It is a rare day when the news headlines don’t include yet another organization experiencing a data breach. The list of organizations affected by data breaches grows daily. It is now clear that a data breach can affect virtually any type of organization and can result in many negative and costly consequences.
If a data breach occurs at your organization, a timely and appropriate response is crucial. Below is a list of the major steps that should be taken if an organization discovers that its confidential information may have been compromised.
- Confirm if a Data Breach Occurred. If a data breach is suspected, the first step is to immediately investigate the incident to confirm whether a breach has occurred.
- Conduct an investigation to determine whether the confidential information was compromised or accessed by an unauthorized party.
- Engage technical experts, if necessary.
- Do not delay the investigation.
- Accurately document the investigation findings.
- Consider attorney-client privilege issues when conducting the investigation.
- Identify the Nature, Extent and Scope of the Breach. Once the data breach is confirmed, evaluate the nature, extent and scope of the breach. Some of the key issues to evaluate are:
- What confidential information was improperly disclosed?
- Did the information include protected health information subject to HIPAA?
- Did the information include personal information subject to state data breach laws?
- When and how did the breach happen?
- Was the compromised information electronic?
- Was the compromised information encrypted?
- How many individuals were affected by the breach?
- Does the breach involve residents of multiple states?
- Identify Legal Obligations Triggered by the Breach. It is important to fully understand the organization’s legal obligations triggered by a data breach. Specifically, it is necessary to:.
- Determine if the breach triggered legal obligations under HIPAA, state data breach and data security laws, FTC requirements and other applicable legal standards.
- Determine if the breach triggered any contractual obligations.
- Consider if the breach triggered procedures under the organization’s internal policies (e.g., employee sanctions if the breach were due to employee misconduct).
- Involve senior management and legal counsel in decision making.
- Provide Required Notices. Once a data breach is confirmed and the scope and nature of the breach is identified, provide all notices required by law or determined appropriate by the organization. It is important to:
- Comply with applicable legal requirements when providing notices (e.g., HIPAA and many state data security laws specify the timing, manner and content of required notices).
- Provide notices to the affected individuals in “plain English” and identify how the organization will assist those affected by the breach.
- Consider if notices to law enforcement authorities and State and Federal regulators are necessary (e.g., OCR, State Attorney General, FTC, SEC, etc.)
- Notify the employees of the incident, as appropriate.
- Notify the Board of Directors, shareholders and auditors of the incident, as appropriate.
- If no notifications were required under applicable legal standards, consider whether notices should be provided for customer relations or other purposes.
- Do not delay notifications.
- Take Remediation and Mitigation Measures. Take appropriate steps to mitigate any damages that may result from the breach and prevent re-occurrence of the incident.
- Take appropriate actions to immediately contain the breach.
- If the incident involved a stolen laptop or other device, inform law enforcement.
- Offer free credit monitoring to the affected individuals, if required by law or determined appropriate by the organization given relevant facts.
- Recommend that affected individuals place a fraud alert on their credit file.
- Consider establishing a call center and dedicating trained personnel to handle calls from the affected individuals.
- Strengthen the organization’s data security policies and provide additional education to personnel on data security.
- Cooperate with Governmental Investigations. If the organization is investigated as a result of a data breach, cooperate with governmental authorities to resolve the matter.
- Do not withhold information and fully cooperate with authorities.
- Provide prompt and accurate responses to information requests from the authorities.
- Be able to demonstrate through written documentation the actions taken by the organization to timely and appropriately respond to the breach.
Being prepared to respond to a data breach and taking timely and appropriate actions if such an incident happens would help decrease the organization’s legal exposure as a result of the data breach.
Milada Goturi is a partner in Thompson Coburn's Health Law Practice Group. She can be reached at (202) 585-6951 or mgoturi@thompsoncoburn.com.