Another Day, Another Data Breach: More Lessons for Lawyers
Up to 1.1 million customers may have had their data stolen when CareFirst, a Blue Cross Blue Shield health plan, was hacked on Wednesday. According to the company, the hackers gained access to information such as names, birthdays and emails, but not private medical or financial information. The incident makes CareFirst the third large health insurer this year to have lost customer data to hackers. Across the three, more than 90 million customers may have had their personal information compromised.
With each breach, a new handful of potentially costly class-action lawsuits are filed. When Anthem compromised millions of customers' information, more than 50 class actions were filed in under a month.
What's a lawyer to do?
Whatever Your Industry, Be Prepared
Cybersecurity threats are simply an inescapable fact of doing business these days -- and losing sensitive information to hackers can open your company up to severe liabilities. For healthcare companies like CareFirst and Anthem, the primary liability is from violations of HIPAA, the federal health information privacy law. But it's not just the healthcare industry that is at risk of data breaches and subsequent suits.
While the healthcare industry reports the most data breaches, partially because it has stricter disclosure requirements than many industries, no industry was unaffected by breaches. According to a recent report, data breaches are less frequent but much more severe in the professional services industry. That means that all companies, whatever the industry, must have a data breach plan, focused on securing sensitive information and responding promptly should something go wrong.
You Might Have Yourself to Blame
A good way to protect against data breaches is simple training. While hackers make headlines, most data breaches are caused by human error. Employee negligence is responsible for more than a third of all breaches. Simple firm- or company-wide training can help reduce risks.
Your focus shouldn't be on electronic data alone, either. Almost one in every five breaches involves paper records, not just digital ones.
Detect and Respond
Most companies don't realize their protection has been compromised until several months after the breach occurred. Instituting plans to detect breaches early on can help limit their severity. An early response also means you'll have more time to limit the damage.
Unfortunately, many lawyers, especially general counsels, still lack expertise in cybersecurity. According to a survey of corporate officers, cybersecurity was one of the areas where in-house counsel needed the most education and experience.
So please, brush up on your cyberlaw, before you get blindsided.