The importance of being prepared for a privacy breach
Thomas Edison said that genius is 1% inspiration and 99% perspiration. In the realm of privacy breach responses, the formula for genius might be expressed as 1% perspiration and 99% preparation. The contrasting responses of Hamilton Beach Brands and of Health Net to recent breaches demonstrate the importance of being prepared to act swiftly when the time comes.
In early January 2011, Hamilton Beach discovered that malicious code had been placed on the server processing its online orders. The injected code captured credit card data as purchasers entered it, before that data was encrypted and sent for payment processing, and automatically forwarded the captured information to two email accounts controlled by the hackers.
Hamilton Beach discovered the problem after only 24 individuals were affected. In short order, it took the following actions:
- Shut down the affected site;
- Commenced a forensic investigation into the cause and scope of the breach;
- Performed a code scan check to identify the hacker code;
- Removed the offending code;
- Contacted the affected customers by phone and email;
- Notified the relevant credit card companies;
- Notified the New Hampshire Attorney General’s office in accordance with its breach notice law; and
- Contacted the FBI.
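The exfiltration path described above, card data captured on the order server and mailed out to attacker-controlled addresses, is one that a responder can look for in outbound mail logs while the forensic investigation and code scan are under way. The following Python script is an added example, not code from the original post or from Hamilton Beach; the log format and the sample log lines are constructed for illustration, and the trusted domain `shop.example` is an assumption. It finds Luhn-valid card numbers in message bodies, masks them so the report does not itself become a second leak, and lists the outside recipients that received card data.

```python
import re

# Candidate PANs: 13 to 19 digits, optionally separated by spaces or dashes,
# bounded so a longer digit run (e.g. a hash) is not split into pieces.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed outbound-mail log format (an assumption, not a real MTA format):
#   <timestamp> to=<recipient> body="<message body>"
LOG_LINE = re.compile(r'^(?P<ts>\S+) to=(?P<to>\S+) body="(?P<body>.*)"$')

# Constructed sample: one legitimate order confirmation, two copies of a
# captured card record sent to outside drop addresses, and a support message
# whose long digit string fails the Luhn check (no card data).
SAMPLE_MAIL_LOG = """\
2011-01-05T03:12:44Z to=orders@shop.example body="Order 1234567890123 confirmed, total 49.99"
2011-01-05T03:12:45Z to=drop-a@mail.example body="name=J Smith card=4111 1111 1111 1111 exp=05/13 cvv=123"
2011-01-05T03:12:45Z to=drop-b@mail.example body="name=J Smith card=4111-1111-1111-1111 exp=05/13 cvv=123"
2011-01-05T03:15:02Z to=support@shop.example body="Customer phone 18005551212, ticket 4111111111111112"
"""


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: double every second digit from the right, sum, mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return the separator-free PANs in text that pass the Luhn check."""
    pans = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            pans.append(digits)
    return pans


def mask(pan: str) -> str:
    """Keep the BIN and last four digits so the report does not leak PANs."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_mail_log(log_text: str) -> list[tuple[str, str, list[str]]]:
    """(timestamp, recipient, masked PANs) for every message carrying card data."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        pans = find_pans(m.group("body"))
        if pans:
            hits.append((m.group("ts"), m.group("to"), [mask(p) for p in pans]))
    return hits


def exfil_recipients(log_text: str, trusted_domains: set[str]) -> list[str]:
    """Recipients outside the trusted domains that received card data."""
    outside = set()
    for _ts, to, _pans in scan_mail_log(log_text):
        domain = to.rsplit("@", 1)[-1].lower()
        if domain not in trusted_domains:
            outside.add(to)
    return sorted(outside)


if __name__ == "__main__":
    for ts, to, pans in scan_mail_log(SAMPLE_MAIL_LOG):
        print(f"{ts} {to} {pans}")
    print("drop addresses:", exfil_recipients(SAMPLE_MAIL_LOG, {"shop.example"}))
```

The Luhn check filters out most order numbers, phone numbers and ticket IDs, but any Luhn-valid 13 to 19 digit string will still match, so treat the output as a triage signal rather than proof. The drop addresses it surfaces are the same kind of indicator the code scan yields from the other direction: once the injected code is found, its hard-coded recipient addresses can be matched against this list to confirm the scope of what was sent.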
In its letter to the affected consumers, Hamilton Beach recommended that they consider taking various actions to protect themselves against fraudulent charges. These included:
- File a police report, or obtain a copy of any police report filed by Hamilton Beach in the consumer's jurisdiction;
- Place a fraud alert on the individual’s credit file with one of the three credit reporting bureaus (Equifax, TransUnion and Experian);
- Place a credit/security freeze on the individual’s credit file with each of the three credit reporting bureaus; and
- Report suspicious activity on their credit card and other similar account statements to their local law enforcement agencies.
Hamilton Beach did not appear to offer free credit monitoring services. Credit monitoring services are not required by any of the breach notice laws now on the books, and privacy insurance policies generally include language protecting insurers from any reflexive, reactive rushes by insureds to offer these services. With such a small number of individuals affected by the breach and such a quick, thorough response, perhaps Hamilton Beach simply felt that there was little risk of actual identity theft.
Also in January 2011, the Vermont Attorney General settled with Health Net over allegations that Health Net had violated Vermont's breach notice law in its response to the loss of a portable hard drive (see the earlier blog post describing the Health Net breach). Health Net waited six months before notifying individuals that a portable drive containing their unencrypted protected health information had been lost.
Health Net's delay in notifying the affected individuals was not its only error, according to the Vermont Attorney General. The AG also charged Health Net with violating Vermont's Consumer Fraud Act by telling the affected individuals that the risk of harm was "low" because the missing files were in a format not easily accessible. The files were in fact saved in the TIF image format, which can be opened with ordinary viewer software. The Vermont AG also charged Health Net with failing to safeguard protected health information as required by HIPAA (state attorneys general are authorized to bring enforcement actions for such HIPAA violations).
Health Net’s settlement with Vermont required it to pay a $55,000 fine, file reports about its data security programs with Vermont for two years, and submit to a data security audit. How much Health Net spent on legal, forensic and other expenses in dealing with the Vermont contretemps was not reported — although earlier accounts detailed how Health Net had spent $7.5M dealing with the breach generally.
It is clear that Hamilton Beach’s timely and well-prepared response helped to mitigate its exposure, while Health Net’s delayed and incomplete response compounded its costs. Their experiences provide a useful reminder that appropriate breach-response plans are essential for mitigating the costs of data security breaches.
Bonus question: There are several different aspects of the Health Net situation that could have caused it to lose coverage under many or most of the commonly used privacy insurance policies, unless certain provisions were amended through negotiation. How many can you identify?
Connect with John Doernberg on LinkedIn.