Wednesday, June 12, 2013

#1 Mistake in Managing a Privacy Breach

By Jean Eaton, B.Admin, CHIM, president of Information Managers Ltd. She is an experienced leader in clinic management and health information management, and a privacy consultant, trainer, and speaker.

Cell: 780.237.7605
Fax: 1-866-655-7780 (toll free)

#1 mistake in managing a privacy breach - ignore it!

Canada Revenue Agency mails private records to wrong person

Top 3 Mistakes in Managing a Privacy Breach.

Have you ever received a phone call from your bank to tell you that your credit card information may have been stolen? This might frighten you and create doubt and inconvenience, and it can cost you time and money to recover and manage the loss. If the bank catches the theft early and calls you to let you know what they have done to stop it and prevent it from happening again, you are probably going to thank the bank for helping to look out for your best interests.

The same thing happens when you suspect that you have a privacy breach at work. You need to stop it, report it, inform the client, and let them know what you are doing now. It is never an easy phone call to make, but most of the time the client appreciates your concern.

What is a privacy breach? A privacy breach is a loss of, unauthorized access to, or disclosure of personal information. Personal information may include your name, date of birth, address, account information, or even your email address. Often, any 3 of these might be enough to identify you. This information might be found in your employee human resources files, client files, accounting records, and even newsletter subscription lists!

There is an active market for personal identities. This is an incentive to steal or misuse personal identities. At work, most privacy breaches are 'oopses', honest mistakes, or a result of not carefully following procedures. But sometimes information is intentionally stolen to harm a specific person or for financial gain. Sometimes the theft is committed by employees and sometimes by outsiders.

If you think you have a privacy breach at work, you need to:

1. Recognize the breach
2. Inform your supervisor and Privacy Officer
3. The Privacy Officer will take immediate steps to contain the breach, and
4. Report the breach - internally and to police, regulators, and other agencies as required, and
5. Notify the individuals whose information has been breached, and
6. Recommend appropriate communication, and
7. Investigate the cause of the breach and implement a plan to prevent it from happening again, and may
8. Conduct a security audit and a threat risk analysis, and review and revise policies and procedures to prevent the breach from happening again.

The Office of the Information and Privacy Commissioner of Alberta's website has many resources for your use.

You can also attend an Information Managers Webinar! "3 Mistakes in Managing a Privacy Breach" June 20th, 2013.
