Last week, Bob posted on the July hacking of the 404Care.gov site, noting that "they are just now telling us about it."
This struck me as more than a bit problematic, and here's why:
Readers may recall that I recently underwent Marketplace re-certification training. This annual exercise is required for agents who wish to sell on the Exchange (and, increasingly, even off-Exchange). One major module was on "Privacy and Security Standards," which outlined all the various systems and protocols agents must have in place for dealing with potential clients. For example, I must encrypt any emails that include Personal Health Information (specifically, Personally Identifiable Information), and, more importantly, the "procedures required for incidence handling and breach notification."
And these were extensive.
"Accountability" is paramount, requiring that the "principles [of information safekeeping] be implemented, and adherence assured, through appropriate monitoring."
Which brings us to the reason for this post: the double standard levied on agents versus those required of the folks who actually run the Exchanges.
To wit:
"A security incident occurs when there has been an attempted or successful unauthorized access ... in an information system." [emphasis added]
What would you call July's "incident?"
And what is required of agents - but not, apparently, of the Feds - in the event of such an occurrence?
I'm glad you asked:
"Agents and brokers must report any incident involving the loss or suspected loss of PII or PHI ... Provide details ... Require reporting of any incident or breach of PII to the CMS IT Service Desk" [emphasis added]
And what about when that incident or breach is aimed directly at that CMS IT infrastructure? Well, it certainly appears that these rules don't apply.
So here's a question: why are agents (and brokers) held to a higher standard than the folks who actually run the Exchanges?
I think we already know the answer to that one.