July 25, 2007

Data-Theft Communication Follow-up

Filed under: Business Moves, Privacy/ID Theft, Taxes & Government — TBlumer @ 1:27 pm

Great, here I am with about a half-hour to say something about what I teased yesterday.

I have seen a comment or two in e-mails suggesting that posting on this matter is dragging out something that shouldn’t be. I don’t think so; the questions asked yesterday should make it clear that I’m not interested in saying anything more about the historical-record drip-drip disclosure, or the intern firing, or even the OIG report.

Added at 9:30 p.m.: What I’m looking at is whether the state’s communications to those affected by the data breach will enable those who should be protected, and those who would want to be protected, to sign up for the protection being offered. I believe the state’s due diligence has, overall, been quite a bit less than perfect.

So here goes, following the lines of the four questions I asked yesterday (if you want to reference the documents involved, open this post in a new window or tab):

1. How likely is it that those who receive the letter from the state or visit Debix’s web site will think that the whole thing is just another clever phishing expedition designed to fool people into giving up their private and personal information?

In my view, “not likely, but more likely than it should be.” I believe the letter to those affected should have been signed by the Governor. That would increase the assurance the average person would feel that the letter is legit.

2. Assuming those who receive the letter believe that the communication is legitimate, will they understand what needs to be done to become eligible for the year of protection?

I think there’s a big hole here. The second-last sentence in the ODAS letter’s third paragraph says:

You will also need an e-mail address to complete the process.

This is not true, and I have confirmed that with people at Debix and at the State. Nonetheless, the letter says the opposite. Additionally, the related Debix Identity Protection Registration Form asks for an e-mail address, and does NOT say that it’s optional.

A person I spoke with at the State’s help line told me that she feels that people who are confused about this will typically call for clarification. Perhaps most will, but not all. At least some of those without an e-mail address (perhaps 20% or more of those affected) will decide that they can’t get the service promised and will not sign up. Others will intend to follow up but not make the clarifying phone call. Still others may decide (yeah, this one’s a stretch, but we’re talking hundreds of thousands of people with widely varying degrees of techno-literacy) that since an e-mail addy is required and they don’t have one, only those with e-mail addys must be vulnerable.

Unfortunately, it sounds clichéd, but it’s true — those most likely to make the incorrect choices just noted will be late teens and the elderly. The elderly are less likely to be applying for credit, meaning that they won’t catch ID-theft problems that are often detected by getting turned down for credit. Late teens who have no credit or only skimpy credit like a retail card or two also likely won’t get the warning signal of a turndown. Neither group is likely to check their credit file on a regular basis.

I believe the state should be doing something to reach those affected to make up for this (in my opinion) potentially serious error in communication that has the potential to leave many who should be protected unprotected.

3. In tone, have the State and Debix, its selected protection service vendor, been discouraging, encouraging, or neutral in describing the service and the importance of signing up for it? In other words, based on what has been conveyed, will those affected feel as if they should sign up for the protection, or that it’s either too much trouble to bother with or a waste of time?

I think the State should have conveyed a greater sense of urgency; after all, the data, while on a device that cannot be easily accessed, is nonetheless NOT encrypted. I don’t think that “If you would like to take advantage of the service” does the job. If the State didn’t feel like making a recommendation itself, it could have quoted any number of respected security-industry officials who have counseled signing up for the kind of service Debix is offering when data breaches occur. I get the sense that the State is being penny-wise, pound-foolish, consciously or not, in not being more assertive in suggesting that people affected sign up for the service.

4. Is Debix being allowed to capitalize unreasonably on the business the state has dropped in its lap to promote its consumer-paid protection services to those affected?

There are two aspects to this: What’s happening now, and what’s happening a year from now.

Right now, Debix and the State have probably handled the situation well. The State’s link goes directly to an activation page at Debix, and Debix has a blue box link on its home page referring those affected by the State’s breach to that activation page.

I spoke with Kathy Fergerson of Debix, who informed me that those affected are getting the same service that ordinary consumers are paying $99 for, and that the $99 service is the only service Debix offers.

I’m not so sure about what happens later. Ms. Fergerson says that about 11 months from now, those who have signed up for the free service will be sent an expiration letter reminding users that their service will end soon, and that to renew they will have to start paying. Ms. Fergerson is not sure whether Debix will charge the normal $99. I’m frankly not sure what to make of all of this. A lot will depend on the tone of the expiration/renewal letter; I sure hope that users don’t feel unduly pressured to enter into a paid subscription.

The points being made here have nothing to do with partisanship or politics and everything to do with due diligence. Added 9:30 p.m.: But it is worth asking why the items discussed here, particularly the flat-out error in claiming that victims need to have an e-mail address, are being totally ignored (as far as I can tell) by Ohio’s Old Media.

Carnival Barking (072507)

Filed under: News from Other Sites — TBlumer @ 12:47 pm

Jill at Writes Like She Talks did a great job in compiling the 75th Carnival of Ohio Politics, and its ever-growing pool of Buckeye State-based talent.

There’s some very good “Can’t Help But Notice” material that I’ll notice in the coming days.

Couldn’t Help But Notice (072507)

Whine of the day:

Vick indictment blindsided Falcons

“We had absolutely no idea that the indictment was coming on that day at that time,” Falcons General Manager Rich McKay said at a news conference Tuesday afternoon at the team’s Atlanta office.

I didn’t know prosecutors had an implied duty to notify an employer about a pending indictment of an employee. (/sarcasm)

_____________________________________

Sherrod Brown’s outrageous vote — Either he really doesn’t believe that those who in good faith report what they believe is suspicious or criminal activity deserve legal protection, or, fully knowing that he is shielded from voters’ wrath until 2012, he did Harry Reid’s bidding to ensure that a bill the Democratic leadership opposed wouldn’t pass.

I believe it’s the latter, for this reason: Several weeks ago, he voted against immigration shamnesty cloture after years of being a nearly across-the-board supporter of illegal-immigrants’ “rights” — waiting until he knew that the measure would fail to cast his vote. This time Brown’s political radar detected an issue that will stay alive and cause problems at re-election time.

Conclusion: A Sherrod Brown Senate vote is primarily an exercise in political calculation, not personal conviction.

________________________________________

Hold the Birthday Cake — The Sarbanes-Oxley Act (SOX) passed five years ago. Its harm is only partially measurable, in higher external audit costs and thousands of hours devoted to internal compliance (read “busywork”). Additionally, the market for initial public offerings (IPOs) has quantifiably changed for the worse:

Not long ago, about 90 percent of major IPOs were handled in this country and about 10 percent elsewhere. Now the numbers are reversed. In 2006, 350 companies raised $86 billion in European initial offerings. In the U.S., 235 companies raised $48 billion. Hong Kong too has been gaining ground as Chinese companies have largely stopped coming here for financing. Last year, New York did not participate in any of the 10 largest offerings.

But getting back to SOX — here’s the biggest cost:

… less easy to quantify but certainly real is the harm to U.S. competitiveness that occurs when CEOs obsess over the tiny details of SOX compliance (lest they face jail time because a subordinate gets a detail wrong) instead of concentrating on innovation.

If, as I believe is the case, this preoccupation with bureaucratic compliance, i-dotting, and t-crossing is shaving a half-point from annual GDP growth in a $13-plus trillion economy, the biggest cost of SOX is over $65 billion in lost economic growth — which compounds on itself.

________________________________________

Speaking of losing business overseas, you would think that Sherrod “Offshoring Is Evil” Brown might have something to say about the aforementioned loss of IPO business. But Brown, whose Senate home page still describes his site as “temporary,” doesn’t have much to say about anything:

[Screenshot: Sherrod Brown’s Senate newsroom page as of 07/25/07]

Mr. Brown would be well-served to put Mrs. Brown, aka Connie “And His Lovely (But Not Humble) Wife” Schultz, into HIS currently empty newsroom. This would have two benefits: Brown would actually start proactively communicating to his constituents, and Mrs. “I’m Still an Objective Reporter Because I Say I Am” Brown could leave her hopelessly conflicted position (definitely in appearance, if not in fact) at the Cleveland Plain Dealer.

Actually, make that three: The PD would excise the perfectly justifiable perception that its reporting and editorial positions on Mrs. Brown’s husband are incurably tainted. Would a fair and balanced PD have thus far ignored hometowner Brown’s virtually barren Senate site, or the fact that after six months in office he still (according to his contact page) has only a Cleveland office (George Cut-and-Runovich Voinovich has six)?

Positivity: Heart attack victim a cool customer (benefiting from a cool treatment)

Filed under: Positivity — TBlumer @ 6:54 am

From Massachusetts:

Monday, July 23, 2007 - Updated: 01:11 AM EST

For 18 minutes one cold, predawn morning in February, Claire Simmons’ heart quit beating. No oxygen was feeding her brain and by most accounts, the 71-year-old grandmother shouldn’t have made it.

But she did.

“She was one of our miracles,” said Colleen Snydeman, nursing director in the cardiac intensive care unit at Massachusetts General Hospital where Simmons underwent an emerging treatment that saves brain cells after a heart attack by inducing hypothermia.

Hypothermia was endorsed by the American Heart Association in 2005, but cooling is still not widely practiced and it could be saving thousands of lives, she said.

“Some hospitals don’t understand this is a therapy that could be an option,” she said. “It gives people the possibility of recovery.”

Simmons was one of 12 cardiac patients cooled in 2006 at MGH, one of several Boston hospitals that use it. It must be done within six hours of the heart attack.

Hypothermia lowers the body’s metabolism, reducing the brain’s need for oxygen, said Robert Kline, CEO of Colorado company Medivance, maker of Arctic Sun, a device that uses pads and chilled water to cool. Hypothermia also halts the cascade effect that starts when oxygen-starved cells die.

“When we’re cooling we’re not trying to salvage the heart, we’re trying to salvage the brain,” he said.

There are 150 U.S. hospitals using Arctic Sun, up from 40 in 2005 and 7,000 patients have been cooled, up from 500 in 2004.

Go here for the rest of the story.