Businesses Must Take Information Security Seriously
July 11, 2011. Posted by Arieh M. Flemenbaum in Biz IT, Business, Business Technology, Information security.
Tags: Business, business plan, information security, IT issues, small business, trade secrets
Several companies have suffered data breaches recently. The list includes tech-savvy companies like Sony and Apple, as well as major financial institutions whose data is closely regulated, like Citibank. However, no business is immune from a data breach, and the laws protecting personal data apply to all companies, both big and small.
Does your business have a plan in place to protect the personal information of your customers? Do you know the legal obligations imposed on your business if a breach happens? Do you have a plan in place to handle a potential breach of your data and to make the necessary disclosures and/or notifications of that breach?
The improper handling of a breach is not only bad for business; it can also create legal issues for your business. There has been a significant increase in enforcement actions (and fines issued) in connection with data breaches. Recently, WellPoint Inc. reached a settlement with the Indiana Attorney General over a delayed notification concerning a data breach; see http://www.healthcareinfosecurity.com/articles.php?art_id=3824&pg=1
WellPoint had a data breach that allowed the personal information of approximately 32,500 customers to be potentially accessible over the Internet. The exposed data included social security numbers, financial information and health records. WellPoint agreed to: pay $100,000 to the Indiana Attorney General’s Office; provide up to two years of credit monitoring and identity-theft protection services to Indiana consumers affected by the breach; and provide reimbursement of up to $50,000 (to each customer) for any losses that result from identity theft due to the breach.
There are at least two lessons that your business should learn from WellPoint’s case:
1. Act quickly to notify the affected parties and report a material data breach to the appropriate authorities. In WellPoint’s case, it took approximately 3 months to report its breach to the Indiana Attorney General. Data breaches happen, but when they do, be sure to comply with the applicable laws. Many state and federal laws require disclosure and/or notification of the breach “without an unreasonable delay.” Some statutes require a business to report a data breach within a specified time period. So it is imperative that the person responsible for your business’ information security is familiar with the applicable laws and the requirements they impose on your business.
2. Investigate and monitor your third-party vendors who handle any personal or protected information. In a statement, WellPoint indicated that the breach occurred during an update of its online application system, and that its third-party vendor had told WellPoint security measures were in place, which they were not. To make matters worse, WellPoint apparently did not know about the data breach for four months.
Your company must take its information security responsibilities seriously. You must have a plan for protecting your data and information and a plan for handling a potential breach. Your business must also have a person who is responsible for implementing and monitoring these plans, watching any third-party vendors, and putting your plans into action if a data breach occurs.