Our guest blogger this week is Paul Luehr, Managing Director, General Counsel, Stroz Friedberg, LLC - a global digital risk management and investigations firm.

All data breaches have two things in common: the need for prompt resolution and the need for a robust preparedness plan. Healthcare institutions especially should heed the call for an incident response plan because it provides the best preventive medicine to minimize financial and reputational risks.  So PLAN, keeping in mind:  People, the Law, and Action, with No time to waste.

People – Define the responsibilities of a coordinated incident response team. Don’t act alone. A good response team should include key internal players (In-house Counsel, IT, Compliance/Security, HR and Public Relations), as well as outside experts who confront data breaches on a regular basis (trusted Attorneys, Forensic Analysts and Fraud Monitors). These external experts can help restore key business functions, preserve crucial forensic evidence, strengthen data security, address victims’ needs, and communicate effectively with regulators and the public.

Law – Track fast-changing data breach laws, privacy regulations, and notification mandates before a breach should occur.  This can help your organization identify protected health or personally identifiable information (PHI/PII which may trigger liability), navigate the HITECH Act and state law, understand reporting timelines, and effectively reach select constituents (i.e. Health and Human Services, victims, law enforcement and/or the media).

Action – Outline clear action items to accomplish within the first seventy-two hours. One early misstep can destroy crucial evidence, delay an effective response, and trigger government penalties or class-action lawsuits.

No time to waste – Remember that time is of the essence. Once a breach is identified, the clock starts ticking and may require immediate notice to regulators and/or notification to individual victims within 60 days.  

A comprehensive preparedness plan can promote extraordinary efficiencies when a breach threatens a healthcare entity. So, create your PLAN now.

Our guest blogger this week is Chris Wolf, practice director at Hogan Lovells and co-chair of the Future of Privacy Forum.

Join us on Thursday, February 24th for a live webinar with panelists, Chris Wolf and Reed Freeman discussing  State Legislation Past & Present: The Effects on Data Breach Notification and Resolution.

While the talk of 2011 may be the possibility of Congressional action on a privacy bill and/or a single, preemptive federal data security law, states enter the year as the primary enforcer of data security laws in the U.S.   While state laws requiring “reasonable” data security have had a positive impact, data breach notification laws have had the most profound effect on the improvement of data security.  These laws have motivated companies – through negative incentives – to improve data security to avoid publicity, embarrassment, and the risk of notification.  State involvement in data breaches also has extended to the medical space, as states have begun to enforce the HITECH Act.

A handful of other states enacted passed data security laws in 2010.  Mississippi became the 46^th state (plus DC, Puerto Rico, and the Virgin Islands) to adopt a breach notification law, leaving Alabama, Kentucky, New Mexico, and South Dakota as the remaining hold-outs.  In a victory for banks, Washington passed a law that permits financial institutions recoup card reissuing costs from companies and processors whose negligence causes a breach.  The biggest data security law news of 2010, however, may very well have been the comprehensive Massachusetts data security standards.  These standards, which became effective last March, require any entity that maintains information on a Massachusetts resident to implement a comprehensive written information security program.  Though we have not yet seen any enforcement, the state may wish to make a splash in 2011.

This past year also saw individuals continue to bring lawsuits under state law alleging non-identity-theft-related damages resulting from breaches, despite the lack of success of these suits in the past.  In two cases, the Ninth Circuit, though ruling against the plaintiffs, opened the door for breach victims to sue in federal court and suggested that damages could potentially be found under California due to costs expended on credit monitoring.  In more traditional holdings, the Maine Supreme Court held time spent to prevent future harm is not sufficient to show damages, and an Oregon appellate court held that potential future damages were insufficient to support a negligence class claim for breach of medical data.

With the proliferation of breach laws and their extension to health data, cyber-risk insurance – which generally covers the cost of a data breach and eases compliance burdens – is becoming more popular.  This insurance coverage, however, has extended past the breach context.  For example, Allied World Assurance, a provider of property, casualty, and specialty insurance and reinsurance solutions, has entered into a risk management alliance with my firm, Hogan Lovells, to (among other things) provide breach planning and proactive legal representation to companies looking to avoid data breaches.

Over the past year, state data security laws have driven most of the data security compliance obligations of U.S. companies, and will continue to do so into 2011.  To stay up-to-date on the latest news on compliance obligations under state privacy and data security law, visit and subscribe to our blog at www.hldataprotection.com.

When a data breach occurs it is important to understand the breach notification laws in your State and what you have to do to abide by them. After contacting your legal counsel, the next stop you can make is the National Conference of State Legislatures which maintains a list of enacted and proposed security breach notification laws.

In general, most state laws follow the basic tenets of California’s original law: Companies must immediately disclose a data breach to customers, usually in writing. California has since broadened its law to include compromised medical and health insurance information.

Some important considerations to these laws include, but are not limited to:

1.       The time allotted to inform consumers of a data breach.

2.       Whether or not there are penalties – civil or criminal – for a failure to disclose.

3.       What kinds of breaches, if any, are exempt from reporting.

4.       Whether or not there is a private right of action – or the ability for the consumer or employee to pursue a case on their own.

Federal agencies, such as the Federal Trade Commission, are currently reviewing ways to better protect consumer privacy.  Their findings are likely to influence how state legislature votes on some key data breach notification and privacy acts on the floor in 2011. Some of the proposals include requirements for a reasonable effort to be made to avoid a data breach with the use of encryption, designated individuals to lead privacy departments and education throughout the organization, and data security risk assessments prior to a breach.

With the recession driven boom of cybercrime, identity theft and security breaches that is likely to continue to expand in 2011, Congress will probably enact some version of these proposals sooner rather than later. That being said, it is better to be prepared and embrace the current and proposed laws before a data breach occurs.