Reporting of data breach incidents has been one of the most contentious aspects of the HITECH Act provisions. The initial provisions on data breach notification were kept in abeyance for nearly 2 years, predictably because the industry did not want to expose its failures to the public. Hence the mandatory disclosures to be made on the website of the company, on the website of the regulator, and in the newspapers were all resented. However, the US regulators have been firm on the data breach notification norm.
In the recently proposed rule on health insurance exchanges released in the US, it is stated that a data breach should be reported to the HHS within one hour of its identification, and this has raised a lot of eyebrows about the feasibility of such reporting. (Report).
This proposed rule sets forth financial integrity and oversight standards with respect to Affordable Insurance Exchanges; Qualified Health Plan (QHP) issuers in Federally facilitated Exchanges (FFEs); and States with regard to the operation of risk adjustment and reinsurance programs. Comments from the public have been invited until July 19, 2013.
Data breach reporting is an essential part of information security management at the industry level, but the concerns of the industry need to be understood in the proper perspective. Quick reporting of a data breach has its advantages at the industry level, since similar breaches in other organizations can sometimes be prevented by timely action by the regulator. For this purpose, the “One Hour Rule” should be considered a good thing.
However, it is necessary to understand that the dissemination of “Potential/Suspected Breach” information needs to be confined to the regulator until the exact nature and extent of the breach is ascertained. The regulator may initiate corrective action if necessary, but without disclosing the identity of the victim organization. Once the regulator confirms on its own, through preliminary examination of the evidence, that the “Potential/Suspected Breach” is a “Real Breach”, then the formal disclosure measures may be initiated.
It is therefore necessary for HHS to introduce a simple “Potential/Suspected Data Breach Notification Scheme” to implement the One Hour Rule. It is possible that there will be many false alarms in the process, but the industry should be given the confidence that “False Alarms” will be properly identified and dismissed without any reputational damage being caused to the organization.
Let’s hope that HHS will take this industry demand into consideration and issue the necessary modified guidelines.