When a safe harbor isn’t safe enough
In many data security circles, the word “encryption” will bring a glow of peaceful serenity. Encrypting data is one of the best ways to protect it from prying eyes and is recommended by almost all experts and required by many laws and regulations. But it is not always enough. A recent incident illustrates how human error can foil even the best data security methods.
Rainbow Hospice and Palliative Care in Illinois had duly encrypted its laptops in accordance with everyone’s best practices recommendations and many jurisdictions’ legal requirements. The laptop at issue contained personal medical and financial information about nearly 1,000 patients. Encryption was activated whenever the computer was shut off or its top closed, and two passwords were required for access to the confidential data. So far, so good.
The laptop’s user was working on the computer in a busy area. She turned away briefly to attend to something else, and in that moment the laptop was stolen.
Under the current rules promulgated pursuant to the HITECH Act, the breach of encrypted data need not be reported to the authorities nor notice given to the victims, since encryption is a “safe harbor.” But the laptop was powered on with its top open, so the encryption had not engaged and the data was in its readable state. The confidential patient information was therefore accessible to the computer thief.
Because there could be no assurance about the continued protection of the confidential information, Rainbow Hospice reported the breach to the Department of Health and Human Services Office for Civil Rights, news media outlets and the victims of the breach. As only about 1000 patients were affected, the direct costs to Rainbow Hospice of the breach were probably not prohibitive. If, however, the identity of the victims were not readily ascertainable — a common problem when it cannot be precisely determined exactly what data had been transferred or had already resided on the stolen laptop or other media — the forensic costs could easily reach into the tens or even hundreds of thousands of dollars. The cost of public relations to minimize the damage to Rainbow Hospice’s reputation, as well as the embarrassment caused by the negligent compromise of sensitive personal information, would also likely be considerable.
No one should make too much of what is hopefully a highly unusual scenario, but the situation does vividly illustrate how the “human element” can frustrate the best-designed data protection plans. Employee awareness training, and frequent reminders about diligence, are key components of any successful data protection program. As pithily stated by Cynthia Larose of Mintz, Levin, Cohn, Ferris, Glovsky & Popeo, P.C., “Encryption is good. Training is better.”
Ultimately, this matter demonstrates yet again that the risk of incurring substantial costs from a data breach cannot be “managed away.” For any organization holding a lot of confidential information, the inescapable presence of even a small risk with a potentially large financial consequence strongly suggests that insurance should be considered as part of the risk management plan.
Connect with John Doernberg on LinkedIn.