Updates to Massachusetts Breach Notification Law – Much More Than Mandatory Credit Monitoring

Observers of the recent changes in the Massachusetts data breach notification law likely will focus on the addition of the obligation to provide 18 months of credit monitoring following a breach involving Social Security numbers (42 months, if the breached entity is a consumer reporting agency). This certainly is a significant change, making Massachusetts only the fourth state to have enacted a similar mandate (see also California, Connecticut, and Delaware). However, other changes are perhaps much more significant for an organization that has a breach triggering the updated Massachusetts law, which becomes effective April 11, 2019.

Data security and breach notification legislative developments are off to a running start in 2019. On January 1, 2019, Vermont began regulating data brokers, and South Carolina’s adoption of the National Association of Insurance Commissioners’ (NAIC’s) Insurance Data Security Model Law became effective, adding significant breach notification and information security requirements for entities licensed by state insurance regulators, including insurers and agents. The North Carolina Attorney General announced a proposal to make significant changes to that state’s notification law, among them requiring notification for ransomware attacks. The trend continues in Massachusetts, where last week Gov. Charlie Baker signed legislation substantially updating the state’s breach notification law.

Here is an overview of some of the key changes:

Organizations that experience a breach must report to the Attorney General and the Office of Consumer Affairs and Business Regulation whether they have a written information security program (WISP). Nearly ten years ago, Massachusetts enacted one of the most comprehensive sets of data security regulations affecting certain organizations in the state. (Read more about that and get a compliance checklist here.) Organizations that have not adopted a WISP will have to inform the government that they have not done so, which likely will lead to a follow-up inquiry concerning compliance and potentially significant penalties. But that is not all: they also will have to report information such as the type of personal information involved in the incident (e.g., Social Security number, driver’s license number), the steps the organization has taken or plans to take relating to the incident, including updating the WISP, and a certification that they have offered compliant credit monitoring services, if applicable.

Parent companies may have to answer for breaches by subsidiaries. Organizations that must report a breach under the new law and that are owned by another person or corporation must inform affected residents of the name of the parent or affiliated corporation. This provision is sure to create some confusion. For example, the provision does not specify a level of ownership that triggers the requirement to be listed in the notice to affected residents. Additionally, because a breached entity might be owned by a few different entities, it is unclear whether all of those entities would have to be listed. Clearly, this provision may create some unfavorable publicity for organizations whose subsidiaries experience a breach. As such, it might spur them to be more actively involved with the data security compliance and breach response efforts of their subsidiary and affiliated entities. Parents and affiliated companies may also want to revisit their cyber insurance policies to assess coverage for losses that may arise out of a subsidiary’s breach. For the breached subsidiary, this provision may result in involving their parent companies sooner and more extensively in the breach response process.

Once an organization knows about a breach affecting a Massachusetts resident, it must notify the resident as soon as practicable and without unreasonable delay, and cannot wait to determine the total number of residents affected by the incident. Security incident investigations sometimes take time, and it is not uncommon during those investigations for the number of affected persons to grow as the investigation continues. With this change, businesses need to notify continually, and not wait for the investigation to conclude before sending notification. Additionally, because state agency notifications must include the number of affected persons, businesses will need to keep these agencies apprised of the growing number of residents affected.

The Office of Consumer Affairs and Business Regulation will be reporting about your breach on its website. When an organization reports a breach to the Office of Consumer Affairs and Business Regulation (OCABR), under the new law OCABR must post on its website copies of the sample notice sent to affected residents within 1 business day of receipt and continually update the site with information learned from the investigation. OCABR also will be helping affected residents file public records requests to obtain the notices that organizations that experienced the breach have filed with the Attorney General and OCABR.

A number of the updates to the Massachusetts data breach notification law are not the typical changes we see made in many other states – e.g., expanding the definition of personal information, establishing a set number of days by which notice must be provided. Some of the changes seem intent on drawing attention to organizations that had a breach and their related companies (posting on the OCABR website, helping affected residents get more information about the breach, requiring that the names of parent companies be listed in the notice, etc.) and pushing for greater enforcement of data security safeguards (requiring reporting on whether a WISP is maintained). Organizations will need to revisit their overall incident response plans, as well as confirm their compliance with the state’s data security mandate, now nine years old.

North Carolina AG Seeks Breach Notification for Ransomware, Other Enhancements to Data Breach Law

According to SC Magazine, an escalating number of victims of data breaches in 2017 has led Attorney General Josh Stein and state Rep. Jason Saine to propose updates to the state’s existing data breach notification law – the “Act to Strengthen Identity Theft Protections.”

The Act would make a number of changes to the existing law, including:

  • Expand the definition of “security breach” to include “ransomware” attacks. Ransomware attacks generally result in the encryption of an organization’s system files, preventing the owner from accessing the files unless the owner buys (usually through some form of cryptocurrency) a valid decryption key from the attackers, which may never be delivered. In many cases, the malware deployed by the attackers does not enable them to access or acquire the organization’s information. However, sponsors of the law change would like the victim organization to notify both the affected consumers and the Attorney General’s office, empowering the affected person and the Attorney General’s Office to determine the risk of harm – not the breached organization.
  • Mandate reasonable safeguards. The Act would require businesses that own or license personal information to implement and maintain reasonable security procedures and practices – appropriate to the nature of personal information – to protect the personal information from a security breach. It does not appear that the new law would provide specific requirements for safeguarding personal information. States such as Massachusetts and Colorado have provided more specific requirements for the safeguards covered entities must put in place.
  • Update definition of personal information. The Act would update the definition of personal information to include medical information and insurance account numbers.
  • Shorter (15-day) notification period. The Act would require notification to the affected consumer(s) and the Attorney General’s office within 15 days. The hope is that this would give consumers more time to freeze their credit across all major credit reporting agencies and take other preventive measures to stop identity theft before it occurs.
  • Free credit freezes and credit reports. The Act would permit consumers to place and lift a credit freeze on their credit report at any time, for free. They also would be able to access three free credit reports from each consumer reporting agency that compiles and maintains files on consumers on a nationwide basis. Notably, if consumer reporting agencies experience a security breach, they will have to provide five years of free credit monitoring to affected consumers.
  • Penalty clarification. The Act would provide that businesses that suffer a breach and that failed to maintain reasonable security procedures will have committed a violation of the state’s Unfair and Deceptive Trade Practices Act and each person affected by the breach would constitute a separate and distinct violation of the law triggering a penalty.

If the Act is passed into law, North Carolina would join a number of other states that have updated, and continue to update and strengthen, their state laws requiring notification following a breach, and that have added obligations requiring reasonable safeguards to protect personal information. All organizations should be reviewing these developments and taking appropriate steps to safeguard the personal information they maintain about individuals, as well as evaluating and enhancing their breach response readiness.

The U.S. Supreme Court Will Rule on FCC Interpretation of the TCPA

Late last year, the U.S. Supreme Court granted certiorari in PDR Network, LLC v. Carlton & Harris Chiropractic (No. 17-1705), addressing the issue of whether the Hobbs Act requires the district court to accept the Federal Communications Commission’s (FCC’s) legal interpretation of the Telephone Consumer Protection Act (TCPA). In 1991, Congress passed the TCPA to restrict telephone solicitations and use of automated telephone equipment, charging the FCC with interpretation and rulemaking authority over the Act. In 2005, the TCPA was amended to include the Junk Fax Prevention Act (JFPA), which restricted the use of fax machines to deliver unsolicited advertising. Shortly after, the FCC issued the 2006 FCC Rule, which, inter alia, provided guidance on the 2005 JFPA amendment. At issue before the Court is the FCC’s interpretation of the definition of “unsolicited advertisements” in the context of the JFPA, found in the 2006 FCC Rule.

The Fourth Circuit, in PDR Network, held that the district court erred in refusing to defer to the FCC’s interpretation of the definition of “unsolicited advertisement” under the TCPA. Specifically, the district court ruled that a fax advertisement for free services did not qualify as an “unsolicited advertisement” under the law, despite the 2006 FCC Rule, which stated that, “even at no cost,” a fax message promoting goods and services qualified as an “unsolicited advertisement.”

Although PDR Network centers on a dispute over “junk faxes”, its implications extend far beyond. The Court will address a broad range of issues dealing with the scope of deference under the Hobbs Act and its interplay with the Chevron doctrine. The Hobbs Act provides exclusive jurisdiction to the Courts of Appeals in challenges to final orders issued by six federal agencies, including the FCC. To complicate matters, the Chevron doctrine, an administrative law principle derived from the Supreme Court case of that name, compels federal courts, regardless of level, to adhere to an agency’s interpretation of a statute it administers unless the court finds Congress’s language in the statute “clear and unambiguous”. Thus, a dilemma arises when a district court is adjudicating a case involving a final order issued by one of the six federal agencies covered by the Hobbs Act. Does the Hobbs Act strip the district court of its ability to apply Chevron deference?

Ultimately, the Court will decide whether the district court is automatically bound by a federal agency’s interpretation under the Hobbs Act, or has some leeway to disregard that interpretation, as allowed under Chevron, when it deems the statutory language “clear and unambiguous”. The Court’s ruling is timely, as the FCC is scheduled to issue rules regarding several significant TCPA issues in the coming year.

On a practical level, if the Court rules in favor of greater district court discretion, TCPA litigation will likely become much more unpredictable and costly. With regulatory, legislative, and judicial developments imminent, 2019 is shaping up to be an interesting year for the TCPA. We will continue to update as TCPA developments unfold. Stay tuned for our upcoming TCPA post on the circuit split over what constitutes an “Automatic Telephone Dialing System” (ATDS).

The SEC Signals Heightened Attention to Cybersecurity and Public Disclosure Requirements

Through its actions and publications, the Securities and Exchange Commission (SEC) has shown an increased focus on cybersecurity and the public disclosure of cybersecurity risks and incidents. In early 2018, the SEC issued a statement and an interpretive guide to assist companies in understanding and meeting their disclosure obligations concerning cybersecurity risks and incidents. In the accompanying statement, the SEC explained that “the scope and severity of risks that cyber threats present have increased dramatically, and constant vigilance is required to protect against intrusions.”

This SEC guidance follows a guide released by the SEC Division of Corporation Finance in 2011. The interpretive guide outlines the SEC’s view on cybersecurity disclosures as required under federal law. It also touches on the importance of public companies maintaining cybersecurity policies and procedures and discusses prohibited insider trading activities related to cybersecurity breaches.

The interpretive guide essentially puts public companies on notice regarding disclosure requirements for material cybersecurity risks and incidents. It explains that some reports required under the Securities Act and Exchange Act may prompt disclosure of cybersecurity risks facing a company as they relate to financial, legal, or reputational consequences. Importantly, the guide cautions that disclosures should be “timely” and warns that ongoing investigations, by themselves, do not provide a basis for avoiding the disclosure of a material cybersecurity incident.

Signaling an emphasis on enforcement actions, SEC chairman Jay Clayton warned “issuers and other market participants must take their periodic and current disclosure obligations regarding cybersecurity risks seriously, and failure to do so may result in an enforcement action.”

True to its word, after releasing the interpretive guide, the SEC brought multiple enforcement actions over cybersecurity disclosures. See SEC Enforcement Actions. Many of these actions have resulted in settlements with fines ranging in the millions, coupled with agreements by companies to improve their cybersecurity policies and procedures. The SEC appears to be focused on companies that, in the agency’s view, have made misleading statements or omissions pertaining to a cybersecurity breach and failed to properly assess whether the breach should have been incorporated into their public disclosures.

Moreover, in its strategic plan for 2018-2022, the SEC highlighted an expanded focus on cybersecurity and data protection to address the agency’s belief that “cybersecurity threats to the complex system that helps the markets function are constant and growing in scale and sophistication.” As one of the goals outlined, the SEC stated its intention to examine strategies to address cybersecurity risks facing capital markets.

These collective efforts likely foreshadow greater SEC involvement in cybersecurity and disclosure requirements. Going forward, companies must be sure that they have a cybersecurity policy and plan in place and must quickly evaluate if a cybersecurity incident requires public disclosure.

A Trio of OCR HIPAA Breach Resolutions: Is Your Organization HIPAA Compliant?

Over the past thirty days, the Office for Civil Rights (“OCR”) has reached three HIPAA breach resolutions, signaling to covered entities and business associates under HIPAA the importance of instituting basic best practices for data breach prevention and response.

On November 26th, the OCR announced a settlement with Allergy Associates of Hartford, P.C. (Allergy Associates), a health practice specializing in allergies, due to alleged HIPAA violations resulting from a doctor’s disclosure of patient information to a reporter. A doctor from Allergy Associates was questioned by a local television station regarding a dispute with a patient and, the investigation found, disclosed the patient’s protected health information (PHI). The OCR concluded that such disclosure was a “reckless disregard for the patient’s privacy rights”. Allergy Associates agreed to a monetary settlement of $125,000 and a corrective action plan that includes two years of monitoring of HIPAA compliance.

» A well-thought-out media relations plan, together with regular security and awareness training, even for doctors, would go a long way toward reducing these risks.

Then, on December 4th, the OCR announced that it had reached a settlement with the physician group Advanced Care Hospitalists PL (ACH) in Florida over alleged HIPAA violations resulting from the sharing of protected health information (PHI) with a vendor. According to OCR’s announcement, ACH engaged an unnamed individual to provide medical billing services without first entering into a business associate agreement (BAA). While it appeared the individual worked for Doctor’s First Choice Billing (“First Choice”), First Choice had no record of this individual or his activities. ACH later became aware that patients’ PHI was visible on First Choice’s website, with nearly 9,000 patients’ PHI potentially exposed. In the settlement, ACH did not admit liability, but agreed to adopt a robust corrective action plan including the adoption of business associate agreements, a complete enterprise-wide risk analysis, and comprehensive policies and procedures to comply with the HIPAA rules. In addition, ACH agreed to a $500,000 payment to the OCR.

» This is not the first time the OCR has reached settlements with covered entities over not having business associate agreements in place. Covered entities should consider a more formal vendor assessment and management process. That is, certainly make sure there is a BAA in place, but also assess the business associate’s policies, procedures, and practices.

And finally, on December 11th, the OCR announced a settlement with Pagosa Springs Medical Center (PSMC), a critical access hospital in Colorado, for potential HIPAA privacy and security violations. The settlement is in response to a complaint that a former employee of PSMC continued to have remote access to the hospital’s scheduling calendar, which included patients’ electronic protected health information (ePHI), after termination of his employment relationship. OCR’s investigation revealed that PSMC did not have a business associate agreement in place with its web-based scheduling calendar vendor, or with the former employee. PSMC agreed to implement a two-year corrective action plan which includes updates to its security management and business associate agreement policies and procedures, and workforce training. In addition, PSMC agreed to a $111,400 payment to the OCR.

“It’s common sense that former employees should immediately lose access to protected patient information upon their separation from employment,” said OCR Director Roger Severino. “This case underscores the need for covered entities to always be aware of who has access to their ePHI and who doesn’t.”

» This is a lesson for all businesses – when employees leave the organization (or are moved from a position that permits access to certain protected information), immediate changes should be made to their access – this includes physical and electronic access.

This series of recent settlements serves as a reminder of the seriousness with which the OCR treats HIPAA violations. In October, in honor of National Cybersecurity Awareness Month, the OCR together with the Office of the National Coordinator for Health Information Technology jointly launched an updated HIPAA Security Risk Assessment (SRA) Tool to help covered entities and business associates comply with the HIPAA Security Rule. This is an excellent tool to help organizations conduct an enterprise-wide risk analysis. Alternatively, our HIPAA Ready product provides a scaled approach for midsized and smaller healthcare practices and business associates. In the end, healthcare organizations and their business associates need to address basic best practices including: terminating employee access in a timely manner, maintaining proper business associate agreements, and having a plan for media relations.

The Data Care Act of 2018

A new bill in the Senate proposes to hold large tech companies, specifically “online service providers”, responsible for the protection of personal information in the same way banks, lawyers and hospitals are held responsible. The Data Care Act of 2018, which was introduced on December 12, 2018, is designed to protect users’ information online and penalize companies that do not properly safeguard such data.

Personal data under the bill includes:

  • Social Security number
  • Driver’s license number
  • Passport or military identification number
  • Financial account number, or credit or debit card number, with the access code or password necessary to permit access to the financial account
  • Unique biometric data, including a fingerprint, voice print, retina image or other unique physical representation
  • Account information such as user name and password, or email address and password
  • First and last name of an individual, or first initial and last name, in combination with date of birth

The bill would also protect personal information from being sold or disclosed unless the end user agrees.

The bill is seen as part of a broader push to enact federal privacy legislation, in part to prevent more states from enacting their own privacy legislation, similar to recent moves in California and Illinois.

The bill was introduced by Senator Brian Schatz (D-HI), the Ranking Member of the Communications, Technology, Innovation, and the Internet Subcommittee. The bill was co-sponsored by 14 Senate Democrats.

Senator Schatz stated in a press release that people “have a basic expectation that the personal information they provide to websites and apps is well-protected and won’t be used against them. Just as doctors and lawyers are expected to protect and responsibly use the personal data they hold, online companies should be required to do the same.”

The bill would be interpreted and enforced by the Federal Trade Commission (FTC). It would establish three basic duties: the duty of care, the duty of loyalty and the duty of confidentiality. If passed, the FTC would go through the normal notice and comment rulemaking process to further establish how authorities will define, implement and enforce concepts like “reasonable” security measures.

There has been no shortage of federal initiatives seeking heightened protection for consumer personal data in the past couple of years, in particular since enactment of the EU’s GDPR, and it’s only a matter of time before one of them finally sticks. We will continue to report on the Data Care Act of 2018 and other similar initiatives as developments unfold.

ONC and OCR Update HIPAA Security Risk Assessment Tool for National Cyber Security Awareness Month

October 2018 marks the 15th annual National Cyber Security Awareness Month. In honor of this occasion, the Office of the National Coordinator for Health Information Technology (ONC) and the HHS Office for Civil Rights (OCR) have jointly launched an updated HIPAA Security Risk Assessment (SRA) Tool to help covered entities and business associates comply with the HIPAA Security Rule. But remember, the HIPAA Security Rule does not require a “one-size-fits-all” approach to security.

Under the HIPAA Security Rule, a covered entity or business associate must “[c]onduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information [e-PHI] held by the covered entity or business associate.” See 45 CFR § 164.308(a)(1)(ii). Failing to conduct a risk assessment can become a basis for significant monetary exposure to the OCR, such as this $750,000 settlement by a covered health care provider with OCR.

“An enterprise-wide risk analysis is not only a requirement of the HIPAA Security Rule, it is also an important process to help healthcare organizations understand their security posture to prevent costly data breaches,” stated ONC and OCR in their joint news release on the updated SRA Tool. True. Healthcare and non-healthcare organizations are increasingly seeing a similar risk assessment requirement under a growing body of state law, such as in California, Colorado, Massachusetts, New York, and Oregon.

Recognizing that conducting this enterprise-wide risk analysis can be a challenging task, the ONC and OCR developed a downloadable SRA Tool in 2014 to help covered entities and business associates identify risks and vulnerabilities to e-PHI. According to ONC and OCR, the October 2018 update to the SRA Tool improves usability and expands its application to a broader range of health data security risks. Still, the SRA Tool may not be the right fit for small and midsized covered entities and business associates. In fact, the HIPAA Security Rule contemplates that covered entities and business associates may use any security measures that reasonably and appropriately implement the standards and implementation specifications. In doing so, they may take into account certain factors about their organization: (i) size, complexity, and capabilities, (ii) technical infrastructure, hardware, and software security capabilities, (iii) costs of security measures, and (iv) probability and criticality of potential risks to electronic protected health information.

Use of the SRA Tool is not required by the HIPAA Security Rule, and its use alone does not mean that an organization is compliant with the HIPAA Security Rule or other federal, state or local laws and regulations. However, it may help organizations in their efforts to comply with the HIPAA Security Rule requirement to conduct periodic security risk assessments. Notably, while the SRA Tool may provide a basic outline for the risk assessment process, it does not provide substantive legal guidance as to how a covered entity or business associate is to navigate between the various standards that are either “required” or simply “addressable.” While completing a risk assessment is a requirement under HIPAA, organizations should seek guidance from legal counsel as to how to complete such an assessment and how to develop and implement appropriate safeguards based on the results of the assessment. Failing to do so could create significant liability for your organization.

Failing to conduct regular risk assessments could not only lead to a healthcare data breach, but it could also result in a covered entity or business associate being fined by the OCR. To learn more about how the firm can assist healthcare organizations with HIPAA compliance and data security, please contact your Jackson Lewis attorney.

California Consumer Privacy Act Amendment Signed Into Law

On September 23, 2018, Governor Jerry Brown signed into law SB-1121, amending certain provisions of the California Consumer Privacy Act of 2018 (CCPA), which was enacted in June of this year. As we reported previously, CCPA will apply to any entity that does business in the State of California and satisfies one or more of the following: (i) annual gross revenue in excess of $25 million, (ii) alone or in combination, annually buys, receives for the business’s commercial purposes, sells, or shares for commercial purposes the personal information of 50,000 or more consumers, households, or devices, or (iii) derives 50 percent or more of its annual revenues from selling consumers’ personal information. Under CCPA, key consumer rights will include:

  • A consumer’s right to request deletion of personal information which would require the business to delete information upon receipt of a verified request;
  • A consumer’s right to request that a business that sells the consumer’s personal information, or discloses it for a business purpose, disclose the categories of information that it collects, the categories of information sold or disclosed, and the identity of any third parties to which the information was sold or disclosed;
  • A consumer’s right to opt out of the sale of personal information by a business, which prohibits the business from discriminating against the consumer for exercising this right, including a prohibition on charging the consumer who opts out a different price or providing the consumer a different quality of goods or services, except if the difference is reasonably related to the value provided by the consumer’s data.

SB-1121’s amendments include:

  • A clarification to the definition of personal information: The data elements listed in the definition are personal information, not automatically, but to the extent that they identify, relate to, describe, are capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household.
  • An expansion of exempt information to include protected health information collected by a business associate governed by HIPAA/HITECH.
  • A clarification that personal information collected, processed, sold, or disclosed pursuant to the Gramm-Leach-Bliley Act, the California Financial Information Privacy Act, or the Driver’s Privacy Protection Act of 1994 is exempt regardless of whether the CCPA conflicts with these laws.
  • An exemption for information collected as part of a clinical trial subject to the Common Rule.
  • A clarification that information collected pursuant to the Gramm-Leach-Bliley Act and the Driver’s Privacy Protection Act of 1994 will not be exempt from a consumer’s cause of action relating to certain data breaches.
  • A clarification that a private cause of action exists only for data breaches and only if, prior to initiating any action for statutory damages, a consumer provides a business 30 days’ written notice and an opportunity to cure any violation. Notice is not required in an action solely for pecuniary damages.
  • Removal of a requirement for a consumer to provide notice of a private cause of action to the Attorney General.
  • Incorporation of a provision that businesses, service providers, or persons who violate the CCPA and fail to cure such violation within 30 days of written notice shall be liable – in an action brought by the state Attorney General – for a civil penalty of not more than $2,500 for each violation or $7,500 for each intentional violation.
  • An extension of the time for the Attorney General to adopt regulations from January 1, 2020 to July 1, 2020.
  • A provision that the Attorney General shall not bring an enforcement action under CCPA until 6 months after publication of the final implementation regulations or July 1, 2020, whichever is sooner.

With an effective date of January 1, 2020 (and regulations not yet proposed), it is expected that additional amendments will be negotiated, drafted, and published as consumers and industry groups advocate for additional changes.

Following on the heels of the European General Data Protection Regulation (“GDPR”) (See Does the GDPR Apply to Your U.S. Based Company?), the CCPA is a reminder that data privacy protection initiatives are spreading across the U.S. and around the globe. Brazil, India, Indonesia, and the Cayman Islands recently enacted, upgraded, or drafted comprehensive data protection laws. In May, Vermont passed a law requiring data brokers to implement a written information security program, disclose to individuals what data is being collected, and permit individuals to opt out of the collection. In April, the Chicago City Council introduced the Personal Data Collection and Protection Ordinance, requiring opt-in consent from Chicago residents to use, disclose or sell their personal information. This fall, San Francisco is scheduled to vote on its “Privacy First Policy”, an ordinance requiring that businesses disclose their data collection policies to consumers as a predicate for obtaining city and county permits or contracts. On the federal level, several legislative proposals are being considered to heighten consumer privacy protection, including the Consumer Privacy Protection Act and the Data Security and Breach Notification Act.

Given this legislative climate, it is important for organizations to continue developing a set of best practices to ensure the privacy and security of the personal information they collect, use, or store. Key to this process is creating a data inventory to identify what personal information is collected, how it is used, where it is stored, and when it is destroyed. Once this “data mapping” is complete, attention should be directed to drafting and implementing a written information security program (WISP). WISPs detail the administrative, technical and organizational policies and procedures an organization follows to safeguard the privacy and security of its data. These initial steps will help any organization identify and streamline its data processing activities, reduce its exposure in the event of a data breach, and prepare itself for the effective date of CCPA and future data protection legislation.

Hurricane Florence – Another Reminder to Develop a Disaster Recovery Plan

As with prior hurricanes, Florence is a reminder to all organizations of the importance of disaster recovery planning. When a storm approaches, a business’s first concern is protecting its employees and customers, and then its physical property. However, we shouldn’t forget that a natural disaster can also destroy information and technology assets critical to its success and continuity. Key steps to prepare for and respond to a natural disaster can help minimize the blow. There are many aspects to comprehensive disaster recovery planning.

Below are some recommended best practices for an effective disaster recovery plan:

  1. Build the Right Team. Companies should be clear about what they are setting out to do and involve the appropriate segments of their organizations. Disasters do not just affect IT departments; they also affect the sales force, human resources, legal, finance, and management. Leadership from these and other business segments needs to be at the table to ensure, among other things, appropriate coordination among the segments and an awareness of all available company resources. Excluding critical segments from the process will make it difficult to carry out the next critical step – assessing the risks. The IT department, whether internal or through a third-party vendor, must be well versed in disaster response.
  2. Conduct a Risk Assessment. Before an organization can develop a disaster recovery plan, it must first identify the information and technology assets it needs to protect, their locations, their role in the success of the business, their associated costs and the overall and specific risks that apply to those assets. Different disasters pose different risks and require different safeguards. It also is important to analyze how the organization’s operations would be affected upon the loss of vital components and assets, including identifying what information and technology systems are needed to safely keep the doors open.
  3. Employee/Customer Safety. Information and technology assets are critically important, but not at the expense of human life. Employees should be provided with guidelines on how to ensure their safety and that of customers, and be reminded that personal safety comes first.
  4. Develop a Plan. Having involved key personnel and assessed the risks, the organization is in a position to develop an enterprise-wide disaster recovery plan. The disaster recovery plan should be in writing and include the following:
    • Keep it short. If your plan is too long, it will be difficult to absorb, particularly in a difficult situation.
    • Back up regularly and keep backups off site, in a safe location. Frequent and regular backups are critical to ensuring the preservation of important organization data, as well as the data it may maintain for others. A safe location also is critical. If a data center in lower Manhattan is underwater, being able to switch to another in California, Texas or the cloud will be essential to business continuity. The same is true for voice and electronic communications systems. Having critical business data replicated and stored off site is a good “insurance policy” for any organization.
    • Data Encryption. Encryption of sensitive and/or critical business data will prevent unauthorized users from gaining access and limit exposure if backup media or a recovery site is compromised. Encrypted backups are only as good as the keys, though: keep the keys (and whatever is needed to recover them) separate from the encrypted data, but equally protected from the same disaster, or the backups will be unreadable exactly when they are needed.
    • Don’t neglect laptops/mobile devices. Recovery plans tend to focus on the data center; however, approximately two thirds of corporate data exists outside the data center. Moreover, laptops/mobile devices are far less resilient than, for example, data center servers.
    • Employee Training. No one likes fire drills, but they serve a valuable purpose. Make your employees aware of the risks and steps they must take in case of a disaster.
    • Test for recovery. Perform recovery tests periodically, including unannounced ones, restoring from the actual backup media into a separate environment rather than relying on the backup job’s own success report. Audit each test and confirm that all of your data came back intact, not just that the restore completed.
  5. Practice the Plan. When disaster strikes, the organization’s disaster recovery team will have to move quickly. Preparedness, therefore, is key. To be prepared, organizations should practice their plans to ensure personnel are ready to go.
  6. Update the Plan. As your organization changes, grows, and adds locations and new people, the disaster recovery plan also may need to change. A regular review of the plan is critical.
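The backup, encryption-key and recovery-test bullets above describe what a restore drill has to prove; the following is an added example of how to make that proof mechanical. It is not code from the original post or from any vendor. It writes a tar backup of a directory alongside a manifest of per-file SHA-256 digests signed with an HMAC key, then after a restore compares what actually came back against that manifest and reports missing, altered and unexpected files. The key, file names and contents are constructed for the demo; a real deployment would keep the manifest key (and any backup-encryption keys, which this example does not implement) outside the backup location, as the encryption bullet warns.

```python
"""Backup plus restore-drill audit: make a backup, keep a signed manifest,
then prove every file came back intact (or report exactly what did not)."""
import hashlib
import hmac
import json
import tarfile
import tempfile
from pathlib import Path


def _sha256(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map each file under root (relative POSIX path) to its SHA-256 digest."""
    return {p.relative_to(root).as_posix(): _sha256(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def _sign(files: dict[str, str], key: bytes) -> str:
    # Canonical JSON so the same manifest always signs the same way.
    canonical = json.dumps(files, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def create_backup(src_dir: Path, backup_path: Path, key: bytes) -> dict:
    """Write a tar.gz of src_dir and return an HMAC-signed manifest.
    The key must live apart from the backup, or whoever tampers with the
    archive can also ship a matching 'valid' manifest."""
    files = build_manifest(src_dir)
    with tarfile.open(backup_path, "w:gz") as tar:
        tar.add(src_dir, arcname=".")
    doc = {"files": files, "hmac": _sign(files, key)}
    (backup_path.parent / (backup_path.name + ".manifest.json")).write_text(json.dumps(doc))
    return doc


def extract_backup(backup_path: Path, restore_dir: Path) -> None:
    """Unpack the archive, refusing members that would escape restore_dir."""
    restore_dir.mkdir(parents=True, exist_ok=True)
    with tarfile.open(backup_path, "r:gz") as tar:
        for m in tar.getmembers():
            if Path(m.name).is_absolute() or ".." in Path(m.name).parts:
                raise ValueError(f"unsafe archive member: {m.name}")
        try:
            tar.extractall(restore_dir, filter="data")  # Python 3.12+ and backports
        except TypeError:
            tar.extractall(restore_dir)


def audit_restore(manifest_doc: dict, key: bytes, restore_dir: Path) -> dict:
    """Compare the restored tree with the signed manifest. Returns a report,
    not a bare bool, so the drill result can be recorded and acted on."""
    files = manifest_doc["files"]
    if not hmac.compare_digest(_sign(files, key), manifest_doc["hmac"]):
        return {"ok": False, "reason": "manifest signature mismatch",
                "missing": [], "corrupted": [], "unexpected": []}
    restored = build_manifest(restore_dir)
    missing = sorted(set(files) - set(restored))
    corrupted = sorted(p for p in files if p in restored and restored[p] != files[p])
    unexpected = sorted(set(restored) - set(files))
    ok = not (missing or corrupted)
    return {"ok": ok, "reason": "" if ok else "restore incomplete or altered",
            "missing": missing, "corrupted": corrupted, "unexpected": unexpected}


def run_drill() -> tuple[dict, dict, dict]:
    """Constructed demo: a clean drill, a drill with one lost and one truncated
    file, and a drill against a manifest that someone edited after the fact."""
    key = b"demo-manifest-key-not-for-production"  # hypothetical key for the demo
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        src = tmp / "src"
        (src / "db").mkdir(parents=True)
        (src / "db" / "customers.csv").write_text("id,name\n1,alice\n2,bob\n")
        (src / "config.yml").write_text("region: us-east-1\n")
        backup = tmp / "nightly.tar.gz"
        doc = create_backup(src, backup, key)

        good_dir = tmp / "restore_good"
        extract_backup(backup, good_dir)
        clean = audit_restore(doc, key, good_dir)

        bad_dir = tmp / "restore_bad"
        extract_backup(backup, bad_dir)
        (bad_dir / "config.yml").unlink()                                      # lost file
        (bad_dir / "db" / "customers.csv").write_text("id,name\n1,alice\n")   # truncated file
        damaged = audit_restore(doc, key, bad_dir)

        # Someone "fixes" the manifest to match the truncated file; the HMAC catches it.
        forged = {"files": dict(doc["files"]), "hmac": doc["hmac"]}
        forged["files"]["db/customers.csv"] = _sha256(bad_dir / "db" / "customers.csv")
        tampered = audit_restore(forged, key, bad_dir)
    return clean, damaged, tampered


if __name__ == "__main__":
    for name, report in zip(("clean", "damaged", "tampered"), run_drill()):
        print(name, json.dumps(report))
```

The point of the signed manifest is that a restore test answers a question the backup job cannot: not “did the job finish?” but “is every byte we depend on back, unchanged?” Running the audit into a scratch directory on a different host than the one that wrote the backup also exercises the off-site step, since it proves the media and the keys are both reachable from where recovery would actually happen.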

So, as you clean up from Florence or think about how your organization might be similarly vulnerable, assess whether your disaster recovery plan meets your needs. If not, make appropriate changes. If you think your business could have benefited from such a plan, there is no time like the present to develop one.