Does the Attorney-Client Privilege Shield Data Breach Investigations?

Whenever a privacy breach occurs at a company, time is of the essence. The theft could involve stolen sensitive financial data, credit card information, health data, Social Security information or other personal identifying information relating to customers and/or employees of the company.

Remember that the attorney-client privilege matters when engaging investigatory service providers that will create documentation such as “incident” reports or “computer forensics” reports. Hiring outside counsel can help ensure that the investigation of the breach is protected by the attorney-client privilege, but it is also important to know the limits of this protection.

The attorney-client privilege protects communications concerning the breach investigation; the privilege does not protect the fact that the breach occurred. Furthermore, the attorney-client privilege cannot be used as a shield to avoid any applicable notification requirements under state and federal law. Utilize your company’s outside counsel as a part of your data breach team to analyze the type of data breach at issue. If notification is required, it should be sent to all affected parties and should be issued in a clear, succinct, and precise manner.

Finally, if you hire a forensics examiner, have outside counsel engage the forensics team so that the investigation can also be protected by the attorney-client privilege. Bear in mind that the breach response team working with the forensics examiner should ideally include your top information technology team members, your in-house counsel (if any), your outside counsel and any key members of your public relations team. Being prepared before a data breach will minimize the level of business disruption and your potential damages.

How Your Business Can Avoid a Merchant/Vendor Data Breach

In October 2015, many of the major vendors in the payment processing world will move to a new system for ensuring secure payment transactions.  The new payment systems will be chip-and-PIN or chip-and-signature, depending on the merchant/vendor.  Already successful in the earlier European rollout, the new systems should make information harder to steal and shift some or all of the liability to those vendors that have not become chip-and-PIN compliant.  Further, the Payment Card Industry Data Security Standard (PCI DSS) has issued a set of requirements to ensure that merchants process, store, and transmit encrypted data in a safe environment.

While these measures will help, they won’t eliminate the possibility of data being exposed during the point of sale. So regardless of what solutions are offered to secure data during the point of sale, one thing is for sure: It may not be enough to solve all levels of fraud.

Four Steps Merchants Must Take to Protect Themselves:

  1. Secure your perimeter IT network and web-based applications. Your IT network needs constant security updates and vulnerability assessments to ensure that no openings exist for hackers to compromise your secure data. Above all else, this perimeter, or first line of defense, should be kept upgraded so that no areas of weakness exist.
  2. Monitor your systems at all times for suspicious IT and financial traffic. In today’s fast-moving world, you need constant 24/7 monitoring so your company can detect breaches faster and take immediate action to stop and mitigate losses. Vendors and merchants should formalize technologies to notify customers of potential data breaches or threats of same.
  3. Be prepared for the worst. Prepare your company with data breach response training and crisis management in every jurisdiction in which you are located. Develop processes, periodically perform data breach preparation and readiness training with your employees, and practice with them at various times and under different simulated data breaches. Considering your company’s level of risk tolerance, you may want to hire a security forensics team before any breach. Having a forensics team evaluated and retained before a breach occurs allows you to understand what it can and can’t do for your company, and you can evaluate its skills and expertise before relying on the team.
  4. Purchase data breach insurance. Since this is a new and growing area of coverage, insurance companies can help you focus on what level of coverage the business needs and what is financially at risk. Since insurance companies have checklists and protocols established for data protection, use your insurance company’s checklist and process to confirm that your protection systems meet its underwriting requirements before you purchase the insurance.

All told, there is no simple way to prevent data breaches, but with foresight, preparation and an immediate action plan, you can prevent, minimize and respond quickly to any privacy breaches.

California Hospital Defeats $500 Million Privacy Suit

The California 4th District Court of Appeal recently ruled that a hospital did not violate medical privacy statutes when a computer was stolen in 2011.  According to the court’s opinion in Eisenhower Medical Center v. Superior Court of Riverside County, the computer, which was stolen from the medical center, contained an index of over 500,000 patients at the hospital who had been assigned a clerical record number.  The index, which had data from as far back as the 1980s, included the person’s name, medical record number, age, date of birth and the last four digits of the person’s Social Security number.  Significant to this ruling was that the file was password-protected but not encrypted.

The proposed class-action lawsuit sought over $500 million in statutory damages, or $1,000 for each of the over 500,000 patients whose personal information was listed on the index.

Following the hospital’s appeal from a dispositive motion ruling, the California appeals court held that, under these circumstances, the hospital could not be liable for violating the Confidentiality of Medical Information Act (CMIA) because it never revealed “medical information” about the listed individuals. The court held that under the CMIA, a prohibited release by a health care provider must include more than individually identifiable information but must also include information relating to medical history, mental or physical condition, or treatment of the individual.

Although this ruling helps narrow damages arising from a data breach involving medical records under the CMIA, a health care provider should bear in mind that, pursuant to this ruling, to be liable under the act, individually identifiable information – such as a patient’s address, name and email address, plus information about a patient’s “medical history, diagnosis or care” – must have been released.

The May 21 opinion is final, since the California Supreme Court declined to review it.