New data breach legislation
In the past two months, two bills have been introduced in Washington, D.C. that attempt to set nationwide standards for the security and privacy of consumers’ personal information. There are already 46 different data breach notification laws in 46 states, with somewhat different and inconsistent provisions regarding the notification of consumers. One intent of a national bill would be to eliminate these inconsistencies and ensure that all consumers are treated fairly and consistently when affected by a data breach incident. These bills are important to keep an eye on—and likely to be controversial—especially if you maintain and manage large amounts of consumer data.
The “Data Security and Breach Notification Act of 2010” was introduced by Senator Pryor (D-Arkansas) and Senator John Rockefeller (D-West Virginia) on August 5, 2010. The bill requires businesses and organizations that handle and store private consumer information, such as social security numbers, to use “reasonable security policies and procedures” to protect such information and to “provide nationwide notice in the event of a security breach.”
In addition to requiring organizations to use appropriate security technologies and processes to safeguard the personal information of consumers, the legislation would require companies to periodically assess their risk profile and take corrective actions in addressing security weaknesses. The Act would also require notification of consumers affected by a data security breach within 60 days of discovery. And for the first time, this bill would require that the organization provide the affected consumers with two years of credit reports, credit monitoring or “other service that enables consumers to detect the misuse of their personal information.”
Separately, Senator Carper (D-Delaware) and Senator Bennett (R-Utah) introduced the “Data Security Act of 2010” in July. This bill focuses on entities such as financial institutions, retailers, and federal agencies that handle vast amounts of consumer data. Like the Pryor bill, it includes a requirement for notification of consumers when a data security breach occurs where there is a substantial risk to the consumer of identity theft or account fraud, but it does not prescribe that consumers be provided with free access to credit monitoring or other services to prevent or detect identity theft and fraud.
Proposed new legislation follows health care lead and pitfalls
These bills are likely to have some of the same issues and problems that currently exist with health care’s Health Information Technology for Economic and Clinical Health (HITECH) Act, which provides for the security and privacy of protected health information (PHI). While the HITECH Act specifies notification of patients whenever a data breach occurs, the companion rules from the Department of Health and Human Services (specifically the Interim Final Rule) clarify that the provision for data breach notification is only for cases where there is a “substantial risk of financial, reputational or other harm” to the affected consumers. While this may sound fairly logical, it has been met with resistance and disdain from consumer advocates. The issue with establishing and regulating use of a “harm threshold” for data breach notification is in the details.
Risk assessments important to determine level of harm to individuals
Why is it more difficult to determine the personal impact of the unauthorized disclosure of health care data (such as a recent medical procedure or prescription) than of your social security number? Here’s the problem. Today both federal and state data breach notification laws require that the affected organization perform an incident risk assessment to determine whether there is a risk of harm; in other words, whether the people affected may become victims of identity theft. If a social security number is included in the lost or stolen data, these assessments will focus on whether financial harm will befall those affected, making it easier to support going to notification. (Notification is expensive and creates the opportunity for reputational risk to the organization.)
One of the challenges in doing an effective incident risk assessment is determining the impact of data elements other than the social security number. The other challenge is figuring out what to do to correct the problem once these data elements are lost.
First, can we assume that the organizations affected will carry out a proper risk assessment and come to a fair and accurate conclusion as to whether there is a risk of harm? Such a determination can cost them millions of dollars in data breach remediation costs alone, not even considering the less measurable costs such as customer churn and reputational damage, which are just as real. Such costs could make it difficult for the same individuals responsible for the data breach to admit that it could cause harm to the affected people.
Second, it has proven difficult to provide clear and objective guidance that would allow organizations to carry out a risk assessment to determine whether financial, reputational or other harm exists, especially when these factors are so subjective and open to interpretation and judgment. For example, if you were a patient at a hospital where you were admitted to have your appendix taken out, and the clinical records from this hospital were exposed, you may not consider the fact that everyone now knows that you are appendix-less to affect your reputation in a negative way. On the other hand, if you were admitted for a procedure where it was necessary to do an analysis of your blood, and it was determined that you carry the AIDS virus, you may in this instance consider the exposure of this information as having a very negative impact on your reputation. This situation illustrates how the same type of exposure (personal medical records) can in some instances be rather benign and in others quite acute.
The way I see it, the problem starts with determining what the financial impact is of losing data elements beyond the social security number. Specifically, answering the question “What is the financial impact of health care-related data on reputation and other factors?”
I believe there should be a harm threshold in HITECH and other pending breach legislation, including the recently proposed Data Security Act of 2010 and Data Security and Breach Notification Act of 2010. Current legislation relies on organizations to determine the risk without much guidance, which results in inconsistencies. What is missing today—which is causing confusion and ambiguity and increasing the length of incident risk assessments—is guidance on the level of risk that various breached data elements pose of reputational, financial, and other harms which could result in identity theft and health care fraud.
My position is based on these considerations:
1. Organizations and businesses must perform a risk assessment when they discover a privacy incident in order to determine “risk of harm” to understand what happened and to assess what steps are necessary to mitigate the risks created by a breach.
2. All organizations are at risk of unauthorized disclosures of unencrypted electronic, paper-based, or verbal personally identifiable information (PII) and PHI. If all unauthorized disclosures required notification, businesses would grind to a halt. This would also put a significant burden on regulators having to track and investigate these incidents, potentially overrunning the capacity of these organizations to perform this function in any meaningful way.
3. Organizations do not typically have the internal expertise or experience to assess the risk of harm to individuals from identity theft and fraud. Today, a few organizations use outside experts in the areas of forensics, breach response, legal, and privacy to assist in this exercise. External tools and resources available in the market today can help organizations with this process.
4. In healthcare, the Department of Health and Human Services (HHS) can provide more guidance on the risks associated with specific data elements in a data breach. The current risk of harm threshold provides specific exceptions, which is useful. But there is currently little guidance on the risk created by the breach of specific data elements in the area of reputational, financial, or other harm. I think HHS should look at both the private and public sectors and experts in the industry to share knowledge and best practices.
A possible solution to the proposed legislation’s potential problems
I propose that a consortium of experts from industry, academia, lawmakers, legal, and consumer privacy define the problem and develop possible solutions and implementation approaches. The focus would be to define the financial impact of the unauthorized disclosure of specific data elements that make up PHI. This would provide the missing variable in the risk equation, which would facilitate organizations’ future investment in information security to protect consumer PHI and give legislators and solution providers a metric to create more effective legislation and industry solutions.
If legislation requires notification based on an interpretation as to a risk of harm to the affected population, the government regulators should consider whether organizations should be put in the conflicted position of self-assessing such situations. They also should consider how to provide more specific and concrete means to measure the risk of harm to consumers.
I’m sure we haven’t seen the end of new bills in Congress focused on providing for a national approach to personal data privacy and security, and the associated requirements for notification in cases of a data breach. But it would be helpful to see additional thought going into the topic of how to assess whether a “data security incident” is in fact a “data security breach.”