I have been asked a few times, “What’s the most important policy or procedure for our business to have?” I generally reply that all of the policies and procedures are tied together and support one another. So from that outlook, none is “most important.”
I’ve thought a bit more about the question lately, especially with the new data breaches we have all seen in the news. Combine the publicity we have seen with the loss of stock value and legal costs incurred by those companies, and I think you might come to the same conclusion I have.
In the event of a breach or data loss, the most important single document to have on hand for your business is the press statement.
Some would say that it’s not a matter of IF but WHEN any given company or practice will have a breach or data loss. I tend to agree with that statement, especially given the INFOSEC budgets available to some of the larger firms that have incurred data loss. So let’s assume ABC Family Medicine has a network breach and 2500 patient records are exposed. To make things worse, the hackers also deface the patient access portion of the ABC website.
ABC’s practice manager is busily working with their Information Technology provider to secure the practice systems when the reporters begin to arrive. The interaction with the press, and the information reporters receive, could be just as important in determining how much damage actually occurs, both monetarily and to the practice’s reputation.
A well-written press statement needs to be a key portion of your incident response procedure. This statement should be short but empathetic. It should not confirm or deny loss of critical or protected information, but instead should state that a security incident did occur and that technical professionals (and law enforcement if appropriate) are investigating. It should reinforce that patients should contact the practice directly for further information and that any affected patients will be notified if there has been a data loss.
When drafting a press statement, you should get your legal counsel to approve the final copy, and ensure that they have a copy available. Additional copies should be available to all managers and business owners; however, only one person should be designated as the press contact, with a backup person in the event of an absence.
A few hours spent drafting your press statement now could save your business bad press in the future.