Next week at the RSA 2011 Conference, the American Bar Association (ABA) will release its new Data Breach and Encryption Handbook. This book looks at the growing threat of data breaches and how encryption solutions can prevent sensitive data from being compromised. Since the book is published by the ABA, there is a lot of focus on the legal complexities and ramifications surrounding data breach notification laws and their efficacy.
The book is a compilation of chapters by prominent legal and technology experts from the ABA Section of Science & Technology Law. The authors will discuss the book’s findings during a panel at the RSA 2011 show and will, of course, have copies for sale.
Given the complexity of the subject, I expect the discussion and solutions to be wide-ranging. Many of the laws developed in the last 10 years or so try to prevent data breaches with a stick: if you disclose confidential information, you must pay a fine. This has clearly worked in the case of many laws, but one area of focus needs to be prevention in the first place. Many people are concluding that prevention is cheaper than litigation. This wasn’t always so, as some organizations decided it was cheaper to fight in court than to spend the money on people, process and technology to prevent the problem from occurring.
Let me look at the example of Providence Health & Services, which in 2005 had a laptop bag stolen from an employee’s car during the night. In the bag were a laptop and portable media holding 365,000 patient records. None of this information was encrypted, so the data breach notification law in Oregon required that consumer, law enforcement, credit and other groups be notified. This included the 365,000 patients whose records were exposed.
Here are a few excerpts from the Oregon law:
“Breach of security” means unauthorized acquisition of computerized data that materially compromises the security, confidentiality or integrity of personal information maintained by the person.
(11) “Personal information”:
(a) Means a consumer’s first name or first initial and last name in combination with any one or more of the following data elements, when the data elements are not rendered unusable through encryption, redaction or other methods, or when the data elements are encrypted and the encryption key has also been acquired:
(A) Social Security number;
(B) Driver license number or state identification card number issued by the Department of Transportation;
(C) Passport number or other United States issued identification number; or
(D) Financial account number, credit or debit card number, in combination with any required security code, access code or password that would permit access to a consumer’s financial account.
In the case of Providence Health, the cost of this breach was approximately $7M, although the Ponemon Institute estimated the cost at $21.9M, based on its 2009 study showing that the cost of a breach is about $60 per record. The $7M included legal fees, notification costs, monitoring services, consultants, investigation expenses and the eventual fix. The cost of implementing encryption for all laptops was about $700,000. That is not an insignificant cost, but it is only 10% of the eventual cost of the data breach. And that doesn’t even include the damage done to the integrity of the hospital and the loss of faith among patients and staff.
I think this book will add to the dialogue on preventing data breaches, which are very costly in money, reputation and time, not to mention the exposure of confidential patient, employee and customer information to the highest bidder. If you haven’t looked into data breach prevention, take a look at enterprise digital rights management as one method of protecting your documents and data. This and other forms of encryption should be a focus for technology solutions.
An ounce of prevention is really worth it in this case.
Photo credit ABA