There is no shortage of admonitions for business people to maintain ‘proper’ information security practice. However, much of this guidance stops there and is of little use to those seeking specific guidance on the steps they should take. Even the more specific guidance that does exist is often tied to then-existing technology and becomes obsolete in short order.
However, the California Attorney General’s office has recognized many of these shortcomings and provided a report and summary of recommendations that are the most specific we have seen and that are not likely to become obsolete in the near term. The report discusses the special needs of those in the health care field as well as the more generalized needs of businesspeople in all fields. The California Data Breach Report (February 2016) is available online, and irrespective of your location, we urge you to print and read it.
As a legal matter, both the face of the report and general legal principles indicate that a failure to make at least good faith efforts to substantially implement the major provisions of the report that apply to your situation is likely to have an adverse impact on your legal posture if and when you become involved in proceedings associated with a data breach. In today’s environment, such proceedings should be considered more likely than not.
While we do not have any direct knowledge of anticipated responses, our general experience indicates that cyber-liability and E&O insurers will apply some or all of this material in their underwriting process.
In addition to urging the strong encryption of health care data, particularly data stored or processed on portable media such as phones, laptops and USB drives, the report enumerates other major elements of good security practice. A high-level summary is contained below. Whether you are an IT manager or a general manager overseeing IT functions, we encourage you to review this table and the linked material that elaborates on its terms, and to address how your organization is applying and implementing its direction.
Our Privacy and Compliance partners are available to assist with this process.
The following table summarizes the Controls, grouped by the type of action they feature. The complete list of Controls is found in Appendix A.