The U.S. tops Germany, the U.K. and France when it comes to data breach notification costs. In other words, it costs American companies more to notify people of a data breach when their personal information is lost or stolen.

The Ponemon Institute, which recently conducted a global data breach study, found that it cost U.S. companies an average of $561,500 to notify victims per breach, compared to $303,600 for German companies and $223,100 for companies in the U.K. Even more interesting, is that in some countries – like India and Australia – companies only spend an average of $31,000 (India) and $80,000 (Australia) to notify customers of a data breach. (All figures are U.S. dollars)

So why do American companies spend so much more on data breach notification?

The answer is mainly due to numerous laws and regulations. Currently, 46 states have breach notification laws and several federal agencies, such as the Department of Health and Human Services, require organizations to notify potential victims when their unsecured protected health information is breached.

In contrast, countries without breach notification laws – like India and Australia – spend much less because they don’t have to notify all of their data breach victims. Countries like Germany and the U.K. have strict notification requirements, although not as tough as the U.S.

American companies and organizations may not be able to do much about notification costs, which are expected to continue to rise. But there are other measures that can be taken to lower the cost of a breach. For example:

• Negotiating a pre-breach agreement with a data breach resolution provider to lock in a good rate ahead of time.
• A chief information security officer (CISO) who is responsible for enterprise data protection can reduce the cost of a breach by as much as $80 per record, according to the Ponemon Institute.
• Increased loyalty by treating potential victims fairly and providing them with credit and/or identity protection can prevent the loss of customers and potentially save millions.

Medical identity theft is no longer some obscure phrase spoken primarily in data security circles. It’s quickly becoming a household term for millions of Americans who’ve become a victim or know someone victimized by identity theft.

In fact, 90% of the respondents in a recent study knew the definition of medical identity theft this year, compared with 77% last year, according to the Ponemon Institute.

Awareness of the crime, along with its number of victims, is obviously rising. But interestingly, a majority of victims are either not sure what to do or don’t do anything about having their medical identities stolen. What about your organization? Does it know what to do?

Here are three things you should never do if your organization experiences a data breach that puts patients or consumers at risk of identity theft:

• Ignore the incident thinking no one will find out
• Take one year or longer to notify potential victims. Or even worse, don’t notify them at all if you’re not required to do so by law.
• Don’t offer any compensation or services to help potential victims

So what should you do? Here’s what people expect when their medical records are lost or stolen.

1)      Reimbursement for the cost of finding another provider. If you’re a doctor, this may seem worse than it actually is, as most victims take no action. But if they do leave, reimbursing them is an act of goodwill that can only benefit your organization in the long run.

2)      To be notified of the loss or theft within 30 days. It may behoove you to be honest and forthright. Some organizations maintained the loyalty of their patients by issuing a press release and developing a website dedicated to the breach.

3)      To be provided with free identity protection for one year.

The best remedy for identity theft is to avoid it altogether by taking precautions to protect data and train your staff on security measures. But if you do experience a breach that leads to identity theft, the best thing you can do is help your victims. It’s not only the right thing to do, it’s also the best way to protect your brand and reputation.

Can you imagine losing backup disks containing information for 300,000 patients? Or having computer back-up tapes stolen? What if someone hacked into your network servers or lost important laptops? These aren’t hypothetical scenarios. They’re real data breach cases that have occurred in recent years. Can this happen to you? You bet. The key is being prepared for the inevitable.

I would like to invite you to participate in an informative webinar on this important issue. I will be joined by Dr. Larry Ponemon, a data protection “think tank” pioneer and Chairman of the Ponemon Institute, and Karen Murray, Vice President, Chief Compliance Officer of Steward Health Care System in a discussion focusing on the latest data breach trends, how to prepare for a data breach and the best ways to respond to a breach.

The 90-minute webinar, delivered in conjunction with the Health Care Compliance Association (HCCA), will be held at noon CST on July 25, 2012 and participants may be eligible for CEUs.

In addition, the webinar will feature:

• The latest research about consumer notification from the Ponemon Institute
• A look at healthcare data breach statistics
• Best practices for data breach preparation from a compliance officer’s perspective.
• Examples of what works – and doesn’t work – when responding to a data breach
• How and why data breaches happen
• How to budget the resources for a  potential breach
• What do regulators expect from an organization that experienced a breach?
• A question and answer period for participants

Come learn the best ways to try and prevent a data breach and the most effective methods to respond to one. Learn to minimize your costs and help protect your reputation.

The latest Ponemon Institute Medical Identity Theft survey reflects the classic good news, bad news scenario. The good news is that more consumers understand how medical identity theft happens, and the importance of checking healthcare invoices and records for accuracy. The bad news is that the victim count has hit an all-time high (nearly 2 million annually), while breach frequency and financial damages continue
to rise, unabated.   

Losses up 44% from 2010

Data extrapolated for 2012 reveals that losses from medical identity theft will top $40 billion, up 34% from last year and 44% from 2010. During any given hour thieves using pilfered credentials will steal nearly $5 million worth of medical services, equipment and prescriptions.

The survey also revealed:

• Higher costs for recovery and resolution: victims pay on average $22,346
  (up 10% from 2011) to resolve medical identity theft, including the cost of identity theft protection and retaining legal counsel
• Difficulty knowing when the crime occurred: one quarter of those asked did not know when their medical identity was stolen, while 34% said it took more than a year to find out
• Collection letters still top the list: though more consumers learn of medical identity theft from suspicious statement or invoice entries, nearly 40% of victims first hear of their misfortune through collection letters

In a subtle but potentially instructive revelation, just 4% of survey respondents said a healthcare provider or insurance company notified them of the theft.  

Providers beware

So how is all this flavoring consumers’ attitudes toward healthcare and insurance providers? The biggest non-financial consequence, according to Ponemon, is a loss of trust and confidence. If people perceive a lack of effective data safeguards, most (58%) feel no compunction about going elsewhere for services. If their medical records were ever lost or stolen 56% of respondents would also feel justified making a change.  

Watch the vital signs

The top three actions desired by victims following medical identity theft include: reimbursement for the costs of changing providers; prompt notification of the loss or theft; and free identity theft protection for at least one year. (Hint: Providers can use these survey insights to develop post-breach strategies and programs aimed at reestablishing trust and confidence.)  

Employers can also play a role in medical identity theft awareness by encouraging (and if needed, teaching) employees how to:

• Keep medical information private
• Regularly check medical records for accuracy (57% of those surveyed don’t)
• Be more proactive about monitoring statements and charges
• Review and interpret credit reports
• Engage an identity theft protection service

Bottom line? When it comes to medical identity theft, vigilance is good medicine–for consumers and healthcare providers alike.

Still using the less-is-more approach to notification letters? As it turns out, consumers want more – much more than they’re getting.

In a new study, 72% of consumers who recall receiving a notification letter express disappointment. The Ponemon Institute explores why in the 2012 Consumer Study on Data Breach Notification.

Among all survey respondents, those who do and do not recall receiving a notice, 85% verify that learning about the loss or theft of their data is pertinent to them. But only if there’s a certainty of risk, a belief shared by 57% of respondents. An even larger percentage (63%) feels entitled to compensation, such as credit monitoring or identity protection, if their data is lost.

Yet, despite having clear ideas on what they do or don’t want following the loss of their data, most consumers aren’t paying attention to breach notices, according to Ponemon. Only 25% of participants in the study could recall receiving one. Among that group, 35% recalled receiving at least three.

It’s this subset of the study that provides valuable insight into why today’s notifications aren’t working. Here are three flaws:

1. Too Few Details
Sixty-seven percent of respondents who recall receiving a breach notice did not receive enough information about the incident. That includes 44% who did not know what type of data had been lost or stolen, leaving them unsure of what steps to take to protect themselves.

2. Difficult to Understand
Sixty-one percent did not understand the notification, largely due to the length of the letter and complexity of the language. In addition, 37% had no idea what the incident was about even after reading the notice. This led 41% to assume their data had been stolen.

3. Not Believable
Forty-five percent found the message in the letter unbelievable, and 44% of them believed the company was hiding key facts about the breach.

Consumers acted on their disappointment to varying degrees:
• 15% planned to terminate their relationship with the breached company
• 39% contemplated doing so
• 35% would continue the relationship so long as the organization doesn’t experience another breach

The numbers reflect poorly on today’s notification efforts, confirming the need for change. Consumers want simple language and clear explanations of what happened and the risks they face, plus a protection product to compensate for the data exposure, according to the study.

So why not work with your legal counsel to deliver just that in a way that protects your company and satisfies your consumers? Otherwise, your breach notices will continue to alienate and confuse. As this study shows, that only serves to erode customer loyalty and trust, making data loss even more costly in the long run.

As far as data security goes, 2011 was a dismal year.  Relentless, high-profile breaches punctured any sense that hack attacks are a remote threat, and by year’s end it was clear (if it wasn’t before) that protection against security disaster can only come from the most rigorous breach defense.

Unfortunately, disaster is exactly what has befallen the healthcare industry.  As health care regulations like HIPPA have become more pervasive, and healthcare records have increasingly moved online, the healthcare field has become a larger target of hackers and fraudsters while also becoming more vulnerable to breach by accident (such as a lost laptop).   That’s why health data breaches were up a whopping 97% last year, according to Redspin’s 2011 PHI Breach Analysis Report, with 19 million patients’ health records affected, with 59% of all breaches involved a business associate.

The increasing use of portable devices, such as tablets, has not kept up with security policies to protect new technologies and systems (such as electronic health records) against data breaches.  Of 385 breaches of protected health information during this period, 39% occurred on a laptop or other portable device, 25% occurred on a desktop PC or server, and 60% resulted from malicious intent such as theft or hacking.

The rise of healthcare data breaches have been a known problem.  Last year’s Ponemon Institute’s Second Annual Survey on Medical Identity Theft estimated that more than 1.49 million Americans had at that point been targeted by this crime.  With an average cost per victim of $20,663 the total national economic impact of medical identity theft crimes was calculated to be in excess of $30 billion.

Some of the key takeaways from the Redspin report:

●     The federal government should update the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule so that healthcare providers have more relevant and practical guidance.

●     Healthcare providers should conduct a HIPAA security risk analysis on an annual or, at the least, bi-annual basis and put a plan in place to address any vulnerabilities found.

●     Hospitals should conduct a specific “portfolio” risk analysis of the numerous vendors, contractors, and consultants they work with to focus on the subset of business associates that present a high risk of potential damage from data breaches.

●     Healthcare providers must make their employees more security-conscious.

Consumers need to do what they can to protect their own health information, but healthcare organizations must mount vigorous defenses to ward off data breaches and implement incident response plans to quickly address breaches when they happen.

Your server crashed. You dropped your storage device. Your computer drive failed. And there’s no back-up in sight. Who ya gonna call? A data recovery vendor, of course.

Not so fast. Before you madly dial for help, beware of unscrupulous providers who turn data recovery services into data breach scams. According to a recent report from the Ponemon Institute, organizations are overlooking security precautions when turning to third-party data recovery services, prioritizing speed over safety at their own peril. And that peril can come in the form of a major disruption in business, financial loss, and in some cases the closure of the affected company.

Ponemon’s recent “Trends in Security of Data Recovery Operations,” which surveyed 769 IT professionals, noted that 87% of respondents had experienced a data breach in the past two years. Of these respondents, 21% admitted that the breach occurred while the drive containing the data was with a third-party data recovery service.

The report also found that:

• 85% of respondents report that their organizations have used or will continue to use a third-party data recovery service provider to recover lost data, with 39% saying they use third parties at least once each week or more.

• 54% of respondents confirmed that IT security is excluded from selecting third-party data recovery providers, which could play a role in IT support’s placement of speed over security. 81% of respondents said that speed of recovery was the most important factor in choosing a vendor, with 75% stating that the ability to successfully recover data was the paramount concern.

• 54% of respondents do not require third-party data recovery vendors to comply with leading security guidelines.

• 83% of respondents agreed that third-party vendors should be required to ensure that data is securely and permanently destroyed from their systems after the information has been recovered, but only 9% actually do so.

The report recommends that organizations institute policy and guidelines for selecting and using a data recovery service provider. This includes precautions such as agreements for cloud storage providers that outline the need for notification should a data loss occur and a data recovery service provider is hired. If third-party recovery service providers don’t adhere to the strictest data security guidelines, the healthcare, government and financial organizations that hire them could be in breach of the laws that bind them to the highest security standards.

Our guest blogger this week is Dr. Larry Ponemon, Chairman and Founder of the Ponemon Institute.

Our latest study, Aftermath of a Data Breach Study, was conducted to better understand how a data breach affects organizations over the long term. In this study, IT professionals weigh in on how their organizations dealt with a data breach that had both serious financial and reputational consequences. While we asked respondents to focus on just one breach, 85 percent say that their organizations had more than one breach involving customer/consumer data in the past 24 months. It is interesting to note that in many cases it took a serious data breach to make privacy and data protection a greater priority and allocate additional resources to the IT security function.

While many respondents were unable to determine the root cause of the data breach, there is a consensus among respondents that insider negligence is making their organizations vulnerable to a data breach. As a result, organizations are investing in training and awareness and technologies that minimize the human factor risk.

The findings also show the concern organizations have about losing the loyalty of their customers. Of the IT practitioners surveyed, few felt that prompt notification to victims was enough to reduce the negative consequences of the data breach. This suggests that compliance with data breach notifications laws in and of itself is not sufficient if an organization is concerned about customer loyalty and reputation. Other lessons learned from the data breach are to limit the amount of personal data collected, limit sharing with third parties and limit the amount of personal data stored. We invite you to read the full report here.

The winter holidays are upon us and that means the travel season is pivoting into high gear.  Employees everywhere are preparing to trot off hither and yon, likely with their laptops and mobile devices in tow – and, accordingly, with your company’s data, as enticing to prowling cyber-thieves as overstuffed Christmas stockings.  While holiday travelers unwind and turn their focus to hearth and family, fraudsters focus on snatching precious data from unwary targets at airports, wi-fi hotspots, hotels and beyond.

What can companies do to mitigate the risk to their holiday-traveling data?

First, remind employees about the importance of protecting their laptops and other data-carrying devices. According to the Ponemon Institute, close to 637,000 laptops are lost each year, most commonly at security checkpoints.  Ponemon notes that 10,278 laptops are reported lost every week at 36 of the largest U.S. airports, and 65 percent of those laptops are not reclaimed.  The airports with the highest number of lost, missing or stolen laptops include (in this order) Los Angeles International, Miami International, Kennedy International, and Chicago O’Hare.  While Atlanta’s Hartsfield-Jackson International is the busiest airport in the U.S., it is tied for eighth place (with Washington’s Reagan National) for lost, stolen or missing laptop computers.

The average value of a lost laptop is $49,246, a number based on several factors: replacement cost, detection, forensics, data breach, lost intellectual property costs, lost productivity and legal, consulting and regulatory expenses.  Given the damage associated with laptops that go MIA, it might be wise to restrict access to corporate information while employees are traveling.  If full access to server information isn’t needed, consider using other systems such as read-only export files.  Suggest that employees transfer sensitive data from laptops to your company’s secure central server, or move it to a disk that may be stored safely until they return.  And don’t forget that encryption can serve as an endpoint protection, which allows employees to perform a remote data erase if a device is lost.

A few other tips:

• Encourage the use of privacy filters, which block the ability to view computer screens from an angle.
• Guard against open wi-fi prowlers by setting computer defaults to require owners’ authority before connecting to a new network.
• Discourage the use of public computers.  Many of them contain “keylogger spyware” that can monitor every keystroke.