The recent announcement by Anthem CEO Joseph Swedish of a massive data breach at the nation's second-largest health insurer has caught the attention of small businesses. The Anthem breach affects up to 80 million subscribers and employees in at least 14 states. The stolen information includes names, birth dates, medical IDs, street addresses, email addresses and Social Security numbers. The attack is the largest healthcare breach to date. While Anthem says that no medical information was taken, the loss of this personally identifiable information could affect subscribers for decades to come.
Companies that do not take adequate precautions to secure the sensitive employee and customer data in their records should take heed. While the Anthem breach was a sophisticated attack designed to expose a large number of records, it highlights the need for every company to take a closer look at the systems and policies that protect business-sensitive and personal information. An employer may be held responsible for breaches of the personal information it collects, including when that information is transferred to third parties. The cost of simply defending a lawsuit, even one you win, can be crippling. Aging computer systems, improper employee training, and inadequate business policies and procedures will all work against a company when it comes time to assess damages. Would your company be able to show that its employee records and information were handled securely?
Notifications of Data Breach
Anthem appears to have discovered the data loss a week before it disclosed the breach to members, delaying their ability to take protective measures. “Forty-six states, the District of Columbia, Puerto Rico, and the Virgin Islands have laws requiring notification of security breaches involving personal information. Federal statutes, regulations, and a memorandum for federal departments and agencies require certain sectors to implement information security programs and provide notification of security breaches of personal information…. The Massachusetts security breach and data destruction law and security regulations are considered to ‘constitute one of the most comprehensive sets of general security regulations yet seen at the state level.’”
“The nature of this breach is especially troubling as it strikes at the heart of an individual’s personal information,” said Rep. John Ratcliffe (R-Texas), who chairs the House Subcommittee on Cybersecurity, Infrastructure Protection and Security Technologies. Cybercriminals can sell the information on underground markets, where it can be used within hours to perpetrate a range of identity fraud schemes. Unlike a credit card or bank account, a name, birth date, Social Security number and address cannot simply be reissued, so the stolen data remains usable long after the breach and creates a long-term threat to consumers.
What Are the Costs of a Data Breach?
Reports of data security breaches are changing consumer and employee behavior and eroding trust. Breaches on this scale are costly to the companies involved: for healthcare companies a data breach costs at least $100 per record, covering customer hotlines, credit monitoring services and compliance with state and federal disclosure requirements. According to the Ponemon Institute, more than 40% of health insurers experienced a data breach in 2013. Breaches are commonly blamed on aging computer systems and inadequate security protection.
Data Breach Penalties and Lawsuits
The Anthem security breach raises privacy and security issues under the Health Insurance Portability and Accountability Act (“HIPAA”) and the Health Information Technology for Economic and Clinical Health (“HITECH”) Act, as well as fiduciary issues under ERISA.
Penalties can be imposed for failure to promptly notify customers of a security breach. They vary by jurisdiction: a civil penalty of up to $500 for each state resident who was not notified, not to exceed $50,000; a civil penalty not to exceed $10,000 per breach; assessment of appropriate penalties and damages; $1,000 per day per breach; and higher. Could your company afford those types of penalties? In addition, the breach exposes Anthem to lawsuits by those affected. Recently filed class action lawsuits allege that Anthem:
1. Failed to maintain the information in a secure computer system
2. Failed to implement a process to detect a data breach in a timely way
3. Failed to disclose the breach to consumers
4. Failed to disclose to customers it could not adequately secure personal information from theft or misuse.
Data breaches can affect a business for years. Abnormal churn rates follow data breach incidents, according to a Ponemon Institute study that measured the loss of customers directly affected by the breach event (typically those receiving notification). The industries with the highest churn rates were pharmaceuticals, communications and healthcare (all at 6 percent), followed by financial services and services (both at 5 percent). Beyond the legal ramifications, data breaches can result in:
1. Loss of customer confidence
2. Loss of vendor confidence
3. Loss of employee confidence
Intentional theft through cyber attacks is only one way valuable personal data gets out. Companies keeping unsecured paper records are exposed to the same threat and face the same criminal penalties and liabilities, and there are numerous incidents of businesses accidentally releasing personal information. With the rising use of unsecured file-sharing sites, the danger of accidental release is growing. Are your paper HR and customer records stored in secured storage areas? Are your customer, vendor and HR electronic records adequately encrypted and protected from both internal and external threats? Do you have policies governing the transmission of files and the use of public file-sharing services?
What Are the Key Components of a Records Management System?
ISO 15489-1:2001 defines records as “information created, received, and maintained as evidence and information by an organization or person, in pursuance of legal obligations or in the transaction of business”. Records management is “[the] field of management responsible for the efficient and systematic control of the creation, receipt, maintenance, use and disposition of records, including the processes for capturing and maintaining evidence of and information about business activities and transactions in the form of records”. A records manager is the person responsible for records management in an organization. Records management includes:
1. Setting policies and standards;
2. Assigning responsibilities and authorities;
3. Establishing procedures and guidelines;
4. Providing a range of services relating to the management and use of records;
5. Implementing and administering systems for managing records
6. Integrating records management into business systems and processes.
The practice of records management may involve:
1. Planning the information needs of an organization
2. Identifying information requiring capture
3. Creating, approving, and enforcing policies and practices regarding records, including their organization and disposal
4. Developing a records storage plan, which includes the short and long-term housing of physical records and digital information
5. Identifying, classifying, and storing records
6. Coordinating access to records internally and outside of the organization, balancing the requirements of business confidentiality, data privacy, and public access.
7. Executing a retention policy on the disposal of records which are no longer required for operational reasons, involving either their destruction or permanent preservation in an archive.
An Electronic Document and Records Management System (EDRMS) is a computer system used to track and store records. Records management systems differ somewhat from the imaging and document management systems used for paper capture and document handling: an EDRMS provides more sophisticated security and auditing functionality tailored to the needs of records managers. Automated electronic document and records management systems can go a long way toward protecting sensitive business records and personal data. Robust security features that prevent unauthorized access, coupled with written policies and procedures and employee training, are one step toward protecting information. Electronic records management systems are cost effective and help mitigate risk.
PiF Technologies has been providing secure electronic records management solutions for nearly two decades. Our solutions are robust enough to meet the requirements of banks and financial institutions as well as any other industry subject to critical data protection regulations. Looking for a step-by-step guide to adopting a records management policy and implementing a system that is legally defensible? Contact us for a 10-minute assessment call to determine if we can help you secure your records and data with docSTAR Eclipse records management solutions.
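As an added illustration of the access-control, auditing and retention functions described above (and of the internal-threat question raised earlier), here is a small records store written in Python. It is example code written for this page, not docSTAR or PiF Technologies code; the record categories, retention periods, roles, audit key and sample records are assumptions constructed for the example. It enforces role-based access to classified records, logs every access (including refusals) to an HMAC-chained audit trail that detects later edits, and reports which records have reached the end of their retention period.

```python
# Added illustration, not PiF/docSTAR code. The categories, retention periods,
# roles, audit key and sample records below are assumptions constructed for it.
import hashlib
import hmac
import json
from datetime import date

RETENTION_YEARS = {"hr": 7, "customer": 5, "vendor": 3}   # assumed schedule
ROLE_ACCESS = {                                            # assumed access matrix
    "hr_manager": {"hr"},
    "account_rep": {"customer", "vendor"},
    "records_manager": {"hr", "customer", "vendor"},
}
GENESIS = "0" * 64  # chain anchor for the first audit entry


def add_years(d: date, years: int) -> date:
    """Calendar-year arithmetic; 29 Feb rolls to 28 Feb in a non-leap year."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


class RecordsStore:
    """Records store with role-based access, an HMAC-chained audit log and
    retention-based disposal reporting."""

    def __init__(self, audit_key: bytes):
        self._key = audit_key        # held by the records manager, not by readers
        self._records = {}
        self.audit_log = []
        self._prev_mac = GENESIS

    def _mac(self, entry: dict) -> str:
        body = json.dumps(entry, sort_keys=True).encode()
        return hmac.new(self._key, body, hashlib.sha256).hexdigest()

    def _audit(self, **event):
        # Each MAC covers the event plus the previous MAC, so editing, deleting
        # or reordering any earlier entry breaks the chain.
        entry = dict(event, prev=self._prev_mac)
        entry["mac"] = self._mac(entry)
        self.audit_log.append(entry)
        self._prev_mac = entry["mac"]

    def add(self, record_id, category, created: date, content, actor):
        if category not in RETENTION_YEARS:
            raise ValueError(f"record {record_id} has no classification: {category}")
        self._records[record_id] = {"category": category, "created": created, "content": content}
        self._audit(action="add", record=record_id, actor=actor, category=category)

    def read(self, record_id, actor, role):
        rec = self._records[record_id]
        allowed = rec["category"] in ROLE_ACCESS.get(role, set())
        # Denied attempts are logged too; they are what a reviewer looks for.
        self._audit(action="read", record=record_id, actor=actor, role=role, allowed=allowed)
        if not allowed:
            raise PermissionError(f"{actor} ({role}) may not read {record_id}")
        return rec["content"]

    def due_for_disposal(self, today: date):
        """IDs of records whose retention period has expired as of `today`."""
        return sorted(rid for rid, r in self._records.items()
                      if add_years(r["created"], RETENTION_YEARS[r["category"]]) <= today)

    def verify_audit_log(self) -> bool:
        """Recompute every MAC and check each chain link."""
        prev = GENESIS
        for entry in self.audit_log:
            body = {k: v for k, v in entry.items() if k != "mac"}
            if entry.get("prev") != prev or not hmac.compare_digest(self._mac(body), entry.get("mac", "")):
                return False
            prev = entry["mac"]
        return True


def demo():
    """Constructed walk-through; returns a summary the caller can check."""
    store = RecordsStore(audit_key=b"example-audit-key-keep-it-in-a-kms")
    store.add("HR-001", "hr", date(2007, 3, 1), "employee file (contains SSN)", "alice")
    store.add("CUST-042", "customer", date(2012, 6, 15), "customer profile", "bob")
    store.add("VEND-007", "vendor", date(2013, 1, 10), "vendor W-9", "bob")
    store.read("HR-001", "alice", "hr_manager")
    try:
        store.read("HR-001", "bob", "account_rep")     # must be refused, and logged
        denied = False
    except PermissionError:
        denied = True
    intact = store.verify_audit_log()
    store.audit_log[-1]["allowed"] = True              # tamper: rewrite the denial
    return {
        "denied": denied,
        "intact_before_tamper": intact,
        "intact_after_tamper": store.verify_audit_log(),
        "disposal_due_2015_02_10": store.due_for_disposal(date(2015, 2, 10)),
    }


if __name__ == "__main__":
    print(demo())
```

The audit key must be held by the records manager (ideally in a KMS or HSM) and never by the users whose actions the log records; otherwise whoever can read the log can also rewrite it. In a production EDRMS the log would also go to append-only storage and the chain would be verified on a schedule, and the retention report would feed a documented destruction or archival step rather than deleting anything on its own.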