According to information-age.com, a recent poll of 1,000 Britons has revealed dissatisfaction when it comes to news of corporate data breaches. While the poll does not show the general public’s opinion on whether safe harbor should be extended to companies that made use of data encryption solutions like AlertBoot (most legislation around the world does make an exception for properly protected data), it does make a number of obvious yet surprising revelations.
Penalize Organizations, Reveal Data Breaches
The poll has shown that:
- People don’t believe enough is being done to penalize organizations that suffer a data loss.
- Legislation that forces organizations to go public when suffering data breaches was supported by two-thirds of the respondents. (Current legislation only requires that affected people be notified.)
- A little over half admit that “they would think twice about doing business” with organizations that suffered a data breach.
- Nearly half also admitted that it would be impossible to prevent hackers from compromising their data.
- Only 16% believe that government organizations are doing enough to protect data from threats.
- Healthcare providers and financial services institutions were viewed positively when it comes to data protection; social media and gaming websites were viewed most negatively.
Wisdom of the Crowds
The British public may be on to something. In the USA, there are a number of competing regulations and legislation that govern data security, especially when it comes to sensitive personal data. Of the numerous federal, state, professional, and other laws and regulations, HIPAA is one of the most rigorous and open to the public.
HIPAA’s governing body – the Department of Health and Human Services (HHS) – is authorized to assess monetary penalties of up to $1.5 million (and already has, in a number of instances). Furthermore, they’re required to publicly list any data breach incidents that involve more than 500 people. HIPAA covered organizations are also required to alert public media about a data breach if it involves more than 500 patients, regardless of whether they’re able to directly get in touch with all of those affected. (HIPAA has a separate but similar rule where public notice must be given if the affected entity is unable to reach all individuals.)
And what’s the result of all this? Well, I can only testify to what we’ve experienced over here at AlertBoot, but I can confirm that, of all the different sectors we’ve contacted, those in the medical sector – especially those who are covered by HIPAA – tend to sign up for our services.
While this could be because those in the medical sector are more sensitive when it comes to protecting “client” (i.e., patient) data, “to comply with HIPAA” is the number one reason given for signing up with AlertBoot. Indeed, we saw an uptick once the deadline for the final omnibus rule approached (and passed).
Based on the above, I can see why people, not just in the UK but anywhere in the world, would be interested in harsher penalties for organizations that play fast and loose with data, and would think that being more open and transparent about data breaches is a good thing.