In recent weeks, there have been two bills introduced in Washington, D.C. that are attempting to set nationwide standards for the security and privacy of consumers’ personal information. The “Data Security and Breach Notification Act of 2010” was introduced by Senator Pryor (D-Arkansas) and Senator John Rockefeller (D-West Virginia) on August 5, 2010. The bill requires businesses and organizations that handle and store private consumer information, such as social security numbers, to use reasonable security policies and procedures” to protect such information and to “provide nationwide notice in the event of a security breach.”

This act would require organizations to use appropriate security technologies and processes to safeguard the personal information of consumers. It would also require them to periodically assess their risk profile and take corrective actions in addressing security weaknesses. It also would require notification of consumers affected by a data security breach within 60 days of discovery. And for the first time, this bill would require that the organization provide the affected consumers with two years of credit reports, credit monitoring or “other service that enables consumers to detect the misuse of their personal information.”

Separately, Senator Carper (D-Delaware) and Senator Bennett (R-Utah) introduced the “Data Security Act of 2010” a few weeks earlier. This bill focuses on entities such as financial institutions, retailers, federal agencies that handle vast amounts of consumer data. Like the Pryor bill, it includes a requirement for notification of consumers when a data security breach occurs where there is a substantial risk to the consumer of identity theft or account fraud, but it does not prescribe that consumers be provided with free access to credit monitoring or other services to prevent or detect identity theft and fraud.

Today, there are data breach notification laws in 46 states that each have somewhat different and inconsistent provisions for notification of consumers. One of the intents of a national bill would be to eliminate these inconsistencies ensuring that all consumers are treated fairly and consistently when affected by a data breach incident. This is likely to be controversial, however in states like California and Massachusetts where they have enacted stricter regulations that either of these two bills for the privacy protection of their consumers.

Additionally, these bills are likely to have some of the same issues that currently exist with the HITECH Act which provides for the security and privacy of protected health information (PHI). While the HITECH Act specifies notification of patients whenever a data breach occurs, the companion rules from the Department of Health and Human Services (specifically the Interim Final Rule) clarify that the provision for data breach notification is only for cases where there is a “substantial risk of financial, reputational or other harm” to the affected consumers.  While this may sound fairly logical, it has been met with resistance and distain from consumer advocates.

The issue with establishing and regulating use of a “harm threshold” for data breach notification is in the details. First, can we assume that the organizations affected will carry out a proper risk assessment and come to a fair and accurate conclusion as to whether there is a risk of harm. Such a determination can cost them millions of dollars in data breach remediation costs alone, not even considering the less measureable costs such as customer churn and reputational damage, which are just as real.  Such costs really could make it difficult for the same individuals that caused the data breach to admit that it could cause harm to the affected people.

Second, it has proven difficult to provide clear and objective guidance that would allow organizations to carry out a risk assessment to make the determination as to whether financial, reputational or other harm exists, when these factors are so subjective, quite open to interpretation and judgment. For example, if you were a patient at a hospital where you were admitted to have your appendix taken out, if the clinical records from this hospital were exposed, you may not consider the fact that everyone now knows that you are appendix-less to adverse to your reputation. On the other hand, if you were admitted for a procedure where it was necessary to do an analysis of your blood, and it was determined that you carry the AIDS virus, you may in this instance consider this as having a very negative impact to your reputation if this information was exposed. This situation illustrates how the same type of exposure (personal medical records) can in some instances be rather benign and in others be quite acute.

If legislation requires notification based on an interpretation as to a risk of harm to the affected population, the government regulators should consider whether organizations should be put in the conflicted position of self-assessing such situations. They also should consider how to provide more specific and concrete means to measure the risk of harm to consumers.

I’m sure we haven’t seen the end of new bills in Congress focused on providing for a national approach personal data privacy and security, and the associated requirements for notification in cases of a data breach. But it would be helpful to see additional thought going into this topic of how to assess whether a “data security incident” is in fact a “data security breach” for purposes of notification.

This past week, the Internet Security Alliance (ISA) and the American National Standards Institute (ANSI) released a groundbreaking document that is aimed at assisting the Chief Financial Officer of major corporations and organizations in managing the financial risks inherent in protecting an organization from cybercrime.

Titled “The Financial Management of Cyber Risk: An Implementation Framework for CFOs“, the document is literally a “how to” guide to understanding and addressing the finanical implications of cyber risk.

Melissa Hathaway, President of Hathaway Global Strategies and fomer Acting Senior Director for Cyberspace for the National Security Council notes that this is “an excellent guide for organizations to manage the risk and exposure derived from digital dependence.”

This paper is must reading for the CFO of any organization that has exposure to data breach risks. It is especially valuable to healthcare financial executives because of the enhanced regulatory environment in healthcare due to the recently passed Health Information Technology for Economic and Clinical Health (HITECH) Act. But CFOs in all industries and organizations that are entrusted with sensitive personally identifiable information (PII) and protected health information (PHI) should make the time to read this.

The context and perspective of this paper is best summarized in the executive summary where it states:

“Most enterprises today categorize information security as a technical or operational issue to be handled by the information technology (IT) department. This misunderstanding is fed by outdated corporate structures wherein the various silos within organizations do not feel responsible to secure their own data….In reality, cybersecurity is an enterprise-wide risk management issue that needs to be addresssed from a strategic, cross-departmental, and economic perspective. The CFO as opposed to the CIO or CSO, is the most logical person to lead this effort.”

If one were to ask the CFO at a Fortune 500 company to quantify their level of risk to cybercrime and associated risks of data breach, most would have a difficult time answering the question. Financial officers tend to defer the management of data breach risks to the information security team. Unfortunately, this leaves many organizations exposed to risks that are misunderstood, unquantified, and uncovered.

If you are the CFO of an organization of any size and in any industry — healthcare, financial services, manufacturing, retail — or in the public sector or higher education, don’t wait to read this document.

The Ponemon Institute released their 5th annual 2009 Annual Study: Cost of Data Breach last month.  This year, the report explored several new areas and came up with some interesting and in some cases surprising conclusions.

These include:

- Customer/patient/client churn rate, the tendency for a data breach event to cause them to “vote with their feet” and choose another provider, remains the key cost driver for data breach incidents. Such lost customer costs are typically 2/3rds the cost of a data breach. Industries that exhibit the highest churn rates are healthcare, pharmaceuticals and communications (all 6%).

- Almost half (44%) of organizations outsourced the data breach response effort to an expert third party consultant. When outsourced in this way, the costs per victim declined a huge 26% vs. companies that “go it alone”. The ability to reduce costs by outsourcing the response process is counterintuitive to some, but validates the value of an outside consultant that is knowledgeable and can execute using best practices

-  “Companies that notify too quickly may incur higher costs”. This was surprising to me. The study found that these “quick responders”, organizations that notified within one month of detection of the breach, ended up paying 12% more than their peers. The assumption was that moving too quickly through the process causes inefficiencies that can be avoided.

As always, the study and report is full of valuable and interesting data and perspective for privacy, information security,  legal and financial officers. It is a “must read” for anyone in a relevant role at an organization that is entrusted with PII and PHI, especially the CISOs who are most frequently the organizational members responsible for the handling of data breach incidents.

Red tape and bureaucracy seem to be the leaders in the recently highlighted struggle between Medicare and the Social Security Administration over the display of social security numbers on members’ ID cards. While at least 31 states, various private entities and government agencies ceased using the PII (personally identifiable information) years ago, Medicare as recently as June claimed the suggested removal to protect affected consumers would be too costly and might startle or alarm beneficiaries.

Since the SSA’s founding in 1936, its numbering system has been relied upon as the identifier for such items as drivers’ licenses, employee records, bank and credit accounts and, as in the issue at hand, health records. However, in quite the impasse, most Americans are not legally required to give their SSNs in order to receive services, albeit there is no law prohibiting companies from requesting it and denying services unless it is provided.

In May, the inspector general for the Social Security Administration released a report urging Medicare to stop using Social Security numbers, especially on wallet-sized cards patients receive and are told to carry. Additionally, last year, the Office of Management and Budget sent a memo ordering federal agencies to stop the unnecessary use of Social Security numbers as identification.

Also, federal legislation is pending in the form of H.R. 3046 (Social Security Number Privacy and Identity Theft Prevention Act of 2007) which would limit the use of SSN as an identifier by government and business, and as recently as this summer New Hampshire congressman Paul Hodes introduced the Medicare Card Security Act (H.R. 6399) to protect seniors by amending the Social Security Act in this manner.

While this potentially dangerous nine digit sequence is still widely in use, actions are in effect at citizen and government levels to protect us from giving a free pass to identity thieves. We may still be at risk, but protection of our SSN by not carrying, displaying or providing it verbally unless absolutely required to do so should be at the heart of our defensive efforts.