Rarely does a day go by without news of yet another data breach. It has become clear that a data breach can affect any type of organization and that the results can be detrimental. It is essential that breaches are handled quickly and that organizations comply with all state and federal regulations.
Some things to consider when evaluating a possible data breach are:
1. Confirm a data breach truly happened.
- Conduct an investigation to determine whether personal information was truly compromised.
- Don’t hesitate to bring in third-party experts.
- Conduct the investigation as soon as possible.
2. If a breach did occur, identify the nature, extent, and scope of the breach.
- When and how did the breach occur?
- How many parties and records could possibly be affected?
- Was information compromised that may be subject to HIPAA?
3. Identify legal obligations triggered by the breach.
- Did the breach trigger legal obligations under HIPAA, the state’s data security laws, or FTC requirements?
- Did the breach trigger any contractual obligations?
4. Provide required notices to all parties involved.
- Ensure compliance with legal notice requirements (timing, manner and content).
- Notify the Board of Directors, shareholders, employees, and auditors if appropriate.
- Notify affected individuals and identify how the organization will assist them.
- Notify law enforcement authorities and state and federal regulators if necessary.
- Send out notifications in a timely manner.
5. Resolve the breach and take measures to ensure it doesn’t happen again.
- Take appropriate measures to immediately contain the breach.
- If the incident involved stolen laptops or servers, inform law enforcement.
- If applicable, offer free credit monitoring and fraud alerts to affected individuals.
- Dedicate resources to address any inquiries regarding the breach.
- Update the organization’s security procedures.
6. Cooperate with government investigators.
- Do not hide or withhold any information.
- Be responsive to requests.
- Be able to show documentation of all actions taken by the organization in response to the breach.
To read the full guide or to get more information, feel free to contact our pre-sales engineers at firstname.lastname@example.org.
This article was produced using content created by Milada Goturi of Thompson Coburn’s Health Law Practice Group.