Why is eDiscovery a Mystery to Attorneys? Pt. 2


Back in March of 2015, we wrote about why eDiscovery, one of the legal profession’s most powerful tools, is also among the most poorly understood by attorneys.

Almost a year later, not much has changed. Here’s part 2 of why eDiscovery is still a mystery to attorneys.

It’s critical for organizations to be able to access documents, emails, and even text messages easily. If those forms of information are deleted without being properly preserved, they could be lost forever. This poses a problem when a company must produce these records for regulatory compliance, a legal case or an employee dispute.

There have been countless examples of how an archiving system has affected a company, both negatively and positively. Easy access to archived documents, emails and messages takes the guesswork out of certain situations and will ultimately protect your company if used correctly. Greg Arnette, founder and CTO of Sonian, a pioneer in cloud-powered archiving, has identified nine situations in which having records accessible, or not having them accessible, has significantly affected companies and employees.

Lack of Understanding That ESI (Electronically Stored Information) Is More Than Office Documents

YouTube videos, Facebook and Twitter posts have been used as evidence. Voice mail, calendar and journal entries, and instant messages also fit the bill. As Kentucky attorneys Michael Losavio and Jennifer Hans point out, ESI can be stored just about anywhere – including hard drives, RAM, cell phones, PDAs, flash or thumb drives, and even MP3 players.

Fear or Inadequate Knowledge of ESI (Remember ESI can make or break your case)

It’s a lesson California-based outdoor furniture supplier Creative Pipe had to learn the hard way. After the company allowed opposing counsel to use an untested keyword search tool that unearthed 165 documents of privileged data during the discovery process, the court determined Creative Pipe had waived privilege on those documents because it had not taken care to protect them. Creative Pipe’s opponent could use any of those documents as evidence against Creative Pipe.

Failure to Approach ESI Proactively

The best approach to ESI is a proactive one. Attorneys must understand that, to avoid errors like those made by Creative Pipe and others who have been in the news the past few years, it is not wise to put ESI archiving/eDiscovery policies on the back burner. Figure out where all of your ESI is and whether (and how quickly) it can be accessed, then address how any new ESI that comes into the system will be managed. Waiting until you have an actual eDiscovery request or regulatory audit notice in hand before deciding what to do is just asking for trouble.

Lack of Best Practice

Best practice is crucial. Developing best practices is the key to navigating the complexities of global eDiscovery matters.

Failure to Procure the Right Technology and Tools

The right technology can make all the difference. Like any software or service, eDiscovery solutions come in a variety of shapes and sizes. Whether it’s an appliance, a hosted solution, or a custom, site-specific implementation, you must shop around to find the one that best meets your needs.

Neither IT nor Legal Should Tackle eDiscovery Alone

Neither IT nor legal should tackle eDiscovery alone. That’s why it’s important to teach the IT and legal departments how to work together to accomplish eDiscovery goals. Some companies are looking to a new breed of IT professional, who reports up through the general counsel’s office, to lead the effort. Others take a team approach, with representatives from each group providing input at the planning and implementation stages.

This post was contributed by Jai Santosh, HR Team Lead.


Your Data and the Law: Unanswered Questions


In the U.S., the pace of technological advance outstrips the ability of the justice system to keep up. Courts are at a loss to fit new technologies into existing legal frameworks and theories. Judges are slow to extend traditional statutory and Constitutional protections to new industries and practices. Until the judiciary catches up, individuals should be careful with how they manage their personal electronic information.

Source: freedigitalphotos.net


One technological issue that the courts only recently have addressed is that of electronically stored information (ESI)—the documents, photos, emails, posts, tweets and computer files of all kinds that now pervade most of modern American life. Numerous legal questions have seen conflicting legal rulings (or no legal rulings) and therefore remain unresolved. For example:

  • Who owns your data? If you store data in the cloud, does it still belong to you, or to the cloud-storage custodian you have entrusted it to? If it is lost, or corrupted, or stolen, who is responsible, and what are the fair and equitable remedies?
  • Who owns data about you, and what are their responsibilities regarding that data? As the Edward Snowden leaks revealed, federal government agencies have met no resistance from phone companies when asking for data regarding people’s calling histories. Even if you do not technically own that data, should you have a right to be informed when the data they are requesting is about you?
  • What—and how much—data can reasonably be seized and searched by law enforcement with a search warrant?

Cases that address these questions (and others) are making their way through the court system and will become settled law. It will take time for law enforcement, prosecutors, defenders and judges to understand the intricacies of these questions and the underlying technologies, and how the existing laws and regulations address them. In the meantime, there are things you should think about regarding your own data:

  • Convenience vs. risk: Although it might make life easier to have documents, photos and other files stored in the cloud, ask yourself: What if the cloud storage company goes out of business, or has a catastrophic technical failure that renders your files temporarily or permanently inaccessible?
  • Protection from snooping: What is the cloud storage company’s policy regarding government requests to access your data? What are the limits to that access? Unless the courts decide otherwise, law enforcement has the right, with a warrant, to access all of your data, including items that are unrelated to the investigation. Even if you have nothing to hide, could the files you store be manipulated, put together and interpreted in a way that makes you (or someone else) look like a criminal?
  • What about your devices? The U.S. Supreme Court ruled unanimously that law enforcement cannot seize or search your cell phone without a warrant. If they obtain a warrant, however, there is nothing to stop them from examining details that have nothing to do with the investigation. It is also unclear how the ruling applies to other types of devices, such as your increasingly computerized and connected automobile.

None of this should discourage anyone from taking advantage of the technological advances making lives easier, more efficient, more informed and more connected. But until the law catches up with the technology, it would be wise to put thought into where you put your data.


Written by Desh Urs

Desh Urs brings more than 20 years of entrepreneurial, start-up and Global 500 corporate experience in sales, marketing and general management to the customers of iBridge. He has led sales organizations as SVP at Qsent, Inc. and VP at Acxiom Corporation, and has focused on the usage of data in data distribution, direct marketing, fraud prevention, and law enforcement.

As a Vice President of Global Sales, Services, and Marketing at Silicon Graphics, Inc., Urs managed engineering and non-engineering functions, developing solutions in sciences, telecommunications, manufacturing, media, business, and defense intelligence, for companies with revenues of several billion dollars. During his tenure as Vice President at Think Tools AG and Brio Technology, Inc., he ran business development and alliances providing solutions in Business Intelligence and Decisions Cycle Management to Global 100 corporations worldwide. In the late 1980s, Urs founded Indus Systems, Inc., which he profitably sold to a systems integration company.

Urs serves on several Advisory Boards, as well as many company Boards, in the United States and India.

Social Security Numbers: A Convenient Way to Get In Trouble


Social Security numbers (SSNs) are a great way to identify people; almost every U.S. citizen, even babies, has one, and each is unique. However, collecting, storing and using them outside of approved contexts not only can put you on the wrong side of state and federal laws, it can also make you a target for hackers.

In the beginning of the U.S. Social Security program, the now-familiar XXX-XX-XXXX number was used to track workers’ contributions and benefits, and nothing else. Over the years, governments at all levels, schools, hospitals, lenders and myriad other organizations found it was convenient to use these numbers to uniquely identify people, for many purposes. There was a time when SSNs were used for tax IDs, student IDs, employee IDs, insurance IDs, and much more. Many even had them printed on bank checks without thinking twice.

Then the Internet happened.

Source: freedigitalphotos.net


Almost overnight, the convenience that made SSNs so broadly used became a liability. Someone with your SSN and not much else could open credit accounts in your name, assume your identity and ruin you financially. Because they were everywhere, SSNs were easy for fraudsters to get. And the Internet, coupled with lax data security practices, made it easy to obtain, distribute, and misuse them.

Governments and businesses got wise and started putting restrictions on the collection and use of SSNs and rules on how they were to be protected. The federal government and over 40 states now have laws that prescribe how, and for what purposes, SSNs may be collected, stored and used by businesses and governments. The laws vary from state to state, but boil down to prohibiting businesses from asking for SSNs except for employment, taxation, background checks and medical treatment. Some states further require businesses that can collect SSNs to meet certain security standards for storing them. Many states also restrict the use of SSNs on printed or electronic documents.

If your business—or a business you deal with—collects SSNs, you should be asking why. If the answer is simply to identify people, the liability you are opening yourself up to outweighs the convenience. Find another way to identify people; most computer systems are good at this.

If you have a legitimate need to collect and store SSNs (and check the laws on what constitutes “legitimate,” not only for your state, but for other states you do business in, plus the federal laws), you had better make sure they are protected. The rules published by the Payment Card Industry (PCI) group for protecting credit card numbers provide good guidance for protecting SSNs and other forms of personally identifiable information as well. Some states also require SSN-collecting businesses to have written policies in place to inform customers how and why their SSNs are being collected and used; you may need an attorney to help draft these policies.

The consequences of running afoul of these laws can be severe, on top of the civil and reputational liabilities incurred if a data breach occurs. Reduce your risk by examining your SSN collection and use practices and getting rid of any that are not legitimately needed.


Written by Desh Urs


To EHR Infinity and… Beyond?


The Medicare and Medicaid Electronic Health Record (EHR) Incentive Programs provided hospitals and physicians with financial incentives to implement certified EHR technology and achieve “meaningful use.” To meet the requirements for financial incentives, healthcare providers must prove that they are meaningfully using the EHRs to record patient information, exchange care records, and meet other previously established thresholds for measurement.

Just last summer, the U.S. Department of Health and Human Services shared new data compiled by the Office of the National Coordinator for Health IT that showed “significant increases in the use of electronic health records.” So now what?

source: freedigitalphotos.com

The Post-EHR Era?

Now that the vast majority of private practice physicians are using at least a basic EHR platform, and nearly half are using advanced functionality EHRs, is it safe to say that providers have met or surpassed the minimal requirements for meaningful use? If so, what happens now?

It’s exciting to see such broad and successful adoption of EHRs, but some prominent healthcare players are indicating that this is just the beginning. Adoption is a key first step, but to capture the full capabilities of EHRs and address major ongoing security concerns, it is important to acknowledge that the technology currently in place is but the first in a long series of steps. Dr. John Halamka, CIO of Beth Israel Deaconess Medical Center in Boston, was recently quoted as saying: “EHRs are bi-planes, not yet jet aircraft.”

What’s Next?

Putting EHRs in place was a monumental challenge, and the U.S. healthcare system seems to have risen to it rather successfully. But now that the basic infrastructure is there, it is time to take some crucial next steps:

  • Addressing serious security concerns
  • Improving compatibility, especially for rural or smaller critical access hospital systems
  • Increasing patient access to EHRs to compile a more accurate lifetime health timeline completely portable for the globalized world
  • Taking a broader IT approach to EHRs, including improving storage options to help organize and protect private patient data and imagery

With such major work still to be done, could it be that providers’ ongoing struggles to reach the thresholds required for establishing “meaningful use” have held back the process? It’s no secret that navigating through federal bureaucracy to establish certification is not exactly a walk in the park.

The Future

The future may hold an entirely different healthcare system in which the current iteration of EHRs plays only a small part. Imagine linking wearable health technology such as FitBits and even incorporating health monitoring information in an EHR “live stream” that may alert physicians to potential health troubles before the patient is even aware. Now that the meaningful use framework has been well established, the outlook is exciting for the future of EHRs and other healthcare technology – as long as major issues like security can be “meaningfully” addressed.

Written by Dean Van Dyke, Vice President, Business Process Optimization

Dean Van Dyke is the Vice President of Business Process Optimization for iBridge. He brings more than 18 years of customer relations, business process outsourcing, lean six sigma, program/project management, records management, manufacturing, and vendor management experience to iBridge. Mr. Van Dyke was the former head of Microsoft’s corporate records and information management team, and served honorably for over fourteen years in the U.S. Navy and Army National Guard. He received his Bachelor of Science in Business Administration from the University of South Dakota and his Master’s in Business Administration from Colorado Technical University.

Is New Focus Needed for EMRs?


The 2009 economic stimulus package, designed to help the US recover from a record financial downturn, included several smaller, targeted programs supporting projects in a variety of fields. In healthcare, federal grants for converting from paper medical records to electronic medical records (EMRs) provided clinic and office-based physicians with significant monetary incentives to accelerate their transition to a 21st century healthcare records system. While the shift to digital is a smart and necessary move for a planet struggling to stave off climate change by reducing waste, it doesn’t come without complications.

Source: freedigitalphotos.net/stockimages

EMRs and Incompatibility

One large issue with EMRs is that, like iPhones and Androids, their proprietary software makes them unable to “talk” to EMRs created on a competitor’s system. If a hospital system uses EMR software from Acme Corporation, but your records are from a hospital in a neighboring state that signed a contract with Beta Industries, you may be in trouble when you show up at the Acme Corporation hospital without identifying information.

Part of the goal of the Affordable Care Act (“Obamacare”) was to make healthcare more portable, preventing job changes or unexpected unemployment from costing Americans their healthcare insurance. What the ACA doesn’t make more portable, however, is EMRs.

At this point in the EMR revolution, it’s time for the US to have a serious conversation about data portability. Hospital administrators should be very selective when choosing an EMR vendor and verify that data is formatted in a way that is compatible with other popular systems:

  • EMR data should be easily exportable; ease of data export should be a built-in feature of any software solution.
  • Data must be formatted in a non-proprietary fashion recognized by other popular software.
  • Be sure that data and databases are organized in a logical fashion. A standard import/export language and the ability to transfer data in a standard table or Excel file format will be of great value should a healthcare organization need to update or change EMR systems.

EMRs and Security: A Complex Proposition

Data breaches continue to stack up. As security experts come up with more creative ways to secure patients’ healthcare data, hackers and digital miscreants are rising to each new challenge and finding novel ways to access and capture private health data. Harsh penalties have not been enough to slay the security beast, and reactive measures like offering identity theft insurance to affected patients aren’t enough either.

Going digital shouldn’t mean danger. At this critical turning point in U.S. healthcare policy, as much or more attention should be focused on securing patient information and EMRs as is focused on insuring the uninsured and controlling rising costs.

Written by Dean Van Dyke


Turns Out HIPAA Is Full of Healthcare Privacy Holes


Most consumers believe they can put their faith in HIPAA, the federal law designed to make health insurance more portable and to eliminate fraud. Notice we didn’t describe it as a privacy law; while some provisions put patient privacy at the forefront, HIPAA doesn’t always keep consumer personal health information (PHI) under lock and key.

The HIPAA Privacy Rule established national standards designed to protect consumer health information and medical records from cybercriminals by putting limits and conditions on what is usable and shareable without individual patient authorization. However, according to a new report from the California Healthcare Foundation entitled “Here’s Looking at You: How Personal Health Information Is Being Tracked and Used,” there’s a lot more consumer health information floating around in cyberspace than one might imagine.

Source: freedigitalphotos.net

Where Does Protection Come In?

There are many ways legitimate organizations and ill-intended miscreants can capture PHI and other private data and then sell it on the Internet black market without consumer consent or knowledge.

What are the different categories not protected under HIPAA’s privacy provisions? The extent of it might surprise the average patient:

  • Internet searches for health and healthcare information
  • Healthcare products and medications purchased online
  • Purchases of dubiously health-related items such as trans-fat laden fast foods or tobacco products
  • User profiles and activity on health-related social networks such as Sermo and PatientsLikeMe

While the revelation that the information above is not protected is sobering, is it cause for panic? Not necessarily. Much of the data collected via these avenues is used not for criminal reasons but for marketing. The report found that the data mined from these routes may be useful in improving results in clinical trials and targeting affected individuals who may benefit from upcoming vaccine or treatment trials.

Online Activity vs. Privacy Implications

Either way, consumers should know that their online activity – even that related to health and healthcare – is not private. Jane Sarasohn-Kahn, a health economist and principal author of the aforementioned report, states: “Even consumer footprints that are not expressly about health can be used to help determine a person’s physical or mental health. How we shop, the magazines we subscribe to, where we hang out on the weekend – this information is relatively easy to purchase by third parties.”

Understandably, many consumers and consumer advocates are disturbed by the revelations in the California Healthcare Foundation report. Fortunately, Sarasohn-Kahn offers several propositions designed to increase consumer protection without cutting off healthcare data sharing completely:

  • Increase security on PHI through “health data lockers” and more private cloud storage for healthcare data.
  • Boost transparency and simplicity in the healthcare data regulatory market so there is greater oversight and less rampant capturing, selling and use of consumer information without knowledge or consent.
  • Empower consumers by getting their consent before capturing data or enacting “meaningful protections” to prevent malevolent data mining and usage.

Even the FTC has weighed in on this issue. In a June 2014 statement, FTC commissioner Julie Brill demanded congressional action: “Since most consumers have never heard of data brokers, we call on Congress to enact legislation that would lay out their existence and activities at a centralized portal, a solution I have long advocated. At this portal, data brokers could identify themselves, describe their information collection and use practices, and provide links to access tools and opt outs.”

What will be done to protect PHI remains to be seen. While HIPAA helps safeguard types of consumer information, the healthcare data that lies outside its jurisdiction is caught in a data-mining free-for-all that could put consumer privacy at significant risk.

Written by Dean Van Dyke


Reconciling the Risks of eDiscovery with the Convenience of BYOD


Just about everyone has a smartphone these days, and that’s in addition to the tablet, laptop and possibly desktop computer they likely own as well. Yet, while all of these gadgets are primarily used away from the office, personal mobile devices are frequently used for work-related tasks just the same. This opens up a lot of questions about the intersection of eDiscovery and BYOD. Is there a line that needs to be drawn?

Why Worry about eDiscovery?

Source: Freedigitalphotos.net/Stockimages

Electronic discovery is one of those things that the majority of companies (and their employees) don’t think much about until it happens to them. Yet, waiting until eDiscovery is knocking at the door to address the question of BYOD is much too late.

The scope of eDiscovery is often laid out ahead of time, and typically includes devices or files that are company property. These guidelines don’t cover employees’ personal property or any cloud-based storage systems they may be using to access work tasks from home or on the go. But with most employees now answering quick emails while sitting at a restaurant or downloading work files outside of the office, it’s clear that companies need a more controllable answer.

Company-Issued vs. BYOD

The sticky question of work vs. personal mobile devices and whether work data should be accessed remotely has led many companies to implement company-issued cell phones, tablets or laptops. This solution allows employees the invaluable flexibility of BYOD while still allowing management some level of control over how the devices are being used—and keeping them well within the scope of eDiscovery efforts.

Company-issued devices also ensure that specific security protocols are being followed according to internal employment policies. While many employees agree to such rules as a condition of accessing work data off-site, actually following those rules doesn’t often occur in real life—and doing so really isn’t enforceable. The bottom line here is the same as it has always been: the human instinct is to get the job done in the fastest, most efficient way possible. The question of whether that’s through a personal device or one that’s been issued by the company is secondary at best.

The Future of BYOD

Beyond security concerns, there’s a financial element in thinking about BYOD. Personal devices are purchased by the employee directly, while company-issued devices are purchased by the employer. Yet, when the employee is using an employer-provided iPhone already and then using his or her paycheck (also technically provided by the employer) to buy an iPhone for personal use, the employer is indirectly paying for that equipment… essentially, buying their employees’ phones twice.

As a result, more organizations are requiring employees to use their personal electronics for company purposes. The argument is that smartphones, tablets and such are rapidly becoming essential tools that workers need in order to fulfill their daily tasks—therefore, requiring employees to purchase those tools just makes sense.

Is mandatory BYOD the wave of the future? It’s quite likely, especially when this type of arrangement would give companies the leeway they need to protect their legal interests, if needed. While company-issued devices used to seem like the ideal answer to the eDiscovery question, mandatory BYOD may offer the best of both worlds: mitigating the risks associated with pursuing eDiscovery efforts against personal property, while at the same time saving on the high overhead of purchasing new gadgetry for each employee.

Written by Simeon D. Rapoport

Simeon D. Rapoport is the Vice President & General Counsel for iBridge. He’s been an attorney for more than 25 years, began his career working in the courts and private practice for more than 10 years, and has been in-house corporate counsel since 1998. Rapoport’s experience includes private practice with the large West Coast firm of Bullivant Houser and more than 10 years at Standard Insurance Company. Rapoport is a frequent author and speaker, and he enjoys being active in Bar and civic groups. His interests include family, fitness, outdoor activities, and travel.

20 HIPAA Breach Response Tips From Experts


Medical identity theft is undeniably one of the biggest challenges facing the healthcare industry today. The guidelines laid out by HIPAA provide an excellent frame of reference to help better protect patient data. When you are faced with a breach, however, what’s the best response? Here’s a look at 20 tips from the experts.

Source: freedigitalphotos.net/Stuart Miles

1. Locate the Breach

The very first thing to do if you suspect a breach is to find it. No other steps can be taken without knowing exactly what you’re up against.

2. Containment

After identifying the breach, the next step is containment. The goal here is the IT equivalent of stopping the bleeding, whether that means disabling compromised accounts or blocking access to infected machines.

3. Damage Control

Damage control begins as soon as the immediate threat is under control. Determine what was accessed, and investigate other potential vulnerabilities to gauge the extent of any collateral damage.

4. Restore Services

Your organization must continue functioning effectively, and this means getting critical systems up and running again as quickly as possible. Once you’re sure that you’ve accurately identified and contained the source of the breach, restore essential services.

5. Internal Notification

Next, develop an internal report that notifies everyone from the ground up about what just happened. This is important for managing the rumor mill, but also contributes to the U.S. Department of Health and Human Services documentation requirements.

6. Be Honest

Don’t bother trying to combine sugarcoating and information dissemination. Just be honest and explain the facts behind the breach.

7. Change Passwords

Change all passwords and authorizations right away. It’s hard to tell how much information a hacker had time to grab, so err on the side of caution.

8. Preserve Evidence

As you’re doing things like changing passwords and containing the breach, be sure to save evidence of both the breach itself and the corrective measures you’re taking for future reference.

9. Gather Documentation

The HHS Office for Civil Rights (OCR) will require extensive documentation, including but not limited to: a copy of your most recent risk assessment, records of the corrective action taken in response to the breach, proof of plans to prevent a recurrence, and much more.

10. Report Immediately

Although you technically have 60 days to report the breach to HHS and the press, it’s better to go public sooner rather than later. This shows that you’re taking the issue seriously, which in turn bolsters confidence in your organization.

11. Inform HHS

Tell HHS about your breach. Remember, any incident that affects more than 500 patients should be reported directly to the Office for Civil Rights.

12. Contact Your Patients

All companies are required to inform potentially affected individuals that a breach has occurred. Again, this should be taken care of as quickly as is reasonable, for the same reasons mentioned above.

13. Tell the Media

As the saying goes, he who breaks the story controls the manner of its release. Acknowledging the breach openly with the media is much better PR than trying to cover anything up.

14. Remediate

Everyone makes mistakes, but those who make an effort to rectify those mistakes rebuild trust in their organization that much faster. Do the right thing by offering help where help is needed.

15. Offer Resources

As part of the remediation process, provide resources to patients who are concerned about their privacy. For example, you can set up a dedicated toll-free (1-800) help line so affected parties can easily get answers to their questions, or offer free credit monitoring for one month.

16. Discipline

If your data breach resulted from a clear internal violation of your existing policies, the responsible party has to suffer the appropriate consequences. Take the necessary steps to discipline where called for.

17. Review Policies

Any data breach is a good indicator that it’s time to review your processes and policies to prevent similar incidents in the future.

18. Uptrain

Further investigation of the breach could reveal that remedial training is required to ensure that all employees are in compliance with current data guidelines.

19. Promote Awareness

Most healthcare organizations have a great many policies and procedures that employees are expected to follow, and data security concerns can get lost in the shuffle. Encourage awareness of the importance of HIPAA compliance, and make it clear that ignorance is not an acceptable excuse for noncompliance.

20. Prevent

While all of these steps are important for handling a data breach with professionalism and grace, the truth is that prevention is still the best policy when it comes to keeping information secure. Going the extra mile now to limit the potential of dealing with fallout later on is well worth the extra effort.

Written by Dean Van Dyke

Dean Van Dyke is the Vice President of Business Process Optimization for iBridge. He brings more than 18 years of customer relations, business process outsourcing, lean six sigma, program/project management, records management, manufacturing, and vendor management experience to iBridge. Mr. Van Dyke was the former head of Microsoft’s corporate records and information management team, and served honorably for over fourteen years in the U.S. Navy and Army National Guard. He received his Bachelor of Science in Business Administration from the University of South Dakota and his Master’s in Business Administration from Colorado Technical University.

Emailing Sensitive Information Without Encrypting: Playing With Fire?


Attorneys use email to transmit valuable confidential client information hour after hour, day after day. Yet many lawyers do not encrypt email. Are they asking for trouble?

Consider the following:

Is native email reasonably secure?

Many would argue no. It is common knowledge that email is intercepted and accessed by third parties on a regular basis.

What about a lawyer’s ethical duty to take reasonable precautions to prevent a client’s confidential email from ending up in the hands of a third party?

It may be true that (currently at least) a lawyer does not have an absolute duty to encrypt email. However, it is also true that some circumstances do require encryption.

For example, California Formal Opinion No. 2010-179, pertaining to confidential communications, states that “encrypting email may be a reasonable step for an attorney to take in an effort to ensure the confidentiality of such communications remain so when circumstance calls for it, particularly if the information at issue is highly sensitive and the use of encryption is not onerous.”

So, when does sensitive information rise to the level of “highly” sensitive information? Good question. Do you want to guess where that line is and hope you guessed correctly?

And when does the use of encryption rise to the level of “onerous”? Another good question, since modern encryption tools are inexpensive and easy to use, quite a difference from the old days.

Image via freedigitalphotos.net/Stuart Miles


What does the future hold?

Hacking into confidential information is a common everyday event, and will only continue to increase in frequency. This truth, coupled with the fact that today’s encryption tools are simple and inexpensive, means that the line will continue to shift such that more and more — if not all — email will be required to be encrypted.

Why not use encrypted email?

Perhaps the question ought to be turned on its head. Rather than asking “Why should I use encryption?”, ask yourself “Why wouldn’t I use encryption?” Some tools even carry side benefits such as a guaranteed recall feature, which is valuable in the event of inadvertent disclosure through a mistakenly sent email.

Lawyers routinely send confidential information via email. Given the risks associated with transmitting such confidential information without encrypting, and given how encryption tools have become inexpensive and easy-to-use, it may be difficult to justify not using encryption.

Text Message Preservation Issues Causing You a Headache? Take Another Aspirin and Start Thinking About Instant Message Preservation Issues.


The use of instant messaging for business purposes continues to increase. Does your company allow employees to engage in business communications via instant messaging? If so, have the implications been fully considered?

One such implication is the company’s duty to preserve ESI (Electronically Stored Information) when litigation is threatened or commenced. Courts have held that this duty applies to instant messages just as it does to email and text messages. See, e.g., UPMC v. City of Pittsburgh, Civil Action No. 13-563 (W.D. Pa. Oct. 25, 2013).

Bottom line, and with apologies to Gertrude Stein, ESI is ESI is ESI.

And courts can certainly sanction parties that fail to preserve instant messages. See, e.g., Southeastern Mechanical Services, Inc. v. Brody, 657 F. Supp. 2d 1293 (M.D. Fla. 2009).

Image via freedigitalphotos.net/sippakorn


Another implication is the tendency of some employees to say things by instant message they wouldn’t say otherwise. They often do not understand that a less-than-well-thought-out instant message might end up as Exhibit A in some break-the-company lawsuit.

Instant messaging is only getting more prevalent. Rather than reacting after the harm has been done, a wise company will think ahead and mitigate risk by taking measures such as adopting policies that cover the issue, managing those communications carefully, and educating employees.

Next: Send any sensitive information via email? Have email encryption? No? Uh-oh.