May
17
2011

Data breaches – to prepare or not to prepare? The answer is simple.

Our guest blogger this week is Paul Luehr, Managing Director, General Counsel, Stroz Friedberg, LLC - a global digital risk management and investigations firm.

All data breaches have two things in common: the need for prompt resolution and the need for a robust preparedness plan. Healthcare institutions especially should heed the call for an incident response plan because it provides the best preventive medicine to minimize financial and reputational risks.  So PLAN, keeping in mind:  People, the Law, and Action, with No time to waste.

People – Define the responsibilities of a coordinated incident response team. Don’t act alone. A good response team should include key internal players (In-house Counsel, IT, Compliance/Security, HR and Public Relations), as well as outside experts who confront data breaches on a regular basis (trusted Attorneys, Forensic Analysts and Fraud Monitors). These external experts can help restore key business functions, preserve crucial forensic evidence, strengthen data security, address victims’ needs, and communicate effectively with regulators and the public.

Law – Track fast-changing data breach laws, privacy regulations, and notification mandates before a breach should occur.  This can help your organization identify protected health or personally identifiable information (PHI/PII which may trigger liability), navigate the HITECH Act and state law, understand reporting timelines, and effectively reach select constituents (i.e. Health and Human Services, victims, law enforcement and/or the media).

Action – Outline clear action items to accomplish within the first seventy-two hours. One early misstep can destroy crucial evidence, delay an effective response, and trigger government penalties or class-action lawsuits.

No time to waste – Remember that time is of the essence. Once a breach is identified, the clock starts ticking and may require immediate notice to regulators and/or notification to individual victims within 60 days.  

A comprehensive preparedness plan can promote extraordinary efficiencies when a breach threatens a healthcare entity. So, create your PLAN now.

Share