By Lucie Huger
It’s easy to understand why the retail and banking industries are highly motivated to protect themselves from a data breach, and less obvious why service providers such as construction contractors should be. That is, until you realize that Target’s data breach, one of the largest retail breaches on record at the time, is reported to have begun with credentials stolen from an HVAC contractor that had remote access to Target’s network. In an industry that absolutely relies on cultivating and sustaining trusted relationships, secure data management is essential. The construction consumer demands it.
To date, the California-based Privacy Rights Clearinghouse reports 189 data breaches made public this year, spanning healthcare, retail, financial, government, education, and miscellaneous businesses, including service providers. The breaches fall into the three most common causes: negligence, criminal acts (hacking or the theft of a device), and corporate espionage or insider malfeasance.
In response to consumer demands, 46 states now have data breach notification laws, and the laws of multiple states may come into play in a single breach, because which law applies generally depends on where the affected individuals reside, not where the breached company sits. Consider the rupture of trust that would occur if a contractor performing work for a university suffers a breach in its own business and that breach spreads malware into the university’s network. If the university’s student data is compromised, the school can face scrutiny from every state in which its students reside.
On the federal level, a weak link in the chain of data protection could expose contractors to penalties under the Health Insurance Portability and Accountability Act (HIPAA) and the Gramm-Leach-Bliley Act (GLBA). Last year, the Department of Health and Human Services tightened its enforcement of HIPAA’s rules for protected health information, including for business associates that handle it on a covered entity’s behalf. A contractor providing a value-added promotional service to its hospital client by helping with a ribbon cutting for a newly built cancer wing must ensure its public relations firm doesn’t expose the names of the cancer patients who will be treated at the new facility. HIPAA requires every link in the chain of information to be secure.
To protect valued relationships, contractors should carefully consider data breach vulnerabilities in their own operations and demand equal scrutiny from their building partners or vendors who could come into contact with protected information. This would include:
- Developing policies and educating employees on their role in data management. This includes establishing, publicizing, and encouraging internal reporting mechanisms of suspected breaches.
- Creating a data management team with clear responsibilities and a thorough understanding of the types of data collected, processed, and developed. The team should also understand legal responsibilities and regulatory requirements.
- Developing a risk assessment and mitigation plan. This includes reviewing vendor contracts to find weak links that could expose data. Even if a company shuns the exchange of data online, it can be held liable for data shared with vendors who expose that data, however unintentionally, in a breach. If a vendor doesn’t have an electronic security policy that addresses employee background screening and data management, then your company should supply one and make compliance with it a condition of the contract.
- Engaging a third-party audit to review policies, compliance efforts, and technical infrastructure. This is often done only after a breach. It’s best to find any holes before an attacker does.
Contractors may also consider “cyber” insurance policies, which can afford some protection against losses, but be aware that not all cyber policies cover the risks a company faces. Cyber policies should cover the costs associated with the data breach, including engaging legal counsel, hiring investigators, providing credit monitoring if needed, and enlisting public relations experts to facilitate communications with all parties served by the company.
If a data breach does occur, contractors obviously need to focus on discovering its source, mitigating the impact, and complying with the applicable state and federal regulations. But equally important is taking immediate action to be in a position to recover from the breach. That means engaging legal counsel so that the investigation is conducted under the attorney-client privilege, which can shield investigative communications from the discovery process in potential civil litigation. This is especially important because third-party reports from IT forensic, accounting, or crisis communications firms, as well as internal company communications, may be discoverable in civil litigation. If outside counsel engages those firms and directs their work, these communications may be protected under the attorney-client privilege.
Technology is a wonderful business tool that enables contractors to conduct business much more efficiently. But it carries evolving risks of inadvertent exposure of sensitive information that can destroy a hard-earned reputation. Don’t let neglect squander the trusted relationships you’ve built. Show your customers that you are serious about data management.
Lucie Huger is a member of the data breach practice group and an officer in the health care practice group of Greensfelder, Hemker & Gale, P.C.