's unlikely that it would happen since there was no malice involved, but I'm not quite sure how the laws are written, so if somebody decides to seriously press the matter, we may yet see some people getting in trouble.

Re:Personal liability is not a solution (0)

Anonymous Coward | more than 7 years ago | (#20248189)

this company has already been punished for their mistake. They exist no more.

Bullshit, their "investor" will take the money they sucked out of the corp and reform the board, name the company "Shell Corp Mk. II", buy the assets back from themselves at the bankruptcy firesale and continue on their merry way.

Personal accountability is great but in a company

Yep, there it is, everyone should be personally responsible, except for my precious, precious corporations. If the purpose of punishment is to dissuade people from fucking up, you're going to have to do better than "internally" handling it by firing a scapegoat in order to stop the sociopaths from fucking up bigtime then moving on to fuck up the next one even better.

Re:Personal liability is not a solution (1)

R2.0 (532027) | more than 7 years ago | (#20248213)

"In my opinion, this company has already been punished for their mistake. They exist no more. The employees who made the mistake have already lost their jobs. What would be the purpose of suing? Revenge?"

No, restitution. The civil court system is primarily concerned with damages and making an injured party whole. "Punitive" damages are tacked on at the end if the conduct has been egregious. So the hospital sues not to punish the company but to recover damages - fines, labor for fixing the contractor's mistake, etc. Since the primary investor bailed, it is presumed that he either extracted his investment, or at least has some significant holdings independent of the bankrupt company.

We can debate the merits of piercing the corporate veil for civil liability, but talking about "punishment" in this context is a red herring.

Restitution (1)

TheSciBoy (1050166) | more than 7 years ago | (#20248833)

We can debate the merits of piercing the corporate veil for civil liability, but talking about "punishment" in this context is a red herring.

I disagree. Suing individuals for a mistake like this would be revenge and would serve no other purpose than giving some people a misplaced sense of "justice". My question (largely rhetorical in nature) was more regarding the intent of suing someone rather than the purpose of any legal system. The governmental branches mostly have very lofty purposes which just as often are corrupted by the public/politicians/corporations.

Re:Personal liability is not a solution (1)

jridley (9305) | more than 7 years ago | (#20248715)

In my opinion, this company has already been punished for their mistake. They exist no more. The employees who made the mistake have already lost their jobs. What would be the purpose of suing? Revenge?

It's not at all clear that they've been punished. And there has been no restitution to the injured parties.

Hypothetically: a company makes a program that makes it super easy to do stock transactions, and makes a billion dollars selling it. Then one day it's discovered that there's a vulnerability that allows a black hat to get your account data, and billions of dollars worth of stocks and cash are drained from tens of thousands of personal accounts.

The company folds the next day and the owners and employees walk to their next job with money in the bank.

Have they "been punished" for their mistake? Would you think so if you'd had your entire retirement fund stolen by their software at age 64?

Dissolution and reconstruction, the perfect escape (1)

TheSciBoy (1050166) | more than 7 years ago | (#20249105)

What you describe is of course an undesirable (to say the least) turn of events. However, I find it unlikely that there is no failsafe for this. How do you "fold" a company and what is involved? Can you dissolve a company if you know a lawsuit is coming? At what point are you unable to dissolve a company so that you lose no money?

Otherwise this seems like the perfect failsafe for any corporation when a large lawsuit is pending. Dissolve the company, reconstruct it in a new name and continue business as usual. I would think that there must be some legal problems with this approach or it would be standard operating procedure.

Re:Personal liability is not a solution (1)

TheMeuge (645043) | more than 7 years ago | (#20248905)

In my opinion, this company has already been punished for their mistake. They exist no more. The employees who made the mistake have already lost their jobs. What would be the purpose of suing? Revenge?

Well, the problem is that when corporations fold, what happens is that the Board Of Directors winds up leaving with multi-million dollar severance packages, while everyone else is thrown into the street. Some of the severance packages are so great as to make it almost more profitable for some individuals to be let go, than to continue working.

That's the biggest problem with corporations in my view - the people who set the policies are the people with the LEAST to lose in the case of the corporation going bankrupt.

Re:Personal liability is not a solution (1)

mgblst (80109) | more than 7 years ago | (#20248941)

In my opinion, this company has already been punished for their mistake. They exist no more. The employees who made the mistake have already lost their jobs. What would be the purpose of suing? Revenge?


Star wars fan heh? I suppose when Darth Vader killed the Emperor, all his sins were forgiven as well? All the people he killed, planets and ship destroyed, all forgotten?

You bastard!!

But really, how is this much punishment? They will just start up another company, slightly different name, and keep doing the same thing? Nobody is actually anything more than slightly inconvenienced by this.

Re:And that's the problem with corporations (4, Informative)

deftcoder (1090261) | more than 7 years ago | (#20248125)

A judge can reinstate a business for the duration of a trial though, even if it was dissolved (with no objections) through the normal channels.

Just because your business was officially dissolved (through the Secretary of State's office) doesn't mean that you're off the hook for bad shit you pulled.

If an employee or contractor was found to be negligent or acting outside of their role within the corporation, they can be found personally liable. That usually results in employee/contractor suing the business and vice versa.

American business law is very interesting.

Re:And that's the problem with corporations (1, Interesting)

Anonymous Coward | more than 7 years ago | (#20248151)

>I happen to own a corporation

I did too, and I knew that as a director of the corporation I was personally liable for the corporation's actions. You don't just get carte blanche as everyone here thinks you do. A corporation gives protection to its shareholders, who, in a larger corporation, have nothing to do with the business.

The liability is still limited compared to a proprietorship, but it is necessary, as running a business opens up a huge can of worms -- If someone slips and falls at your house, they will not win millions of dollars against you (they may win a reasonable settlement, though). As a business, the standard is higher, and you will lose everything you own as a sole proprietorship and end up bankrupt. And, with that issue in mind, few to no people would open new businesses, since the business wouldn't have the money to cover all losses to that extent.

I studied this concept very carefully, as I owned a satellite company in Canada, a VERY dangerous and VERY liable to be sued (by the government) business. More than half of the satellite companies in my city have been sued out of existence, the government managing to end up seizing not only the assets of the company, but eventually managing to seize personal assets as well. The "crime" being selling US satellite equipment or service. Considering it took my company 18 months to be signed on to sell for a Canadian satellite company (ExpressVu), which only happened under CRTC threat, I can understand the motivation. The last move by the government here was to extend the fines and reach of the laws (luckily it didn't pass as it was election time) so that a corporation importing a single US receiver (not even selling it or purchasing service for it) would be liable for up to $750,000 in damages between the government fines, and set fines for ExpressVu and StarChoice. Ho-hum. For a Canadian household it would "only" be $200,000... Enough whining, anyways. :D

Nobody ever got fired for choosing ColdFusion (1)

ArsenneLupin (766289) | more than 7 years ago | (#20248301)

I guess this technically still holds true. They didn't get fired, their company only went bust...

That is the problem (1)

WindBourne (631190) | more than 7 years ago | (#20248377)

I would bet that even the investor did so only through an INC. It is this lack of responsibility that is occurring in incs and politics which are destroying society. IMHO, it would behoove the country (and perhaps countries) to re-do corporate laws in a fashion that holds boards/CEO, and even investors responsible.

One interesting side note about this is that corporations are supposed to have nearly all the same rights as humans. But they do not have the same responsibility. That is, they can not be jailed for 20 years or even executed. As I watch their actions, more and more they appear to be sociopathic. They operate with less care about the community and are more about making money for the CEOs (interestingly, not even for the investors rate that high).

Re:That is the problem (1)

Overzeetop (214511) | more than 7 years ago | (#20248849)

Actually, I'd like to see the rights of corporations curtailed. There are actually good reasons for shielding directors, officers, and shareholders (though there are bad reasons, too). I say we make corps less powerful first, then deal with the internals.

in a country with the death penalty? (1)

fantomas (94850) | more than 7 years ago | (#20248825)

"Nobody is held accountable for the actions of a corporation. The board of directors and all officers should be held personally liable."

That's really not going to work too well in a country where you still have the death penalty. Who's going to want to be a director? You are going to have to go round executing a lot of CEOs every time bridges collapse, trains crash, etc. Mind you I suppose that's what happens in China.

Though I take the point you're making in spirit. We had some train crashes in the UK over the last decade and people are left with their husbands dead, while the top bosses just say sorry and take home another pay cheque. At worst they get sacked and instantly head hunted by other companies for another stupidly high wage. Maybe a few years in prison might not be a bad idea.

Re:in a country with the death penalty? (2, Insightful)

Overzeetop (214511) | more than 7 years ago | (#20248875)

Who's going to want to be a director?

At the salaries these places pay, there will be people knocking at the door. And I wouldn't worry too much about the death penalty - capital murder has very narrow limits. I think the CxO would still have to stalk and kill someone to be eligible.

Re:And that's the problem with corporations (1)

Zaiff Urgulbunger (591514) | more than 7 years ago | (#20248935)

But then again, couldn't they sue the person who did the acceptance testing? I mean, they *did* have someone acceptance test it, right?

left with no one to sue (5, Insightful)

YrWrstNtmr (564987) | more than 7 years ago | (#20247883)

The hospitals, which initially reported their breaches separately, were left with no one to sue."

I'd start with the ex-CEO. The 'company' did not make decisions, people did. They should be held accountable.

Re:left with no one to sue (1)

EXMSFT (935404) | more than 7 years ago | (#20248011)

It depends on the type of organization it was, and where it was founded. Like it or not, forming a corporation or LLC is often done to specifically shield founding/leadership individuals from liability of the company. And to a large extent, it does.

Re:left with no one to sue (1)

westlake (615356) | more than 7 years ago | (#20248555)

forming a corporation or LLC is often done to specifically shield founding/leadership individuals from liability of the company.

Well, duh. Limited liability company [wikipedia.org]

Re:left with no one to sue (1, Insightful)

Anonymous Coward | more than 7 years ago | (#20248257)

I'd start with the ex-CEO. The 'company' did not make decisions, people did. They should be held accountable.

Not if they're a corporation.

People think that anti-corporation people are all hippies who want every business to be a small business. Not the case at all. I'm very anti-corporation, not because I care about size (which I don't), or care that they're putting small business out of business (because I don't care: the big guys give me a better price).

Rather, it's because when a small business messes up, people are held liable.

When a corporation messes up, NO ONE is held liable, except in extreme cases. The "corporation" is itself a legal entity, just like you or I, which absolves the responsibility for the actions of the people who work for it. This is bullplop. If I personally sell something that has a lethal defect, why can't I just wave my hands and absolve myself of the consequences? Is it because I don't have enough employees or because I don't have stock? Or is it because the government created the legal entity known as the "corporation" for the express purpose of shielding wealthy people from the consequences of bad business?

Re:left with no one to sue (2, Interesting)

Gordonjcp (186804) | more than 7 years ago | (#20248439)

(because I don't care: the big guys give me a better price).

Do they really? Remember that the price is rather more than a number written on a ticket - you need to look at the value of what you're buying too. For instance, I buy most of my groceries in small independent shops rather than supermarkets, because I get better value for money. Yes, the number at the bottom of the receipt is a little higher, but the quality of the produce is much higher.

Re:left with no one to sue (1)

archen (447353) | more than 7 years ago | (#20248933)

Yes they typically do. Look closely at what you are saying; you are looking at VALUE not necessarily price. Smaller businesses often have better quality, service, value, whatever - yet it's the domain of the big business (ala Walmart) that can leverage its sheer mass for lower prices due to scale. Sometimes this is unintuitive to people. If you buy cheap crap paint, and it takes you more than twice as much paint, did you really save 30% compared to the more expensive paint? Yet people will still buy the cheap paint because it's cheaper.

Re:left with no one to sue (2, Interesting)

bepo (709117) | more than 7 years ago | (#20248923)

I'd start with the ex-CEO. The 'company' did not make decisions, people did. They should be held accountable.

If accountability is what you want then why are you looking at the CEO? Shouldn't the technician who left the router down be personally liable? You could say that the CEO had the responsibility for ensuring methods were in place to prevent this. You could also say that the data was the responsibility of the hospital and paying a contractor does not eliminate that responsibility.

Nice (3, Funny)

catdogven (947172) | more than 7 years ago | (#20247885)

This is another of the many advantages of outsourcing...

Can't pass the buck (5, Insightful)

nicolaiplum (169077) | more than 7 years ago | (#20247909)

You can outsource work but you can't outsource responsibility.
And if you think the supplier will always be around to sue later, and suing them is your only plan, you're a fool.

Re:Can't pass the buck (2, Insightful)

Keys1337 (1002612) | more than 7 years ago | (#20247947)

you can't outsource responsibility.

What's that thing called insurance do?

Re:Can't pass the buck (1)

AndersOSU (873247) | more than 7 years ago | (#20248421)

I think Mattel agrees.

As often as they blame a "rogue supplier" everybody is still going to blame them for lack of oversight, and rightfully so.

Re:Can't pass the buck (1)

HangingChad (677530) | more than 7 years ago | (#20248455)

You can outsource work but you can't outsource responsibility.

Oh, yeah? Let's ask Karl Rove.

HIPAA (2, Insightful)

morgan_greywolf (835522) | more than 7 years ago | (#20247923)

HIPAA laws are no joke. There are serious fines and even criminal penalties for letting confidential patient records out. It's so serious that companies working with health care data often have special training programs for their employees that handle any sort of hospital data -- even for IT workers.

Verus probably folded to keep from getting heavily penalized and/or to prevent its directors from being criminally prosecuted under HIPAA.

Re:HIPAA (4, Informative)

Jhon (241832) | more than 7 years ago | (#20248027)

There are serious fines and even criminal penalties for letting confidential patient records out.
Great summary of HIPAA here. [ama-assn.org]

Covered entities and specified individuals, as explained below, whom "knowingly" obtain or disclose individually identifiable health information in violation of the Administrative Simplification Regulations face a fine of up to $50,000, as well as imprisonment up to one year.
Notice that "knowingly" statement?

Sorry, but I think you are wrong on the "probably folded to keep from getting heavily penalized and/or to prevent its directors from being criminally prosecuted under HIPAA". FTA, it's more likely they folded from lack of funding -- as their primary investor pulled out (most likely due to not wanting to tarnish THEIR name)...

Re:HIPAA (1)

macz (797860) | more than 7 years ago | (#20248057)

Yeah, but who is responsible for enforcing HIPAA penalties, and how many have been levied for this yet? Is Phase 2 even complete?

Well now... (2, Insightful)

MrNaz (730548) | more than 7 years ago | (#20247925)

"The hospitals, which initially reported their breaches separately, were left with no one to sue."

In this day and age, all I can say is BOO HOO.

Re:Well now... (0)

Anonymous Coward | more than 7 years ago | (#20248195)

While I agree that someone should be held accountable, I also see where you're coming from on this. I think that the "lawsuits for everything" is long past the point of being really out of hand.

Re:Well now... (1)

Bardez (915334) | more than 7 years ago | (#20248285)

I agree, and I'm quite surprised to see the first of these sentiments so far down the page.

Re:Well now... (1)

Billosaur (927319) | more than 7 years ago | (#20248295)

The problem is, people are going to be suing the hospital for allowing their information to be let out into the wild. If Verus is no longer there for the hospitals to sue, then they don't stand to recoup any losses suffered when the plaintiffs win these lawsuits, and as a result the hospitals have to shell out hard-earned cash to make these people go away. End result: medical care costs go up or hospitals may close. Litigation is not always the answer, but in this case, it was the only way to make sure that the people who properly deserve the blame were held accountable. This does not absolve the hospitals completely, but it puts them and the people they serve in a bad spot.

Re:Well now... (1)

hawkinspeter (831501) | more than 7 years ago | (#20249057)

The hospitals deserve to be in a tight spot/go out of business if they make such a poor decision about suppliers. If they bought some cheap syringes that gave everyone blood poisoning, they should be held accountable - why not hold them accountable for buying rubbish software?

Start looking at MedSeek (3, Interesting)

faloi (738831) | more than 7 years ago | (#20247935)

I would think that if Verus is referring people to an alternate service, there would be some sort of contractual agreement between the two. The investors might have to assume some liability for preventing legal redress of problems.

For that matter, I would think the federal government would be all over it for violation of HIPAA regulations.

External security auditors were needed (5, Interesting)

Dekortage (697532) | more than 7 years ago | (#20247965)

Read the article. It was a single mistake -- leaving a firewall down after performing a transfer of data from one server to another. But, why would you need to take down a firewall to transfer data? Set up a VPN, or better yet, use hard drives and old-fashioned sneakernet to transfer the data.

What the vendor really needed was a security audit by an external security firm. I bet you will see more of that in its competitors (or ex-competitors).

Re:External security auditors were needed (1)

Billosaur (927319) | more than 7 years ago | (#20248339)

What the vendor really needed was a security audit by an external security firm. I bet you will see more of that in its competitors (or ex-competitors).

I bet you won't. Why? Because their competitors are slapping each other on the back, laughing themselves silly, and convincing themselves it won't happen to them, their IT guys aren't that dumb. Unfortunately, with the given state of IT talent, this is going to happen to one of them next -- not this precise failure, mind you, but something similar. Data security is a joke right now, and not just for hospitals. Until there is a universal outcry and until companies that cause data breaches are hit in the wallet hard, this kind of thing is not over by a long shot.

Re:External security auditors were needed (1)

Dekortage (697532) | more than 7 years ago | (#20249019)

Yeah, but after all the back-slapping and laughing-themselves-silly, somebody is going to get the bright idea that a security audit would be a great marketing tool. "You should hire us because we're secure. Really -- just ask !" And some customers will notice.

Re:External security auditors were needed (1)

Dekortage (697532) | more than 7 years ago | (#20249063)

Oops, that should have been: "just ask <security audit firm>!". Curse those HTML tag interpreters...

Re:External security auditors were needed (1)

SatanicPuppy (611928) | more than 7 years ago | (#20248789)

Still stupid. What were they transferring with, unsecured Samba? Anonymous FTP? Windows File sharing? And why were they transferring files in the first place? Secure files should reside on one machine or cluster, with nightly (or whatever is appropriate) backups. Two locations = two times the security risk.

Sometimes you have to take that risk (a redundant colo or something), but in that case you have a secure medium for file transfers and it should happen pretty damn often if not constantly ...Certainly not the kind of special occasion you would need to bring the firewall down for.

Did I say you should never bring down the firewall? I know a guy who (in lieu of network troubleshooting) will plug his PC directly into the cable modem when he has networking issues; gets virused all the time. And why was there only one firewall between this system and unsecured systems?

Sounds like these amateurs needed to go out of business.

Oh good god. (0, Flamebait)

Lumpy (12016) | more than 7 years ago | (#20248015)

The hospitals, which initially reported their breaches separately, were left with no one to sue."

OMG! Can we set up a paypal fund to help find someone for these hospitals to sue?

Boo fricking hoo. Even IF the guys were still in business they were more than likely an LLC, which means that you can sue them all you want, it won't do squat, you won't get squat.

I just love though how the summary makes it out how it's a horrible thing that the Hospitals can't sue anyone. Oh the Humanity!

Re:Oh good god. (1)

catbutt (469582) | more than 7 years ago | (#20249027)

I just love though how the summary makes it out how it's a horrible thing that the Hospitals cant sue anyone. Oh the Humanity!
What is your point?

What if it was worded "none of the responsible parties were there to accept the consequences" or "those that caused the problem escaped without repercussions, while others had to pay for the costs of their negligence"?

See how far you'll get litigiously when... (3, Interesting)

ahuimanu (237298) | more than 7 years ago | (#20248061)

The company is in India, or China, or Indonesia or.... you get the point.

Hold your information close to your chest - there's a reason you used to pay a guy, an in-house guy mind you, the BIG BUCK$ to keep your information straight.

But noooooo...

We gotta OUTSOURCE because it looks good on a quarterly statement.

Stew in it boyos, STEW IN IT!

Can someone explain (1)

Critical Facilities (850111) | more than 7 years ago | (#20248063)

all of the data losses can now be attributed to a single incident, in which Verus employees left a firewall down following the transfer of data from one server to another,

I confess, I am not someone who works professionally in the IT field, so I may be off the mark here, but can someone explain a situation where a computer would need to have its firewall dropped totally merely to transfer data from one system to another? I guess it just sounds a little unusual to me. Is this a systemic flaw in the way these systems were being administered or is this someone leaving out an obviously crucial step in an otherwise routine operation?

Re:Can someone explain (1)

Mark J Tilford (186) | more than 7 years ago | (#20248135)

One possible explanation is that there are difficulties with a computer behind one firewall communicating with a computer behind a different firewall.

Re:Can someone explain (3, Insightful)

Dancindan84 (1056246) | more than 7 years ago | (#20248167)

can someone explain a situation where a computer would need to have its firewall dropped totally merely to transfer data from one system to another?
A) Laziness (didn't want to set up a VPN or just open the necessary ports)
B) PEBKAC (didn't know how to do the above, or at least do it properly)
C) ID Ten T (knew how to do it, but didn't think it was a "big deal")
D) Some combination of A, B and C

Re:Can someone explain (1)

Lord_Frederick (642312) | more than 7 years ago | (#20248215)

In IT there is the correct way to do something, the cheap way and the easy way.

Very often things like this happen because something is being done the cheap or easy way. There was a way to set up data transfer so that it would be secure, but I guarantee that someone either didn't want to pay for it to be set up or IT didn't want to go through the trouble of setting it up.

You put too much faith in journalists (1)

smitth1276 (832902) | more than 7 years ago | (#20248675)

You're assuming that the person who wrote the article understands the distinction between a "firewall", an open port, or any number of other things.

Re:Can someone explain (1)

Alpha830RulZ (939527) | more than 7 years ago | (#20249083)

so I may be off the mark here, but can someone explain a situation where a computer would need to have its firewall dropped totally merely to transfer data from one system to another?

Easy. The firewall probably prohibited FTP traffic and they wanted to use FTP or similar to move the files, which is generally regarded as a Good Thing. A better approach would have been to put in a rule temporarily that would have allowed the connection, just between the computers in question. Probably the workers in question didn't know how to config the firewalls to do this, so they unplugged it, and forgot to put it back. However, even taking the firewall down for a few minutes is an egregious breach - the mean time to a port scan these days for an exposed machine is on the order of minutes, and the machines would almost certainly have been scanned and compromises attempted during this time.
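
Added example (not part of any comment in this thread, and not a description of what Verus actually ran): the approach suggested above, a temporary allow rule scoped to the one peer machine and removed automatically when the transfer ends, sketched as a POSIX shell wrapper. It assumes a Linux host with iptables, a default-deny INPUT chain and a transfer over SSH on tcp/22; the function names and the 192.0.2.x addresses are made up for illustration, and FW_CMD defaults to a dry run that only prints the commands.

```shell
#!/bin/sh
# Added example: open a firewall exception for ONE peer and ONE port, run the
# transfer, and always remove the exception afterwards.
# Assumptions (not from the thread): Linux, iptables, default-deny INPUT chain.
# FW_CMD defaults to a dry run that prints the commands instead of applying
# them; set FW_CMD=iptables (as root) to apply them for real.
FW_CMD="${FW_CMD:-echo iptables}"

# Accept only a single IPv4 host address: no CIDR ranges, no 0.0.0.0.
valid_peer() {
    case "$1" in
        ''|*[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        { [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ]; } || return 1
    done
    [ "$1.$2.$3.$4" != "0.0.0.0" ]
}

# The rule body is built in one place so the delete matches the insert exactly.
rule_spec() {
    printf '%s' "INPUT -p tcp -s $1/32 --dport $2 -j ACCEPT"
}

open_window()  { $FW_CMD -I $(rule_spec "$1" "$2"); }
close_window() { $FW_CMD -D $(rule_spec "$1" "$2"); }

# Usage: with_transfer_window PEER_IP PORT command [args...]
with_transfer_window() {
    peer=$1; port=$2; shift 2
    if ! valid_peer "$peer"; then
        echo "refusing: '$peer' is not a single host address" >&2
        return 2
    fi
    case "$port" in
        ''|*[!0-9]*) echo "refusing: bad port '$port'" >&2; return 2 ;;
    esac
    open_window "$peer" "$port" || return 3
    # Revert on Ctrl-C or kill as well, so an aborted copy cannot leave the hole.
    trap 'close_window "$peer" "$port"; trap - INT TERM; exit 130' INT TERM
    # Run the transfer; capture its status without tripping "set -e".
    "$@" && status=0 || status=$?
    close_window "$peer" "$port"
    trap - INT TERM
    return "$status"
}

# Example (dry run, constructed addresses):
#   with_transfer_window 192.0.2.10 22 scp -r /srv/export admin@192.0.2.10:/srv/import
```
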

Imaginary discussion (-1, Offtopic)

rdrd (1142449) | more than 7 years ago | (#20248153)

- Jimmy, have you seen that our CEO got syphilis ?
- Must be the new girl from downstairs ...

hmm (2, Insightful)

thatskinnyguy (1129515) | more than 7 years ago | (#20248217)

Enron folded after some financial misdeeds. The investors still had someone to sue. There is always someone to sue.

All right IT monkeys.. (3, Interesting)

Anonymous Crobar (1143477) | more than 7 years ago | (#20248231)

From the FA:

While reports of the breaches have been issued in dribs and drabs, all of the data losses can now be attributed to a single incident, in which Verus employees left a firewall down following the transfer of data from one server to another, according to David Levin, vice president of marketing at MedSeek.
Can someone explain to me why you would need to open EVERY PORT on a computer to transfer data across two machines? Is there any possible reason why this would be considered? Seriously?

Re:All right IT monkeys.. (2, Insightful)

archen (447353) | more than 7 years ago | (#20248871)

Looking at the clues here: File transfer + Firewall + needed to drop firewall... I'd say it was probably someone who couldn't figure out passive ftp. Needless to say they were transferring the data without encryption in the first place.

Next time... (2, Funny)

OpenSourced (323149) | more than 7 years ago | (#20248325)

The hospitals, which initially reported their breaches separately, were left with no one to sue

Next time, they'll buy IBM, I guess.

Specifics? (1)

ArcadeX (866171) | more than 7 years ago | (#20248383)

Would be interested if someone could find out more, TFA didn't have much in the way of details. Was this a server in a DMZ, completely internet facing; hardware or software firewall; were the file sharing ports left open, or everything? I've made a few mistakes in my time, but never that big, not to mention the fact that (and I'm saying this without real details) it's pretty sad if you have to mess with a firewall to do file transfers...

Any self proclaimed basement dwelling lawyers know if criminal charges can be filed for HIPAA violations from individuals, or is the corporate liability umbrella going to save someone's ass?

I am not a lawyer, but... (1)

davmoo (63521) | more than 7 years ago | (#20248461)

...I do know a thing or two about corporate law, having served on a couple of corporate boards.

Granted this may vary a bit from state to state, but directors and executives of a corporation, and sometimes, depending on the circumstances, the investors, do not get total automatic blanket immunity from prosecution by virtue of incorporating. If the hospitals here can show there was willful negligence, and not simply "someone fucked up", they can go after the directors and executives for every penny they have, and the state(s) involved can go for criminal charges.

Enron is a perfect example of this. Willful negligence along with criminal activity. Several former execs are now forking out money and wearing prison uniforms.

This is the same as if someone forms a corporation for their business, and then goes to work with the attitude of "I don't have to watch what I do, I'm a corporation and can't be sued"...boom...they just lost legal protection if there is in fact a problem with their work. Under most circumstances, the law does not allow one to be negligent in their work. Ignorant maybe, but not negligent.

BUT... In Actual Practice... (0)

Anonymous Coward | more than 7 years ago | (#20248753)

This RARELY happens. Enron is an anomaly. For every Enron (e.g. a corp that gets caught), there are literally several hundreds (if not thousands) of smaller corporations that regularly and routinely fuck over both their customers and investors, and not diddley-squat ever becomes of it. No criminal prosecutions (the cops and prosecutors say "sorry, that's a civil matter, not our job"), and no civil lawsuits either since every blood-sucking lawyer who might otherwise be inclined to take on a plaintiff's case knows there's not a snowball's chance in hell of getting enough useful evidence against them in the discovery phase since the target corp will have shrewdly avoided producing as much possible evidence that could be used against them in the first place, or will destroy any last remaining shreds of paper-trail evidence they might possess since it's extremely unlikely anything will happen to them for doing so. This is "business as usual" in most of the larger "big business" cities of the USA, like Dallas, Houston, Chicago (where you may get real dead real fast for stirring up any trouble for a "corp"), Los Angeles, etc. (but not necessarily northeastern cities like Boston or NYC where things are run the old school way, not too unlike Chicago).

I call BS (1)

uncreativeslashnick (1130315) | more than 7 years ago | (#20248467)

Just because a corp folds up doesn't mean there is no one left to sue. A corp doesn't just disappear into thin air when someone wants to "pull the plug." The corporation has assets, and those assets have to get distributed to somebody, and that process takes time. A corporation with no assets is in serious danger of losing the liability shield (meaning people can go after the individual shareholders and/or corporate officers). Also, any liability insurance policies in place when the corporation was operating would still be accessible to claimants.

At the very least, this corp is out of business and won't be making insecure web sites anymore, which is a good thing. With any luck, a smart customer will attach what's left of the assets so that nobody walks away with all the money scot-free.

THE country? THE government? (1, Offtopic)

BestNicksRTaken (582194) | more than 7 years ago | (#20248561)

"....managed the websites of as many as 60 of the country's largest hospitals"

Which country might that be then, as I'm sure there's more than one country in the world.

Slashdot is not USA-specific.

I'd better shut up now before the World Police come-a-knocking.

Re:THE country? THE government? (0)

Anonymous Coward | more than 7 years ago | (#20248733)

Re:THE country? THE government? (1)

Dunbal (464142) | more than 7 years ago | (#20248861)

Which country might that be then

The country where everyone sues everyone else. Also the country that has incredibly restrictive legislation on health care information (HIPAA). Am I getting warmer?

Re:THE country? THE government? (0)

Anonymous Coward | more than 7 years ago | (#20248881)

Um, yes, slashdot IS USA-specific.

Dumbass.

Knee jerks the wrong way (3, Insightful)

bhmit1 (2270) | more than 7 years ago | (#20248563)

Of course the knee jerk reaction is to make corporations more accountable, raise the risks for the owners, etc. As others have pointed out, no one would want to run a corporation where they are liable not just for doing their job, but being sure that no mistakes were made by anyone else (like the IT worker turning off a firewall, or the janitor that doesn't put down a wet floor sign). Take the current executive pay and bump it up by a factor of 10. Honestly, all the barriers, rules, legal risk, etc are part of the reason big companies have gotten so big.

Also, let's not forget that if the executives really did something wrong, closing the business isn't enough. There's still a legal record of who owned the business when the breach occurred. What the hospitals are upset about is that the investors stopped putting money into the company which they could try to get their hands on. The investors already lost because the company folded, they never saw a return on their money, and probably lost their principal, too. As did the shareholders (stock=0), employees (now unemployed, a few of them rightfully so), executives (with a black mark on their record for something they didn't do), etc. Anyone who walks away from a folded company as a winner either did nothing wrong, scammed the system, or was really good and didn't get caught. None of which appears to have happened here.

If you want to be anti-big business, you need to cut down the barriers so that "locally owned" has a fighting chance against the "benefits of scalability".

Let's Ignorantly Blame Capitalism! (0, Troll)

smitth1276 (832902) | more than 7 years ago | (#20248613)

Because it isn't like this sort of thing EVER happens with giant, inefficient, incompetent government bureaucracies (like the VA). The difference is that in this case--with a free market--the people who suck go out of business, while the VA just says "whoops" and continues to suck.
Okay, you may resume your blind faith-based, anti-capitalist religious babbling now. Chomsky told you to think something, so it must be true!

No One to Sue? (1)

Compulawyer (318018) | more than 7 years ago | (#20248735)

There is ALWAYS someone to sue. A corporation is a legal fiction. In most, if not all states in the US, corporations continue to have an existence to sue or be sued for three years after ceasing business operations. In the right cases, courts will readily disregard the existence of a corporation (or LLC, LLP, or other limited liability entity) to reach the individuals (managers / shareholders / sometimes even investors) who ran the company.

One factor courts look at to determine whether a corporation's existence should be disregarded is whether the corporation was undercapitalized. That is, did the corporation have sufficient assets on hand to properly conduct its business and address liabilities that arise from foreseeable business risks (including insuring over those risks)? Closing up shop so quickly like this is a big indicator, to me at least, that someone is worried about personal liability.

I've been in this business for too long... (1)

simong (32944) | more than 7 years ago | (#20248817)

When I read that a single contractor was responsible for 60 hospital websites, I thought 'he must have been a busy chap.'

I think I'll go and lie down.

It's just P.R. (1)

Pig Hogger (10379) | more than 7 years ago | (#20249095)

Standard business practice.

They will reopen after changing their name to "Virus".

No one to sue... (3, Insightful)

Glen Ponda (599385) | more than 7 years ago | (#20249101)

The hospitals, which initially reported their breaches separately, were left with no one to sue.

A US-ian's worst nightmare, no one to sue. Do you really exist if you've no one to sue?
