In today’s electronic age, Personal Information (PI) and Protected Health Information (PHI) are being stored on multiple technological devices. Data security is increasingly a concern as companies have become targets for people, both internally and externally, misappropriating private information.
“What is most important in the data privacy arena is for your organization to partner with vendors that have significant experience advising clients on best practices, security and storage policies that deal with data breaches, while complying with state and international data security laws,” says James J. Giszczak, a member at McDonald Hopkins. “This area of law is rapidly changing and it’s critical that the complex privacy laws are both understood and followed.”
Dominic A. Paluzzi, an associate attorney with McDonald Hopkins, says, “More than 562,943,732 data breaches have been reported since 2005, according to the Privacy Rights Clearinghouse. Of course, many have gone unreported, so this figure is more than likely three times higher.”
Smart Business spoke with Giszczak and Paluzzi about data security in the age of technology.
What information is protected and who is impacted?
PI refers to an individual’s name, coupled with a Social Security number, driver’s license number, credit card numbers, credit report history, passport number, tax information or banking records. PHI refers to medical records, health status, provision of healthcare and payment for healthcare.
Every industry is at risk when it comes to data privacy, but some are more critical, such as billing, education, insurance, staffing, health care, retail, manufacturing, accounting, financial services, legal, pharmaceutical and government/military.
Are there certain privacy laws and standards with which organizations must comply?
There are at least 35 federal laws that outline data protection or privacy protections. Forty-six states, the District of Columbia, Puerto Rico, the Virgin Islands and numerous foreign countries have legislation requiring notification of security breaches involving PI and/or PHI. It is where the affected individual resides that determines the applicable notice law.
Many of the regulations include significant penalties for failure to comply. For example, there can be up to $750,000 in penalties to a company for failure to notify affected individuals; $10,000 per violation for officers/directors personally; private civil actions for instances of non-compliance, including punitive damages and attorneys’ fees; and even prison terms of up to five years.
How can an organization minimize the risk of a data breach?
It is critical to have a comprehensive approach to data privacy and network security to limit risk and exposure. For example, a Written Information Security Program outlines an organization’s privacy policies and procedures. It sets forth the various steps your company has taken to secure PI, PHI and confidential information contained in both electronic and hardcopy form.
An Incident Response Plan is the ‘go-to’ document that identifies the appropriate internal and external resources to properly deal with a data breach. It sets forth an Incident Response Team, which is a group of decision-makers, both within and outside an organization in legal, IT, risk, human resources, marketing and public relations.
Be sure to have carefully drafted confidentiality agreements for employees, vendors and visitors to protect PI. Few confidentiality agreements encompass employee or vendor obligations regarding PI and PHI privacy. An indemnification provision can be very helpful in protecting an organization from an employee or vendor whose negligent or intentional acts result in a data breach. In that case, the company can look to the employee or vendor to recover losses incurred when it must notify affected individuals, attorneys general and other state and federal agencies of the breach.
Your company can also reduce the likelihood of an internal data breach by having appropriate IT and electronic policies as part of your data security and asset protection program. These can include a social media policy; computer usage policies that cover cell phones, USBs, laptops and personal devices; a document destruction and retention policy; and a telecommuting policy.
Organizations can purchase coverage from most of the major insurance carriers for third-party liabilities, such as disclosure of employee PI or patient PHI, both through a computer network or off-line; invasion of privacy; defamation; and security or privacy breach of regulatory proceedings. Security and privacy insurance is also available for first-party coverage, such as business interruption, costs to restore or recreate data or software resulting from failure of network security, forensic costs, ID theft resources, credit monitoring and costs associated with statutory notification requirements.
What needs to be done in the event of a data breach involving PI or PHI?
- Gather the Incident Response Team.
- Call your insurance agent, law enforcement and an experienced data privacy attorney to maintain privilege.
- Assign a breach coordinator.
- Preserve evidence of the breach and secure IT systems.
- Determine whether breach notification letters need to be sent, who should receive them, when should they be sent, what should they say or not say.
- Offer credit monitoring to affected individuals and report the incident to credit card companies and credit reporting agencies if applicable.
- Draft a press release and FAQs regarding the incident so affected individuals are well informed if necessary.
- Notify appropriate state attorneys general and other state agencies.
A comprehensive approach to data privacy and network security is necessary to avoid a data breach and is the best way to be prepared to respond to a breach when necessary.
James J. Giszczak is a member with McDonald Hopkins PLC. Reach him at (248) 220-1354 or firstname.lastname@example.org.
Dominic A. Paluzzi is an associate with McDonald Hopkins PLC. Reach him at (248) 220-1356 or email@example.com.
Insights Legal Affairs is brought to you by McDonald Hopkins LLC