The challenges that come with securing sensitive information are unprecedented. Protecting electronically stored data has become extremely difficult, and breaches have unfortunately become a frequent occurrence. Companies are now legally required to take steps to protect their sensitive data, yet there are many different measures to choose from, and the array of options may leave companies confused or overwhelmed, not knowing where to begin. If you are unable to figure out where to begin, encryption is both an easy and comprehensible starting point.
Encryption, in the most basic sense, is a method of encoding your data. The process converts plaintext into ciphertext using an encryption key that is given only to authorized users, who then use the key to decipher the encoded information. Without the key, one cannot recover the original text and is instead left with meaningless characters.
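The following is an added example, not code from the article or its authors, showing what the paragraph above describes in working form: a record is encrypted under a 256-bit key with AES-GCM from the Go standard library, decrypted by a holder of the key, and then presented to a party with the wrong key and to a party who has altered the ciphertext. With an authenticated mode like GCM the attacker does not even obtain "meaningless characters"; decryption simply fails. The patient record is a constructed sample, and the function names are this example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// NewKey returns a fresh 256-bit key from the operating system's CSPRNG.
// In a real deployment this key lives in a key-management system or a
// hardware-backed store, never on the same disk as the data it protects.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// Encrypt seals plaintext with AES-256-GCM under key (which must be 32 bytes).
// The result is nonce || ciphertext || 16-byte authentication tag. The nonce is
// random per call and is not secret, so it travels with the ciphertext.
func Encrypt(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key) // rejects keys that are not 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends the ciphertext and tag to the nonce slice.
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// Decrypt reverses Encrypt. With the wrong key, or if any byte of the sealed
// data was altered, GCM's tag check fails and an error is returned instead of
// plaintext: the unauthorized party learns nothing about the content.
func Decrypt(key, ciphertext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(ciphertext) < aead.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, sealed := ciphertext[:aead.NonceSize()], ciphertext[aead.NonceSize():]
	return aead.Open(nil, nonce, sealed, nil)
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample record; not real data.
	record := []byte("patient: J. Doe; MRN 00012345; diagnosis: redacted")

	ct, err := Encrypt(key, record)
	if err != nil {
		panic(err)
	}
	pt, err := Decrypt(key, ct)
	fmt.Printf("authorized user, correct key: err=%v, match=%v\n", err, string(pt) == string(record))

	wrongKey, _ := NewKey()
	_, err = Decrypt(wrongKey, ct)
	fmt.Printf("attacker, wrong key:          err=%v\n", err)

	ct[len(ct)-1] ^= 0x01 // flip one bit of the tag
	_, err = Decrypt(key, ct)
	fmt.Printf("attacker, tampered data:      err=%v\n", err)
}
```

The practical point for the rest of this article is the comment on NewKey: encryption only reduces the impact of a stolen device or database if the key was not stored alongside the data. A laptop whose disk is encrypted but whose key sits unprotected on that same disk is, for liability purposes, an unencrypted laptop.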
Encryption does far more than frustrate potential hackers; it serves a dual function. Firstly, it provides a layer of protection for your company's data. Secondly, it may be the key to avoiding liability in certain situations.
The laws which govern technology are still continuing to evolve.
Technology develops at an incredible pace, leaving courts and
legislatures trying to catch up. As a result, the legal standard
used to hold companies liable for sensitive data being disseminated
is still in a state of flux. Courts, however, have suggested that if a company takes steps to encrypt its data, it may be able to avoid liability should a breach later occur.
Thus far, courts seem to have decided that a reasonableness standard will govern data breach liability. Essentially, they ask whether the company took reasonable precautions under the circumstances to protect sensitive data, looking at the sensitivity of the data as well as the size of the organization charged with securing it. Victims whose private information was stolen in a security breach tend to seek remedies through negligence or breach of contract claims. Both actions implicate some form of reasonableness standard, so it is no surprise that courts chose the same standard to govern companies' liability in breaches. While the contours of the reasonableness standard remain murky, one thing is clear: companies that store sensitive information must do something to ensure its security.
Encryption is a good place to begin when trying to satisfy the threshold requirement of reasonableness. Properly encrypted data is useless to a thief who does not also obtain the key, so encryption sharply reduces the chance that stolen data exposes private information. The caveat is that the key must be stored and protected separately from the data; a key kept alongside the ciphertext protects nothing. Because the effects of a breach are significantly less severe when the stolen data was encrypted, regulators have limited or reduced potential liability in such situations. For example, the Department of Health and Human Services (HHS), through its Office for Civil Rights (OCR), has indicated that monetary penalties may be waived where sufficient encryption was used. Additionally, the breach notification obligations of the Health Information Technology for Economic and Clinical Health (HITECH) Act attach only to "unsecured" protected health information, and HHS guidance treats data encrypted in accordance with that guidance as secured, so the loss or theft of data that was encrypted beforehand does not carry the notification duties and attendant penalties that the loss of unencrypted data would.
There are also cases that evidence the courts' willingness to mitigate an owner's liability had the stolen device been protected by encryption. For example, in May 2012, an employee at Beth Israel Deaconess Medical Center left an unencrypted personal laptop unattended on a desk in the hospital. The laptop was stolen, and sensitive information stored on it was accessed and subsequently released. The hospital was ordered to pay $100,000 as a result of the breach. The court, however, indicated that the Boston hospital could have mitigated its liability had the stolen laptop been protected by encryption. The practical lesson is that device encryption is only as good as the protection of its key: full-disk encryption whose key is unlocked by a user credential or hardware-backed store turns a stolen laptop into a lost piece of hardware rather than a data breach.
Companies face an array of challenges when it comes to securing sensitive information effectively. This should not, however, leave companies feeling powerless. Various options are available that provide some degree of legal protection, and encryption is a great place to start. As noted, encryption will not only lessen the damage of a security breach, but may also mitigate liability should a breach occur. It is important to remember that although breaches may no longer be entirely avoidable, taking steps to protect your data is still very much required.
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C.