It is a rare day when the news headlines don't include yet another organization experiencing a data breach. The list of organizations affected by data breaches grows daily. It is now clear that a data breach can affect virtually any type of organization and can result in many negative and costly

If a data breach occurs at your organization, a timely and appropriate response is crucial. Below is a list of the major steps that should be taken if an organization discovers that its confidential information may have been compromised.
1. Confirm if a Data Breach Occurred. If a data breach is suspected, the first step is to immediately investigate the incident to confirm whether a breach has occurred.

- Conduct an investigation to determine whether the confidential information was compromised or accessed by an unauthorized
- Engage technical experts, if necessary.
- Do not delay the investigation.
- Accurately document the investigation findings.
- Consider attorney-client privilege issues when conducting the
2. Identify the Nature, Extent and Scope of the Breach. Once the data breach is confirmed, evaluate the nature, extent and scope of the breach. Some of the key issues to evaluate are:

- What confidential information was improperly disclosed?
- Did the information include protected health information subject to HIPAA?
- Did the information include personal information subject to state data breach laws?
- When and how did the breach happen?
- Was the compromised information electronic?
- Was the compromised information encrypted?
- How many individuals were affected by the breach?
- Does the breach involve residents of multiple states?
3. Identify Legal Obligations Triggered by the Breach. It is important to fully understand the organization's legal obligations triggered by a data breach. Specifically, it is necessary to:

- Determine if the breach triggered legal obligations under HIPAA, state data breach and data security laws, FTC requirements and other applicable legal standards.
- Determine if the breach triggered any contractual
- Consider if the breach triggered procedures under the organization's internal policies (e.g., employee sanctions if the breach were due to employee misconduct).
- Involve senior management and legal counsel in decision
4. Provide Required Notices. Once a data breach is confirmed and the scope and nature of the breach is identified, provide all notices required by law or determined appropriate by the organization. It is important to:

- Comply with applicable legal requirements when providing notices (e.g., HIPAA and many state data security laws specify the timing, manner and content of required notices).
- Provide notices to the affected individuals in "plain English" and identify how the organization will assist those affected by the breach.
- Consider if notices to law enforcement authorities and State and Federal regulators are necessary (e.g., OCR, State Attorney General, FTC, SEC, etc.).
- Notify the employees of the incident, as appropriate.
- Notify the Board of Directors, shareholders and auditors of the incident, as appropriate.
- If no notifications were required under applicable legal standards, consider whether notices should be provided for customer relations or other purposes.
- Do not delay notifications.
5. Take Remediation and Mitigation Measures. Take appropriate steps to mitigate any damages that may result from the breach and prevent re-occurrence of the incident.

- Take appropriate actions to immediately contain the
- If the incident involved a stolen laptop or other device, inform law enforcement.
- Offer free credit monitoring to the affected individuals, if required by law or determined appropriate by the organization given
- Recommend that affected individuals place a fraud alert on their credit file.
- Consider establishing a call center and dedicating trained personnel to handle calls from the affected individuals.
- Strengthen the organization's data security policies and provide additional education to personnel on data security.
6. Cooperate with Governmental Investigations. If the organization is investigated as a result of a data breach, cooperate with governmental authorities to resolve the matter.

- Do not withhold information and fully cooperate with
- Provide prompt and accurate responses to information requests from the authorities.
- Be able to demonstrate through written documentation the actions taken by the organization to timely and appropriately respond to the breach.

Being prepared to respond to a data breach and taking timely and appropriate actions if such an incident happens would help decrease the organization's legal exposure as a result of the data