It is a rare day when the news headlines don't include yet another organization experiencing a data breach. The list of organizations affected by data breaches grows daily. It is now clear that a data breach can affect virtually any type of organization and can result in many negative and costly

If a data breach occurs at your organization, a timely and appropriate response is crucial. Below is a list of the major steps that should be taken if an organization discovers that its confidential information may have been compromised.
1. Confirm if a Data Breach Occurred. If a data breach is suspected, the first step is to immediately investigate the incident to confirm whether a breach has occurred.
- Conduct an investigation to determine whether the confidential information was compromised or accessed by an unauthorized
- Engage technical experts, if necessary.
- Do not delay the investigation.
- Accurately document the investigation findings.
- Consider attorney-client privilege issues when conducting the
2. Identify the Nature, Extent and Scope of the Breach. Once the data breach is confirmed, evaluate the nature, extent and scope of the breach. Some of the key issues to evaluate are:
- What confidential information was improperly disclosed?
- Did the information include protected health information subject to HIPAA?
- Did the information include personal information subject to state data breach laws?
- When and how did the breach happen?
- Was the compromised information electronic?
- Was the compromised information encrypted?
- How many individuals were affected by the breach?
- Does the breach involve residents of multiple states?
3. Identify Legal Obligations Triggered by the Breach. It is important to fully understand the organization's legal obligations triggered by a data breach. Specifically, it is necessary to:
- Determine if the breach triggered legal obligations under HIPAA, state data breach and data security laws, FTC requirements and other applicable legal standards.
- Determine if the breach triggered any contractual
- Consider if the breach triggered procedures under the organization's internal policies (e.g., employee sanctions if the breach were due to employee misconduct).
- Involve senior management and legal counsel in decision
4. Provide Required Notices. Once a data breach is confirmed and the scope and nature of the breach are identified, provide all notices required by law or determined appropriate by the organization. It is important to:
- Comply with applicable legal requirements when providing notices (e.g., HIPAA and many state data security laws specify the timing, manner and content of required notices).
- Provide notices to the affected individuals in "plain English" and identify how the organization will assist those affected by the breach.
- Consider if notices to law enforcement authorities and State and Federal regulators are necessary (e.g., OCR, State Attorney General, FTC, SEC, etc.).
- Notify the employees of the incident, as appropriate.
- Notify the Board of Directors, shareholders and auditors of the incident, as appropriate.
- If no notifications were required under applicable legal standards, consider whether notices should be provided for customer relations or other purposes.
- Do not delay notifications.
5. Take Remediation and Mitigation Measures. Take appropriate steps to mitigate any damages that may result from the breach and prevent re-occurrence of the incident.
- Take appropriate actions to immediately contain the
- If the incident involved a stolen laptop or other device, inform law enforcement.
- Offer free credit monitoring to the affected individuals, if required by law or determined appropriate by the organization given
- Recommend that affected individuals place a fraud alert on their credit file.
- Consider establishing a call center and dedicating trained personnel to handle calls from the affected individuals.
- Strengthen the organization's data security policies and provide additional education to personnel on data security.
6. Cooperate with Governmental Investigations. If the organization is investigated as a result of a data breach, cooperate with governmental authorities to resolve the matter.
- Do not withhold information and fully cooperate with
- Provide prompt and accurate responses to information requests from the authorities.
- Be able to demonstrate through written documentation the actions taken by the organization to timely and appropriately respond to the breach.
Being prepared to respond to a data breach and taking timely and appropriate actions if such an incident happens will help decrease the organization's legal exposure as a result of the data
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.