States Continue to Amend Breach Notification Laws, most recently California and Illinois (part 1)

9/08/2011

States continue to individually fine-tune their breach notification laws, with California and Illinois each making changes effective January 1, 2012. The Illinois amendment adds requirements around what the notification to affected residents and owners or licensees of data must (and must not) contain. Specifically, notice to individuals must include:

  1. Toll-free numbers and addresses of credit bureaus;
  2. Toll-free number, address, and website address of the FTC; and
  3. A statement that the individual can obtain information from these sources about fraud alerts and security freezes.

Note that this does not include the number of Illinois residents affected by the breach.

More Than Just a Letter: Why Your Organization Must Recognize the Gamut of Reaction to a Breach Notice

7/20/2011

It seems as though there has been a renaissance recently in the fine art of notification critique. This has most likely been caused by the increased incidence of high-profile breaches this year, followed by ubiquitous reprinting of notification letters in various media outlets – the perfect storm to stir up that process whereby every sentence, and sometimes every word, is picked apart in an open forum.

Meaningful Use, Privacy and Security in EHR Systems: What Does the Future Hold?

7/07/2010

In June, the Office of the National Coordinator for Health Information Technology (ONC) issued its final rule to establish a temporary certification program for Electronic Health Record (EHR) Technology. This marks an important step towards allowing healthcare facilities to meet and achieve meaningful use, a requirement to qualify for incentive payments under Medicare and Medicaid. Yet, even with this new development, lingering security questions still plague the process, making the transition to an interoperable EHR system seem even further away and harder to achieve.