Putting data breach genie back in bottle? Good luck

Tools


A little more than a week ago, retail store operator TJX settled a class-action suit filed over the theft of 45.7 million credit and debit cards from its system. The settlement requires TJX to offer three years of credit-monitoring services to about 454,000 consumers, on top of paying for the cost of replacing driver's licenses and cutting checks for other minor costs.

Not only that, but TJX agreed to cut prices by 15 percent on all items in its stores--which include T.J. Maxx and Marshall's--for one designated day. Given its existing sales levels, the TJX price cut is projected to offer $10.5 million in benefits to the public.

I think you'll agree, readers, that this is a more elaborate set of reparations than most healthcare organizations ever make. Most settle for a letter of apology and credit monitoring.

The thing is, would it really make a difference if hospitals took a few extra steps, like paying $20 or $30 a person to affect patients for new driver's licenses, or even instituted temporary price cuts like TJX? In theory, yes, because that's how the law works. You get civil damages and presumably, fairness has been achieved.

The problem is, nobody can put the data breach genie back in the bottle once it's gotten out. Once data has been compromised, even a company with the billions in revenue enjoyed by TJX can make consumers feel completely insecure. And paying a huge settlement won't do a thing to fix the problems that caused the breach (whatever they may have been in TJX's case).

No, I think the right way to achieve equity in cases like this may very well be court-ordered forensic examinations of the defendant's IT infrastructure and a thorough analysis of what went wrong. Then, that company would be required to make the repairs suggested, or at least comparable ones by other consultants of its choice. No paying off people or apologizing to make it go away.

As for healthcare organizations, one could argue that they have even higher obligations, given the human cost of such breaches extends beyond the financial. Of course HIPAA does cover this situation, but given how seldom it's enforced, it appears other procedures may be needed specifically for data breach situations.

The bottom line is that we still hear far too often about data breaches in hospitals and clinics, ones that weren't exactly done by master criminals. Let's at least raise the bar. If we don't, the public isn't going to trust health institutions at all, and that could torpedo countless plans. We can't afford the luxury of "I'm sorry" any more. - Anne