This morning we woke up to yet another major security breach: a US hospital group said it was the victim of a cyber-attack resulting in the theft of 4.5 million people’s personal data. According to Community Health Systems, the attack and breach happened in April and June of this year. Reportedly, the data included patient names, addresses, birth dates, telephone numbers and Social Security numbers. This time, the breach affected a hospital group which runs 206 hospitals in 29 states.
Putting aside the ongoing FBI investigation and the fact that the data could (and most likely will) be used to steal people’s identities, this breach brings to the forefront, yet again, the issue of cyber liability of the company that managed the accounts.
We have been advising our clients regarding cyber liability risks for quite a number of years. Protection from cyber liability is especially critical for those companies that, in the course of their operations, whether over the internet or otherwise, collect data about their patients, clients or customers that includes personally identifiable data. However, any company that accepts credit cards or other electronic payments online is exposed. At the end of the day, no customer is interested in hearing that the company used some unknown payment processing center, so the company selling goods or services will be at the forefront of the liability exposure.
A security breach, like the one at Community Health Systems, or earlier this year at Target, could be a result of many factors – weak security, lack of control over vendors, or even a well-directed and malicious attack. For the victim company, the result is likely to be the same – massive exposure of its infrastructure, technical, and data capabilities; overnight destruction of its brand and trust from the customer base; and unpredictable legal exposure to liability over the loss of customer data. Any company that does not have a well-identified and developed risk strategy against such legal and business risks may be forced to fold the business altogether.
For that reason, we work with our clients to address all facets of cyber liability risks – from reviewing and revising legal privacy and security protocols, to creating new protocols that will minimize the legal risks for our clients. We also work with our client companies to procure the optimal cyber liability coverage from insurance carriers. True risk management lies in prevention – ideally of any breach altogether, but, at a minimum, of the legal exposure and dangerous repercussions of such a breach.