Archive for October, 2009


Data breaches result in 4X increase in identity fraud

Posted by: Doug Pollack | October 30th, 2009

Because data breaches have become such commonplace incidents, there is concern that people have become desensitized to the potential harm they face when they receive a notification letter from an organization they have trusted with highly personal information, telling them that this information has been lost or misappropriated.

A recently published report from Javelin Strategies should be a wake-up call to those people.

“The Javelin report, Data Breach Notifications: Victims Face Four Times Higher Risk of Fraud, is based on multiple years of data and includes updates on 2009 data breaches, implications of changes to the legislative landscape and the technical means by which data breaches occur.”

This report should also be heeded by the banks, healthcare organizations, government agencies, insurance companies and others that we entrust with our Social Security and checking account numbers, birthdates and mothers’ maiden names, and in some cases our personal health information. There is now data showing that data breach incidents put the affected individuals in harm’s way. The responsibility for doing everything possible to help these people address this harm, from identifying identity fraud to cleaning up the fraud, should fall squarely in the laps of these organizations.

Change Your Passwords: Accounts Compromised and Good Practice

Posted by: Rachel James | October 6th, 2009

Recent headlines have included the alarming news that the personal login information for thousands of Hotmail accounts was posted online. While an investigation is being conducted, experts have urged anyone with a Hotmail account to change their password immediately. Many experts also recommend that if you use that account in conjunction with other accounts, such as your social networking account, you change the login information for those accounts as well.

Today, BBC News reported that more email account details were posted: Yahoo, Gmail, AOL, Comcast and Earthlink users appear among those affected. Again, security experts are urging account holders to change their login details.

The security implications of this are massive. Right now, news reports are stating that the lists appear to be the result of a massive phishing attack. On the other hand, it has already been determined that some of the accounts are old or inactive, which may indicate that this particular thief was operating for a long period of time. In any case, changing my password is only a start. Personally, I will be taking the following additional precautions, and I would make the same recommendation to others. These are extra steps everyone should take at least once a year, or whenever an account may have been compromised:

*Awareness. If you have an affected account, make sure all of the people you email know about this story. Everyone should know that if they suddenly get a request from “you” for emergency money to be wired overseas, it is unlikely to actually be you.

*Change passwords to everything. Many accounts now have an option to have your password “expire” and prompt you for a new one periodically (usually every 72 days).

*Where possible, change your username and the “attached” email addresses on financial accounts and social networking pages.

*Change your security questions and answers. These are the questions asked when you click “I forgot my password”. If someone was snooping in your email, they probably know you better than your best friend, and it is likely they would know the real answers to questions like “What high school did you go to?” or “What is your library card number?” The new answers do not have to be true; a made-up answer that you record somewhere safe is harder to guess than a fact about your life.

*Check the sent folder in your email to make sure you recognize all of the emails that have been sent from your account. While you are there, also check for mail forwarding or filter rules that you did not create, since an intruder can use those to keep receiving your mail after you change the password.

*Be aware that this will likely result in phishing, scam and spam attacks increasing over the next few months. Beyond the accounts that were actually compromised, the exposed email addresses may have been harvested by spam bots. The upcoming holiday season makes for a great opportunity for criminals to leverage this information against unsuspecting consumers. Expect phishing attacks to appear to come from charities, your financial institutions and government entities.

*Make sure your computer’s security software is up to date, that automatic updates are turned on, and that you check for updates at least weekly.

*Immediately report phishing emails to the abuse@ or spam@ address at the provider’s domain (for example abuse@domain.com or spam@domain.com). If you receive what is clearly a phishing email from a friend, call them and let them know, then forward the email to one of the reporting addresses for your domain.

*Log in to your email and, using the search field, type the word “password”. Delete any emails you may have received from websites confirming your password change or providing a link to change your password. Then search for “user name” and delete those emails as well. Remember, if someone has access to your email, you don’t want to give them ideas about which website or account to try next.
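The last two steps amount to scoping what an intruder could learn from the mailbox: which other accounts it is tied to, and which of them can be reached through a reset link or a username reminder. The script below is an added example, not part of the original post, that does that triage offline over a handful of constructed messages (the sender domains, addresses and reset token are made up): it parses each raw message, looks for the same “password”, “user name” and reset-link patterns the list describes, and groups the hits by sending domain so you can see at a glance which accounts to change first.

```python
"""Triage a possibly compromised mailbox: list which other accounts an intruder
with mailbox access could pivot to (password-change confirmations, username
reminders, reset links), grouped by the sending domain.

Added example, not code from the original post. All messages are constructed.
"""
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

# Constructed sample messages (hypothetical domains under the reserved .test TLD).
SAMPLE_MESSAGES = [
    # A password-change confirmation from a bank.
    "From: no-reply@examplebank.test\nTo: victim@hotmail.test\n"
    "Subject: Your password has been changed\n\n"
    "Your online banking password was changed on 5 Oct. "
    "If this was not you, call us.\n",
    # A username reminder from a social network.
    "From: support@socialnet.test\nTo: victim@hotmail.test\n"
    "Subject: Your user name reminder\n\n"
    "As requested, your user name is victim1982.\n",
    # A reset link from a shopping site (token is made up).
    "From: accounts@shop.test\nTo: victim@hotmail.test\n"
    "Subject: Reset your password\n\n"
    "Click https://shop.test/account/reset?token=abc123 to choose a new password.\n",
    # An unrelated newsletter; must not be flagged.
    "From: news@newsletter.test\nTo: victim@hotmail.test\n"
    "Subject: October deals\n\n"
    "Autumn is here. Enjoy our seasonal offers.\n",
]

# The same search terms the post recommends, plus links that look like reset flows.
PIVOT_PATTERNS = {
    "password": re.compile(r"\bpass\s?word\b", re.IGNORECASE),
    "username": re.compile(r"\buser\s?name\b", re.IGNORECASE),
    "reset_link": re.compile(r"https?://\S+(?:reset|recover)\S*", re.IGNORECASE),
}


def message_text(msg: Message) -> str:
    """Subject plus every decoded text/plain part, joined into one string."""
    parts = [msg.get("Subject", "")]
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True)
            if payload:
                charset = part.get_content_charset() or "utf-8"
                parts.append(payload.decode(charset, "replace"))
    return "\n".join(parts)


def classify(raw: str):
    """Return (sender_domain, set of pivot categories) for one raw RFC 822 message."""
    msg = message_from_string(raw)
    _, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else "(unknown)"
    text = message_text(msg)
    hits = {name for name, pattern in PIVOT_PATTERNS.items() if pattern.search(text)}
    return domain, hits


def triage(raw_messages):
    """Map each sending domain to the kinds of account-revealing mail it sent.

    Domains whose mail matched nothing are left out, so the result is the list
    of accounts an intruder could have learned about from this mailbox.
    """
    report = {}
    for raw in raw_messages:
        domain, hits = classify(raw)
        if hits:
            report.setdefault(domain, set()).update(hits)
    return report


if __name__ == "__main__":
    for domain, categories in sorted(triage(SAMPLE_MESSAGES).items()):
        print(f"{domain:20s} {', '.join(sorted(categories))}")
```

Run it against an export of the real mailbox (for example by reading each message out of an mbox file with Python’s `mailbox` module and passing the raw text to `triage`) and the domains it prints are the accounts whose passwords, usernames and security questions should be changed first; the newsletter-style mail that matches nothing can be ignored for this purpose.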

Healthcare Debate Gets into Data Breach Provisions

Posted by: Doug Pollack | October 5th, 2009


Some controversy has been stirred up in an area of the healthcare debate that gets less attention than single payer: the privacy of health information. The Department of Health and Human Services has just released its rules for how healthcare organizations are to follow the data breach notification provisions of the HITECH Act.

In the rules, HHS has established a “harm threshold” that is self-assessed by the healthcare organization, and directed that in the case of a data breach incident, notification of the affected individuals, the public and the agency ONLY needs to occur if the organization has determined that there is a significant risk of financial, reputational or other harm to those affected by the data loss.

This past week, the House Committee on Energy and Commerce voiced concern over the addition of this provision. The committee indicated that the intent of the legislation was not to require notification only in cases where harm can be proved, but for all data breach incidents, presumably to act as a deterrent to organizations with lax practices, and to ensure that individuals can practice due care even in cases where there may be little chance of real harm.

Network World reported in their article titled “House members seek stronger health care data breach notifications, ‘Harm threshold’ runs counter to Congress’ intent” that:

“In a letter dated Oct. 1, members of the House committee asked HHS Secretary Kathleen Sebelius to revise or repeal the new provision at the ‘soonest appropriate opportunity’. The letter, signed by the chairman of the committee, Rep. Henry Waxman (D-Calif.) and others, noted that the new harm threshold provision runs counter to Congress’ intent in passing the breach notification bill. The bill’s statutory language does not imply a harm standard, Waxman wrote. In fact, in drafting the bill, Congress had explicitly rejected the idea of including such a provision because of the ‘breadth of discretion’ it would have given a breached entity, the letter said.”

It is terrific to see Congress trying to do the right thing when it comes to the privacy of protected health information (PHI). I’m hopeful that HHS will see the wisdom in revising its rules for the benefit of all of us who rely on the American healthcare system.

Measure data breach risk?

Posted by: Doug Pollack | October 1st, 2009

In recent months, with the continued growth in highly public data breach incidents, we began looking at how organizations assess their level of exposure to data breach risk. I suspect that if you ask the CEO of most public companies or public sector organizations about their level of risk, they would tell you that they are “highly secure” and maintain excellent practices to prevent the misappropriation of the personal information of their customers, patients, employees, students and other affiliates.

Many firms have to meet security and compliance requirements that are necessities in their industry, such as PCI DSS for those that handle credit card information and HIPAA for healthcare organizations. Historically, I think they felt such rigorous compliance requirements could ensure their safety from the risks of data breach.

However, the recent past demonstrates that no organization is really immune to a potential data breach incident. The very visible Heartland Payment Systems breach affected many millions of Americans whose credit cards were processed by Heartland, an organization that had to adhere to the very strict security standards set for the financial industry and its payment processors. This seeming inconsistency between a perception of being immune from data breach risk and the rapid growth in data breach incidents led us to think about whether organizations can “quantify” their level of data breach risk.

We were somewhat surprised that there isn’t much available to help organizations measure and score their level of data breach risk. Given this situation, we began to look at how we could model and quantify risks specific to the breach of personally identifiable information (PII) and personal health information (PHI), since it is the unauthorized release of this information that is regulated by state and now federal laws.

To this end, we created what we call the Breach Healthcheck(tm), a tool that uses a proprietary model to assist organizations in quantifying two dimensions of measurement into a Breach Protection Index(tm): an organization’s level of data breach exposure and its level of data breach protection. Breach Healthcheck then maps this index onto a two-dimensional risk map that gives organizations a visual indicator of their level of data breach risk.

Our sense is that organizations that are trusted to hold PII and PHI will find it useful to be able to measure their level of data breach risk and to understand the primary areas where their practices may lead to unanticipated levels of risk. To get complimentary access to the Breach Healthcheck tool, qualified organizations can contact ID Experts at www.idexpertscorp.com or 866-726-4271.