New Hampshire Security Incident Demonstrates Importance of Documenting Any Decision to Forego Security Breach Notification

Posted on December 14, 2009 by Privacy and Data Protection Practice Group

The New Hampshire Attorney General and the federal Center for Medicare and Medicaid Services are investigating Wentworth-Douglass Hospital’s decision not to notify patients or the Attorney General of a security incident that occurred more than two years ago. The security incident, which lasted from May 2006 until July 2007, involved a former hospital employee who became disgruntled after being transferred from the pathology lab. The former employee gained unauthorized access to pathology reports on nearly 2,000 occasions and changed reports involving more than 1,100 patients. The hospital investigated the incident and determined that neither New Hampshire’s notice law nor HIPAA required notification.

The matter might have ended there but for the hospital’s termination of its contract with the pathology group that worked in the lab. The pathologists allege that the contract termination constituted retaliation for their pushing the hospital to disclose the incident. It appears that after the contract termination, the pathologists reported the incident to government officials.

While we do not question the motives of the New Hampshire pathologists, this incident demonstrates the importance for employers of documenting any decision not to provide security breach notification when a security incident occurs. Under many state security breach notification laws as well as HIPAA’s new security breach notification requirements, notice is required only if a security incident poses a material risk of harm to the individuals whose information has been compromised. Whether a material risk of harm exists often is a judgment call.

An employee who is aware of a security incident and a related decision not to provide notice could easily second guess that decision after being disciplined or terminated. As in the New Hampshire incident, a complaint about a decision not to notify could trigger an investigation by federal or state authorities months or years after the incident occurred. Without contemporaneous and thorough documentation of the decision-making process, an employer could have difficulty responding to an investigator’s demands for an explanation of the decision not to notify affected individuals or, where required, state or federal agencies.

This entry was written by Philip L. Gordon
Tags: , , , , , ,

What Does The Crazy Quilt of Security Breach Laws Mean for Employers as Massachusetts Becomes the 39th State to Enact One?

Posted on August 21, 2007 by Philip Gordon

On August 3, 2007, Governor Deval Patrick enrolled Massachusetts as the 39th member in the soon-to-be nationwide club of states with laws requiring notice of a security breach.  While these laws vary — sometimes materially — from one another, they share a common thread: at a minimum, they require employers to notify employees (and customers) when an unauthorized person acquires unencrypted, computerized “personal information,” creating a risk of identity theft.  In all 39 states that have adopted this law, “personal information” includes (again at a minimum) the affected individual’s first name or initial and last name plus social security number, driver’s license number, or credit card, debit card, or financial account number in combination with any required security code. 

Here are five key points for employers to consider as they confront these statutes.

  •  Be Prepared.  Responding to a security incident can create a pressure cooker, especially when the personal information of senior corporate executives is among the compromised data.  Identify the members of your incident response team — typically from HR, IT, Legal, and Public Relations — and do a dry run of how your organization would respond if, for example, a payroll database had been stored on a stolen laptop.
  • Train  HR Professionals.  In the employment context, a security breach can take many forms — a misdirected e-mail, a CD lost by a courier service, a stolen BlackBerry, or a successful hack are just a few examples.  HR employees and others who work with personal information should  be trained that these types of occurrences, which in the past might not have been taken seriously, now pose compliance risks.  The training should help employees identify a possible security breach, list the type of information which should be reported, and explain to whom the report should be made.
  • Determine Your Notice Obligations.  When a breach does occur, consult knowledgeable counsel (whether in-house or outside) to determine the organization’s obligations under all potentially applicable notice laws.  To do so, counsel will need to know all the facts related to the incident, the states of residence of affected employees, and the number of affected employees in each state.  In some circumstances, a security breach may not trigger a legal obligation to notify  — for example, the theft of a hard copy (as opposed to computerized) payroll spreadsheet -- but the employer still may decide to provide notice as an employee relations matter.
  • Help Your Employees.  Employees may view themselves as innocent victims when their employer suffers a security breach and  expect their employer to protect them and foot the bill. Providing free access to a credit monitoring service is the most commonly offered form of assistance.  Employers may want to consider a new service offered by MyIDentityIQ, Inc. and National ID Recovery: 1-877-252-9891.  This service not only alerts employees to possible misuse of their personal information (like credit monitoring), it also provides fully managed identity theft recovery services for employees after their personal information has been misused.
  • Learn From Your Mistakes.  After the storm subsides, figure out what went wrong, what you did right, and how you can adjust your security incident response plan (or put one in place) to improve your response the next time around.
Tags: , , , , , , , ,