Articles concerning cyber-security and data breaches typically fall into two general categories: those discussing how to prevent a data breach from occurring and those discussing how to respond when one occurs. As I discussed in my earlier blog post, smart players in the healthcare industry are proactive in seeking to prevent data breaches before hackers strike.
In an excellent article titled “Best Practices for Avoiding Data Breach Liability,” which was published in New England In-House, Patrick J. O’Toole, Jr. and Corey M. Dennis discuss best practices for both breach prevention and breach response. O’Toole is a partner at Weil, Gotshal & Manges. Dennis is the U.S. Privacy Officer and in-house counsel at Pharmaceutical Product Development, LLC (PPD). (The article was later re-published in The Daily Record and Minnesota Lawyer.)
Although the technical aspects of cyber-security are complex and daunting to the layperson, O’Toole and Dennis offer common-sense advice to minimize the likelihood of a data breach. Their suggestions include:
• Conducting an inventory of the company’s sensitive data and identifying all custodians and data storage locations. Simply knowing who has access to the data and where it is located is an important first step.
• Making sure that the company is aware of all state and federal data security and breach notification laws that apply to its business operations.
• Regularly reviewing and updating corporate information security policies.
• Implementing security measures with regard to computer systems (e.g., passwords, encryption, firewalls, anti-virus software). However, physical security measures (e.g., locked cabinets, shredders) can be just as important to safeguarding sensitive data and personal information.
• Implementing best practices and training employees. O’Toole and Dennis point out that data breaches may result from basic employee negligence, such as leaving a briefcase containing sensitive information in a public area.
• Ensuring compliance of vendors with whom sensitive information is shared. Some state and federal laws require companies to ensure that their vendors maintain certain data security measures.
• Conducting periodic attorney-directed data security assessments. In conducting these assessments, O’Toole and Dennis suggest that efforts be made to preserve the attorney-client privilege applicable to any assessment-related reports.
• Considering cyber liability insurance. Most cyber insurance policies today cover the costs of forensic investigations, notification of and credit monitoring for affected individuals, regulatory compliance, and lawsuit defense and indemnification.
Corey Dennis, the co-author of this article, recently spoke on healthcare breach response and preparation on a panel at the International Association of Privacy Professionals (IAPP) Global Summit 2014. During this session, entitled “Preventing and Responding to Data Breaches after the Omnibus Rule,” he discussed several points, including the steps necessary to avoid breaches and the legal analysis to conduct when determining whether a breach must be reported under HIPAA.
The costs associated with data breaches—including financial costs, legal liability, and reputational loss—have become increasingly apparent. The TJX Companies breach in 2007 resulted in 94 million customer accounts being compromised and a multi-billion dollar loss to the company, including fines, legal fees, notification expenses, and brand impairment.
The recent Target breach, which affected 110 million customers, could have similar repercussions, and has already led to dozens of class action lawsuits, along with scrutiny from both Congress and regulators. In an age when nearly every major organization faces data security incidents, and large-scale breaches regularly make headlines, implementing the best practices above is essential for all companies.