We see yet another breach hitting the headlines, this time from a Massachusetts healthcare service provider, Spectrum Health Services. It seems that during a break-in a hard drive was stolen, which contained names, addresses, phone numbers, dates of birth, Social Security numbers, diagnostic codes and medical insurance numbers. It is interesting because, unlike most other states, Massachusetts law requires mandatory reporting of data breaches.
In a recent blog post, we wrote about the reporting laws in Massachusetts, and wondered how soon other states would adopt similar legislation, or whether national laws would be passed wholesale requiring it nationwide.
With speedy reporting, consumers have a much easier time with damage control on the compromised information before it can be potentially exploited by bad guys. This is good news for consumers (during a potentially bad situation). Previously, companies fearing bad press kept the breach information on the down-low, hoping somehow it would either blow over, or somehow not fall into the wrong hands. If consumers know there’s a mandatory reporting requirement, they can at least know that they SHOULD know if there’s a breach, rather than having to wonder, which provides some comfort in an otherwise potentially nasty situation.
Organizations are still trying to come to terms with how to mitigate potential bad press and other collateral damage from data breach incidents. Insurance companies are new at the game of estimating the total damage as well, so they have only slowly been wading into the waters. Since organizations lack familiarity with standard best practices, there has been a hesitancy to dive right into a customer notification phase following a data breach.
Also, customers are fairly late to the game when it comes to determining what they should do following a notification. An official-sounding letter may be enough to scare people into blind knee-jerk reactions which may make things worse. Over time and with experience, organizations, governmental oversight bodies and customers will all have a much more solid understanding of the correct steps. Hopefully that pervasive education will be rapidly forthcoming.
In the meantime, letting customers know right away will help them manage a potentially scary situation very proactively, which is always a good thing.
Author Cameron Camp, ESET