New York Attorney General Letitia James announced on March 27, 2023, that she had levied a fine against law firm Heidell, Pittoni, Murphy & Bach LLP for failing to secure personal and health information of clients and exposing the information in a data breach.
The law firm represents New York-area hospitals and failed to sufficiently secure the private information of its client hospitals' patients. This lack of security put the firm in breach of New York state law and of the federal HIPAA law (the Health Insurance Portability and Accountability Act, enacted in 1996, which establishes standards for the electronic exchange, privacy, and security of health information).
Increased Need for Vigilance
In our digital age, there is an increasing need to institute protocols for the privacy, storage, and retention of the data a business holds about customers, clients, and contacts (such as email lists), both for the safety of that information and for compliance with applicable laws.
Data breaches are becoming an increasingly common occurrence. As technology advances, so too do the methods of malicious actors, who seek to exploit vulnerabilities in computer systems and networks to gain access to sensitive information. Every day, millions of people worldwide are affected by data breaches, which can have serious consequences ranging from financial losses to identity theft.
At the heart of a data breach is a security vulnerability in the system that has been exploited by a malicious actor. This can be as simple as a missing software patch or as complex as an intricate web of unsecured networks. Once the vulnerability has been exploited, the attacker can gain access to sensitive user data, such as usernames, passwords, and financial information.
Two Means of Prevention
The most effective way to protect against data breaches is to ensure that all computer systems and networks are up-to-date and properly secured. This includes regular patching and updating of software, as well as the implementation of strong access controls and authentication protocols. Additionally, companies should always use encryption to protect any data that is being sent over the internet. Further consideration should be given to other avenues where a business has a digital presence, for example, its website and social media profiles.
The second, yet equally important, aspect of combating the vulnerabilities that lead to data breaches is people. In addition to those working in the IT department, employees across a business create risk in how they handle their own area of data responsibility, from network passwords to record-keeping to how and when they share sensitive information. Thus, it is important for a business to have clear procedures for informing employees of their duties regarding data privacy.
In addition to developing, documenting, and implementing an information security policy, it is best practice for organizations to establish agreements with employees regarding the security and privacy of the data they handle. This set of policies is often seen in the form of a binding employee handbook or contract. It should be updated annually, distributed to all employees, and require that all employees acknowledge its content and their responsibilities for securing information and technologies at the organization.
Policies should not only be approved by management, but also acknowledged and known by everyone. Some examples of data security and privacy best practices to include in your information security policy are as follows:
- Policies regarding employer-owned devices: Employees should recognize and understand that any communication or data exchanged through equipment owned by their employers is not private. Among the items that fall under this category are laptops, desktop computers, email servers, etc.
- Bring your own device (BYOD) policies: With all the technological devices people use today, many organizations allow employees to bring their own devices, and sometimes to use those personal devices to access the business network. To avoid the associated risks, policies should clearly define the dos and don'ts of bringing your own device.
- Policies for acceptable use: An employer's acceptable use policy establishes how a network or system should be used and how it may not be used. It prevents employees from abusing internet access during work hours or using discriminatory communication methods.
Data breaches can have serious consequences, which is why it is important to be aware of the risks and take the necessary steps to protect your data. By taking these precautions, you can help ensure that your data remains secure and reduce the likelihood of becoming the victim of a data breach.
Source: NY AG press release
Casey Erick is a Texas Commercial Litigation and Employment Law attorney. He regularly advises clients on business and employment-related matters, including preparing for and navigating litigation. He is a frequent speaker, presenter, and author on employment topics and complex, high-profile issues confronting businesses and their leadership.