The Ponemon Institute released their 5th annual 2009 Annual Study: Cost of Data Breach last month. This year, the report explored several new areas and came up with some interesting and in some cases surprising conclusions.
These include:
- Customer/patient/client churn rate, the tendency of affected customers, patients or clients to “vote with their feet” and choose another provider after a data breach, remains the key cost driver for data breach incidents. Such lost-customer costs are typically two-thirds of the total cost of a data breach. The industries that exhibit the highest churn rates are healthcare, pharmaceuticals and communications (all 6%).
- Almost half (44%) of organizations outsourced the data breach response effort to an expert third-party consultant. When the response was outsourced in this way, the cost per victim declined by a substantial 26% compared with companies that “go it alone”. The ability to reduce costs by outsourcing the response process is counterintuitive to some, but it validates the value of an outside consultant that is knowledgeable and can execute using best practices.
- “Companies that notify too quickly may incur higher costs”. This was surprising to me. The study found that these “quick responders”, organizations that notified within one month of detection of the breach, ended up paying 12% more than their peers. The assumption was that moving too quickly through the process causes inefficiencies that can be avoided.
As always, the study and report are full of valuable and interesting data and perspective for privacy, information security, legal and financial officers. It is a “must read” for anyone in a relevant role at an organization that is entrusted with PII and PHI, especially the CISOs who are most frequently the organizational members responsible for handling data breach incidents.
Red tape and bureaucracy seem to be the leaders in the recently highlighted struggle between Medicare and the Social Security Administration over the display of social security numbers on members’ ID cards. While at least 31 states, various private entities and government agencies ceased using the PII (personally identifiable information) years ago, Medicare as recently as June claimed the suggested removal to protect affected consumers would be too costly and might startle or alarm beneficiaries.
Since the SSA’s founding in 1936, its numbering system has been relied upon as the identifier for such items as drivers’ licenses, employee records, bank and credit accounts and, as in the issue at hand, health records. However, in quite an impasse, most Americans are not legally required to give their SSNs in order to receive services, although there is no law prohibiting companies from requesting the number and denying services unless it is provided.
In May, the inspector general for the Social Security Administration released a report urging Medicare to stop using Social Security numbers, especially on wallet-sized cards patients receive and are told to carry. Additionally, last year, the Office of Management and Budget sent a memo ordering federal agencies to stop the unnecessary use of Social Security numbers as identification.
Also, federal legislation is pending in the form of H.R. 3046 (Social Security Number Privacy and Identity Theft Prevention Act of 2007) which would limit the use of SSN as an identifier by government and business, and as recently as this summer New Hampshire congressman Paul Hodes introduced the Medicare Card Security Act (H.R. 6399) to protect seniors by amending the Social Security Act in this manner.
While this potentially dangerous nine-digit sequence is still widely in use, actions are under way at the citizen and government levels to keep us from giving identity thieves a free pass. We may still be at risk, but protecting our SSN by not carrying, displaying or providing it verbally unless absolutely required to do so should be at the heart of our defensive efforts.