A Decade of Breach: The More Things Change, the More They Stay the Same

We have spent this summer highlighting some of the key drivers, trends, and characteristics surrounding the data breach phenomena of the last decade. As I’ve reflected on some of the really interesting key data points in the Decade of Data Breach Infographic, I find that a lot has changed over the last 10 years as to the nature, root cause, and types of data involved in data breaches. But while technology and social use of personal data has changed in dramatic fashion, as well as the nature of threats, the regulatory framework and enforcement of data breaches have changed not so much (except in the health care industry and some state laws—CA CT, TX, etc?).

Thinking back almost a decade to the Choicepoint data breach in September 2004, at this time very few members of the public were familiar with the term “data breach”, nor did they really understand its meaning. Even less so, did they grasp the kinds of information collected by data aggregators such as Choicepoint, nor their business models for monetizing this information about all of us.

The Choicepoint breach was a seminal moment in the history of data breach. It was the means by which data breach came into the public consciousness. It affected around 163,000 individuals, somewhat small by modern data breach standards. But it was also the first major breach that was subject to the notification provisions of the new California law, SB 1386.

Prior to this incident, breaches did occur, but they were often kept very quiet. SB 1386 was the first legislation that required breached organizations to at least notify the affected individuals of the breach. While this wasn’t “public” notification, it began to get information about breaches into the public domain. The Choicepoint breach tested in many ways what behavior we would require of organizations that breach personal information on U.S. citizens.

Choicepoint initially only notified the 35,000 California residents, a small subset of the 163,000 individuals nationally whose personal information was exposed. After a public outcry and investigations by members of Congress, the Federal Trade Commission and the U.S. Securities and Exchange Commission, Choicepoint relented and notified all of the affected individuals. But this didn’t save them from further liabilities. They ultimately were fined $15MM by the Federal Trade Commission in January 2006, $10MM for civil penalties and $5MM to compensate victims. And then finally in January 2008 settled their final class-action lawsuit for $10MM.

Now a lot has changed since the Choicepoint breach. During the subsequent years, from around 2005-2009, most US states passed data breach notification laws, modeled after the California bill. I think of this period as the Card Breach Era in data breach history, because these laws had the opportunity to affect a series of breaches in which credit and debit card information was compromised.

The first of these notable breaches that were at CardSystems, a processor of Mastercard transactions. This breach affected around 40MM card members and was an indicator of the “value” of credit card information on the black market. The CardSystems breach was followed by the breach at TJX (parent company of retailer TJ Maxx) of 94MM cards, and then what at the time was the Mother of all Breaches, the Heartland Payment Systems breach of 130MM cards.

During this era, it became common for breached organizations to provide a free year of credit monitoring to the affected individuals, in order to address their potential “harms” from the breach. This tended to make sense at this time because these breaches of card information led naturally to risks of card fraud for which credit monitoring could provide an early detection indicator, of sorts to the affected people.

So just as the Card Breach Era was running out of steam, we could see that cybercriminals and health fraudsters were setting their sights on more sensitive, more valuable health information as a new, prime target. The resulting wave of breaches, think of this as the HIPAA Breach Era, notably is where hackers are attracted by the monetization potential for personal health information. The monetization potential for health insurance information in the black market is substantial. The “value” of valid health insurance data is approaching $50 each, by some calculations, 100 times the value of a valid credit card record.

Just as this wave was approaching, our U.S. Congress coincidentally passed the very first national data breach notification law, incorporated in the HITECH Act. This law required notification not just of the affected individuals, but also of the public at large and regulators, when a breach of PHI (protected health information) occurred. It also required that the US Department of Health and Human Services (HHS) maintain a public database of reported breaches. This new regulatory framework and associated organizational focus on protecting health information has come into play just as electronic health information is exploding in size, with medical and health insurance records going into electronic health record systems and moving across health information exchanges.

So in many ways, the data breach world today is vastly different than that of the Choicepoint breach a decade ago. The data is more sensitive and more valuable. The black market is operating on a global scale using the Internet. But interestingly, the laws haven’t changed much, although enforcement of privacy and security regulations has risen substantially.

The laws are based around and focused on the notification. I suspect that the rationale for this approach is that it would “embarrass” organizations that have breaches for their failure to protect their customers’ private information. This assumption is validated somewhat by the informal name for the HHS breach database, known affectionately in the industry as the “Wall of Shame”. But I’m really not sure that this is working, or that it is sufficient.

Breaches have become so commonplace today, that management of the breach response process has become primarily a legal exercise, ensuring proper notification of individuals and authorities as dictated by law and rule, rather than one where the focus and intent is on addressing the perceived and actual risk of harm to the breached population.

The laws are not at all prescriptive in how breaching organizations should address the “harms” that occur to individuals victimized by breaches. During the Card Breach Era, organizations voluntarily provided credit monitoring by convention, as a means of addressing the associated harms that could occur with such breaches. But this approach is neither mandated nor would it be effective, in addressing the potential consumer harms in a health information data breach.

This leads me to share a few thoughts and perceptions on data breaches moving forward. Now that we’re well into the HIPAA Breach Era, I perceive that organizations that are entrusted with our health information are finding it difficult, if not impossible, to protect this data from both accidental and malicious exposure. The environment is too fluid, too much information is now digital, the use of portable devices is exploding, and the data is too profitable for bad guys. Healthcare fraud is a remarkably huge financial problem in the U.S.

So what can we all do differently to address the harms that consumers are exposed to by data breaches?

1. Help consumers detect & prevent health fraud.

Develop technologies and products that can assist in identifying and preventing health fraud, and medical identity theft. During the Card Breach Era, there was credit monitoring. We need a solution for the HIPAA Breach Era that can provide a similar level of efficacy helping consumers in the early detection of fraudulent use of their health identities. Current offerings that provide scanning of the cyber black market are a great start. But better tools are needed to engage and enroll the consumer in monitoring their health identity for compromise and fraud.

2. Update laws to address consumer harms.

Acknowledge that malicious breaches of personal health information are different than incidental breaches of this data. In the case of malicious breaches, laws should require the breached entity take tangible actions to address the risks of harm to the breached individuals. If the HITECH Act was HIPAA 2.0, we then need a HIPAA 2.1 to set expectations as to how consumer harms need to be addressed in health information breaches.

3. Make managed identity restoration the standard.

Cleaning up after fraud and identity theft intrudes on your life and can be a very complex, time consuming and arduous process. It can take months, if not years, in some cases to get yourself back to a “pre-theft” position. Managed Identity Restoration (MIR) services, which operate under an LPOA (limited power of attorney) have become the “gold standard” in addressing consumer harms related to data breaches. But in only a very small number of breaches, do the breaching entities offer MIR. In this new HIPAA Breach Era, an offer of MIR should become the standard, just as credit monitoring was during the Card Breach Era.