About a year and a half ago I wrote a post titled Data Breach – Who’s Gonna Get it? where I made the point that, much like Ford’s “bean counting” over the Pinto deaths back in the ’70s, companies that were aware of the risk of a data breach but did not act responsibly were going to get it. The message, that is. While that post anticipated the message being delivered by a jury, the point is no different when the message is sent by the Office for Civil Rights or some other governmental agency. When something bad happens, as it inevitably does, people instinctively want to know whether it was truly an unfortunate circumstance or the product of willful neglect. That is, were you trying to “do right,” or did you just not care? If it is the former, they will usually cut you some slack; if the latter, you’re going to hang!

This point was confirmed in a recent interview with the Director of the Office for Civil Rights, Leon Rodriguez, who indicated that OCR will take into consideration how a company responds to a data breach when deciding whether to assess monetary fines.

Rodriguez expects the coming year will see a higher number of data breaches being reported, partly as a consequence of increased data analytics and risk assessment procedures, which surface incidents that would previously have gone unnoticed, but adds that entities that respond decisively and responsibly to data breaches most likely won’t be the subject of monetary enforcement.

If you want to read more, check out the full article with Rodriguez’s interview: OCR looking for ‘high level of sensitivity’ in data breaches | Government Health IT.

Don’t let your company be “that company.” Now is the time to be proactive: put policies and procedures in place to help prevent a data breach and, should one occur, be prepared to respond in a responsible way so that your company doesn’t “get the message.” Give me a call or send me an email; I’ll be happy to talk with you about these issues and any others.

-Shawn Tuma (469.635.1335 / stuma@brittontuma.com)