Monday, October 17, 2011

Exploiting Privacy Breaches

I've described information security as a Cold War, requiring constant investment and vigilance to innovate faster than the hackers and criminals who are stealing data to commit identity theft.

I'm spending an increasing percent of my resources on regulatory compliance and data protection.

Over the past year, Federal and State governments have

1.   Specified standards to protect healthcare data during transport.
2.   Required encryption of data at rest.
3.   Required breach notification to patients and prominent media.
4.   Created policy to define meaningful consent and other important patient privacy rights.
5.   Launched a new initiative on data segmentation in an effort to support more granular healthcare privacy preferences.

CIOs and Chief Information Security Officers are working as hard as they can, hackers are intensifying their attacks, and the world is accelerating its adoption of mobile technologies that make perfect control of data more challenging.  Despite all our efforts, breaches will occur.   Even the most sophisticated security companies have been breached by increasingly sophisticated malware.

There's a dark side to all of this that is the subject of today's blog post - using the new privacy breach reporting laws for personal gain.

There are many good attorneys.   My parents are attorneys (patent and business law).    Some of my favorite colleagues are attorneys working hard in the public interest (Deven McGraw at CDT, Jodi Daniel at ONC).

As with any profession there are those attorneys who use the law for personal gain.    Here's a list of privacy breach class action suits, comparing payments to attorneys versus their clients.

There are many good  investors.    Accelerating new technology by providing funding to those who can build high value businesses is a good thing.     As with any profession, there are investors who put profits ahead of societal benefits.

I've heard discussion about an alarming new business model.   Investors paying attorneys to file class action suits related to privacy breaches in return for a portion of the profits.

Privacy breach reporting is now public.   Identifying a class is easy.

However, if the risk of harm from the privacy breach is low, attorneys may not want to bear the expense and burden of filing a suit, given that recoveries might be minimal.   If investors underwrite the risk, realizing that most healthcare organizations will want to settle rather than spend time and resources on litigation, we'll likely see a lawsuit following every reported privacy breach.

To me, there are different kinds of privacy breaches - those which are caused by true carelessness and those which occur because of sophisticated attacks that the Pentagon could not even repel.   We should hold organizations accountable for implementing best security practices to protect privacy.   We should report breaches to patients and prominent media, since breach reporting regulations provide a great incentive to invest in appropriate security.   However, we should do this in an effort to enhance the society we live in, not generate profits.

As we all work together on electronic health records and healthcare information exchange, let's try to create regulations that do the right thing:

1.  Protect the data
2.  Respect patient privacy preferences
3.  Recognize the difference between hard to prevent breaches and those that occur because basic protections were not in place

Investing in class action suits that asymmetrically benefit the finance and legal professions is not something that benefits society.

As the eternal optimist, I'm convinced we can all work together for the common good and make every day better than the last.   If you hear about someone using privacy breach reporting for their own personal gain, shout out that it's the wrong thing to do.
