Friday, February 20, 2009


This is the fourth post in a series of five. A program such as a risk-averse compliance program has dual purposes.

First, a business wants to protect its clients and employees from identity theft. It's the responsible thing to do. The program I outlined in my previous column will greatly reduce the incidents of data loss. While nothing is foolproof a holistic approach is far more effective than a patchwork of compliance steps. For example, the Northern California “district” of the Kaiser hospital group had a large breach of personal information very recently. Kaiser takes its’ HIPAA responsibilities seriously. Part of that responsibility is to protect the privacy of the patient files in the Kaiser system. This breach however, was of employee HR file information, and is not covered under the HIPAA compliance requirements. Had the employer included the entire administrative team, payroll, HR, accounting, etc. into a company-wide data security culture they might have prevented that breach.

The other reason to initiate a personal information security program is to lessen exposure to risk and mitigate the company liability.
That is why documentation is so important. When an organization experiences a breach either forensic investigators from the Secret Service, or agents representing the FTC or law enforcement will want to see what the business has done to protect the information prior to the incident. Just as proof of insurance affects the outcome of a traffic accident, proof of an identity theft program will affect the outcome of a breach case. A carefully documented program is key. You need to document that you have enacted the policy, that everyone on staff has been exposed to the policy and has agreed to uphold the policy. Documentation naming the person(s) responsible for administering the program needs to be in the file along with notification to all contractors and service providers that the plan is in place and the business expects a similar policy to be in place with all contractors.

In the next post I will tie all of this together and show how Pre-Paid Legal Services Inc has developed a program that connects the dots and covers each aspect of what I’ve described in the last few posts. I’m proud to say that no other service exists that provides the uniquely comprehensive and "holistic" approach as the Pre-Paid program.

No comments: