Our guest blogger this week is Gant Redmon, General Counsel & Vice President of Business Development at Co3 Systems.

Working for a company that navigates 46 different state breach notice laws and a plethora of sector based federal breach notice laws, I’m often asked what I think the likelihood is that the Federal Government will pass a comprehensive data breach notification law that supersedes all the state laws. While I don’t rule out a federal law passing at some point, I see it setting a floor of breach response responsibility rather than superseding everything already in place.

Put yourself in the shoes of a legislator trying to harmonize all the different state laws. That legislator is going to have three big political challenges.

The first challenge is choosing a single standard in the face of wildly different state standards. How will affected states feel about the Federal government imposing a different standard than the one they’ve settled on? Changing the rules in dozens of states will cause upheaval with political fallout.

The second challenge will be dealing with state attorneys general and treasurers. State AG’s are becoming more and more active in tracking breaches and cracking down on companies that don’t provide proper notice or have adequate security procedures. Part of that crackdown includes fines collected that go to the state treasury. A federal law will strip those AGs of the rule of privacy protectors and redirect funds to the federal government and away from the states.

The third challenge is that some states, like California and Virginia, go above even Federal notice requirements. What legislator wants to be known as the one who diluted people’s privacy rights by pre-empting strong protections and replacing them with weaker ones?

When trying to solve a problem, the first thing I ask is if I’m dealing with a problem worth solving. Privacy professionals and law firms have become well versed in the different state laws. Software solutions also exist that track all the different laws and provide incident response plans that are easy to follow. If the problem here is the complexity involved in dealing with disparate state breach notice laws, then we don’t have a problem worth solving.

“The opinions reflected in this article are solely those of the author and do not reflect the views of Experian Data Breach Resolution or any of its sister companies.”

Get ready, Connecticut. A new data breach law is now in effect that brings the Office of the Attorney General (OAG) into the reporting loop.

The new law requires notifying the OAG by email no later than when affected consumers are notified. Previously, businesses were only required to report a breach to consumers. Yet Attorney General George Jepsen and his office were tasked with enforcing state breach laws – hard to do when you don’t know about the incidents.

But that’s all changed. Assistant Attorney General Matthew Fitzsimmons and the office’s Privacy Task Force will monitor the incoming emails. The new reporting requirement and newish task force (it was created last year) give the OAG more oversight of breach activity that may be putting consumers at risk. With more oversight comes better enforcement – at least that’s certainly what the OAG hopes.

Connecticut requires consumer notification when a breach involves unencrypted, computerized personal data. The state’s definition of “personal data” includes someone’s first and last names in combination with at least one of three data types: a Social Security number; a driver’s license or state identification number; or a financial account number, such as a credit card number, along with the access code for the account.

Businesses that don’t comply with the new law may find themselves in violation of the state’s Fair Trade Practices Act. Remember that sooner is better than later when it comes to breach reporting. At least if you want to avoid fines and violations.

Here’s the new email address for reporting breaches in Connecticut: ag.breach@ct.gov.

Experian Data Breach Resolution surveyed a sample of clients to find out who they are and what they think of our services.

The U.S. tops Germany, the U.K. and France when it comes to data breach notification costs. In other words, it costs American companies more to notify people of a data breach when their personal information is lost or stolen.

The Ponemon Institute, which recently conducted a global data breach study, found that it cost U.S. companies an average of $561,500 to notify victims per breach, compared to $303,600 for German companies and $223,100 for companies in the U.K. Even more interesting, is that in some countries – like India and Australia – companies only spend an average of $31,000 (India) and $80,000 (Australia) to notify customers of a data breach. (All figures are U.S. dollars)

So why do American companies spend so much more on data breach notification?

The answer is mainly due to numerous laws and regulations. Currently, 46 states have breach notification laws and several federal agencies, such as the Department of Health and Human Services, require organizations to notify potential victims when their unsecured protected health information is breached.

In contrast, countries without breach notification laws – like India and Australia – spend much less because they don’t have to notify all of their data breach victims. Countries like Germany and the U.K. have strict notification requirements, although not as tough as the U.S.

American companies and organizations may not be able to do much about notification costs, which are expected to continue to rise. But there are other measures that can be taken to lower the cost of a breach. For example:

• Negotiating a pre-breach agreement with a data breach resolution provider to lock in a good rate ahead of time.
• A chief information security officer (CISO) who is responsible for enterprise data protection can reduce the cost of a breach by as much as $80 per record, according to the Ponemon Institute.
• Increased loyalty by treating potential victims fairly and providing them with credit and/or identity protection can prevent the loss of customers and potentially save millions.

The latest Ponemon Institute Medical Identity Theft survey reflects the classic good news, bad news scenario. The good news is that more consumers understand how medical identity theft happens, and the importance of checking healthcare invoices and records for accuracy. The bad news is that the victim count has hit an all-time high (nearly 2 million annually), while breach frequency and financial damages continue
to rise, unabated.   

Losses up 44% from 2010

Data extrapolated for 2012 reveals that losses from medical identity theft will top $40 billion, up 34% from last year and 44% from 2010. During any given hour thieves using pilfered credentials will steal nearly $5 million worth of medical services, equipment and prescriptions.

The survey also revealed:

• Higher costs for recovery and resolution: victims pay on average $22,346
  (up 10% from 2011) to resolve medical identity theft, including the cost of identity theft protection and retaining legal counsel
• Difficulty knowing when the crime occurred: one quarter of those asked did not know when their medical identity was stolen, while 34% said it took more than a year to find out
• Collection letters still top the list: though more consumers learn of medical identity theft from suspicious statement or invoice entries, nearly 40% of victims first hear of their misfortune through collection letters

In a subtle but potentially instructive revelation, just 4% of survey respondents said a healthcare provider or insurance company notified them of the theft.  

Providers beware

So how is all this flavoring consumers’ attitudes toward healthcare and insurance providers? The biggest non-financial consequence, according to Ponemon, is a loss of trust and confidence. If people perceive a lack of effective data safeguards, most (58%) feel no compunction about going elsewhere for services. If their medical records were ever lost or stolen 56% of respondents would also feel justified making a change.  

Watch the vital signs

The top three actions desired by victims following medical identity theft include: reimbursement for the costs of changing providers; prompt notification of the loss or theft; and free identity theft protection for at least one year. (Hint: Providers can use these survey insights to develop post-breach strategies and programs aimed at reestablishing trust and confidence.)  

Employers can also play a role in medical identity theft awareness by encouraging (and if needed, teaching) employees how to:

• Keep medical information private
• Regularly check medical records for accuracy (57% of those surveyed don’t)
• Be more proactive about monitoring statements and charges
• Review and interpret credit reports
• Engage an identity theft protection service

Bottom line? When it comes to medical identity theft, vigilance is good medicine–for consumers and healthcare providers alike.

Still using the less-is-more approach to notification letters? As it turns out, consumers want more – much more than they’re getting.

In a new study, 72% of consumers who recall receiving a notification letter express disappointment. The Ponemon Institute explores why in the 2012 Consumer Study on Data Breach Notification.

Among all survey respondents, those who do and do not recall receiving a notice, 85% verify that learning about the loss or theft of their data is pertinent to them. But only if there’s a certainty of risk, a belief shared by 57% of respondents. An even larger percentage (63%) feels entitled to compensation, such as credit monitoring or identity protection, if their data is lost.

Yet, despite having clear ideas on what they do or don’t want following the loss of their data, most consumers aren’t paying attention to breach notices, according to Ponemon. Only 25% of participants in the study could recall receiving one. Among that group, 35% recalled receiving at least three.

It’s this subset of the study that provides valuable insight into why today’s notifications aren’t working. Here are three flaws:

1. Too Few Details
Sixty-seven percent of respondents who recall receiving a breach notice did not receive enough information about the incident. That includes 44% who did not know what type of data had been lost or stolen, leaving them unsure of what steps to take to protect themselves.

2. Difficult to Understand
Sixty-one percent did not understand the notification, largely due to the length of the letter and complexity of the language. In addition, 37% had no idea what the incident was about even after reading the notice. This led 41% to assume their data had been stolen.

3. Not Believable
Forty-five percent found the message in the letter unbelievable, and 44% of them believed the company was hiding key facts about the breach.

Consumers acted on their disappointment to varying degrees:
• 15% planned to terminate their relationship with the breached company
• 39% contemplated doing so
• 35% would continue the relationship so long as the organization doesn’t experience another breach

The numbers reflect poorly on today’s notification efforts, confirming the need for change. Consumers want simple language and clear explanations of what happened and the risks they face, plus a protection product to compensate for the data exposure, according to the study.

So why not work with your legal counsel to deliver just that in a way that protects your company and satisfies your consumers? Otherwise, your breach notices will continue to alienate and confuse. As this study shows, that only serves to erode customer loyalty and trust, making data loss even more costly in the long run.

As data breaches have exploded in frequency and scale, it’s no surprise that corresponding lawsuits have also flourished.  Do these lawsuits have a common pattern?  A recent draft research paper, Empirical Analysis of Data Breach Litigation, takes a look at federal data breach lawsuits to assess the common characteristics.

The findings were illuminating:

1. The odds of a firm being sued in federal court are three and a half times greater when individuals suffer financial harm, but over six times lower when the firm provides free credit monitoring.
2. The odds of a firm being sued from improperly disposing data are three times greater relative to breaches caused by lost/stolen data, and six times greater when the data breach involves the loss of financial information.
3. Defendants settle 30% more often when plaintiffs allege financial loss from a data breach or when faced with a certified class action suit.
4. Plaintiffs seeking statutory damages are not more likely to achieve a settlement.
5. The odds of a settlement are 10 times greater when the breach is caused by a cyber-attack, relative to lost or stolen hardware.
6. While the compromise of financial information led to more litigation, it does not appear to increase a plaintiff’s chance of a settlement. Instead, compromise of medical information is most strongly correlated with settlement.
7. Only about four percent of reported breaches result in federal litigation.
8. Of the federal actions coded, there are over 86 different kinds causes of data breach actions brought by plaintiffs for essentially the same kind of event.

The report hopes that the research will serve as a useful guide to firms trying to determine the chances of exposure to a lawsuit and the likelihood of settlement.  Insurance markets might also find the report helpful as a measure for pricing cyber-insurance policies, and plaintiffs and defense attorneys can be helped through insight into the trends around data breach litigation.

Our guest blogger this week is Karen Barney of the Identity Theft Resource Center (ITRC).

As an organization specializing in monitoring and tracking data breaches, the ITRC has come across varying degrees of breaches and reasons for notification due to the varying types of compromised information. We would like to take this opportunity to address some of the differences and provide some insight into our approach for tracking data breach incidents.

According to most state laws, a data breach is an incident in which sensitive, protected or confidential data has potentially been viewed, stolen or used by an individual unauthorized to do so. Data breaches may involve personal health information (PHI), personally identifiable information (PII), trade secrets or intellectual property.  Note that under these state breach laws, non-personal identifying information is not included.

Next, let’s consider hacking.  By definition, “hacking” is the deliberate and unauthorized access, use, disclosure, and/or taking of electronic data on a computer.  Hacking efforts target all types of information – from high level intellectual property down to individual personal information, both sensitive and non-sensitive information.  Taken together, these two situations result in nearly 26% of the “reported breaches” included on the 2011 Identity Theft Resource Center Breach List.

This brings us to the definition of “reported breaches”.  ITRC only publishes breach incident information which is available from credible, public resources.  Breach incidents are tracked daily from sources such as state Attorneys General offices, a variety of media sources, and other well-recognized and respected entities that track and capture this information from publicly available sources.  This approach means that the ITRC Breach Report only reflects the tip of the iceberg.

In 2011, 41% of the breaches on the ITRC report show the number of records exposed as “unknown.”  In addition, ITRC is aware of a significant number of breaches that are not made public.  As a result, it is not possible to provide truly accurate numbers – either for the number of breaches or the number of records.

The majority of “reported breaches” included in the list are those which have met “breach notification triggers” established by the various state laws regarding this issue.  Usually these incidents are electronic in nature, and must also expose information identified as PII, such as first and last name combined with a social security number, driver’s license or state identification number and/or financial account numbers (including debit and credit cards).   Some states have expanded this “trigger” definition to include medical and healthcare information.  This situation leaves large loopholes for breaches to remain unreported.

Currently we know that –

• An indeterminable number of breaches go unreported, even when notification should have been triggered according to the applicable state laws.
• Many breach notifications (at least what is disclosed by the entity) underreport the number of records
• Many breach notifications also do not clearly define the types of information exposed.
• Public information is often incomplete in detailing how the breach occurred
• Many breaches involving non-PII, such as email addresses, user names, and passwords, are not reported because they do not meet “breach notification triggers” as established by various state laws

http://www.youtube.com/watch?v=KTHWhscxGeU