Just saw, via Bruce Schneier’s great security blog, a very interesting case discussing the Gramm-Leach-Bliley obligations of a financial institution to provide security regarding customer financial information. If you don’t know, GLB is in many ways the financial institution analog to HIPAA. In any event, an employee of a student loan company had a bunch of applicant financial information on his home laptop computer (the employee telecommuted). The house was burgled, and the laptop was stolen and never recovered. There was never any evidence that any of the information on the laptop was used for untoward purposes, and because of the way the employee worked at home, there was no way to know whose information was on the computer at the time it was stolen anyway. But the company notified all applicants that their information might’ve been compromised. Even though he had suffered no damages, one applicant sued. The court threw out the suit.
This obviously has implications for the Providence case.
[Via HIPAA Blog]