by Daniel J. Solove
I was recently interviewed in the Journal of AHIMA on how the C-suite is waking up to the new realities of privacy and data security risks. Before the HITECH Act in 2009, HIPAA enforcement was based on a cooperative model where HHS was not punitive in its approach. Now, big fines are being issued. There is auditing. The climate has changed.
Privacy and security risks are quite costly. This is true not just under HIPAA, but also as a general matter. At many organizations, the C-Suite doesn’t fully appreciate the magnitude of the risk. Back about 10 years ago, for many organizations, privacy and security risks were barely on the radar. Now they are recognized for many organizations, but the significance of the risk is often not fully understood or appreciated.
The recent data breach at Target, for example, has made a huge financial impact. According to the AP: “Target, which based in Minneapolis, earned $520 million, or 81 cents per share, for the three months that ended on Feb. 1. That compares with a profit of $961 million, or $1.47 per share, a year earlier.” The Washington Post reports: “If the government’s probe finds Target at fault for not complying with industry-specific security standards, the company faces fines in the range of $400 million to $1.1 billion, according to an estimate by Jefferies, an equity research company. That figure did not include lost sales or customer goodwill, the firm said.”
The Target breach involved payment card data, where the payment card industry (PCI) has issued data security standards that companies handling payment card data must follow. PCI requires a forensic investigation in the event of an incident, and this is a cost that the companies suffering a breach must pay. Moreover, if there is a violation of the PCI data security standards, fines can be issued. These are fines that are separate from those issued by government regulators.
In addition to federal regulators, state regulators can also take action and issue fines.
Another cost of a privacy or security incident is the time and attention it demands. The investigation, dealing with public relations and the media, responding to regulators, fighting lawsuits, and informing customers, among other things, is tremendously costly not just in terms of money but also in terms of time. A significant number of important personnel will be tied up dealing with these issues.
Over time, I am confident that more resources will be devoted to privacy and security at a wider array of organizations. The C-Suite is beginning to wake up, but there still needs to be greater education and awareness of the C-Suite about the gravity of privacy and security risks.
* * * *
This post was authored by Professor Daniel J. Solove, who through TeachPrivacy develops computer-based privacy training, data security training, HIPAA training, and many other forms of training on privacy and security topics. This post was originally posted on his blog at LinkedIn, where Solove is an “LinkedIn Influencer.” His blog has more than 600,000 followers.
If you are interested in privacy and data security issues, there are many great ways Professor Solove can help you stay informed:
* Professor Solove’s LinkedIn Influencer blog
* Professor Solove’s Twitter Feed
* Professor Solove’s Newsletter