US Attorney General Eric Holder has released a video asking Congress to create a national data breach notification framework, citing last year's Target and Neiman Marcus data breaches, which affected over 70 million people. Currently, data breach notification laws are a mishmash of different requirements (assuming a given jurisdiction has one at all; the last time I checked, 44 of the 50 states, plus Washington D.C. and a handful of US territories, had some kind of notification law).
A federal statute, along with simplifying things for businesses, could potentially introduce the right incentives to curtail future data breaches. For example, HIPAA and HITECH are the main impetus behind the heightened need for security tools like laptop encryption software and smartphone encryption and management, now that smartphones and tablets are making an incursion into the medical workplace.
The “First” Federal Data Breach Notification Law: HIPAA / HITECH
Although the need for such security tools is a no-brainer (just read the comment section of any news article describing how a particular hospital or clinic lost its patients' data on a laptop, external hard drive, or USB flash drive; you'll find that people are remarkably well informed about HIPAA and encryption), most healthcare sector businesses and their business associates did not especially feel the need for encryption and other computer security tools. At least, not for the first 20 years or so after HIPAA was first enacted.
The US healthcare sector only started paying attention when a number of factors came together.
First, the HITECH Act, which was instrumental in updating HIPAA and creating the Breach Notification Rule (BNR), went into effect. The BNR has only two safe harbor clauses, of which only one is usable for practical purposes: you get respite from the BNR if and only if (1) the PHI data is encrypted or (2) the PHI data has been destroyed. Obviously, the latter is not amenable to daily operations, making PHI encryption one of the cornerstones of patient data protection.
Second, the Office of Civil Rights at the Department of Health and Human Services (HHS) got new enforcement powers…and started to use them. Along with the BNR, HHS got the power to fine organizations that breach HIPAA up to $1.5 million. This alone didn't really mean much – HHS had the power to assess fines well before HITECH, although the amounts were niggling – but soon after the amendment, a number of covered entities were fined the maximum amount in (semi) rapid succession.
There are a number of other factors that play into the medical sector's change of stance on data protection – the dropping of the harm threshold, the direct inclusion of business associates in the HIPAA fold, the fact that data breaches really do have the potential to harm patients, etc. – but the above two were the main drivers.
If an official federal breach notification law is proposed, chances are it will apply these lessons learned, meaning that carrots as well as sticks will be offered. This is a big change from the various state laws currently in place, where some are aggressive (like Nevada and Massachusetts, as well as Texas) and others are not.
The One Thing I Took Exception To
There is one thing that took me aback while watching AG Holder's message. On the issue of data breaches, the AG noted that "they have the potential to impact millions of Americans every year."
The US Attorney General is a busy man, so I don't doubt that certain things escape his notice, but I'm pretty sure he must know that the word "potential" in his statement is not only superfluous but misleading. Millions of Americans are already being impacted by data breaches each year, and have been for quite some time.