Whether your company is large or small, being prepared for a cyber-attack is your legal responsibility, because the alternative is compromising your customers' and employees' data. Here we tell you how.
Data breaches and cyber-attacks that compromise personal records, financial information and medical data are becoming more common and more severe as business becomes more globalized and more dependent on technology. Hospitals, insurers, health clinics, employers with their own health clinics, pharmacies, provider groups and even individuals can be exposed. The second largest health insurer in the United States is the most recent victim of a major cyber-attack. Restaurants, hotels, grocery stores, and online and brick-and-mortar retailers have all fallen victim to this crime, resulting in the exposure of the personal information of millions of customers and employees, including names, home and email addresses, Social Security numbers, checking and savings account information, other banking and financial data, and health plan ID numbers, among others. You probably keep the same kinds of information in your business's electronic records; but do you know whether your business has adequate mechanisms in place to reduce that risk?
Major cyber-attacks raise serious questions about the safety and privacy of the information that companies keep. The consequences can be severe, and measures must be taken immediately to reduce or prevent exposure to fines, penalties and claims. That exposure includes damages claims and class action suits brought by consumers or employees whose private information has been compromised.
Privacy and security laws and regulations, especially in the healthcare industry, require covered entities and their business associates who handle, receive or have access to Protected Health Information (PHI) to take the measures necessary to protect that information. Moreover, employment laws and the Constitution of the Commonwealth of Puerto Rico recognize privacy rights in the private employment context. Encryption is only one of those measures; it protects stored and transmitted data, but it does not by itself satisfy these obligations. Other measures to reduce exposure include the following:
- Hiring cyber-security experts;
- Verifying that your company has the encryption technology required to protect the information of current and former customers and employees, and that it is actually in use;
- Cooperating with authorities and delineating a collaborative strategy;
- Drafting and adopting the required written policies, protocols and procedures for managing and protecting data and for responding immediately to a cyber-attack;
- Providing credit monitoring services to consumers or employees actually or potentially affected.
Spending on information security does not guarantee immunity from cyber-attacks, but it certainly reduces exposure both to breaches and to the claims that follow them. As the healthcare industry and our businesses become more complex and more technology oriented, the privacy and security issues that arise multiply. Learning how to protect your own information, and that of your customers and employees, is therefore increasingly vital.
This document has been prepared for information purposes only and is not intended as, and should not be relied upon as, legal advice. If you have any questions or comments about the matters discussed in this notice, wish to obtain more information about them, or want to know their possible effect on policy or operational matters, please contact us.
- Roberto F. Náter-Lebrón – rnater@ferraiuoli.com
- Katherine González-Valentín – kgonzalez@ferraiuoli.com
- Roberto A. Cámara Fuertes – rcamara@ferraiuoli.com