The Attorney’s Role in Handling Breaches and Security Incident Response

By Lee Kim, Director of Privacy and Security, HIMSS
Twitter: @lkimhimss

Data breaches are happening with increasing frequency, and some breaches that have already occurred may not yet have come to light. Many companies rely on their attorneys to help them decide whether or not to report a breach. Indeed, some state breach notification laws are fairly narrow in scope and cover only certain situations, such as computer intrusions resulting in unauthorized access to only certain types of information. In addition to the state laws, attorneys must determine whether any federal breach notification requirements apply and, if and to the extent they do, inform their clients accordingly.

Beyond the notification question, the attorney has several choices to make in advising the client about what to do in the face of a breach (or a suspected breach or security incident), including the following:

  1. What priority do I assign this matter, compared with the other matters on my to-do list?
  2. What depth of advice do I give the client?
  3. Can I give the client additional advice in terms of mitigation?

Handling breaches and responding to security incidents are very serious matters. They can potentially make or break a company, depending on how the breach situation is handled, whether or not a breach notification letter is issued and how promptly, and what the company is doing, in any event, about its security practices.

First, the attorney should make the breach or security incident response matter a top priority and work diligently with the client to address it. The longer the client has to wait for the attorney’s legal advice, the more time passes and the “timeliness” of notifying potentially affected individuals of a breach may ebb away. Even if the applicable breach notification statute allows a time window of, for example, 30 or 60 days, a best practice is to respond expeditiously and without unreasonable delay. (Of course, the specific breach notification requirements vary depending upon which state or federal laws or requirements apply to your situation.)

Second, the attorney should at least consider advising the client about the various options. For example, the absolute minimum may be (hypothetically) issuing a standard breach notification letter, minimally tailored to the circumstances of the confirmed breach. Another option the attorney may wish to raise is issuing a letter to potentially affected individuals when a breach is suspected but not yet confirmed, conveying the information that is known to date. This second option promotes transparency, by fully disclosing what is known so far, and may help “cushion” the impact of the formal breach notification letter (especially if a large breach is suspected).

Third, the attorney has a role in breach mitigation. Though the attorney’s role can and should be a legal one, that does not prohibit him or her from advising the client about the need to update its risk assessment, to conduct a gap analysis in view of the recent breach or security incident, and/or to engage an appropriate cybersecurity professional to assist the client with its post-breach mitigation needs. Especially for a client that may not have a robust security incident response program, the attorney’s recommendation to take proactive steps to improve its security posture may have profound and lasting (and positive) effects. Otherwise, the attorney may find himself or herself helping the client respond to one breach after another with the same root cause; assisting the client only minimally, and condoning its reactive security posture, does little to serve what the client ultimately needs or wants. Attorneys should not be afraid to suggest that the client conduct a “post mortem” analysis of the breach or security incident so that it becomes more resilient and thus hardened against future attacks.

In light of the foregoing recommendations, it can only help the attorney serve his or her clients to learn more about cybersecurity and thus be better informed. Not only will it enable the attorney to give better advice, but it may also help the attorney better safeguard the client information with which he or she is entrusted. Even if you are a practicing attorney who has not yet handled a breach situation, this, too, may be in your and your client’s future. As those of us in the information security field say nowadays: presume the breach and act accordingly.

In closing, you may find these resources useful for learning more about cybersecurity.

IC3 Business E-mail Compromise

Don’t Catch That Phish—How Not to Become a Victim

The 2014 Healthcare Organization’s Guide to Keeping Information Safe and Secure

About the Author: Lee Kim is the Director of Privacy and Security at the Healthcare Information and Management Systems Society North America and a member of the SANS Institute Securing the Human Healthcare Advisory Board.  Kim is licensed to practice law in Pennsylvania, the District of Columbia, and before the United States Patent and Trademark Office as a registered patent attorney.  Kim holds an AV Preeminent® peer review rating in health care and intellectual property law.