It’s 2013 and everything old is new again. It’s 10 days into the year and so far we’ve heard about at least two key data thefts and a summary penalty for exposing personal health info in the U.S.
One of the reasons I like reading SC Magazine is for its Data Breach Blog. It’s a good window into the follies of many organizations out there and serves up great examples of why companies should encrypt the data that resides on laptops and desktops.
So far, two recently announced ‘breaches’ this year happened due to a stolen, unsecured device. A hospital in Indiana had nearly 30,000 patient records exposed after a laptop was stolen, and a health care vendor in California lost nearly 70,000 patient records. Those are serious numbers, and it’s shocking given that the U.S. Department of Health and Human Services (HHS) is starting to crack down on these things.
This week it was announced that the HHS Office for Civil Rights (OCR) financially punished an organization for a data breach. This was the first time the OCR ever levied a fine against an organization for a data breach and really hammers home the point that the protection of things such as personal health information (PHI) is critical and must be taken seriously.
The organization that was fined is a non-profit organization with 100 employees plus volunteer staff. The cost to deploy an encryption solution at an organization of this size would have been far less than the $50,000 in fines they have to pay right now. How many records were exposed? 441. That’s approximately a $113 fine per record. If we assume they have perhaps 75 laptops in use at the organization (which I would expect to be a very high estimate), they’d be looking at less than 10% of the cost of that fine to secure their data with SecureDoc in their first year, and significantly less after that.
Now, look at the two other examples mentioned above. If we go with the precedent of $113 per record levied against the organization in Idaho, the hospital in Indiana could be facing a fine of nearly $3.4 million and the California-based company could be facing an $8 million penalty. While this is pure speculation, these fines most certainly wouldn’t be pocket change.
It’s a pretty clear value proposition. Organizations really need to start looking at data encryption and security solutions as insurance. You wouldn’t drive a car without insurance because (besides the fact that it’s illegal) if you get into an accident, the costs to address the damage, personal injury, etc. would be astronomical. The same can be said for the privacy of data. Data encryption solutions are a form of insurance: in the event a device is lost or stolen, they limit risk and exposure, both legally and financially.