<?xml version="1.0" encoding="UTF-8"?>
<!-- generator="wordpress/2.3.3" -->
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	>

<channel>
	<title>Data Breach Watch</title>
	<link>http://www.databreachwatch.org</link>
	<description></description>
	<pubDate>Tue, 22 Mar 2011 21:50:58 +0000</pubDate>
	<generator>http://wordpress.org/?v=2.3.3</generator>
	<language>en</language>
			<item>
		<title>New Data Breach Legislation and the Need for Risk Assessment Standards</title>
		<link>http://www.databreachwatch.org/data-breach/new-data-breach-legislation-and-the-need-for-risk-assessment-standards/</link>
		<comments>http://www.databreachwatch.org/data-breach/new-data-breach-legislation-and-the-need-for-risk-assessment-standards/#comments</comments>
		<pubDate>Wed, 29 Sep 2010 22:38:57 +0000</pubDate>
		<dc:creator>admin</dc:creator>
		
		<category><![CDATA[data breach]]></category>

		<category><![CDATA[Data Security Act of 2010]]></category>

		<category><![CDATA[Data Security and Breach Notification Act of 2010]]></category>

		<category><![CDATA[hitech]]></category>

		<category><![CDATA[hitech act]]></category>

		<category><![CDATA[phi]]></category>

		<category><![CDATA[pii]]></category>

		<category><![CDATA[protected health information]]></category>

		<guid isPermaLink="false">http://www.databreachwatch.org/data-breach/new-data-breach-legislation-and-the-need-for-risk-assessment-standards/</guid>
		<description><![CDATA[by ID Experts
In the past two months, there have been two bills introduced in Washington, D.C., that are attempting to set nationwide standards for the security and privacy of consumers&#8217; personal information. The intent of these national bills is to provide fairness and consistency in handling of data breaches, and to overcome the inconsistencies created [...]]]></description>
			<content:encoded><![CDATA[<p>by <a target="_blank" href="http://www2.idexpertscorp.com" onclick="javascript:pageTracker._trackPageview('/outbound/article/www2.idexpertscorp.com');">ID Experts</a></p>
<p>In the past two months, there have been two bills introduced in Washington, D.C., that are attempting to set nationwide standards for the security and privacy of consumers&#8217; personal information. The intent of these national bills is to provide fairness and consistency in handling of <a target="_blank" href="http://www2.idexpertscorp.com/breach-solutions/" onclick="javascript:pageTracker._trackPageview('/outbound/article/www2.idexpertscorp.com');">data breaches</a>, and to overcome the inconsistencies created by the existing 46 different <a href="http://www2.idexpertscorp.com/breach-solutions/have-a-breach/" onclick="javascript:pageTracker._trackPageview('/outbound/article/www2.idexpertscorp.com');">data breach </a>notification laws in 46 states. This is a laudable goal, but the effect of these new bills will be truly beneficial only if they can establish clear guidance for assessing reputational, financial, and other risks from a data breach. Without that, they will be replacing one set of inconsistencies with another.</p>
<p>The Proposed Legislation: <a target="_blank" href="http://www2.idexpertscorp.com/breach-solutions/for-healthcare/breach-prevent/risk-assessment-and-mitigation/" onclick="javascript:pageTracker._trackPageview('/outbound/article/www2.idexpertscorp.com');">Risk Assessment and Required Notification</a></p>
<p>The &#8220;Data Security and Breach Notification Act of 2010,&#8221; introduced by Senator Pryor (D-Arkansas) and Senator John Rockefeller (D-West Virginia) on August 5, 2010, requires organizations that handle and store private consumer information such as social security numbers to use &#8220;reasonable security policies and procedures&#8221; to protect the information and to &#8220;provide nationwide notice in the event of a security breach.&#8221; In addition to requiring appropriate security technologies and processes, the legislation would require companies to periodically assess their risk profile and take corrective actions in addressing security weaknesses. The Act would also require notification of consumers affected by a data security breach within 60 days of discovery. And for the first time, this bill would require that the organization provide the affected consumers with two years of credit reports, credit monitoring or &#8220;other service that enables consumers to detect the misuse of their personal information.&#8221;</p>
<p>Separately, Senator Carper (D-Delaware) and Senator Bennett (R-Utah) introduced the &#8220;Data Security Act of 2010&#8221; in July. This bill focuses on entities such as financial institutions, retailers, and federal agencies that handle vast amounts of personally identifiable information (PII) on consumers. Like the Pryor bill, it includes a requirement for notification of consumers when a data security breach occurs where there is a substantial risk to the consumer of identity theft or account fraud, but it does not prescribe that consumers be provided with free credit monitoring or other services to prevent or detect identity theft and fraud.</p>
<p>The Pitfalls of Open-ended Risk Assessment</p>
<p>Like the Health Information Technology for Economic and Clinical Health <a href="http://lp.idexpertscorp.com/hitech-whitepapera/" onclick="javascript:pageTracker._trackPageview('/outbound/article/lp.idexpertscorp.com');">(HITECH)</a> Act, which provides for the security and privacy of <a href="http://www2.idexpertscorp.com/breach-tools/radar-for-phi/" onclick="javascript:pageTracker._trackPageview('/outbound/article/www2.idexpertscorp.com');">protected health information (PHI)</a>, the proposed data security legislation is likely to be difficult and complex to comply with and to enforce. All three acts require consumer notification for data breaches that exceed a vaguely specified &#8220;harm threshold.&#8221; And the issue with establishing and regulating use of a harm threshold is in the details.</p>
<p>One of the challenges in doing an effective incident risk assessment is determining the impact of data other than a social security number. To understand the complexity of determining data risk, consider a healthcare breach situation. If your medical records were lost by a hospital, and someone could find out that you had your appendix out, that knowledge would carry little financial or reputational risk to you. If, on the other hand, the breached records showed that you were HIV-positive, the financial and reputational risk might be substantial. Determining the potential risk of other financial and personal data can be equally complex.</p>
<p>A second challenge lies in the conflicting interests of the organization doing the risk assessment. Where is the incentive for an affected organization to carry out a proper risk assessment and come to a fair and accurate conclusion, when a determination that the breach exceeds the risk threshold can cost them millions of dollars in data breach remediation costs, not to mention losses due to reputational damage and customer churn? How are organizations to objectively assess the risks of their own data breaches without clear guidance?</p>
<p>Finally, there is the challenge of figuring out how to correct the problem, once personal data is lost. Notification is expensive, but if a social security number is lost, the risks and the benefits of notification and remediation are clear. In cases where the risks are not clear, it is also less clear how to protect against them and whether the costs of attempting to do so are justified.</p>
<p>Defining Harm Thresholds for Risk Assessment</p>
<p>We believe there should be a harm threshold in pending breach legislation, including the recently proposed Data Security Act of 2010 and Data Security and Breach Notification Act of 2010, and a clearer harm threshold for the <a href="http://lp.idexpertscorp.com/hitech-whitepapera/" onclick="javascript:pageTracker._trackPageview('/outbound/article/lp.idexpertscorp.com');">HITECH</a> Act as well. Current legislation relies on organizations to determine risks in a regulatory vacuum, resulting in inconsistencies. What is missing today—causing confusion and increasing the length of incident risk assessments—is guidance on the potential reputational, financial and other risks associated with various breached data elements. Organizations do not typically have the internal expertise or experience to assess the risk of harm to individuals from identity theft and fraud. And while some use outside experts or new tools on the market, objective guidelines would go a long way toward alleviating confusion and encouraging consistent handling of breach situations.</p>
<p>We at <a href="http://www2.idexpertscorp.com" onclick="javascript:pageTracker._trackPageview('/outbound/article/www2.idexpertscorp.com');">ID Experts</a> propose that a consortium of experts from industry and academia, lawmakers, and legal and consumer privacy advocates define the problem and develop possible solutions and implementation approaches. The focus would be to define the financial impact of the unauthorized disclosure of specific data elements that make up PII and PHI. This would provide the missing variable in the risk equation, facilitate organizational investment in information security, protect consumers&#8217; personal information, and give legislators and solution providers a metric to create more effective legislation and industry solutions.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.databreachwatch.org/data-breach/new-data-breach-legislation-and-the-need-for-risk-assessment-standards/feed/</wfw:commentRss>
		</item>
		<item>
		<title>National Data Security and Notification Legislation Proposals Underway</title>
		<link>http://www.databreachwatch.org/data-breach/national-data-security-and-notification-legislation-proposals-underway/</link>
		<comments>http://www.databreachwatch.org/data-breach/national-data-security-and-notification-legislation-proposals-underway/#comments</comments>
		<pubDate>Fri, 10 Sep 2010 16:22:05 +0000</pubDate>
		<dc:creator>admin</dc:creator>
		
		<category><![CDATA[data breach]]></category>

		<category><![CDATA[credit monitoring]]></category>

		<category><![CDATA[data breach notification]]></category>

		<category><![CDATA[data privacy]]></category>

		<category><![CDATA[harm threshold]]></category>

		<category><![CDATA[hitech act]]></category>

		<category><![CDATA[privacy]]></category>

		<category><![CDATA[privacy risk]]></category>

		<category><![CDATA[security breach]]></category>

		<guid isPermaLink="false">http://www.databreachwatch.org/data-breach/national-data-security-and-notification-legislation-proposals-underway/</guid>
		<description><![CDATA[by Doug Pollack
In recent weeks, there have been two bills introduced in Washington, D.C. that are attempting to set nationwide standards for the security and privacy of consumers’ personal information. The “Data Security and Breach Notification Act of 2010” was introduced by Senator Pryor (D-Arkansas) and Senator John Rockefeller (D-West Virginia) on August 5, 2010. [...]]]></description>
			<content:encoded><![CDATA[<p>by <a target="_blank" href="http://www2.idexpertscorp.com/blog/author/entries/4/" onclick="javascript:pageTracker._trackPageview('/outbound/article/www2.idexpertscorp.com');">Doug Pollack</a></p>
<p>In recent weeks, there have been two bills introduced in Washington, D.C. that are attempting to set nationwide standards for the security and privacy of consumers’ personal information. The “Data Security and Breach Notification Act of 2010” was introduced by Senator Pryor (D-Arkansas) and Senator John Rockefeller (D-West Virginia) on August 5, 2010. The bill requires businesses and organizations that handle and store private consumer information, such as social security numbers, to use “reasonable security policies and procedures” to protect such information and to “provide nationwide notice in the event of a security breach.”</p>
<p>This act would require organizations to use appropriate security technologies and processes to safeguard the personal information of consumers. It would also require them to periodically assess their risk profile and take corrective actions in addressing security weaknesses. It also would require notification of consumers affected by a <a target="_blank" href="http://www2.idexpertscorp.com/breach-solutions/breach-response-overview/" onclick="javascript:pageTracker._trackPageview('/outbound/article/www2.idexpertscorp.com');">data security breach </a>within 60 days of discovery. And for the first time, this bill would require that the organization provide the affected consumers with two years of credit reports, credit monitoring or “other service that enables consumers to detect the misuse of their personal information.”</p>
<p>Separately, Senator Carper (D-Delaware) and Senator Bennett (R-Utah) introduced the “Data Security Act of 2010” a few weeks earlier. This bill focuses on entities such as financial institutions, retailers, and federal agencies that handle vast amounts of consumer data. Like the Pryor bill, it includes a requirement for notification of consumers when a data security breach occurs where there is a substantial risk to the consumer of identity theft or account fraud, but it does not prescribe that consumers be provided with free access to credit monitoring or other services to prevent or detect identity theft and fraud.</p>
<p>Today, there are <a target="_blank" href="http://www2.idexpertscorp.com/breach-tools/incident-response-plans/" onclick="javascript:pageTracker._trackPageview('/outbound/article/www2.idexpertscorp.com');">data breach </a>notification laws in 46 states that each have somewhat different and inconsistent provisions for notification of consumers. One of the intents of a national bill would be to eliminate these inconsistencies, ensuring that all consumers are treated fairly and consistently when affected by a data breach incident. This is likely to be controversial, however, in states like California and Massachusetts that have enacted stricter regulations than either of these two bills for the privacy protection of their consumers.</p>
<p>Additionally, these bills are likely to have some of the same issues that currently exist with the <a target="_blank" href="http://www2.idexpertscorp.com/blog/single/final-hitech-rules-will-they-include-the-threshold-of-harm/" onclick="javascript:pageTracker._trackPageview('/outbound/article/www2.idexpertscorp.com');">HITECH Act</a>, which provides for the security and privacy of protected health information (PHI). While the HITECH Act specifies notification of patients whenever a data breach occurs, the companion rules from the <a target="_blank" href="http://www2.idexpertscorp.com/blog/single/hhs-ocrs-first-million-dollar-breach-violation-fine/" onclick="javascript:pageTracker._trackPageview('/outbound/article/www2.idexpertscorp.com');">Department of Health and Human Services</a> (specifically the Interim Final Rule) clarify that the provision for data breach notification is only for cases where there is a “substantial risk of financial, reputational or other harm” to the affected consumers. While this may sound fairly logical, it has been met with resistance and disdain from consumer advocates.</p>
<p>The issue with establishing and regulating use of a “harm threshold” for data breach notification is in the details. First, can we assume that the organizations affected will carry out a proper risk assessment and come to a fair and accurate conclusion as to whether there is a risk of harm? Such a determination can cost them millions of dollars in data breach remediation costs alone, not even considering the less measurable costs such as customer churn and reputational damage, which are just as real. Such costs really could make it difficult for the same individuals who caused the data breach to admit that it could cause harm to the affected people.</p>
<p>Second, it has proven difficult to provide clear and objective guidance that would allow organizations to carry out a <a target="_blank" href="http://www2.idexpertscorp.com/breach-tools/radar-for-phi/" onclick="javascript:pageTracker._trackPageview('/outbound/article/www2.idexpertscorp.com');">risk assessment </a>to make the determination as to whether financial, reputational or other harm exists, when these factors are so subjective and quite open to interpretation and judgment. For example, if you were admitted to a hospital to have your appendix taken out and the clinical records from this hospital were exposed, you may not consider the fact that everyone now knows that you are appendix-less as adverse to your reputation. On the other hand, if you were admitted for a procedure where it was necessary to do an analysis of your blood, and it was determined that you carry the AIDS virus, you may in this instance consider it as having a very negative impact on your reputation if this information was exposed. This situation illustrates how the same type of exposure (personal medical records) can in some instances be rather benign and in others be quite acute.</p>
<p>If legislation requires notification based on an interpretation as to a risk of harm to the affected population, the government regulators should consider whether organizations should be put in the conflicted position of self-assessing such situations. They also should consider how to provide more specific and concrete means to measure the risk of harm to consumers.</p>
<p>I’m sure we haven’t seen the end of new bills in Congress focused on providing for a national approach to personal data privacy and security, and the associated requirements for notification in cases of a data breach. But it would be helpful to see additional thought going into this topic of how to assess whether a “data security incident” is in fact a “data security breach” for purposes of notification.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.databreachwatch.org/data-breach/national-data-security-and-notification-legislation-proposals-underway/feed/</wfw:commentRss>
		</item>
		<item>
		<title>New software tool for healthcare data breach risk assessments</title>
		<link>http://www.databreachwatch.org/announcements/new-software-tool-for-healthcare-data-breach-risk-assessments/</link>
		<comments>http://www.databreachwatch.org/announcements/new-software-tool-for-healthcare-data-breach-risk-assessments/#comments</comments>
		<pubDate>Wed, 21 Jul 2010 15:36:40 +0000</pubDate>
		<dc:creator>admin</dc:creator>
		
		<category><![CDATA[Announcements]]></category>

		<category><![CDATA[data breach]]></category>

		<category><![CDATA[data breach notification]]></category>

		<category><![CDATA[hhs]]></category>

		<category><![CDATA[hitech act]]></category>

		<category><![CDATA[healthcare data breach]]></category>

		<category><![CDATA[hipaa privacy]]></category>

		<category><![CDATA[hipaa security]]></category>

		<category><![CDATA[hitech]]></category>

		<category><![CDATA[risk assessment]]></category>

		<guid isPermaLink="false">http://www.databreachwatch.org/announcements/new-software-tool-for-healthcare-data-breach-risk-assessments/</guid>
		<description><![CDATA[ID Experts today announced RADAR (HITECH Risk Assessment, Documentation and Reporting), the industry’s first expert software tool to measure a data breach incident’s risk index (IRI) by combining the severity of the episode and the sensitivity of the exposed data to quantify the incident’s overall harm threshold.  Designed for healthcare providers, HIPAA covered entities, and [...]]]></description>
			<content:encoded><![CDATA[<p>ID Experts today announced <a target="_blank" href="http://www2.idexpertscorp.com/breach-tools/radar-for-phi/" onclick="javascript:pageTracker._trackPageview('/outbound/article/www2.idexpertscorp.com');">RADAR</a> (HITECH Risk Assessment, Documentation and Reporting), the industry’s first expert software tool to measure a data breach incident’s risk index (IRI) by combining the severity of the episode and the sensitivity of the exposed data to quantify the incident’s overall harm threshold.  Designed for healthcare providers, HIPAA covered entities, and their business associates, <a target="_blank" href="http://www2.idexpertscorp.com/breach-tools/radar-for-phi/" onclick="javascript:pageTracker._trackPageview('/outbound/article/www2.idexpertscorp.com');">RADAR</a> was developed to efficiently and consistently meet all of the requirements for complying with the <a target="_blank" href="http://lp.idexpertscorp.com/hitech-whitepapera" onclick="javascript:pageTracker._trackPageview('/outbound/article/lp.idexpertscorp.com');">HITECH</a> Act data breach notification provisions for security and privacy breach incident harm threshold assessment, documentation and reporting.</p>
<p>Security breaches are now remarkably commonplace in healthcare; more than 55 were reported to the Department of Health and Human Services (HHS) in the first six months of 2010. In fact, healthcare is the second most breached industry, according to the Identity Theft Resource Center. And security breaches, whether digital- or paper-based, can happen at any given moment—physical theft of a laptop from an employee’s car, deliberate abuse of system access, misdirected faxes and emails, malware attacks, unintentional human error, unauthorized access, a lost backup drive. Additionally, the future of healthcare dictates the use of electronic medical records, raising fresh concerns about protecting patient privacy, PHI threats and medical identity theft.</p>
<p>Dr. Larry Ponemon, chairman and founder of the Ponemon Institute, a leading researcher and voice in addressing data breach risks and issues, noted about RADAR that:</p>
<p>“Organizations may need guidance, especially when dealing with PHI breaches, so they cover their bases to protect individuals and follow all of the rules and laws. <a target="_blank" href="http://www2.idexpertscorp.com/breach-tools/radar-for-phi/" onclick="javascript:pageTracker._trackPageview('/outbound/article/www2.idexpertscorp.com');">ID Experts’ new RADAR tool</a> offers consistency and efficiency for evaluating and reporting a security breach, and provides the analysis and documentation required of a mandated risk assessment.”</p>
<p>Following any security breach, RADAR will guide the privacy or security officer to analyze the incident and exposed data to quantify the incident, determine whether the exposed information includes PHI, whether any exceptions apply, and the likelihood that the information could be misused.  The results will help companies determine the potential risk of harm to the individuals affected by each data breach incident and take appropriate steps to mitigate the potential harm to those affected, while fulfilling all of the <a target="_blank" href="http://lp.idexpertscorp.com/hitech-whitepapera" onclick="javascript:pageTracker._trackPageview('/outbound/article/lp.idexpertscorp.com');">HITECH</a> requirements enforced by the HHS, including determining if notification is required.</p>
<p>RADAR is currently in beta testing with several leading US healthcare providers and will be generally available in August 2010. RADAR is available as software-as-a-service on a subscription basis with pricing starting at $1,500 per user per year.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.databreachwatch.org/announcements/new-software-tool-for-healthcare-data-breach-risk-assessments/feed/</wfw:commentRss>
		</item>
		<item>
		<title>Are you ready for a healthcare data breach?</title>
		<link>http://www.databreachwatch.org/data-breach/are-you-ready-for-a-healthcare-data-breach/</link>
		<comments>http://www.databreachwatch.org/data-breach/are-you-ready-for-a-healthcare-data-breach/#comments</comments>
		<pubDate>Tue, 06 Jul 2010 23:01:22 +0000</pubDate>
		<dc:creator>admin</dc:creator>
		
		<category><![CDATA[data breach]]></category>

		<category><![CDATA[health and human services]]></category>

		<category><![CDATA[hipaa]]></category>

		<category><![CDATA[hitech act]]></category>

		<category><![CDATA[phi]]></category>

		<category><![CDATA[protected health information]]></category>

		<category><![CDATA[risk assessment]]></category>

		<guid isPermaLink="false">http://www.databreachwatch.org/data-breach/are-you-ready-for-a-healthcare-data-breach/</guid>
		<description><![CDATA[This article is reprinted from Healthcare IT News with the author&#8217;s permission.
by Doug Pollack
The handling of data breach incidents has become a way of life for  healthcare providers and with other HIPAA covered entities. With the  passage of the HITECH Act last year, there are now substantial penalties  that can be levied, [...]]]></description>
			<content:encoded><![CDATA[<p>This article is reprinted from Healthcare IT News with the author&#8217;s permission.</p>
<p>by Doug Pollack</p>
<p>The handling of data breach incidents has become a way of life for healthcare providers and other HIPAA covered entities. With the passage of the HITECH Act last year, there are now substantial penalties that can be levied, up to $1.5 million. This fact, combined with a requirement to notify the Department of Health and Human Services as well as the media for data breach incidents that affect over 500 individuals, has for the first time resulted in public records being kept for such incidents.</p>
<p>If you oversee privacy, compliance, or IT for a hospital system, a group practice, a health insurance company, other covered entities, or even one of their business associates, the HITECH Act and its privacy and data breach provisions require your close attention. While many people know that HITECH generally creates requirements for data breach notification, there are at least four things you may not know about HITECH that you really should:</p>
<ol>
<li>The requirement for a mandatory incident-specific risk assessment for every incident</li>
<li>The fact that HITECH notification provisions do not pre-empt state notification laws</li>
<li>Encryption of data does not necessarily alleviate the risk of data breach</li>
<li>If your business associate exposes your protected health information (PHI), you are responsible</li>
</ol>
<p><strong>1. Mandatory incident-specific risk assessment.</strong> When HHS issued its Interim Final Rule giving healthcare organizations guidance for complying with the HITECH Act data breach provisions, it added a new requirement. The requirement is that the organization carry out an incident-specific risk assessment to determine the potential risk of harm to the individuals affected by each and every data breach incident. The rules establish a &#8220;harm threshold&#8221; for notification, but unfortunately they leave the determination of risk and the potential for harm to the organization. It is essential to become well versed in these rules and be prepared to carry out a HITECH compliant data breach incident risk assessment.</p>
<p><strong>2. HITECH doesn&#8217;t pre-empt state notification laws.</strong> While HITECH is the first national law for notification in the case of privacy information breaches, most U.S. states also have breach notification laws. And while the intent of these laws is similar &#8212; to make individuals aware that their PHI may have been improperly disclosed &#8212; the specific details in all of these laws can actually vary a great deal. But because HITECH is not &#8220;preemptive,&#8221; a healthcare organization that has experienced a data breach must ensure that it complies with both HITECH regulations and the regulations in every state where individuals are affected. This can be daunting, especially because HITECH and state laws in some cases conflict.</p>
<p><strong>3. Encryption not a silver bullet.</strong> There is a lot of advocacy for encryption of PHI as a means to avoid data breach incidents. The general argument is that if data is encrypted, data breaches will not occur. Unfortunately, this is overly simplistic. While encryption will assist healthcare organizations in avoiding certain types of data breach incidents, it is not a panacea. For instance, a common threat approach is for a criminal or organized crime entity to enlist an &#8220;insider&#8221; to assist in extracting PHI. An insider with valid access credentials will not find encryption to be an obstacle in any way. As a result, consider encryption one of many tools for information protection, not a silver bullet.</p>
<p><strong>4. You are responsible for your business associate.</strong> For the first time, HIPAA business associates are required to meet the HIPAA Privacy and Security Rule requirements based on HITECH. While this is a good thing, a covered entity should not consider this a &#8220;free pass&#8221; if one of your business associates exposed PHI that was provided by your organization. While you may be able to hold them financially accountable, if you&#8217;ve provided for such eventualities in your business associate agreements, the obligation for notification is still with the covered entity. It is your responsibility to maintain the privacy of the PHI, no matter to whom you entrust it. And of course, the affected patients will hold you responsible as well.</p>
<p>As you put processes and procedures in place to meet HITECH obligations, consider also putting in place a comprehensive and current data breach incident response plan. This will prevent a lot of headaches and last-minute scrambling, should you be faced with a data breach.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.databreachwatch.org/data-breach/are-you-ready-for-a-healthcare-data-breach/feed/</wfw:commentRss>
		</item>
		<item>
		<title>Human Foibles Continue to Drive Healthcare Privacy Breaches</title>
		<link>http://www.databreachwatch.org/data-breach/human-foibles-continue-to-drive-healthcare-privacy-breaches/</link>
		<comments>http://www.databreachwatch.org/data-breach/human-foibles-continue-to-drive-healthcare-privacy-breaches/#comments</comments>
		<pubDate>Fri, 04 Jun 2010 18:19:33 +0000</pubDate>
		<dc:creator>admin</dc:creator>
		
		<category><![CDATA[data breach]]></category>

		<category><![CDATA[hitech act]]></category>

		<category><![CDATA[healthcare data breach]]></category>

		<category><![CDATA[hipaa]]></category>

		<category><![CDATA[hitech]]></category>

		<category><![CDATA[patient privacy breaches]]></category>

		<guid isPermaLink="false">http://www.databreachwatch.org/data-breach/human-foibles-continue-to-drive-healthcare-privacy-breaches/</guid>
		<description><![CDATA[It is terrific to see that a recent discussion forum of healthcare CIOs concluded that “human foibles” are likely to continue to contribute to data breach incidents in healthcare. The CIOs were on an e-health panel at the MIT Sloan CIO Symposium in Cambridge, Mass.
As noted by InformationWeek Healthcare:
“While advancements in [...]]]></description>
			<content:encoded><![CDATA[<p class="storycontent"><a href="http://blog.idexpertscorp.com/wp-content/uploads/2010/05/Healthcare_header.gif" onclick="javascript:pageTracker._trackPageview('/outbound/article/blog.idexpertscorp.com');"><img src="http://blog.idexpertscorp.com/wp-content/uploads/2010/05/Healthcare_header.gif" class="alignleft size-full wp-image-322" title="Healthcare_header" height="62" width="320" /></a>It is terrific to see that a recent discussion forum of healthcare CIOs concluded that “human foibles” are likely to continue to contribute to data breach incidents in healthcare. The CIOs were on an e-health panel at the MIT Sloan CIO Symposium in Cambridge, Mass.</p>
<p>As noted by <a href="http://www.informationweek.com/news/healthcare/security-privacy/showArticle.jhtml?articleID=224900435&amp;cid=RSSfeed_IWK_All" onclick="javascript:pageTracker._trackPageview('/outbound/article/www.informationweek.com');" target="_blank">InformationWeek Healthcare</a>:</p>
<p>“While advancements in security technology better protect patient data, and regulations like HIPAA aim to set rules for information security and privacy, some breaches boil down to humans making mistakes. ‘Everything in our environment is encrypted,’ said William Fandrich, senior VP and CIO at Blue Cross Blue Shield of Massachusetts. However, despite solid attempts at security protection and other precautions, healthcare organizations need to emphasize–and continue to remind–employees about simple things they need to do to prevent patient privacy breaches.”</p>
<p>We continue to find that organizations turn primarily to technology to solve the data breach “problem”. This is exemplified by the perspective that once all data is encrypted, data breach risks will be eliminated. It is great to see the thoughtfulness of the healthcare CIOs at this conference, where there was prominent recognition that human error (and, of course, human fraud) remains a weak link for data breach risk even when the best technologies are applied.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.databreachwatch.org/data-breach/human-foibles-continue-to-drive-healthcare-privacy-breaches/feed/</wfw:commentRss>
		</item>
		<item>
		<title>Heartland Breach Settlement with Mastercard</title>
		<link>http://www.databreachwatch.org/data-breach/heartland-breach-settlement-with-mastercard/</link>
		<comments>http://www.databreachwatch.org/data-breach/heartland-breach-settlement-with-mastercard/#comments</comments>
		<pubDate>Fri, 21 May 2010 17:59:54 +0000</pubDate>
		<dc:creator>admin</dc:creator>
		
		<category><![CDATA[Data Breach News]]></category>

		<category><![CDATA[data breach]]></category>

		<category><![CDATA[data breach settlement]]></category>

		<category><![CDATA[heartland]]></category>

		<category><![CDATA[mastercard]]></category>

		<guid isPermaLink="false">http://www.databreachwatch.org/data-breach/heartland-breach-settlement-with-mastercard/</guid>
		<description><![CDATA[Courtesy of Digital Transactions, Heartland Payment Systems entered into a $41MM settlement agreement regarding their highly publicized data breach incident with Mastercard, Inc.
Continuing its massive clean-up in the wake of the payment card  industry’s biggest data breach, merchant acquirer Heartland Payment  Systems Inc. late on Wednesday announced a $41.4 million settlement with  [...]]]></description>
			<content:encoded><![CDATA[<p>Courtesy of <a href="http://www.digitaltransactions.net/newsstory.cfm?newsid=2533" onclick="javascript:pageTracker._trackPageview('/outbound/article/www.digitaltransactions.net');" target="_blank">Digital Transactions</a>, Heartland Payment Systems entered into a $41MM settlement agreement regarding their highly publicized data breach incident with Mastercard, Inc.</p>
<p><font face="Verdana, Arial, Helvetica, sans-serif" size="2">Continuing its massive clean-up in the wake of the payment card  industry’s biggest data breach, merchant acquirer Heartland Payment  Systems Inc. late on Wednesday announced a $41.4 million settlement with  MasterCard Inc. The settlement will reimburse MasterCard debit and  credit card issuers for their costs stemming from the breach Heartland  disclosed in January 2009.    </font> <font face="Verdana, Arial, Helvetica, sans-serif" size="2">Heartland  has already settled with Visa Inc. for about $60 million and American  Express Co. for $3.54 million (Digital Transactions News, Jan. 8). That  leaves Discover Financial Services as the only major U.S.-based card  network with whom Heartland hasn’t announced a settlement. The U.S.  attorney for New Jersey estimated the breach compromised 130 million  payment cards. Several defendants, including notorious computer hacker  Albert Gonzalez, have been convicted on federal charges in connection  with Heartland’s and other big data breaches.    </font></p>
<p><font face="Verdana, Arial, Helvetica, sans-serif" size="2">Heartland’s  MasterCard settlement is contingent upon approval from issuers  representing 80% of the affected MasterCard accounts. The Visa  settlement had a similar 80% threshold, which issuers approved.  MasterCard will make its so-called “alternative recovery offers” to  issuers on May 27; issuers have until June 25 to accept them, according  to a Heartland filing with the Securities and Exchange Commission. The  agreement also provides that those issuers accepting a recovery release  Heartland and its sponsor banks, Cleveland-based KeyBank and St.  Louis-based Heartland Bank (no relation to the processor) from further  breach-related claims. Heartland must obtain a loan of at least $30.7  million to fund its obligations under the settlement.    </font></p>
<p><font face="Verdana, Arial, Helvetica, sans-serif" size="2">According to  the Heartland filing, MasterCard will credit the settlement pool with  $6.6 million in “non-compliance assessments”—network fines—that it  charged Heartland’s sponsors, which those banks passed on to Heartland.  That means the maximum Heartland will have to fund for the pool will be  $34.8 million.    </font></p>
<p><font face="Verdana, Arial, Helvetica, sans-serif" size="2">Neither  Heartland nor MasterCard would comment about the settlement beyond their  respective news releases. Like AmEx and Visa, MasterCard didn’t say how  many of its card accounts sustained breach-related fraud losses, or how  many cards its bank and credit-union clients reissued as a precaution.  Gartner Inc. security and technology analyst Avivah Litan tells Digital  Transactions News by e-mail that based on estimated replacement costs of  $14 to $20 per card, “it would appear from this settlement that  MasterCard could only prove that some 2–3 million of their cards  actually had fraud losses and had to be reissued with new accounts.” She  adds that, “it’s good that Heartland is finally settling with  MasterCard so it can begin to put this matter behind them.”    </font></p>
<p><font face="Verdana, Arial, Helvetica, sans-serif" size="2">Robert O.  Carr, Heartland’s chairman and chief executive officer, said in his  company’s release that, “We are pleased to have reached an equitable  settlement agreement that helps issuers of MasterCard-branded cards  obtain a recovery with respect to losses they may have incurred from the  intrusion. We look forward to working with MasterCard to encourage  these issuers to participate in the settlement program for a speedy  resolution.”    </font></p>
<p><font face="Verdana, Arial, Helvetica, sans-serif" size="2">“We feel  that this settlement represents an appropriate and fair resolution for  our issuing financial-institution customers and will enable them to  avoid uncertainties and delays associated with potentially protracted  litigation,” Wendy Murdock, chief franchise officer for MasterCard, said  in MasterCard’s release. “The agreement underscores MasterCard’s  continuing efforts to maintain the integrity of payment card industry  standards and mitigate the impact of account data compromise events.”     </font></p>
<p><font face="Verdana, Arial, Helvetica, sans-serif" size="2">MasterCard  says issuers that refuse their offers will have their claims “determined  pursuant to MasterCard’s internal processes,” and may receive more or  less than they were offered, or nothing at all. Recoveries will depend  on various factors, including “MasterCard’s determinations of their  claims and the outcome of any litigation that Heartland may file, and  has threatened to file, to challenge claim awards that exceed certain  amounts,” the release says.    </font></p>
<p><font face="Verdana, Arial, Helvetica, sans-serif" size="2">Issuers that accept their MasterCard settlements can expect payment in the third quarter, according to MasterCard. Since announcing the data breach 16 months ago, Heartland had expensed $108.7 million in breach costs, net of insurance recoveries, through March 31.</font></p>
]]></content:encoded>
			<wfw:commentRss>http://www.databreachwatch.org/data-breach/heartland-breach-settlement-with-mastercard/feed/</wfw:commentRss>
		</item>
		<item>
		<title>HITECH Breach Risk Assessment Webinar</title>
		<link>http://www.databreachwatch.org/data-breach-resources/hitech-breach-risk-assessment-webinar/</link>
		<comments>http://www.databreachwatch.org/data-breach-resources/hitech-breach-risk-assessment-webinar/#comments</comments>
		<pubDate>Mon, 17 May 2010 23:38:38 +0000</pubDate>
		<dc:creator>admin</dc:creator>
		
		<category><![CDATA[Announcements]]></category>

		<category><![CDATA[Data Breach News]]></category>

		<category><![CDATA[Data Breach Resources]]></category>

		<category><![CDATA[data breach]]></category>

		<category><![CDATA[data breach notification]]></category>

		<category><![CDATA[hhs data breach notification rules]]></category>

		<category><![CDATA[hitech]]></category>

		<category><![CDATA[hitech data breach notification]]></category>

		<category><![CDATA[id experts]]></category>

		<category><![CDATA[kirk nahra]]></category>

		<category><![CDATA[rick kam]]></category>

		<category><![CDATA[risk assessment]]></category>

		<category><![CDATA[wiley rein]]></category>

		<guid isPermaLink="false">http://www.databreachwatch.org/data-breach-resources/hitech-breach-risk-assessment-webinar/</guid>
		<description><![CDATA[Healthcare organizations that fall under the definition of HIPAA covered entities should be very aware of their obligations under the data breach provisions of the HITECH Act. The reason is that there are now very substantial penalties for disregarding the security and privacy regulations, for lax detection of data breach incidents [...]]]></description>
			<content:encoded><![CDATA[<p>Healthcare organizations that fall under the definition of HIPAA covered entities should be very aware of their obligations under the data breach provisions of the HITECH Act. The reason is that there are now very substantial penalties for disregarding the security and privacy regulations, for lax detection of data breach incidents and for failing to notify affected individuals of an incident within a specified period of time.</p>
<p>One of the keys to meeting the notification requirement is completing and documenting a data breach incident &#8220;risk assessment&#8221; for each and every incident that is detected. The &#8220;rules&#8221; for carrying out this mandated assessment are specified by the Department of Health and Human Services (HHS) in its rulemaking. This webinar will assist information security, compliance and privacy officers and professionals at hospitals, health insurers, and other covered entities in understanding what they need to do, and how to go about doing it, when faced with a potential data breach incident.</p>
<p>A description of the webinar follows.</p>
<p>The HITECH Act requires HIPAA-covered entities to carry out a careful risk assessment, including an evaluation of potential harm, for every potential data breach incident. This risk assessment will assist organizations in deciding whether they are obligated to then notify affected individuals, the Department of Health and Human Services (HHS) and the media about data breach incidents.</p>
<p>Kirk Nahra, CIPP, a partner at the premier healthcare law firm Wiley Rein LLP, and Rick Kam, president and founder of ID Experts, will review and discuss the HHS rules for completing these mandated data breach incident risk assessments in order to ensure compliance and utilize evolving best practices.</p>
<p>Learn about considerations for HIPAA-covered entities in carrying out mandated HITECH data security breach incident risk assessments. To enroll to attend the webinar, <a href="https://www2.gotomeeting.com/register/666004955" onclick="javascript:pageTracker._trackPageview('/outbound/article/www2.gotomeeting.com');" target="_blank">click here</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.databreachwatch.org/data-breach-resources/hitech-breach-risk-assessment-webinar/feed/</wfw:commentRss>
		</item>
		<item>
		<title>&#8220;It&#8217;s a lot less bad than it looks&#8221;</title>
		<link>http://www.databreachwatch.org/data-breach-news/its-a-lot-less-bad-than-it-looks/</link>
		<comments>http://www.databreachwatch.org/data-breach-news/its-a-lot-less-bad-than-it-looks/#comments</comments>
		<pubDate>Thu, 13 May 2010 15:37:21 +0000</pubDate>
		<dc:creator>admin</dc:creator>
		
		<category><![CDATA[Data Breach News]]></category>

		<category><![CDATA[blippy]]></category>

		<category><![CDATA[data breach notification]]></category>

		<guid isPermaLink="false">http://www.databreachwatch.org/data-breach-news/its-a-lot-less-bad-than-it-looks/</guid>
		<description><![CDATA[Blippy, the social media site that is a &#8220;fun and easy way to see and discuss what everyone is buying&#8221;, is a Silicon Valley startup funded by a who&#8217;s who of venture capital funds. It also recently had a privacy data breach where Blippy members&#8217; credit card information was accidentally exposed to search engines. The formal [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.databreachwatch.org/wp-content/uploads/2010/05/blippylogo.png" title="blippylogo.png"><img src="http://www.databreachwatch.org/wp-content/uploads/2010/05/blippylogo.png" style="width: 101px; height: 75px" alt="blippylogo.png" /></a>Blippy, the social media site that is a &#8220;fun and easy way to see and discuss what everyone is buying&#8221;, is a Silicon Valley startup funded by a who&#8217;s who of venture capital funds. It also recently had a privacy data breach where Blippy members&#8217; credit card information was accidentally exposed to search engines. The formal response from Blippy is instructive as to how NOT to communicate to individuals affected by a data breach incident. I really wouldn&#8217;t feel very unconcerned about prospective credit card fraud when reading this:</p>
<p>&#8220;We take security seriously and want to assure Blippy users that this  was an isolated incident from many months ago in our beta test, and  doesn’t affect current users. While it looks super-scary and certainly sucks for those few people  who were affected, and is embarrassing to us, it’s a lot less bad than  it looks.&#8221;</p>
<p>There is a lot of discussion among the privacy community about the need for a federal data breach notification law that would potentially harmonize the requirements for notification. There are several bills in Congress that are attempting to take on this issue. The HITECH Act already does exactly this for the healthcare industry. Blippy&#8217;s cavalier attitude adds fuel to the argument for regulations that would require all organizations to take consumer data privacy as seriously as it deserves.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.databreachwatch.org/data-breach-news/its-a-lot-less-bad-than-it-looks/feed/</wfw:commentRss>
		</item>
		<item>
		<title>Symantec Report Highlights Hacking as Cause for Majority of Data Breach Records</title>
		<link>http://www.databreachwatch.org/announcements/symantec-report-highlights-hacking-as-cause-for-majority-of-data-breach-records/</link>
		<comments>http://www.databreachwatch.org/announcements/symantec-report-highlights-hacking-as-cause-for-majority-of-data-breach-records/#comments</comments>
		<pubDate>Wed, 21 Apr 2010 19:33:27 +0000</pubDate>
		<dc:creator>admin</dc:creator>
		
		<category><![CDATA[Announcements]]></category>

		<category><![CDATA[cybercrime]]></category>

		<category><![CDATA[data breach]]></category>

		<category><![CDATA[hacking]]></category>

		<category><![CDATA[symantec]]></category>

		<guid isPermaLink="false">http://www.databreachwatch.org/announcements/symantec-report-highlights-hacking-as-cause-for-majority-of-data-breach-records/</guid>
		<description><![CDATA[Symantec released their Global Internet Security Report for 2009 which explores in great detail the causes of data breach incidents. It finds that hacking attacks are responsible for the majority of personal identity records exposed in 2009.
&#8220;In 2009, 60 percent of identities exposed were compromised by hacking attacks, which are [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.databreachwatch.org/wp-content/uploads/2010/04/symantec.gif"  title="symantec.gif"><img src="http://www.databreachwatch.org/wp-content/uploads/2010/04/symantec.gif" alt="symantec.gif" /></a></p>
<p>Symantec released their <a href="http://www.symantec.com/business/theme.jsp?themeid=threatreport" onclick="javascript:pageTracker._trackPageview('/outbound/article/www.symantec.com');" target="_blank">Global Internet Security Report</a> for 2009 which explores in great detail the causes of data breach incidents. It finds that hacking attacks are responsible for the majority of personal identity records exposed in 2009.<br />
&#8220;In 2009, 60 percent of identities exposed were compromised by hacking attacks, which are another form of targeted attack. The majority of these were the result of a successful hacking attack on a single credit card payment processor. The hackers gained access to the company’s payment processing network using an SQL-injection attack. The attackers then installed malicious code designed to gather sensitive information from the network, which allowed them to easily access the network at their convenience. The attacks resulted in the theft of approximately 130 million credit card numbers. An investigation was undertaken when the company began receiving reports of fraudulent activity on credit cards that the company itself had processed. The attackers were eventually tracked down and charged by federal authorities. This type of targeted hacking attack is further evidence of the significant role that malicious code can play in data breaches. Although data breaches occur due to a number of causes, the covert nature of malicious code is an efficient and enticing means for attackers to remotely acquire sensitive information.&#8221;</p>
<p>The report also highlights trends in terms of the countries that originate the majority of cybercrime activity. Brazil and India show very rapid growth in malicious activity and are both now ranked in the top 10.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.databreachwatch.org/announcements/symantec-report-highlights-hacking-as-cause-for-majority-of-data-breach-records/feed/</wfw:commentRss>
		</item>
		<item>
		<title>Financial Management of Cyber Risk</title>
		<link>http://www.databreachwatch.org/announcements/financial-management-of-cyber-risk/</link>
		<comments>http://www.databreachwatch.org/announcements/financial-management-of-cyber-risk/#comments</comments>
		<pubDate>Tue, 06 Apr 2010 16:26:53 +0000</pubDate>
		<dc:creator>admin</dc:creator>
		
		<category><![CDATA[Announcements]]></category>

		<category><![CDATA[ansi]]></category>

		<category><![CDATA[cyber risk]]></category>

		<category><![CDATA[data breach]]></category>

		<category><![CDATA[isa]]></category>

		<category><![CDATA[melissa hathaway]]></category>

		<category><![CDATA[phi]]></category>

		<category><![CDATA[pii]]></category>

		<guid isPermaLink="false">http://www.databreachwatch.org/announcements/financial-management-of-cyber-risk/</guid>
		<description><![CDATA[by Doug Pollack
This past week, the Internet Security Alliance (ISA) and the American  National Standards Institute (ANSI) released a groundbreaking document  that is aimed at assisting the Chief Financial Officer of major  corporations and organizations in managing the financial risks inherent  in protecting an organization from cybercrime.
Titled &#8220;The Financial Management  [...]]]></description>
			<content:encoded><![CDATA[<p>by Doug Pollack</p>
<p>This past week, the Internet Security Alliance (ISA) and the American National Standards Institute (ANSI) released a groundbreaking document that is aimed at assisting the Chief Financial Officer of major corporations and organizations in managing the financial risks inherent in protecting an organization from cybercrime.</p>
<p>Titled &#8220;<a href="http://webstore.ansi.org/cybersecurity.   " onclick="javascript:pageTracker._trackPageview('/outbound/article/webstore.ansi.org');" target="_blank">The Financial Management of Cyber Risk: An Implementation Framework for CFOs</a>&#8221;, the document is literally a &#8220;how to&#8221; guide to understanding and addressing the financial implications of cyber risk.</p>
<p>Melissa Hathaway, President of Hathaway Global Strategies and former Acting Senior Director for Cyberspace for the National Security Council, notes that this is &#8220;an excellent guide for organizations to manage the risk and exposure derived from digital dependence.&#8221;</p>
<p>This paper is a must-read for the CFO of any organization that has exposure to data breach risks. It is especially valuable to healthcare financial executives because of the enhanced regulatory environment in healthcare due to the recently passed Health Information Technology for Economic and Clinical Health (HITECH) Act. But CFOs in all industries and organizations that are entrusted with sensitive personally identifiable information (PII) and protected health information (PHI) should make the time to read this.</p>
<p>The context and perspective of this paper is best summarized in the executive summary, where it states:</p>
<p>&#8220;Most enterprises today categorize information security as a technical or operational issue to be handled by the information technology (IT) department. This misunderstanding is fed by outdated corporate structures wherein the various silos within organizations do not feel responsible to secure their own data&#8230;.In reality, cybersecurity is an enterprise-wide risk management issue that needs to be addressed from a strategic, cross-departmental, and economic perspective. The CFO as opposed to the CIO or CSO, is the most logical person to lead this effort.&#8221;</p>
<p>If one were to ask the CFO at a Fortune 500 company to quantify their level of risk to cybercrime and the associated risks of data breach, most would have a difficult time answering the question. Financial officers tend to defer the management of data breach risks to the information security team. Unfortunately, this leaves many organizations exposed to risks that are misunderstood, unquantified, and uncovered.</p>
<p>If you are the CFO of an organization of any size and in any industry &#8212; healthcare, financial services, manufacturing, retail &#8212; or in the public sector or higher education, don&#8217;t wait to read this document.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.databreachwatch.org/announcements/financial-management-of-cyber-risk/feed/</wfw:commentRss>
		</item>
	</channel>
</rss>

