By Maryling Yu
It is with great trepidation that I write this first blog post on my own, without my trusty sidekick, Ron LaPedis. Okay. Who am I kidding here? I am HIS sidekick. There, I’ve admitted it. So you can imagine how scary it is for the sidekick to set out alone into the blogosphere minus the hero. But it is a story that has to be told – a story of how I fought the law and the law won. And unfortunately, ignorance of the law was not an excuse.
Last February, I got pulled over for talking on my cell phone while driving my husband’s car to work. Because I didn’t try to lie and say I wasn’t on the phone, the officer decided to be lenient with me and gave me a “Fix-It” ticket for a cracked windshield and not having proof of insurance in the car (my dang husband keeps his proof of insurance in his wallet, not his car). “Otherwise,” he said, “a ticket for a cell phone violation would run you about $300.” Oh my goodness, Officer. I am ever so grateful.
I tucked the Fix-It ticket in the glove compartment and continued on my merry way to NetApp. That was February 24, 2011. Fast forward to September 8, 2011. I get back from a two-week vacation in China, and find a letter in the mail that states that my driver’s license is suspended as of October 5. WHAT?! What’d I do?
It turns out that I was supposed to “appear” in court sometime before the end of April 2011 to verify that I had fixed the windshield and put the proof of insurance certificate in the car. Because they had been sending communications to the address on my driver’s license and not the address in my DMV record, I had not “appeared” in court and was therefore in the process of getting my driving privileges suspended. So let me get this straight: even though I updated my mailing address with the DMV, because the California DMV does not send out new licenses in order to save money, I have to pay the price? Well, yes.
Anyway, when I called to find out if I could just pay the Fix-It fine, I was told my account had been sent to collections (because of many months of not having received a response), and that in order to un-suspend my license, I would have to pay a whopping $1,678. AAAGGGHHHHHH!
The kind-hearted officer’s attempt to save me $300 turned into a burden that was 5 times more onerous. And, as the courthouse clerk kept telling me, I had no one to blame but myself. The onus was on me to dig the Fix-It ticket out of the glove compartment, the onus was on me to call up the courthouse to set a court date, and the onus was on me to appear on said court date, show evidence of having fixed my problems, and pay the $50 fine. I walked around feeling like the victim of a drive-by shooting for a week, but I gotta say: she was right. I had to take full responsibility for my own actions (or inaction, as it were).
Yeah yeah, you’re thinking, “Nice sob story, but what brings you to tell this tale on a data storage protection blog?” Just that in the world of data, there are also a lot of rules: rules about how long to store data for, whether it has to be encrypted, who has access to it, whether it can be changed, and what happens if you lose it. Just like in the real world, these rules carry penalties for failure to comply. And just like in the real world, ignorance is no excuse. Take the payment card industry’s data security standard, PCI-DSS, for example. Even if you’re the smallest business in the world – like my Mom, who was a jewelry crafter who sold her wares in tents at art fairs – if you accept credit cards and store the card data, you’ve got to secure that information. (I can guarantee you my mother has never heard of PCI-DSS.) And if you don’t, you will pay the price – $5,000 to $50,000 a month for each non-compliant month, and up to $500,000 for egregious violations. Or, you could even lose your ability to accept Visa, Mastercard, American Express, and so on. You can plead ignorance all you want, but those pleas will fall on deaf ears. And that’s just a rule made up by an industry group.
Governments also make up rules – like HIPAA for healthcare and HITECH for health IT providers, GLBA for financial institutions, and SOX for publicly held companies in the United States. And believe me, they don’t care if you know about the rules or not...they still apply to you, so best be proactive and prepared in your approach to regulatory compliance and data protection.
As for what happened with my fix-it ticket: I wrote a letter to the Traffic Commissioner and said, in essence, that I was very sorry for driving while talking on a cell phone, very sorry for not following up on the Fix-It ticket, and that even though I had properly updated my address with the DMV, I did not receive any official communications about the violation, so I was very sorry for not knowing when or where to show up. Oh, and I was also very sorry for not having $1,678 on hand to sign over, so would a $300 check suffice, since that was how much I should have paid for talking on my cell phone while driving in the first place? Believe it or not, his answer was YES! I guess you can try to talk your way out of fines for a massive data breach, but you may not be as lucky as I was…