With an extensive list of data privacy laws and regulations and an increasing number of ransomware attacks reported in the news, there are certain steps healthcare entrepreneurs need to take in order to comply with the law and protect their consumer data. MATTER partner Michael Waters, privacy and cybersecurity attorney at Polsinelli, shares a few tips on complying with data privacy laws and preparing for and responding to data incidents.
Data privacy and cybersecurity are closely related. Cybersecurity is actually a component of data privacy: data privacy relates to the acquisition, storage, handling, sharing and use of data, and cybersecurity refers to the protection of that data from hackers or other unauthorized access.
For many developers, data privacy and cybersecurity are not core components of the product being developed and therefore may be an afterthought, since they can seem like a waste of time or a drag on speed to market.
However, it’s really important to focus on data privacy and cybersecurity early in the developmental process for a few reasons:
Some countries have comprehensive data privacy laws, meaning there’s essentially one law that you have to know, understand and comply with. Unfortunately, we don’t have that in the United States. We have federal laws, and some are industry-specific, such as HIPAA in the healthcare industry.
On the federal side, we also have laws that focus on protecting certain individuals’ information, such as laws designed to protect the personal information of children. And then each state has various data privacy laws. Some of them are very comprehensive, such as CCPA in California, and some are specific to certain types of data, such as BIPA in Illinois, which focuses on biometric information.
Because there are so many laws, it’s critical for businesses to think about whose information they may be collecting through their product or their service, where those people are located and how that information is being used and shared. If you’re at a point in development where you don’t have those answers and don’t know which laws apply, you can at least give some thought to general privacy principles that are common in many laws.
For example, there’s a decent chance you may need to let people know what data of theirs you possess, and you need to protect that data. You may need to give them a copy of that data, and they may even ask you to destroy their data — and you might have an obligation to do so.
Many business customers are subject to the same laws previously mentioned, and some of those laws require organizations to ensure that third parties protect the information they share with them.
For example, in healthcare, hospital systems and providers are subject to HIPAA. Part of HIPAA requires that if they receive patient information and share it with a third party, they need to make sure that third party is also complying with HIPAA and protecting that data. And as a result, those healthcare providers are going to want assurances that your organization is complying with HIPAA.
Your contract with them is essentially going to attest that you’re complying with HIPAA. Knowing this in advance will put you in a much better position to respond to those requests for information.
It depends on the scope of the data breach — where impacted people are located, who is impacted and who owns the data. Generally speaking, if you have a data incident that results in someone accessing or acquiring people’s personal information without authorization, you may need to let them know. You also may need to let industry regulators, state attorneys general or other enforcement agencies know. If the incident is large enough, you could be subject to class action lawsuits or other litigation as well as investigations of the incident.
In healthcare, any incident that impacts 500 or more patients is subject to investigation by the Department of Health and Human Services. When they investigate, they will not only ask questions about the incident, but they will use the incident as an opportunity to audit your HIPAA compliance, asking for certain HIPAA policies and procedures, evidence you’ve trained your employees on HIPAA and the technical security controls you had in place. You want to be in a position to answer those questions.
Many breach notification laws are focused on providing notice to people when their personal information has been accessed or acquired. In some ransomware incidents, data is just encrypted — nobody’s accessed it or acquired it. In the public, we hear that somebody’s network is out or they’re experiencing IT issues. What we don’t hear is that they’re dealing with a ransomware attack.
They’re happening all the time — we’re just one law firm, and we probably see three to five ransomware attacks every week among our clients. It’s happening that often. Knowing it’s that frequent, organizations should do a few things:
You may have heard of the concept of privacy by design or security by design. Rather than waiting until the product is fully formed, bake data privacy and cybersecurity into the design process. Knowing that data privacy laws exist, that business partners are going to demand that you’re focused on data privacy and cybersecurity, and that data breaches are so prevalent, you want to start focusing on privacy and security early in the process. Don’t wait until you have a fully finished product before you start thinking about those things.
Polsinelli is an Am Law 100 firm with more than 950 attorneys in 23 offices nationwide. Recognized as one of the top firms for excellent client service and client relationships, Polsinelli is committed to meeting our clients’ expectations of what a law firm should be. Our attorneys provide value through practical legal counsel infused with business insight, with a focus on health care, real estate, finance, technology, private equity, and corporate transactions. Polsinelli LLP in California, Polsinelli PC (Inc) in Florida.