Cost Impact Of A PHI Data Breach: ANSI/Shared Assessments PHI Project Looks To Answer Questions.

What is the cost of a data breach?  Especially one involving protected health information (PHI)?  The American National Standards Institute (ANSI) and Shared Assessments (an industry-standards body) have combined forces to find out.  I covered in the past the “savings” one could achieve with the use of disk encryption software like AlertBoot, which were significant.

However, it has always irked me that defining the cost of a data breach in this manner has limitations.  It includes monetary fines and penalties; the cost of offering ID fraud protection services; theoretical values attached to negative PR; and/or costs associated with lawsuits.

What it doesn’t even begin to include are the costs to society at large.  One or two SSNs lost or stolen and eventually used in fraud is an individual matter, but the loss of tens of thousands of SSNs takes on a different dimension (and even more so when the cumulative total is in the hundreds of thousands — or even millions — of SSNs).  Given that last year’s national cost of ID fraud is quoted in the tens of billions (at least!), the usual definition of data breach costs appears severely lacking in its parameters.

I’ve always felt that the value derived from using the correct data protection tools, of which encryption software is an important part, was being shortchanged due to the lack of reliable data.  Hopefully, this ANSI/Shared Assessments project will shed some light on breach cost figures that so far have been, as far as I know, unsubstantiated.

The first phase of the project, “a report that details how health care organizations can calculate the financial impact of a breach,” is expected to be completed within three months.  While I doubt that the calculations will be anything more than business-centric, I think we can raise our hopes for a more inclusive study:

…what is the effect on a patient who has sensitive health care information exposed? And what will those implications mean to the health care organizations charged with keeping that information private?

A recently formed collaboration plans to find out. [my emphasis]
