Why do we need overarching privacy and security rules governing how companies deal with our most sensitive data? Well, let's consider the case of the ongoing million-dollar manhunt for extortionists who have threatened to display millions of stolen health records--complete with prescription information--online.
The continuing investigation, backed by an offer of a $1 million dollar reward for information leading to the arrest and conviction of the crooks, stems from an event made public in November. Express Scripts, a large company that manages prescription-drug benefits, reported that both it and its clients had received letters threatening to reveal customer information--including Social Security numbers, addresses, dates of birth, and prescription information--if certain extortion demands were not met (for more information, visit the Express Scripts Support Site).
Neither the FBI, which is investigating the matter, nor Express Scripts has released many details, but Stephen Littlejohn, Express Scripts's vice president of public affairs, says that the nature of sample records offered by the extortionists in their letters "correlates to data" held in the company's database. Littlejohn acknowledges that Express Scripts doesn't know how the criminals obtained the customer records, including whether the data heist was an inside job or an external break-in, nor is it clear whether the thief or thieves actually have the millions of records they claim to have stolen. Littlejohn reports that the company subsequently instituted "enhanced controls" on its systems.
A few years back, an FBI agent told me that computer crime hasn't yet had its "Enron moment" (see "Internet Wars: We're Getting Our Butts Kicked"; you'll have to scroll about three-quarters of the way down a long line of blog entries). By this she meant that there hadn't yet been an attention-grabbing crime splasshy enough to prompt real action by lawmakers and regulators in response to digital privacy and security threats. Since the Express Scripts case deals with sensitive health records and privacy that, once violated, can't be recovered, it may become that Enron moment.
For the potential victims' sake, I hope that the extortionists don't follow through on their threat. But if they do, maybe the ensuing political firestorm will result in strong, sane national laws and regulations over personal information. Rules proposed by the Center for Democracy and Technology call for transparency (so that each of us knows which companies hold what data of ours) and choice (so consumers can opt out of allowing a given company to hold it).
Because privacy protections alone won't ensure that companies protect our data adequately, we also need to standardize data breach laws--which don't exist in all states--so that companies must promptly report stolen or lost data, and thus have a strong incentive to adopt appropriate security measures.
Storing and transmitting records in digital format can yield huge cost savings and may promote health safety, since quick access to drug data can help prevent dangerous prescription conflicts. But the Express Scripts debacle should serve as a wake-up call that we need to get serious about how our personal data is handled.