“Once More Unto the Breach, Dear Friends, Once More”: The Increasing Recognition of Complexity in Data Breach Response and Reporting

In an article in today’s New York Times, we get some real-life insight into the difficulties in responding to a data breach. Even simple questions, like whether or not to report the breach and who is responsible for reporting it, take on unforeseen complexity.

The particular breach in question happened at the Massachusetts eHealth Collaborative, when an employee’s car was broken into and a company laptop stolen. The ramifications included:

  • spending nearly $300,000 in legal, private investigation, credit monitoring and media consultancy fees;
  • devoting 600 person-hours of staff time to the breach;
  • hiring a crisis team of lawyers and customers and a chief security officer;
  • hiring a private investigator to scour local pawnshops and Craigslist for the stolen laptop; and
  • notifying some of the affected patients and offering them free credit monitoring.

The eHealth Collaborative’s Executive Director, Micky Tripathi, first outlined the breach, and has since critiqued the article, on his blog.