I’m sure by now, you’ve heard about Rite Aid and their one-million dollar problem. For those of you not inclined to look up the press coverage of the thing, the TLDR version of the story is as follows: Rite Aid employees were dumping prescription bottles into dumpsters that are accessible to the public. The OCR got wind of it, investigated, and now Rite Aid is anteing up a cool million in fines.
Folks who follow this kind of thing might notice that it’s similar to the fine levied against CVS Caremark last year where they were similarly disposing of data in an inappropriate way. It’s difficult to try to establish any kind of pattern or trend from two events, so I’m not entirely sure that what I’m about to say will hold up over time – but does anybody else think this is way light?
I mean, the press is making a big deal about it because a million dollars sounds like a lot of money – but really? One million dollars? Using the most current numbers I could find), that’s about .0018% of their revenue. For someone making 50k a year (the current average household salary in the US), the same percentage works out to a fine of just over 90 dollars. So for Joe Average, it’d be like getting fined $90 – for example, like a parking ticket.
Follow my logic here: In college, there was a parking lot that was intended to be used just for faculty. Commuters who parked there would get a ticket for 20 bucks… if they got caught. But most of the time they didn’t get caught – it was pretty rare that anybody would get ticketed. Now what happened? The lot was always full of commuters – so full, in fact, that staff were often late to class because the lot was completely full of commuters. Apparently, the commuters did the cost/benefit and decided that it was worth it to occasionally pay the fine in order to be able to park in that lot. In that case, the enforcement action (the ticket) was so minimal and the chance of getting caught so unlikely, that it was a no-brainer.
Isn’t this the same thing? As an enforcement action, is this acceptable? Do we think the parking ticket for Rite Aid is sufficient to deter this kind of privacy violation from them or others? I’m not sure it does. Sure, there’s some bad publicity which has some associated cost… sure, there’s the fact that they have to do some audits going forward (not cheap.) But do we really think that anybody will take notice of this?
Tuesday September 7, 2010
Diana Kelley's profile