“IN A CLOUD ENVIRONMENT, UNDER U.S. LAW…, IT IS THE DATA OWNER THAT FACES LIABILITY FOR LOSSES RESULTING FROM A DATA BREACH”
With intrusions growing in number and severity, such as the recent breaches at Target, Chase, Anthem and others, Congress, regulators and state governments are looking at how to protect Personally Identifiable Information (PII) from unauthorized access. There is currently no central federal mandate covering data breaches affecting PII. However, all states require businesses to notify affected customers, and in some cases regulators, when a data breach impacts their residents.
Think you’re safe because you use a cloud-based practice information management system (PIMS)?
In a cloud environment, under U.S. law and standard contract terms, it is the data owner (the practice) that faces liability for losses resulting from a data breach, even if the security failure is the fault of the data holder (the cloud provider). Why?
Standard vendor agreements exclude consequential damages and cap direct damages. In most cases, all damages flowing from a breach at the data holder will be treated as consequential damages and barred by the standard provision disclaiming all liability for consequential damages.
If the breach is a cyberattack on a traditional veterinary practice with an on-site server, the practice owner is obviously a potentially liable party.
But how liable can a veterinary practice be in the event of a data breach? State and federal data privacy laws in the U.S. do not impose civil liability carte blanche for a cyber intrusion. Liability is generally imposed when one of the following conditions exists:
The entity failed to implement safeguards required by statute, or reasonable security measures.
The entity failed to remedy or mitigate the damage once the breach occurred.
The entity failed to notify affected individuals in a timely manner under a state’s data breach notification statute; this may give rise to civil penalties imposed by a state attorney general or other state enforcement agency.
The Real Costs of a Cyber Attack
The costs & liability of a data breach to a veterinary hospital may include all or some of the following:
Individual and class action lawsuits by customers, settlement payments and legal expenses. Depending on the case, liability can include civil monetary compensation for economic losses incurred by the victim, reimbursement of victims’ out-of-pocket expenses to restore the integrity of the compromised personal information, and damages for the emotional distress of victims.
Government investigations and potential penalties
Outside response teams and audits being required
Digital investigation and forensic services
Remodeling of IT infrastructure
Implementing new or enhanced identity theft protection services
Identity theft insurance impacts
The best defense is a good offense
Having an effective breach management process is key to mitigating a serious intrusion and reassuring clients:
Incident preparation and risk management, including incident response planning. Veterinary practices should put in place the infrastructure to prevent, detect and respond to cyber security incidents. This means not only AI-based endpoint protection and firewall software and hardware, but also threat analysis, incident response training, and documented response protocols and standards.
The Good News
It doesn’t have to be expensive or complicated to take reasonable measures to protect your data. Here are a few reasonable measures you can take to get started:
1) Realize you have data that is valuable
2) Download and follow the steps in our “5 Simple Steps to Protect Your Practice” eBook.
3) Get our Incident Response Plan Workbook to build your own IRP
If you need any help protecting your practice contact us to schedule your IT Wellness Exam.
Peace Love & Plants,
Clint Latham J.D.