
Data Security And The Perils Of Doing Nothing | SMALL BUSINESS





by John Conway and Angela L. Carr, Esq.

With electronic records, social media, and the Internet facilitating a constant information exchange and seemingly unlimited data access, what steps should you be taking to protect the information entrusted to you by clients, vendors, or other third parties? Similarly, what risks are you exposed to when you fail to take those steps?

Many people are aware of the protections afforded to medical information as well as the restrictions placed upon health care providers and other covered entities, under HIPAA. However, these covered entities and their business associates are not the only organizations that should be concerned about compliance with federal and state privacy laws. Realistically, if your business involves receipt of consumer information (names, credit card numbers, social security numbers, dates of birth, etc.), federal and state laws obligate you to take reasonable steps to secure and protect that information where it lies.

Breaches can occur through any series of unintentional or intentional actions including unintended disclosures, exposure to hacking or malware, credit card fraud or misappropriation, inappropriate insider/employee access to information, and access to information through lost or stolen devices.

The bottom line is that actions, and more importantly inactions, have consequences. In the context of privacy, failure to take reasonable and proper steps to secure and protect information can expose organizations to tangible and intangible costs that will far exceed what it costs to properly secure and protect the information in the first place, as well as:

• government investigations
• enforcement actions and hefty fines
• media exposure that can cause irreparable damage to consumer confidence levels
• private civil suits from affected consumers
• increased exposure to additional direct and indirect attacks on your organization and your clients/customers
• legal defense fees
• increased insurance premiums
• loss of credibility and client/customer confidence
• technology and security audit fees
• remediation fees for education, technology upgrades, security protocols, documented policies and procedures, and ongoing monitoring and audits
• PR and communication fees



Let’s take a look at some examples of recent breaches:

In December 2014, a data breach occurred at Anchorage Community Mental Health Services, Inc. (“ACMHS”) that exposed electronic personal health information of 2,743 individuals. Following an investigation by the Office for Civil Rights, ACMHS entered into a Resolution Agreement whereby they agreed to pay $150,000 and to submit to a series of training initiatives for employees as well as enhanced technical security requirements.

In February 2015, Anthem was hacked, exposing over 80,000,000 of its customers’ data. To put that vast number into perspective, it is more than the populations of California, Texas, and Illinois combined. And what allowed for this massive breach to occur? It was a direct result of Anthem not taking the proper steps to protect the data where it lies.

Whether you are in the healthcare industry or you operate a small business with relatively few employees, it is your responsibility to protect the private information that you are given, whether it is in transit or being stored. Regardless of whether privacy breaches result in monetary fines or settlements, cooperating with government investigations, defending civil suits, and attempting to rehabilitate an organization’s image all require the expenditure of time and resources that could undeniably be better spent furthering your stated mission and growing your organization.

There are steps that you can take to secure your private information, including:

1. Identifying risks
2. Securing information
3. Limiting user access
4. Using encryption
5. Updating technology
6. Training employees
7. Preparing a strategy to respond to a breach
8. Conducting periodic self-audits

You are very busy and thinking about privacy is daunting, but the cost of not effectively protecting the information that is entrusted to you can be devastating. Take action today to properly identify and protect your data. You’ll be glad you did. It all starts with engaging the proper security experts to guide you through this legal and technical process.

John Conway
President & CEO
Ananke IT Solutions

Angela L. Carr, Esq.
Partner
Barton Gilman LLP

www.risbj.com | volume four issue three



Volume 4, Issue 3  

Rhode Island Small Business Journal Volume 4, Issue 3 - Technology Issue
