As lawmakers and regulators around the world are implementing data breach notification laws and rules, they will be subjected to many consultants and lobbyists with limited experience in dealing with data breaches and notification laws. Particularly in health care, data breaches tend to be presented as betrayals of fundamental obligations of patient confidentiality best deterred through punishment of organizations experiencing breaches. One problem with this view, as breach regulators have seen as they become more familiar with the area, is that it forces breaches underground, depriving patients and others of critical opportunities to protect themselves and preventing valuable information-sharing about threats and their management. This article summarizes lessons learned from eight years of dealing every week with breach notification laws and managing breach response to attempt to enable legislators, regulators, lawyers and risk managers around the world to be prepared for the misinformation coming their way.
1. “Your organization and clients are not suffering regular breaches.”
Every health care organization is suffering regular breaches of personal information, not to mention trade secrets and intellectual property. All information systems – within and outside of health care – are vulnerable, and most are infected with malware to a greater or lesser extent. That is why information security has moved from security at the perimeter of the network to focus also on monitoring of activity within the network, including detecting and stopping the efforts of malware to send personal information and trade secrets to bad sites (sometimes called data loss prevention). Health care as currently structured is an inherently decentralized and porous system, and therefore inherently insecure as compared with, say, nuclear power facilities, while it generally does not yet have the sophisticated data loss prevention systems of, e.g., nuclear power facilities. Health care institutions, networks, exchanges and portals – online as in the physical world – all involve many players sharing data, entering and exiting, linking through multiple endpoints.
2. “The purpose of data breach notification law is primarily to expose and punish organizations with weak security.”
If health care organizations are inherently insecure, and if the more sophisticated their security systems become, the more they know about the breaches they are suffering, then to have a breach and find out about it is not necessarily a sign of weak security at all; indeed it may be a sign of improving security. And notifying patients and others whose information was breached is therefore not principally a confession of bad security; so what is it? For the individuals notified, if they are notified quickly enough it is primarily an opportunity to protect their own identities and/or financial accounts against theft and fraud. For other parts of the organization and similarly situated organizations, it is a chance to learn about the threats and improve security and incident response systems. It MAY also be a confession of bad security or poor response to a breach; that is for the individuals (who can vote with their feet, ceasing to be patients or customers) and regulators to figure out.
Punishment establishes important deterrent effects; that is why it is so important not to deter the wrong behaviors. Therefore, the more thoughtful regulators punish organizations not for simply having breaches—which deters immediate disclosure—but for disclosing too slowly or otherwise responding poorly to the breaches, or based on investigative findings for failing to deal effectively with their other security obligations. In other words, deterrents are structured to incentivize prompt and open communication with breach victims and regulators.
3. “Breaches of healthcare information will make you lose patients or customers, and severely damage your brand.”
This statement was true in the US in 2005, when breach notification laws spread across the country as a result of the ChoicePoint breach, and two studies showed customer losses of 20% or more of the customers receiving breach notices. Health care in the US was introduced to this breach-as-stigma view – which is based on the mistaken belief discussed above that having a breach indicates poor security –much later: In 2009, the HITECH Act and HHS regulation establishing a more regulatory rather than a consumer notice-focused framework, including what the health care world universally dubbed the “Wall of Shame,” a webpage on which the names of organizations suffering breaches of 500 records or more were posted, signaling also that they were about to be subjected to long federal investigations (breaches of fewer records were not until recently subject to them). Nonetheless, as organizations became more effective at communication about breach, and consumers got used to receiving notices, the effect has lessened.
In recent years, organizations with the best security in health care know they are experiencing breaches regularly. That being the case, breaches are best seen as essential, challenging but perhaps not-too uncommon moments in customer relationship management. To deal effectively with the customer relationship implications of a data breach, one needs strong, clear, and above all credible and accurate narratives regarding (a) the security program that existed before the breach, (b) immediate and effective breach response – including very prompt containment of all systems issues and other vulnerabilities (stop the bleeding!) and notice to breach victims and regulators as soon as possible, sometimes including informal and immediate notice such as outbound phone calls or emails (see 5, below) – and (c) the prompt and effective security remediation after the breach to prevent recurrence of the type of breach in question if possible. This need to get your act together so that your story will fly with ever-more-sophisticated B2B customers and consumers who can walk with their feet and social media critics is what has made breach notification – particularly when the regulators strongly encourage it – in my experience more effective than regulation as a “nudge” to better security. Sometimes it is a story of good initial security and breach response, and sometimes – as with ChoicePoint/LexisNexis — it is a story of transformation.
4. “A requirement to tell regulators about a breach makes some sense in the absence of a requirement to tell consumers about a breach.”
If the primary purpose of breach notification is to enable individuals to protect themselves as suggested in 2, above, and breach notification is being treated by organizations with advanced security and breach response as a fairly ordinary if challenging moment in customer relationship management as suggested in 3, above, then a requirement to tell regulators but not to tell consumers about breach risks losing the very essence of what makes breach notification law so powerful. And given my view that the effectiveness of breach notification law rests on the need of sophisticated organizations to give data breach an essential place in customer relationship management, you can well imagine what I think (and what I believe all organizations should think) about the latest proposal from the LIBE Committee of the European Parliament that National Data Protection Authorities be empowered to conduct direct breach notification to your patients and customers.
5. “Breach notification and consumer protection should happen in the same way in all breaches.”
Different types of information breached, types of victims and other dimensions of breaches should in fact drive very different responses. In many types of breaches, such as social security number breaches in the US, what the victims need is to get a service such as credit monitoring in place as quickly as possible, notifying victims through the formal notice letter that contains enrollment codes. Credit monitoring may do absolutely nothing for many victims of medical information breaches, for whom specialized identity theft prevention and restoration services make sense, or for children. For victims of credit card breaches, many clients have benefited from sending an immediate email at the first sign of trouble and long before any investigation, saying in effect, “We just discovered there may be an issue with your credit card number. We’re investigating fully and will keep you fully apprised, but want to warn you to check your bank/credit card statements, and if you see any strange charges, call your bank and get it to reissue your card.” Since the banks have thirteen months in which to decide whether it’s worth it to them to reissue cards, and all the estimated fraud costs are passed back to the “merchant” suffering the breach, this immediate warning cuts off the possibilities of both consumer hassle and what can be large estimated fraud costs to be imposed on the merchant. The major risk associated with email address breaches is phishing attacks, so an immediate email warning of such attacks can also be immensely effective.
The more interesting aspect of customized breach response, however, comes from using the knowledge of their customers that all organizations have or are developing and using it to craft the most useful and satisfactory message, remediation approach and mode of communication for each group of customers or individual. This application of customer relationship management knowledge and technology is the best way for organizations to save money in data breach, because by far the largest costs associated with data breach can be lost customers and other symptoms of diminished customer trust (see illustration, and note that the total cost per record has already dropped to $136 according to the 2013 Report). This CRM approach to breach, on top of the strong, clear, credible and accurate narrative described in 3, above, enables even data breach to be an enhancer of trust.