Breaches: Avoiding Legal Woes
Attorney Offers Insights on Managing Response
To help avoid enforcement actions by state as well as federal regulators, healthcare organizations must first ensure full compliance with the HIPAA security rule, says attorney Navetta. Organizations also need to have a breach response plan in place that can be put into action quickly when a breach occurs, he says in an interview with Information Security Media Group. "Testing of those plans is important ... how to bring the right team in to handle the breach, investigate it and get them on the ground."
Plus, organizations that experience a breach should consider proactively reaching out to attorneys general and regulators, Navetta says. "There may be circumstances where you'll want to reach out to regulators ahead of time to discuss the situation, even if the investigation is ongoing, to get their guidance and maybe some input."
Preparation for Lawsuits
Navetta predicts class action lawsuits in the wake of data breaches "will become much more frequent." As a result, he says, "Preparation now is much more important than it was two or three years ago."
When conducting a forensic investigation of a breach, he says, "Organizations need to think about e-discovery and preserving evidence ... in anticipation of potential litigation."
Entities need to consider "what information do we need to find and retain so we can address potential claims that may be filed ... and help with any defense we may have in any regulatory action or lawsuit," he says.
And while remediation services, such as credit monitoring and identity protection, are generally not mandated by law, it's wise for organizations suffering data breaches to offer these services to breach victims, he says.
"The consumer-friendliness type of exercise shows that as an organization, you're trying to help your patients," he notes. Offering credit monitoring and ID protection "can serve to blunt the impact of a lawsuit because if you provide those services, the plaintiffs may not [suffer] any damages."
Also, how an entity communicates with the public after a breach, and how those incidents are portrayed by media, can play a role in whether lawsuits are filed, he says. "What's more important now than a couple years back is understanding the public relations handling of these breaches," he stresses.
In the interview, Navetta also discusses:
- How the required time frames for breach notification vary from state to state;
- Why a recent settlement between Kaiser Foundation Health Plan and the California attorney general over a 2011 breach could set a precedent for breach notifications in other states as well;
- The importance of health entities establishing attorney-client privilege for issues involving breach investigations.
Navetta is co-founder of the Information Law Group and co-chairman of the American Bar Association's Information Security Committee. He's also a certified information privacy professional.