No Harm, No Foul? Companies Need a Better Way to Assess Risk of Harm


By Rick Kam
rick.kam@idexpertscorp.com

In 40 states, data breach notification laws require companies to perform some type of risk of harm analysis to determine whether an incident triggers a breach notification to the individual. Assessing risk of harm (i.e., whether personal information has been compromised) is a significant part of the overall risk analysis of security incidents—and frankly, it’s an area in need of improvement.

Companies want to do right by consumers and avoid costly lawsuits, but many lack the tools, experience, or expertise to recognize whether the risk of harm threshold has been crossed. Instead they make a judgment call, and that judgment can be based on flimsy evidence or a complete lack of evidence—because in some cases they haven’t even looked.

Theodore Augustinos, a partner at Locke Lord LLP, said companies use a wide range of methods to assess risk of harm. “Some are very sophisticated and have highly developed internal and external strategies,” he said, “but other companies perform more primitive types of assessments, just looking at the types of data they have and the basic level of perceived threats and vulnerabilities.”

To perform more consistent assessments, privacy and security officials would be wise to go above and beyond state notification laws and rely on other well-established standards. For instance, the HITECH Act’s four-factor analysis assesses:

  1. The nature and extent of the protected health information (PHI) involved
  2. The identity of the unauthorized person who impermissibly used the PHI or to whom the impermissible disclosure was made
  3. Whether the PHI was actually acquired or viewed, or whether only the opportunity to do so existed
  4. The extent to which the risk to the PHI has been mitigated


Although it was obviously designed solely for healthcare entities, the four-factor analysis could put any company on more solid footing when it comes to determining whether their consumers are at risk.

And while we’re on the topic of healthcare, businesses of all kinds would be wise to include medical identity information in their risk analyses, even if their particular state law doesn’t require it (and few do). If your company handles health information, include it as part of your risk analysis to protect consumers from one of the fastest-growing crimes in the world.

These steps mean more work for companies, which is why it’s also important to seek out the best tools available to help you assess risk of harm.

Augustinos said that when companies struggle with their risk of harm analyses, “We encourage them, either through their internal security and IT people or through outside consultants, to assess the tools that are available in the marketplace. The better their tools, the more efficient, effective, and accurate they can be with their assessments.”

What’s most important is to improve your risk of harm analyses—because doing the minimum to meet state requirements may not be sufficient to do the right thing by your consumers.

Rick Kam is president and co-founder of ID Experts, http://www2.idexpertscorp.com/
