Mobilizing Communications on a Massive Scale

WPNT Ltd. sat down with risk management & remediation experts Aaron Carlson of Rust Consulting and Doug Pollack of idExperts. Here are their thoughts on mobilizing communications on a massive scale.

A conversation with two risk/remediation experts

Q Given the speed of communications today with social media, the blogosphere and YouTube, what is the amount of time or window of opportunity for a company to activate a large-scale communications response effort in the event of a crisis or incident?
A While social media means word can spread quickly, under the HIPAA HITECH law, companies have no more than 60 days to notify affected individuals. However, situations vary, and at times companies choose more immediate communication, whether for safety, ethical, or legal reasons. For food and product recalls, the risk of injury, illness, and potentially death means time is of the essence. Many times, we're going live with our emergency call center services within 24 hours of being notified by the affected company. With the HITECH Act requirement to notify the media, in addition to the affected individuals and the US Department of Health and Human Services, it is essential to have a coordinated communications plan pre-defined as a component of a comprehensive data breach incident response plan (IRP).
Q Can you talk about the public opinion fall-out from product recalls, data breaches and other issues for organizations for those that are prepared vs. those that are not?
A Word gets around very quickly when a company isn't handling a situation like a data breach or recall properly. When a company delays in communicating the incident or isn't up-front about what happened, word spreads very quickly via the mainstream media and social media. Consequently, customers become outraged, feel betrayed, and may take their business to another company. As the enforcement environment has picked up, and fines and penalties are being levied, there is additional fuel being thrown on the fire for organizations that aren't prepared or aren't addressing the incidents in good faith. However, a company that is prepared and handles an incident in a timely and up-front manner can solidify its customer relationships: people tend to be forgiving. These situations provide an opportunity for a company to improve its reputation and gain customers' long-term trust.
Q Technology has improved the speed of business exponentially, but at the same time poses a greater threat than ever when it comes to data breaches and misuse of personal identity information. This must be reflected in the growth of your organizations. Please comment.
A The number of data breach responses with which we have been involved has steadily risen since 2005, and our increasing business directly corresponds to the number of data breaches that are reported. Sadly, it has become relatively common for a person to receive notification that a piece of sensitive information (Social Security number, account number, personal health information, etc.) has been exposed—or even misused. Additionally, the passage of the HITECH Act in 2009 has raised the bar in terms of privacy and security requirements for healthcare organizations. Because of the notification requirements in HITECH, there has been dramatic growth in healthcare data breaches where protected health information (PHI) is improperly disclosed.
Q How do companies protect themselves from data breaches if they must rely on third-party organizations for archiving and maintenance of personal information?
A According to the Ponemon Institute's Cost of a Data Breach study, third-party organizations accounted for 42 percent of all incidents, so it's imperative for companies to make the right choices in their business partners. The best way for companies to protect themselves from data breaches (whether they deal with personal information internally or through third parties) is with due diligence. Companies must be sure that the third-party organizations with which they're involved have the right systems, controls, and certifications in place (for instance PCI and HIPAA Security). We undergo audits from a lot of the companies with which we work, in addition to our own annual, third-party audits.
It's also important that companies put their own employees through the right training, as we see a lot of data breaches that are the result of human error. Lost or misplaced laptops, backup tapes, thumb drives, and PDAs all can cause data breaches. The need to have proper procedures and controls associated with maintaining the privacy of personal information, as well as means to periodically test your organization's compliance with these controls, is essential.
Q How much does a typical company spend on data breach incidents annually? What types of organizations and individuals are most at risk in a data breach? Are data breaches preventable?
A According to the study just mentioned, the average cost of a data breach in 2009 was $204 per compromised customer record. Any organization that houses sensitive data is at risk for a data breach. Certainly the organizations that house the most data have the most risk. We see a lot of incidents that involve healthcare companies (especially with the HIPAA HITECH regulation that came out of the stimulus package in 2009). We also see a lot of data breaches that involve financial institutions, insurance companies, and universities. While there is a lot that organizations can do to protect and secure personal information, there is no "silver bullet" to prevent data breaches from occurring. They are virtually a way of life for healthcare organizations because of the need to have PHI readily available to so many individuals.
Aaron Carlson, Rust Consulting

Doug Pollack, idExperts - Complete data breach care