3 ways healthcare CIOs can avoid an FTC lawsuit over security

Chief information officers need to take steps to mitigate potential lawsuits from the Federal Trade Commission and other government agencies resulting from cybersecurity incidents, according to attorneys Richard Raysman and Francesca Morris.

More power has been put into the FTC's hands when it comes to policing corporate cybersecurity after a recent appeals court ruling allowed the agency to move forward with a lawsuit against a hotel chain that was allegedly responsible for three data breaches, FierceHealthIT previously reported.

To dissuade the FTC from taking such measures in similar instances, Raysman and Morris, writing for the Wall Street Journal, say that CIOs must be able to show the steps they took to protect private customer information. They also must show that they have up-to-date cybersecurity software in place, say the attorneys, who are partners at law firm Holland & Knight.

Hospitals especially will have to be careful not to come face to face with the FTC as breaches in the industry continue to rise, even while healthcare organizations work to increase their security efforts.

Three steps CIOs can take to stem or address an FTC complaint, according to Raysman and Morris, include:

  1. Keep policies relevant: Most organizations have policies surrounding privacy and security, but these may be outdated and not reflect current standards. CIOs should make sure these are reviewed and updated often, the attorneys say.
  2. Implement the NIST Cybersecurity Framework: Having this in place is one way a CIO can show the FTC that the company took serious steps to keep data safe. The framework is "becoming a de facto standard of cybersecurity for U.S. regulators," Raysman and Morris say, and facilities that have it in place may be able to show the FTC that there are no grounds for a complaint.
  3. Retain a consultant: A third-party consultant, while another expense for a health system, may be worth it if the facility is hacked. The consultant can conduct annual security reviews and provide a report that shows the organization is implementing current security protections, the attorneys note.

CIOs also should prepare for the possibility of lawsuits aimed at them personally following a breach, says Matthew Karlyn, a partner at Foley & Lardner LLP. "We are absolutely going to see more CIOs taking the fall and ultimately being named in lawsuits," Karlyn told the WSJ in July.

To learn more:
- here's the WSJ article