Should the US Adopt a Data Breach Safety Net?

In 2015, the largest health insurance provider in the United States suffered a data breach that compromised the personal information of 79 million people. The class action lawsuit against Anthem resulted in a $115 million settlement.

Though that may have been the largest settlement ever for a data breach, Efthimios Parasidis, an associate professor of law and public health at Ohio State University, finds it unsatisfactory. Patients whose valuable data were exposed in the attack were compensated for their trouble with up to $50 cash or 2 years of credit monitoring. (Lawyers in the case, he notes, collected over $30 million).

With data breaches only increasing in size and severity, like this summer’s Equifax hemorrhage, Parasidis believes the US must do better to punish companies that fumble data and compensate victims. He outlined what a data breach safety net might look like yesterday at a privacy conference organized by the Department of Health and Human Services.

The solution he proposed is based on the National Vaccine Injury Compensation Program (VICP). Vaccines are positive for public health, he argued, just as the curation of large data sets for analytics research can be. It’s also known, with statistical certainty, that some people will be harmed by vaccines, just as some will be harmed in data breaches. An equivalent “safety net” fund for data breach victims should exist, Parasidis argued.

He suggests the money come from fines imposed on negligent data stewards and companies that fail to prevent breaches.

Given the volume of patients whose data are compromised in breaches, however, it may be difficult to imagine a fund accruing enough money to adequately compensate the millions whose data are lost annually. Additional financial streams would likely be necessary. Parasidis notes that Americans pay into VICP $0.75 per vaccine.

Due to the complications, he strongly recommends such an approach be stratified on a risk-based rubric based on reasonable expectations of privacy: how data are obtained and how it will be used. The conversation, he says, is necessary, and must include patients, industries, and regulators.

“To take a step forward, we need to take a step back,” he says.