WEDI released its most recent Data Breach Notification Decision Process document, an update with Final HIPAA Omnibus Rule Breach Notification changes, but something strange stands out. Why is an organization which is focused on “electronic data interchange” recommending a paper process? Do you complete your taxes on paper? Does your accountant prepare anything on paper? Why is it that a privacy or security officer is expected to navigate this complex assessment process without the help of software? The WEDI Breach Assessment document should come with a bottle of Advil and a fifth of whiskey.
Another shortcoming of the WEDI process is that it only covers HIPAA/HITECH. What about all the inconsistent state laws? The most recent Target data breach has thrust the idea of a national data breach law back into the headlines, but that still seems like a long shot. Some state AGs have even come out against it. “States have been the leaders, the cops on the beat defining what is reasonable and not reasonable for their own states and heading up investigations on data breach cases for as long as there have been such things,” said Maryland Attorney General Doug Gansler. “It’s almost always a local issue. … We actually get things done.” Completing a privacy or security incident assessment against all the state laws will continue to be a major issue and makes a software tool even more attractive. Software ROI on one law, maybe… the software ROI on 30+ laws, definitely.
We rely on software to do everything; why not privacy & security incident assessment, management & notification? Although a lot of GRC platforms have “risk assessment and reporting” plugins or attachments, they aren’t built with data breach incident assessment, management and reporting in mind. Currently the only two purpose-built software products out there are Co3 & ID Experts RADAR.
You can read the whole WEDI document here: Breach Notification Decision Process