It’s easy to understand why the retail, banking and health care industries are highly motivated to protect themselves from a data breach. Less so for service providers and vendors. That is until you realize that Target’s data breach -- the largest ever -- is reported to have originated from the breach of an HVAC contractor’s access to Target’s data network. Business owners make an enormous investment in time, talent and resources cultivating and sustaining trusted relationships with companies they want to do business with. Today, more than ever, data management must be a part of that effort. Your clients and customers demand it.
Through mid-August of this year, the California-based Privacy Rights Clearinghouse reported 189 data breaches made public in 2014, spanning health care, retail, financial, government, education and miscellaneous businesses, including service providers and vendors. The breaches fall under the three most common causes: negligence, criminal activity (hacking or the theft of a device) and corporate espionage/malfeasance.
In response to consumer demands, a total of 46 states now have data breach laws, and multiple states may come into play in a single breach. Consider the rupture of trust that would occur if a contractor working for a company with multi-state operations suffers a breach in its own business that unleashes malware into that company’s network. If the company’s employee records are compromised, it can face scrutiny from every state in which its employees reside.
On the federal level, a weak link in the chain of data protection could expose businesses to penalties under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Gramm-Leach-Bliley Act (GLBA). Last year, the federal government announced tighter enforcement of HIPAA’s rules on protected health information, extending its reach to “business associates,” such as a subcontractor or vendor, and requiring them to comply with HIPAA. The ripple effect can be enormous. Consider the following.
A hospital contracts with a public relations firm to publicize a planned cancer wing. The hospital and PR firm plan a fundraiser to support the new wing, and the hospital provides the PR firm with names and addresses of former patients who may support the fundraiser. The PR firm contracts with a party planner to organize the fundraiser. The party planner contracts with a printing company for invitations. The printing company electronically stores information for the invitations on its equipment and also contracts with a company that services the printing equipment. All five businesses, from the hospital to the printing maintenance firm, are required to be compliant with HIPAA because each is in a position to receive “protected health information” -- the names and addresses of former patients.
To protect valued relationships, every business should carefully consider data breach vulnerabilities in its own operations and demand equal scrutiny from its business partners or vendors who could come into contact with protected information. This would include:
• Developing policies and educating employees on their role in data management. This includes establishing, publicizing and encouraging internal reporting mechanisms for suspected breaches.
• Creating a data management team with clear responsibilities and a thorough understanding of the types of data collected, processed and developed. The team should also understand legal responsibilities and regulatory requirements.
• Developing a risk assessment and mitigation plan. This includes reviewing vendor contracts to find weak links that could expose data. Even if a company shuns the exchange of data online, it can be held liable for data shared with vendors who do expose that data, however unintentionally, in a breach. If a vendor doesn’t have an electronic security policy that addresses employee background screening and data management, then your company should write one for it.
• Engaging (or at least considering) a third-party audit to review policies, compliance efforts and technical infrastructure. This is often done only after a breach. It’s better to find any holes before they are exploited.
Businesses may also consider “cyber” insurance policies, which can afford some protection against losses, but be aware that not all cyber policies cover the risks a company faces. Cyber policies should cover the costs associated with the data breach, including engaging legal counsel, hiring investigators, providing credit monitoring if needed, and enlisting public relations experts to facilitate communications with all parties served by the company.
If a data breach does occur, businesses obviously need to focus on discovering its source, mitigating impact and complying with appropriate state and federal regulations. But equally important is taking immediate action to be in a position to recover from the breach. That means engaging legal counsel to provide protection from potential civil litigation and the discovery process through the attorney-client privilege. This is especially important because third party reports from IT forensic, accounting or crisis communications firms, as well as internal company communications, may be discoverable in civil litigation. If outside counsel is engaged, these communications may be protected under the attorney-client privilege.
Technology is a wonderful business tool, enabling contractors to conduct business much more efficiently. But it carries evolving risks of inadvertent exposure of sensitive information that can destroy a hard-earned reputation. Don’t let neglect squander the trusted relationships you’ve built. Show your customers that you are serious about data management.