20 Jul PRIVACY AND COMPLIANCE FOR MEDICAL AND LEGAL FIRMS
In 2014, we saw a significant increase in the regulatory and community expectations on how medical and legal organisations, among other sectors, handle customer data and privacy. New privacy laws came into effect with stiff penalties for organisations found to be treating customer data insecurely, and for many consumers, the Federal Government's data retention strategy made it very clear just how much of their data is accessible online.
In other words, 2014 was the perfect storm of increased regulation and increased customer awareness, which has turned data management, protection and security into a bigger business risk than ever before. For medical and legal firms in Australia, this is a bigger problem than they have previously experienced; the specific issues can be broken down into three kinds of threat to the business, all arising from how customer data is handled.
1. Reputational damage – Should a data breach occur, the reputational damage that results can be a business-ending event for a small business. Large corporations have access to capital resources that help them weather the inevitable short- or medium-term sales losses that result from a reputational crisis. However, smaller companies that lose customers for a quarter or two due to mistrust over insecure practices can find themselves out of options (and out of business) well before sales and trust return.
2. Regulation – The regulators are now stricter than ever and the penalties are stiff. Since the reforms to the Privacy Act that commenced in March 2014, organisations can be fined up to $1.7 million for serious or repeated breaches of Australia's privacy laws, which is a big hit for the bottom line of a small or medium-sized business. Note that the small business exemption is of little help to medical practices: a private health service provider that holds health information is covered by the Act regardless of its turnover.
3. The potential for corporate espionage – Medical and legal firms that are not secure enough with their customer data can easily be “snooped on” by rival organisations. With customer data being the most valuable advantage that most companies have, losing that data to a rival can seriously damage the ability of the firm to remain competitive.
Despite these three critical concerns, many small to medium firms ignore data security, assuming that hiring a consultant to conduct a full audit would be too expensive, let alone investing in the technology the auditor recommends to ensure compliance. This head-in-the-sand approach leaves small Australian medical and legal firms exposed, and what is particularly frustrating is that the exposure is unnecessary. For a small firm, an audit of the IT infrastructure for data security and compliance is not very expensive, and every year more consultants specialise in delivering these services, tailored to the budgets of firms this size. Equally, for most of the medical and legal firms affected, the audit will not recommend buying a data leak prevention (DLP) technology suite costing thousands of dollars. In most cases, simple policies and configuration changes are enough to bring the technology risks around customer data down to an acceptable level.
The most basic data-leak controls, such as mail-flow rules that quarantine outbound messages matching specific patterns (a spreadsheet attachment, a client list pasted into the body) so that a leak is caught before the message leaves the firm, are inexpensive to implement and help immensely. Employees of small and medium-sized firms will often email client lists to one another without appreciating that a message, once sent, can be forwarded on or read in transit, and that the firm then has no control over where it ends up. There is also the risk of a deliberate leak by a disgruntled employee. These risks must be controlled in order to maintain compliance, and controlling them costs less than most companies assume.
Medical and legal firms should also look at how the organisation uses CRM and cloud services. Salesforce, Dropbox and similar services are useful, but every company, including small and medium-sized firms, needs strict policies to ensure that only the people who need access to customer data have that access, whether the data is hosted in the cloud or on the local network.
Other common-sense measures also help. For example, a firm can enable two-factor authentication for critical applications, and can lock down Microsoft Exchange so that mailboxes with no need for external email cannot send to or receive from outside the organisation. These inexpensive adjustments can be implemented by the affected firms' internal tech teams or their technology partners, and can prevent stress, reputation loss and revenue drops in the future.
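As an added illustration of the two Exchange controls described above (the outbound quarantine rule and the internal-only mailboxes), and not taken from the original article, the following Exchange Management Shell commands show one way to set them up on an on-premises Exchange 2013 server. The rule names, the "Internal-Only Staff" distribution group and the attachment extensions are hypothetical placeholders to be replaced with the firm's own policy.

```powershell
# Added example, not from the original article. Assumes on-premises Exchange 2013
# and the Exchange Management Shell. Rule names, the "Internal-Only Staff" group and
# the attachment extensions are hypothetical placeholders.

# 1. Quarantine outbound mail carrying a spreadsheet or CSV attachment to any
#    recipient outside the organisation. Quarantine holds the message for review
#    instead of silently dropping it, so a legitimate send can still be released.
New-TransportRule -Name "Quarantine outbound client data" `
    -FromScope InOrganization `
    -SentToScope NotInOrganization `
    -AttachmentExtensionMatchesWords "csv","xls","xlsx" `
    -Quarantine $true `
    -Comments "Hold for review before release; client-data handling policy"

# 2. Mailboxes with no business need to email outside the firm (members of the
#    hypothetical "Internal-Only Staff" group) have outbound external mail rejected
#    with an explanatory non-delivery report.
New-TransportRule -Name "Block external send for internal-only mailboxes" `
    -FromMemberOf "Internal-Only Staff" `
    -SentToScope NotInOrganization `
    -RejectMessageReasonText "This mailbox is not permitted to send external email."

# 3. The same mailboxes should not receive from outside either. Requiring
#    authenticated senders causes anonymous (internet) mail to them to be rejected.
Get-DistributionGroupMember "Internal-Only Staff" |
    Where-Object { $_.RecipientType -eq "UserMailbox" } |
    Set-Mailbox -RequireSenderAuthenticationEnabled $true

# Check that the rules exist, are enabled and sit in the expected order.
Get-TransportRule | Format-Table Name, State, Priority
```

Transport rules are evaluated in priority order and each rule's conditions are ANDed, so keep one rule per intent rather than piling conditions into one rule. The -Quarantine action is only available on-premises; in Exchange Online the equivalent is to route the message to a reviewer with -ModerateMessageByUser or to use a DLP policy. Before enabling either rule firm-wide, run it in test mode (-Mode TestWithPolicyTips or -Mode TestWithoutPolicyTips) for a few days and review what it would have caught, so that a legitimate workflow is not broken on day one.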