Cost Of Doing Business
I got a message from Google/Microsoft asking permission to crawl any data I send via email on Outlook, including attachments, etc. A little about me – I work at the intersection of law and healthcare. As a result, I access private client information as well as patient health information. This brings up two concerns, protecting the private legal information of my clients and protecting their PHI, Protected Health Information. I don’t have permission to share this information with Microsoft, so when I was asked for permission to crawl this data, I pressed the deny button.
You would think that would be the end of it, but you would be wrong. Pressing the deny button removes the request for about a minute, and then it pops up again. Over, and over and over; never ending! I keep pressing the deny button and every time the request reappears. It is as if I am in the middle of a hack attack by Microsoft/Google; with no way out unless I press the accept button.
I did some research. I learned that this was a real thing and that I was not being spammed or hacked. I learned that if I press the accept button and the information is misused, the legal responsibility falls on me, and me alone, because I gave access without permission. So what am I to do?
Large multinational companies are setting up servers in the EU and buying their software from Microsoft and Google GMb (Germany). By doing this, their data is subject to protections offered by the EU. They’re crawling of emails and attachments, etc., is not permitted. If the multi-national is a big enough customer, I have been told that Microsoft/Google will put in a patch. The patch allows the multi-nationals the ability to make their purchases and continue to maintain their servers in the US. Their data is not subject to the pesky interference and the violations of privacy that people like me can’t avoid.
However, for most American companies, their ability to do business in the EU and set up foreign servers is limited at best. What they can do is assess the risk of being sued by their customers and insure or reserve for this possibility. Most I spoke to consider this a cost of doing business.
The problem is for the small business, their ability to insure or reserve for this possibility is out of the realm of possibility. According to https://secureframe.com/hub/hipaa/violations, non-compliance events involving HIPAA violations cost, on average, $4 million per incidence in 2021.