The US House of Representatives recently passed the Health Exchange Security and Transparency Act, which would require the government to notify users of the government’s health exchange if their information has been compromised. This is an excellent step in protecting consumers from cybersecurity threats. If the fact of a breach must be disclosed, and those impacted must be notified, consumers (users) are protected, and that’s good. It may also reduce the prospect of breaches, because organizations will be encouraged to improve their security in order to avoid the bad publicity.
Recently, personal information of up to 110 million Target customers was allegedly compromised. Some of the information is reportedly for sale on the Internet. The details of the actual attack remain unclear, except possibly that the software in point-of-sale devices was modified. I have read arguments for and against that suggestion and I don’t want to murk up the waters here by going into the details of those arguments. The point is that Target notified those impacted and even offered a free year of identity theft monitoring.
Disclosure of the fact of a breach may be good or bad. It may reduce trust in an organization (imagine a bank reporting repeated breaches, even if nothing was stolen, or reports of breaches of databases holding sensitive military information), and it may drive customers to a competitor. It may also build customer trust if the disclosure leads to increased security. The EU and most US states have had requirements for disclosure of computer security breaches for some time.
Notification of those impacted is imperative, good business, and the appropriate ethical response. Letting people know that their personal information may be available for sale on the Internet gives them the opportunity to alert card issuers, change PINs and so forth. Helping the consumer with those time-consuming tasks is more responsible still. Having been there, I can assure you it’s a lot of work.
The Health Exchange Security and Transparency Act is a step in the right direction. Here is the text of the bill:
To require notification of individuals of breaches of personally identifiable information through Exchanges under the Patient Protection and Affordable Care Act.
Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled,
SECTION 1. Short title.
This Act may be cited as the “Health Exchange Security and Transparency Act of 2014”.
SEC. 2. Notification of individuals of breaches of personally identifiable information through PPACA Exchanges.
Not later than two business days after the discovery of a breach of security of any system maintained by an Exchange established under section 1311 or 1321 of the Patient Protection and Affordable Care Act (42 U.S.C. 18031, 18041) which is known to have resulted in personally identifiable information of an individual being stolen or unlawfully accessed, the Secretary of Health and Human Services shall provide notice of such breach to each such individual.
This is a straightforward requirement to notify those whose information has been compromised. Hopefully a Senate and a President who support cybersecurity and transparency in general will approve and sign this legislation. This is needed considering that the security of the site is still in question.
As we explain in Learning Tree Course 468, security is a mindset. I hope this carries over to the Senate and President.