We live in the data age where every day a new technology is announced in business- and consumer-oriented ecommerce and mobile health (mhealth). In response, in recent years, federal and state legislators have enacted strict data privacy and security laws, such as HIPAA, COPPA, and Gramm-Leach-Bliley, to protect data whether in electronic (IT) or physical form. This data is known as protected health information under HIPAA and personally identifiable information under other statutes. New federal and state laws also mandate comprehensive data breach responses, including notifications to individuals whose PHI or PII was breached and some agencies and state attorneys general. The shared premise behind these laws is that the public expects the highest standard of data protection from businesses and government. (Whether or not this is true – after all we regularly give our credit card numbers to anonymous persons over the phone – is a subject for another day…)
Many businesses struggle to be compliant and minimize risks in this changing environment by implementing comprehensive privacy, security and data breach response programs. Unfortunately, the laws and the government enforcers, including the FTC, HHS and State agencies and attorneys generals, can be unforgiving when a breach occurs. In Connecticut, the Department of Insurance routinely requires insurers who experience data breaches to pay for 2 years of credit monitoring – which can cost hundreds of dollars per individual per year. The Ponemon Institute, an independent think-tank on privacy and security issues, determined that for companies responding to data breaches in 2010, the cost was a staggering $214 per compromised record. We are starting to see companies, particularly small vendors, file for bankruptcy following a large, multi-jurisdictional breach that costs more than the company can bear.
This March, 2012, the well-regarded American National Standards Institute (ANSI) in conjunction with a team of experts published an important study on privacy, security and breach costs, “The Financial Impact of Breached Protected Health Information.” http://webstore.ansi.org/phi/. Although focused on PHI, it offers a useful, analytical tool for costing out a breach depending on the size, function, data use and other particulars of an organization. The study’s express purpose is to encourage businesses to avoid breaches by developing good privacy and security programs. It assumes that many organizations will buy data breach and security incident insurance. But are they buying comprehensive insurance? The bad news is many organizations haven’t bought breach and incident insurance, or don’t know what the insurance policy covers until a breach or incident occurs. The good news is that costs for these policies have been coming down as more insurers enter the market. The combination of a good privacy and security program for physical and electronic PHI and PII combined with good data breach and securit incident insurance can help protect large and small organizations. Forewarned is forearmed.