Contributed by Michael D. Wong, Tim Lessman and Colin Gainer
Recently Affinity Health Plan, Inc. (Affinity) entered into a $1,215,780 settlement with the U.S. Department of Health and Human Resources (DHHS) after inadvertently disclosing medical records stored on a leased photocopier’s internal hard drive. Affinity had leased photocopiers and then failed to properly erase the photocopiers’ internal hard drives when returning them to the leasing company. Affinity was unceremoniously notified of this breach of data security by CBS Evening News, which contacted Affinity about an investigative report it was conducting in which it had purchased a photocopier previously leased by Affinity that still contained personal identifying information and medical information for over 300,000 people. Affinity subsequently self-reported the breach to the DHHS and entered into the $1,215,780 settlement.
That settlement is a prime example of how technology has changed, and of how company security policies and protocols must change with it. An individual can now store more data and documents on a cell phone or in a “cloud” on the World Wide Web than on some of the first computers and floppy disks. As Affinity learned, many modern photocopiers have internal hard drives that retain data from scans, faxes or copies. Technology has created significant security concerns for companies about how to handle and manage sensitive data, employment records, medical records and other documents that include personal identifying information, social security numbers, health/medical information, credit/background reports, and confidential or proprietary business information. Disclosure of such information can create liability through claims for privacy violations, fines for violating HIPAA, and claims by the Federal Trade Commission, DHHS and other governmental agencies.
Now more than ever, identifying sensitive data and implementing a formidable policy to safeguard it are crucial steps in protecting a company from potential data and privacy breaches. Any such policy should address the procedure for securing data processed on every electronic device that stores data, including photocopiers, printers, personal computers, laptops, tablets/iPads, smart phones, flash drives, and other electronic devices. Options often include encrypting the data on the device, setting the device to overwrite the data, and having a procedure for disposing of devices and returning leased devices. Leased devices are of specific concern, as they are typically re-leased or sold to third parties. Before returning a leased device to a vendor, make arrangements for any data on the device’s hard drive to be removed, secured, overwritten or wiped so that it is unreadable and/or unusable by anyone else. While a leasing company or vendor may provide this service, you should still verify that it has been done before the device is returned. Additionally, if you have a contract with a leasing company or vendor for this service, make sure you carefully review the contract and understand any release of liability or indemnity clause relating to the service.
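The paragraph above recommends overwriting a device’s storage before it leaves your control and verifying that the vendor’s wipe actually happened. As an added illustration (not code from the original post or from Affinity or any vendor), the script below performs a single zero-fill overwrite of a storage path and then independently scans it for residual data, returning the offset of the first byte that was not cleared. It runs against a constructed temporary file standing in for a copier hard drive; on a real device you would pass the block device path instead (which requires administrative privileges). The sample “patient record” text is made up for the demonstration.

```python
import os
import tempfile
from typing import Optional

CHUNK = 1 << 20  # read/write in 1 MiB chunks so large devices do not fill memory


def overwrite_with_zeros(path: str, passes: int = 1) -> int:
    """Overwrite every byte of `path` (a file, or a block device opened read/write)
    with zeros, flushing and fsyncing after each pass. Returns bytes written per pass.
    Note: on flash/SSD media, wear levelling can leave unmapped copies of data that a
    host-side overwrite never reaches; full-disk encryption with key destruction or the
    drive's own secure-erase command is the stronger choice there."""
    with open(path, "r+b") as f:
        f.seek(0, os.SEEK_END)
        size = f.tell()            # works for block devices too, unlike os.stat().st_size
        zeros = b"\x00" * CHUNK
        for _ in range(passes):
            f.seek(0)
            remaining = size
            while remaining > 0:
                n = min(CHUNK, remaining)
                f.write(zeros[:n])
                remaining -= n
            f.flush()
            os.fsync(f.fileno())   # make sure the zeros reach the medium, not just the cache
    return size


def find_residual_data(path: str) -> Optional[int]:
    """Independent verification step: read `path` back and return the byte offset of
    the first non-zero byte, or None if the entire medium reads back as zeros."""
    offset = 0
    with open(path, "rb") as f:
        while True:
            buf = f.read(CHUNK)
            if not buf:
                return None
            stripped = buf.lstrip(b"\x00")
            if stripped:                          # chunk contains something other than zeros
                return offset + (len(buf) - len(stripped))
            offset += len(buf)


def demo() -> dict:
    """Build a constructed stand-in 'drive' holding a fake record, verify the scan
    finds it, wipe the drive, and verify nothing readable remains."""
    fd, path = tempfile.mkstemp(prefix="copier-drive-")
    os.close(fd)
    try:
        # Constructed sample: 10 zero bytes, a made-up patient record, 5 zero bytes.
        record = b"Patient: Jane Doe, MRN 000123"
        with open(path, "wb") as f:
            f.write(b"\x00" * 10 + record + b"\x00" * 5)

        before = find_residual_data(path)         # expect offset 10
        written = overwrite_with_zeros(path)      # expect 44 bytes
        after = find_residual_data(path)          # expect None (clean)
        return {"before": before, "bytes_written": written, "after": after}
    finally:
        os.remove(path)


if __name__ == "__main__":
    result = demo()
    print(f"residual data before wipe at offset: {result['before']}")
    print(f"bytes overwritten: {result['bytes_written']}")
    print("verification:", "clean" if result["after"] is None else
          f"residual data at offset {result['after']}")
```

The verification scan is deliberately separate from the overwrite so it can be run on its own against a device a vendor claims to have wiped; a non-None result is your evidence that the wipe was incomplete before the device leaves the building.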
Just as important as having policies and procedures in place to safeguard information, however, is having a plan in place to swiftly address any breach and to minimize its potential adverse consequences. Companies may also consider cyber liability insurance coverage as part of such a plan. This type of coverage is specifically designed to protect companies when data breaches occur, as standard insurance policies may not offer sufficient protection.
The extent of the potential liabilities faced by companies related to data breaches can be daunting. However, with proper planning, preparation and implementation, companies can minimize the risks they face.