Monthly Archives: September 2014

A ‘Big Picture’ Paradigm Shift for Healthcare Data Security

At certain points in history, it becomes apparent that the only way to solve a major question or overcome a monumental challenge is to change our governing perspectives on the matter. These paradigm shifts are sparked by discoveries like the roundness of the earth and the centrality of the sun within the solar system. The concept is astonishingly simple: once we change the way we look at a problem, we may find the key to solving it. Such a paradigm shift might serve the complex and increasingly chaotic realm of healthcare data security.

Beyond the Security Team

In a recent interview with Healthcare IT News ahead of his keynote at Boston’s Privacy & Security Forum, Texas Health Resources CIO Ed Marx describes his organization’s approach to healthcare privacy and security as starting from the position that security is “everyone’s responsibility.”

Instead of taking a laissez-faire approach and trusting the IT department to run interference for the entire 25-hospital system, Marx asks his 24,000-strong workforce to treat security as an all-in proposition. Texas Health is fostering an atmosphere of vigilance across the whole employee team, not just the security professionals. This “culture of security” is backed by yearly training sessions and proficiency tests that reinforce the organization-wide commitment to improving security and protecting patient records.

Never Break the Chain

This approach to protecting personal health information goes beyond enlisting workers in a common cause. Marx also overhauled the reporting lines within his organization and formed a security task force that reports to the health system’s board of directors.

Visibility and accountability are the primary drivers of security at Texas Health: “We have a direct line of sight from the chairman of the board, who sits on the committee, all the way down to the individual employee.” Marx continues, “When we need support, we get it because we have this governance council for security and straight access to the board.” Marx and his team clearly mean business, a mindset patients should appreciate given the risky state of security at many other healthcare organizations nationwide.

At such a crucial time in the healthcare security realm, when many organizations lack direction while risk to consumer personal health information grows increasingly higher, perhaps this thinking will inspire a much-needed healthcare security paradigm shift.

Written by Dean Van Dyke

Dean Van Dyke is the Vice President of Business Process Optimization for iBridge. He brings more than 18 years of customer relations, business process outsourcing, lean six sigma, program/project management, records management, manufacturing, and vendor management experience to iBridge. Mr. Van Dyke was the former head of Microsoft’s corporate records and information management team, and served honorably for over fourteen years in the U.S. Navy and Army National Guard. He received his Bachelor of Science in Business Administration from the University of South Dakota and his Master’s in Business Administration from Colorado Technical University.

The Challenge of Digitizing Federal Records, or Can Anyone Get Along with the IT Department?

IT departments have the dubious distinction of being the workplace department with which just about every other group struggles to get along. Whether the friction comes from the IT pros themselves or, more likely, from their understandable frustration with everyone else’s inability to grasp the basic tenets of how a network functions, IT professionals are vital to any office environment.

The IT specialists who populate the federal government are perhaps the most central of all, and their partnership with records management (RM) professionals will be the key to successfully implementing the new digitization benchmarks for federal records. In light of the new federal standards for digitizing and managing records, that partnership has never been more important.

It’s not just cost savings and efficiency at stake. As the 2011 Presidential Memorandum on Managing Government Records points out, “Records transferred to the National Archives and Records Administration (NARA) provide the prism through which future generations will understand and learn from our actions and decisions.” So how can IT pros and RM specialists work together to improve procedures for the classification, cataloguing, and preservation of vital federal records?

Clearer Communication

IT and RM folks must find a better way to communicate if they are to accomplish their objectives without discord. Each side uses its own jargon, which complicates already tense questions of jurisdiction. Rising to meet the challenge set by the Obama administration’s federal records digitization initiative demands a common set of terms and a common language.

Mutual Goals

Project managers, yet another corporate group prone to clashing with those “pesky” IT folks, love to throw around the S.M.A.R.T. criteria for well-formed goals. The acronym stands for Specific, Measurable, Achievable, Relevant, and Time-Bound. To succeed in meeting the administration’s directives for the new federal records digitization standards, teams on both sides must agree on S.M.A.R.T. goals that unite them in a common cause.

Sustainable Space and Services

Besides the mounting concern about where all these newly digitized federal records will be stored, the RM and IT professionals working on this project must arm themselves with the right software and services to build sustainable records archives. Without careful consideration of these issues in the short term, the long-term prognosis for digitized federal records may be rather grim: far from the proverbial crystal-clear “prism” through which future generations can judge our present governmental actions.

Records Management for a Digital Future

The current administration has set a goal for the federal IT and RM professionals working on this massive project; how successful their work turns out to be will depend heavily on their ability to collaborate on the points above.

Written by Desh Urs

Desh Urs brings more than 20 years of entrepreneurial, start-up and Global 500 corporate experience in sales, marketing and general management to the customers of iBridge. He has led sales organizations as SVP at Qsent, Inc. and VP at Acxiom Corporation, and has focused on the usage of data in data distribution, direct marketing, fraud prevention, and law enforcement.

As a Vice President of Global Sales, Services, and Marketing at Silicon Graphics, Inc., Urs managed engineering and non-engineering functions, developing solutions in sciences, telecommunications, manufacturing, media, business, and defense intelligence, for companies with revenues of several billion dollars. During his tenure as Vice President at Think Tools AG and Brio Technology, Inc., he ran business development and alliances providing solutions in Business Intelligence and Decisions Cycle Management to Global 100 corporations worldwide. In the late 1980s, Urs founded Indus Systems, Inc., which he profitably sold to a systems integration company.

Urs serves on several Advisory Boards, as well as many company Boards, in the United States and India.

The Coming Storm: 5 Tips for Protecting Revenue Cycles Now In Preparation for ICD-10

Across the country, medical practices from single-practitioner offices to large medical groups are preparing to face a storm of epic proportions: the upcoming implementation of ICD-10. The consensus seems to be that ICD-10 will bring an unavoidable punch to the gut for practices’ bottom lines, but we think that assumes too much. There are several steps that can lessen the blow. Here are five suggestions to help practices prepare effectively for the coming changes.

1. Test System Compatibility With Vendors

To make sure that what we have here is not a “failure to communicate,” practices should talk to vendors now to determine whether and when they plan to upgrade, and how their systems will interact. Consider testing systems to locate weak points, and document the results so that problems are actionable now, not later.

2. Hire New Staff to Shoulder Increased Work Burden

Practices may experience higher numbers of claim rejections and denials following implementation of ICD-10. Now is an excellent time to consider bringing in new staff or third-party experts to help shoulder the heavier workload that increased denials will bring. This extra help can also make it easier to identify denial trends so coders can adjust and cut down on future denials.

3. Prepare to Protect Productivity

It’s important to invest in measuring and improving coding productivity now to create a seamless transition a year from now. Staff should practice coding in the “language” of ICD-10 on existing medical records. It may also be wise to break up coders into several specialties so they can become coding “masters” of particular diagnoses and tests. There is plenty of time now to hire new staff and train existing team members to increase productivity in the short term and protect it after implementation.

4. Learn to Avoid Audits

With greater numbers of rejected claims, implementation may also increase the number of audits practices face. Invest in clear communication with healthcare payers in order to weed out unspecific codes and ensure that diagnoses match the clinical reports. Ask for clear communication from payers and give them the same courtesy; this conversation will reduce the risk of shockingly high audit numbers come fall of 2015.

5. Protect against Cash Flow Problems

To prevent financial disaster with the coming of ICD-10, adopt several short-term strategies to protect long-term cash flow. Alongside clear communication with healthcare payers, practices should invest in training staff on ICD-10 and clearing out any existing backlogs before the new rules go into effect. Testing reimbursement systems and examining denials and the time lapse between claim submission and payment can add clarity to the transition.

ICD-10 doesn’t have to spell disaster, but learning this new coding language will undoubtedly cause practices and healthcare payers to reenact a scene from the Tower of Babel… at least, in the short-term. Consider undertaking steps like those above to soften the blow, and invest time now into ensuring a smooth transition.

Written by Dean Van Dyke

Turns Out HIPAA Is Full of Healthcare Privacy Holes

Most consumers believe they can put their faith in HIPAA, the federal law designed to make health insurance more portable and to eliminate fraud. Notice we didn’t describe it as a privacy law; while some provisions put patient privacy at the forefront, HIPAA doesn’t always keep consumer personal health information (PHI) under lock and key.

The HIPAA Privacy Rule established national standards for protecting individually identifiable health information held by covered entities such as providers and insurers, by limiting what they may use and disclose without the patient’s authorization. However, according to a new report from the California Healthcare Foundation entitled “Here’s Looking at You: How Personal Health Information Is Being Tracked and Used,” there is a lot more consumer health information floating around in cyberspace, and outside those limits, than one might imagine.

Where Does Protection Come In?

There are many ways that both legitimate organizations and ill-intended actors can capture PHI and other private data and then sell it on, without the consumer’s consent or knowledge.

What are the different categories not protected under HIPAA’s privacy provisions? The extent of it might surprise the average patient:

  • Internet searches for health and healthcare information
  • Healthcare products and medications purchased online
  • Purchases of dubiously health-related items such as trans-fat laden fast foods or tobacco products
  • User profiles and activity on health-related social networks such as Sermo and PatientsLikeMe

While the revelation that the information above is not protected is sobering, is it cause for panic? Not necessarily. Much of the data collected via these avenues is used not for criminal reasons but for marketing. The report found that the data mined from these routes may be useful in improving results in clinical trials and targeting affected individuals who may benefit from upcoming vaccine or treatment trials.

Online Activity vs. Privacy Implications

Either way, consumers should know that their online activity – even that related to health and healthcare – is not private. Jane Sarasohn-Kahn, a health economist and principal author of the aforementioned report, states: “Even consumer footprints that are not expressly about health can be used to help determine a person’s physical or mental health. How we shop, the magazines we subscribe to, where we hang out on the weekend – this information is relatively easy to purchase by third parties.”

Understandably, many consumers and consumer advocates are disturbed by the revelations in the California Healthcare Foundation report. Fortunately, Sarasohn-Kahn offers several propositions designed to increase consumer protection without cutting off healthcare data sharing completely:

  • Increase security on PHI through “health data lockers” and more private cloud storage for healthcare data.
  • Boost transparency and simplicity in the regulation of the healthcare data market so there is greater oversight and less rampant capturing, selling and use of consumer information without knowledge or consent.
  • Empower consumers by getting their consent before capturing data or enacting “meaningful protections” to prevent malevolent data mining and usage.

Even the FTC has weighed in on this issue. In a June 2014 statement, FTC commissioner Julie Brill demanded congressional action: “Since most consumers have never heard of data brokers, we call on Congress to enact legislation that would lay out their existence and activities at a centralized portal, a solution I have long advocated. At this portal, data brokers could identify themselves, describe their information collection and use practices, and provide links to access tools and opt outs.”

What will be done to protect PHI remains to be seen. While HIPAA helps safeguard certain types of consumer information, the healthcare data that lies outside its jurisdiction is caught in a data-mining free-for-all that could put consumer privacy at significant risk.

Written by Dean Van Dyke

Is ICD-10 Putting Your Revenue Cycle at Risk?

There is a great deal of anxiety and trepidation in the medical community right now as providers across the country brace themselves to prepare for the inevitable sucker punch that will result from ICD-10 implementation. While there will be a period of adjustment following full enactment in October 2015, ICD-10 doesn’t have to be a practice’s downfall. A few preparatory steps now will help prevent major headaches and minimize the potential impact on future revenue cycles.

Let’s look at a few potential consequences of the upcoming transition to ICD-10 and investigate some preemptive steps practices can take now to set themselves up for future success.

Pain Point 1: Increased Claim Denials

Coders will likely see higher numbers of denied claims from healthcare payers once ICD-10 goes into effect due to the natural fallout of everyone figuring out the new system. To avert disaster, try these strategies for the short term:

  • Prior to the launch of ICD-10, analyze rejection trends for ICD-9 claims to find where rejection rates are high and why. Understanding this will help you plan for ICD-10 and anticipate similar trends.
  • Designate one point-of-contact as your “claims denial czar.” This individual will communicate directly with insurance companies and healthcare payers when ICD-10 claims are denied.
  • The same staffer can identify claim rejection trends to improve filing processes and cut down on future denials.

Pain Point 2: Collapsing Productivity

The sudden burgeoning of new diagnosis codes coupled with a more complex coding system for procedures may throw a wrench in your staff’s efficiency levels. Following a few simple tips can help bypass a major productivity problem.

  • First, assess your staff’s current productivity levels with ICD-9 claims. This analysis will allow you to determine current productivity and forecast your staffing levels. It is better to know your productivity numbers now so you can assess any impact that may manifest as ICD-10 goes into effect.
  • Depending on your productivity analysis, you may need to bring on an additional staff member or two to bolster claim processing efficiency. Make sure your processes are optimized first, however, because adding staff to inefficient processes may reduce your productivity.
  • Train individual coders to become masters of certain specialties to keep productivity high.

Pain Point 3: System Failures

When the new coding bible goes live, practices won’t be the only entity affected. Medical vendors are also likely to struggle to keep things running smoothly should incompatible systems create problems when interacting with practices and payers. To prevent catastrophe:

  • Communicate with vendors now so you’ll know what to expect when they upgrade their systems.
  • Identify areas that must be tested and arrange a testing schedule with each party.
  • Pay attention to the results gleaned from testing; this helps show exactly where to focus your efforts when working to improve system compatibility.

Pain Point 4: Awful Audits

It’s not just increased denials likely to turn a practice from a smooth operator into a smorgasbord of problems; ICD-10 will likely also usher in a new era of increased auditing due to changing audit criteria. With a solid proactive approach, though, audits can (hopefully) be avoided.

  • Avoid unspecified codes at all costs!
  • Get specific with healthcare payer policies for ICD-10 and know what level of specificity they’ll require to successfully process payments.
  • Verify that coders are successfully matching diagnosis codes to detailed clinical reports.

Ultimately, a practice’s success or failure leading up to the implementation of ICD-10 will come down to one key factor: clear communication. After all, that’s what coding is all about! Take time now to train existing staff, hire additional coders to handle specific functions and communicate with both payers and vendors to ensure a transition that’s as close to seamless as possible. A little preventive care is our prescription for a healthy handoff to the new era of medical claims classification.

Written by Dean Van Dyke

How Much Could a HIPAA Breach Cost You? A Rhode Island Hospital Finds Out the Hard Way

Playing fast and loose with patients’ personal health information is no small matter. For the administration at Rhode Island’s Women & Infants Hospital, a civil penalty of $150,000 is what it took to settle allegations of negligence in safeguarding the private healthcare data of over 14,000 patients.

Though the hospital in question is located in Rhode Island, the suit was brought by Massachusetts Attorney General Martha Coakley because the vast majority of patients whose personal health information (PHI) was leaked – 12,127, to be exact – were Massachusetts residents. Information compromised in the HIPAA breach, which occurred in spring of 2012, included patients’ names and birthdates, ultrasound imagery, Social Security numbers, and physician information.

Perhaps most shocking is that the PHI compromised in this breach was stored on unencrypted backup tapes. In a modern healthcare security environment, there is no excuse for a hospital to forgo encryption on media that holds patient data. The 19 backup tapes were meant to be shipped to a secure off-site data center before being archived, along with legacy radiology files and data, in a new picture archiving and communication system (PACS). Somewhere along the way, however, the unencrypted tapes disappeared. Though they went missing in spring of 2012, the breach was not reported until September of the same year.

Of the epic healthcare security failure by Women & Infants Hospital (WIH) of Rhode Island, Coakley said: “Personal information and protected health information must be properly safeguarded by hospitals and other healthcare entities… This data breach put thousands of Massachusetts consumers at risk, and it is the hospital’s responsibility to ensure that this type of event does not happen again.”

Besides the first failure, the lack of encryption on the 19 backup tapes, Coakley’s office determined there were other security missteps that led to the massive leak of PHI. The hospital had inadequate inventory and tracking systems, and its lack of solid employee training in handling and securing private patient data resulted in a delay in reporting the breach.

On top of the hefty $150,000 fine, the settlement requires WIH of Rhode Island to undertake a few steps intended to prevent such a security breach from occurring in the future. They include:

  • Regular security auditing
  • Immediate action to correct any weaknesses or failures discovered during the audit process
  • Updating and maintaining chain of custody procedures
  • Inventory of any unencrypted devices containing PHI
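The last two requirements, chain-of-custody procedures and an inventory of unencrypted media holding PHI, are the ones a security team can actually mechanize. What follows is an added example, not code from the post or from the hospital: a small Python inventory check that flags media recorded as unencrypted but holding PHI, media whose custody log shows a shipment with no confirmed receipt inside a transit window, and media with no custody record at all. The record layout, tape identifiers, dates and the seven-day transit window are all constructed assumptions for illustration.

```python
"""Backup-media inventory and chain-of-custody check (added example).

The findings this produces are the ones a settlement like WIH's asks for:
which media hold PHI without encryption, and which shipments were never
confirmed received. All records below are constructed sample data.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

SHIPPED = "shipped"
RECEIVED = "received"


@dataclass
class Medium:
    media_id: str
    contains_phi: bool
    encrypted: bool
    # custody events: (timestamp, holder, action), appended at each hand-off
    custody: list = field(default_factory=list)


def find_unencrypted_phi(inventory):
    """Media IDs that hold PHI but are not encrypted at rest."""
    return sorted(m.media_id for m in inventory if m.contains_phi and not m.encrypted)


def find_unaccounted(inventory, now, max_transit=timedelta(days=7)):
    """Media whose custody chain is missing or broken.

    Flags: no custody record at all; a receipt logged with no prior shipment;
    or a shipment still unconfirmed after max_transit. Returns media_id -> reason.
    """
    findings = {}
    for m in inventory:
        events = sorted(m.custody)  # chronological; tuples sort by timestamp first
        if not events:
            findings[m.media_id] = "no custody record"
            continue
        if events[0][2] == RECEIVED:
            findings[m.media_id] = "received without a shipment record"
            continue
        last_ts, _holder, action = events[-1]
        if action == SHIPPED and now - last_ts > max_transit:
            days = (now - last_ts).days
            findings[m.media_id] = f"in transit for {days} days without receipt"
    return findings


def audit(inventory, now, max_transit=timedelta(days=7)):
    """Combine both checks into one report: media_id -> list of findings."""
    report = {}
    for mid in find_unencrypted_phi(inventory):
        report.setdefault(mid, []).append("unencrypted media holds PHI")
    for mid, why in find_unaccounted(inventory, now, max_transit).items():
        report.setdefault(mid, []).append(why)
    return report


# Constructed sample inventory: the "now" and all dates are hypothetical.
NOW = datetime(2012, 6, 15)
SAMPLE_INVENTORY = [
    Medium("TAPE-001", contains_phi=True, encrypted=True,
           custody=[(datetime(2012, 4, 2), "hospital-it", SHIPPED),
                    (datetime(2012, 4, 4), "offsite-dc", RECEIVED)]),
    Medium("TAPE-002", contains_phi=True, encrypted=False,   # the WIH pattern
           custody=[(datetime(2012, 4, 2), "hospital-it", SHIPPED)]),
    Medium("TAPE-003", contains_phi=False, encrypted=False,
           custody=[(datetime(2012, 4, 2), "hospital-it", SHIPPED),
                    (datetime(2012, 4, 3), "offsite-dc", RECEIVED)]),
    Medium("TAPE-004", contains_phi=True, encrypted=True, custody=[]),
    Medium("TAPE-005", contains_phi=True, encrypted=True,
           custody=[(datetime(2012, 4, 5), "offsite-dc", RECEIVED)]),
]

if __name__ == "__main__":
    for media_id, reasons in sorted(audit(SAMPLE_INVENTORY, NOW).items()):
        print(media_id, "->", "; ".join(reasons))
```

Run on the sample data, TAPE-002 is reported twice (unencrypted PHI, and shipped in April with no receipt by mid-June), TAPE-004 has no custody record and TAPE-005 was received with no matching shipment; TAPE-003 is unencrypted but carries no PHI, so it is not flagged. The point of running this on a schedule rather than once is that a missing receipt surfaces within days, not the months the post describes.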

It’s likely that the coming years will usher in a new era of no-nonsense enforcement of HIPAA security laws. Massachusetts has a history of being a stalwart defender of patient privacy with actions like this and several others. Healthcare institutions still being too casual with PHI should pay heed to the consequences faced by WIH of Rhode Island and investigate their own practices and procedures to ensure that patient security is a top priority.

Written by Dean Van Dyke

The eDiscovery Dictionary: Common Jargon De-Fragged for Your Reading Pleasure

The eDiscovery world is constantly changing, so even seasoned pros can use a brush-up on commonly used terms. As a quick primer, here are a few examples of the most misunderstood eDiscovery jargon to help lift your lexical load.

  • Archival Data: Archival data is preserved for record keeping and maintained for long-term storage. It may be stored on DVDs, backup drives and other external removable media.
  • Bates Numbers: This system of sequential numbering is used to track documents, photographs and native-format production sets to identify pertinent information such as producing party or case name.
  • Chain of Custody: Used to verify authenticity of evidence, a chain of custody is the system of tracking and logging all parties who handle, access and transport any electronically stored information (ESI) from the time of initial collection to its presentation as evidence.
  • Custodian: Also called a “record custodian,” this is the individual in charge of the physical storage and security of all computer records. When used regarding a legal dispute, the term “custodian” may refer to multiple individuals who possessed, created, sent/received, stored, or accessed ESI relevant to the case.
  • Data Mapping: The technique used to capture (“map”) information about how ESI is stored. May be basic, including only names and locations, or complex, including software, format, backup information and more.
  • Deduplication (“De-duping”): This process compares multiple electronic records and removes duplicates to reduce bulk within a data set.
  • Duty to Preserve: Under state or federal law, the duty to preserve arises upon reasonable anticipation of litigation and requires the preservation of all ESI that may relate to a legal dispute.
  • Filtering: Using metadata and search metrics to isolate and remove ESI irrelevant to the current litigation.
  • FRCP: Federal Rules of Civil Procedure, the guidelines that define eDiscovery protocol and other aspects of litigation.
  • Index: Database field used to categorize, itemize and label each document or record relevant to the eDiscovery matter at hand.
  • Litigation Hold: A communiqué issued following notice of a formal duty to preserve, which instructs all parties that they must adequately preserve any potentially relevant evidence.
  • Metadata: Data that describes key features of ESI that may be found in different places or forms.
  • Native Format: A document’s original format as it was created in the original application (before conversion to different file type such as a PDF).
  • Optical Character Recognition (OCR): A digital process that converts scanned images of paper documents into machine-readable text that a computer can search and manipulate.
  • Predictive Coding: Sometimes called Technology Assisted Review (“TAR”). Identifying and tagging documents for review using algorithms to assess the potential relevance of documents.
  • Preservation: Identifying, assessing and retaining documents and data for an ongoing legal dispute.
  • Production: Producing and delivering documents including ESI to another party for review in response to a discovery request.
  • Retention Period: The time period that a certain data set must be maintained.
  • Spoliation: The alteration or destruction of relevant evidence, or a failure to preserve evidence when litigation is imminent or ongoing.
  • Tagged Image File Format (TIFF): A static image format widely used to produce fixed, page-by-page renderings of native documents. Converting to TIFF freezes the document’s appearance but discards the native file’s metadata, which must be produced separately if needed.
  • Virtual Private Network (VPN): An encrypted tunnel across a public network that authenticates users and protects data in transit, so that reviewers can reach sensitive ESI remotely without exposing it to unauthorized parties.
For more information about eDiscovery, visit our Frequently Asked Questions page.
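Two entries above, Deduplication and Bates Numbers, describe mechanical steps that are easier to trust once you have seen them carried out. The block below is an added example, not part of the original glossary and not iBridge’s own tooling: it hashes each document with SHA-256, keeps the first copy of each hash while recording every custodian who held a duplicate, and then assigns sequential Bates numbers to the surviving set. The custodians, filenames, contents and the “ACME” Bates prefix are constructed for illustration.

```python
"""Hash-based deduplication and Bates numbering (added example).

Exact-hash de-duping removes byte-identical copies only; the last sample
document differs by a trailing newline and so survives as a separate record,
which is the usual argument for normalizing content before hashing.
"""
import hashlib

# Constructed sample collection: (custodian, filename, content bytes)
SAMPLE_DOCS = [
    ("alice", "memo.txt", b"Board update: Q3 numbers attached."),
    ("bob", "memo copy.txt", b"Board update: Q3 numbers attached."),
    ("bob", "notes.txt", b"Call vendor re: PACS migration."),
    ("carol", "memo.txt", b"Board update: Q3 numbers attached."),
    ("carol", "draft.txt", b"Call vendor re: PACS migration.\n"),  # near-duplicate
]


def content_hash(data: bytes) -> str:
    """SHA-256 of the raw bytes; the value is also what a chain-of-custody log records."""
    return hashlib.sha256(data).hexdigest()


def deduplicate(docs):
    """Return (unique_docs, holders).

    unique_docs keeps the first occurrence of each hash as (hash, custodian,
    filename, content). holders[hash] lists every (custodian, filename) that
    held that content, so the production can still show who had the duplicates.
    """
    holders = {}
    unique = []
    for custodian, name, content in docs:
        h = content_hash(content)
        if h not in holders:
            holders[h] = []
            unique.append((h, custodian, name, content))
        holders[h].append((custodian, name))
    return unique, holders


def bates_number(unique_docs, prefix="ACME", start=1, width=6):
    """Assign sequential Bates numbers (e.g. ACME000001) to the deduplicated set."""
    return [
        (f"{prefix}{start + i:0{width}d}", h, custodian, name)
        for i, (h, custodian, name, _content) in enumerate(unique_docs)
    ]


def run(docs=SAMPLE_DOCS, prefix="ACME"):
    """De-dupe, number, and return (numbered_docs, holders)."""
    unique, holders = deduplicate(docs)
    return bates_number(unique, prefix=prefix), holders


if __name__ == "__main__":
    numbered, holders = run()
    for bates, h, custodian, name in numbered:
        dupes = len(holders[h]) - 1
        print(f"{bates}  {custodian}/{name}  sha256={h[:12]}...  duplicates={dupes}")
```

On the sample set, five documents collapse to three Bates-numbered records: the board memo is produced once under alice’s copy with bob and carol listed as additional holders, while carol’s draft, differing only by a trailing newline, is numbered separately. Near-duplicate detection needs content normalization or similarity hashing on top of this.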

Written by Simeon D. Rapoport

Simeon D. Rapoport is the Vice President & General Counsel for iBridge. He’s been an attorney for more than 25 years, began his career working in the courts and private practice for more than 10 years, and has been in-house corporate counsel since 1998. Rapoport’s experience includes private practice with the large West Coast firm of Bullivant Houser and more than 10 years at Standard Insurance Company. Rapoport is a frequent author and speaker, and he enjoys being active in Bar and civic groups. His interests include family, fitness, outdoor activities, and travel.

Can Old Laws Handle New Technology?

With the increasing availability of apps that do everything from tracking caloric intake while dieting to monitoring sleep habits to optimize your morning wakeup, it was only a matter of time until fully wearable gadgetry caught on. Now, with the exploding popularity of innovations like Fitbit and other wearables, valid questions about where privacy, legality and health habits all intersect are an open discussion.

The Future of Wearables

The estimated revenue for the wearable device market is $1.6 billion; projections are this number will more than triple as early as 2016. If the success of the ever-expanding smartphone and tablet market (which last year topped $66 billion) is any indicator, then wearable devices are perfectly poised to be the next big thing.

Forward-thinking tech companies—like Apple with its heavily anticipated iWatch release, or Google, which has scheduled mass distribution of Google Glass for later this year—are planning for success for the wearables market. However, how do these same companies protect the highly personal information that such devices track, collect, and store?

Healthcare and Privacy Concerns

For every wildly enthusiastic endorsement of wearable tech, there are at least as many detractors, especially over privacy. Consumers can receive, transmit and share more data than ever, almost instantaneously. Even when this happens with the casual intention of interacting with friends or tracking one’s own health and exercise habits, the fact remains that any stored, transmitted, or shared data is potentially vulnerable to access by an unauthorized party.

The implications of this information being accessible even to a legitimate outside organization are widespread. Should an insurance company have access to blood sugar levels as recorded and transmitted by insulin pumps? Could an employer monitor exercise levels as part of its own insurance provision requirements? Is the consumer unaware of third-party agreements in place that allow access to this data?

Wearables and Legal Rights

As is typical with technology-related concerns, the legal world is struggling to keep up with wearable tech. In some cases, stretching old laws to apply to new tech is a workable solution; in others, the need for new, more applicable language is clear. In the meantime, legal counsel and consumers are trying to work out how to create a world where wearables and privacy rights can peacefully coexist.

This scenario is nothing new as far as the battle between development and litigation goes. Back in 1890, the legal world was very concerned over the introduction of handheld cameras. How could anyone feel safe when a newspaper photographer could capture an image in a private space and publish that image the next day? The technology was invasive, an obvious intrusion into an individual’s expected right to privacy.

Now, more than a century later, the only thing that has changed is the name of the gadget. As with handheld cameras, the law can and will adapt to reflect the changing times.

Written by Simeon D. Rapoport

5 Tips for Gracefully Handling Your Data Breach

You can barely throw a rock on the Internet these days without hitting a piece of advice on the best way to prevent a data breach. Yet, any organization that falls victim to such an attack is likely to find little guidance about the next steps to take. What’s the most appropriate way to share the news about a security incident?

Know Your Audience

The key in finding the best approach to take is to first understand that the message may have to vary slightly depending on the recipients to address their pain points and concerns:

  • Consumers worry about their privacy. Will they need to switch banks? Cancel cards? Should they continue doing business with the affected company?
  • Regulatory bodies like the Federal Trade Commission will want to verify that the technical aspects—like fulfilling any statutory obligations—of the announcement meet certain standards.
  • Banks will want details about how the affected company will address the costs for issuing new cards to consumers.
  • The board and the shareholders are more concerned about company worth and viability, and how or if such an incident compromises an organization’s value.

Given that this is just a cross-section of those who might be affected by a data breach, it is easy to see why any official message must be tailored according to the audience.

Tips for Taking the Plunge

Once it’s time to explain, remember that honesty is the best policy… with these tips:

  1. Find the right balance between planning when and how to discuss any cyberattack with those affected, whether that means shareholder or cardholder. Some companies have found success with making an initial limited disclosure, then releasing more details upon investigation completion, but don’t deliberately downplay the gravity of the situation either. Also, comply with all mandatory disclosure timelines.
  2. Remember that language is everything. A “cyberattack” suggests an unforeseen and unpredictable outside force, while a “data breach incident” subtly implies that the company is at fault. Choose every word carefully.
  3. Know your rights. Reporting information to the authorities may negate the protective status of attorney-client privilege. Although cooperation with law enforcement is a must, do so with the guidance and advice of counsel rather than disseminating information too quickly.
  4. Remember that excessive compensation isn’t a must. Although offering a type of loyalty reward, like free credit monitoring, as a gesture of thanks to affected customers is understandable (and often appropriate), going overboard with an offer that’s disproportionately generous can seem suspicious in an overly culpable kind of way. Always weigh the considerations of such offers against the possible costs.
  5. Don’t be afraid to involve forensics consultants as part of damage control. Digital evidence can uncover any indicators that point to a preventable security compromise, or it can provide proof that absolves an affected company completely.

Although any data breach incident—ahem, cyberattack—can feel like a PR nightmare, it doesn’t have to be. Going public with a data breach can be handled with professionalism and grace, as long as a solid strategy is set in place before any information is released about the incident.

Written by Dean Van Dyke

Dean Van Dyke is the Vice President of Business Process Optimization for iBridge. He brings more than 18 years of customer relations, business process outsourcing, Lean Six Sigma, program/project management, records management, manufacturing, and vendor management experience to iBridge. Mr. Van Dyke was the former head of Microsoft’s corporate records and information management team, and served honorably for over fourteen years in the U.S. Navy and Army National Guard. He received his Bachelor of Science in Business Administration from the University of South Dakota and his Master’s in Business Administration from Colorado Technical University.