Electronic Data Breach Ramifications Can Damage Operations, Reputation
With more than 55 million Americans identified as edata breach victims, 2005 may go down in history as the "Year of the Breach," said health industry privacy attorney Renee Martin at the Thirteenth Annual HIPAA Summit in Washington, D.C., Sept. 26.
The repercussions for FDA-regulated companies are serious, she said. In addition to running afoul of stiff federal regulations like the Health Insurance Portability and Accountability Act (HIPAA) and 21 CFR Part 11, data breaches can lead to nasty and expensive class action suits, tort claims and contractual damages situations, Martin said.
But some companies don't realize that while HIPAA does not force companies to publicly disclose edata breaches, state laws in more than 20 states do. And those state laws trump HIPAA. The specter of public disclosure can mean that an edata breach also becomes a public relations nightmare that can slam a company's reputation, she said.
Unfortunately, "most businesses have not addressed adequately how to respond" to a data breach, she said. Many do not have a preventative action plan in place. Instead, they circle the wagons, begin pointing fingers and wallow in uncertainty after a data breach is detected, she said.
While having a plan in place before a breach is highly recommended, she offered tips and best practices on what to do in the event of a breach.
During the investigative phase, companies should focus first on the basics: how it happened and who was involved, she said. That means drilling down into the breach event. "Precision and specificity is critical," Martin said. Fixing the breach and preventing it from occurring again rely on "your ability to say with certainty what happened."
In many cases, formal or informal statements from witnesses may also be necessary, she said.
Just the Facts
In addition, get the facts up front on how much time you have to complete the investigation. Rules vary by state. For starters, determine whether relevant state or federal statutes apply only to edata or are broader in coverage.
Next, determine what data and what systems were accessed, she advised. That means figuring out whether the stolen or breached data has already been misappropriated or could be in the future.
If you are a covered entity under HIPAA, understand the scope of any notice you must make outside your company, Martin advised. For example, in some cases notice must be delayed while law enforcement officials investigate the breach, she added.
A further challenge for companies is getting a handle on "unstructured data," said analyst Kevin Beaver in a white paper sponsored by Scentric.
"Many business executives don't understand what's really at risk and haven't bought into" the importance of protecting sensitive edata, he said. And many executives don't have any idea just how much sensitive data is stored in an unstructured fashion, Beaver said.
"I'm finding sensitive personal and business-related data stored in unprotected files in practically every nook and cranny across almost every network I look at," Beaver said.
He is an independent information security consultant and author of "The Practical Guide to HIPAA Privacy and Security Compliance," among other books. He said he finds unsecured data whether he browses the networks anonymously, logs in as a standard user or connects as an administrator-equivalent (see sidebar below).
Securing unstructured information is especially important, and difficult, in an e-based system, Beaver said. -- Michael Causey
Network Managers Don't Know Where Sensitive eData is Stored
IT security specialist and author Kevin Beaver recently warned companies to "get serious" about identifying and protecting unsecured sensitive edata on their networks. He said he is regularly finding such edata in files that are:
- Stored insecurely on Windows desktops, in temporary directories and in local folders;
- Missing proper access controls;
- Skipped over during backups; and
- Not being properly archived.
In addition to the sheer volume of edata, he said a common problem is that users aren't trained in how to properly create and store that sensitive edata. Another problem is network and storage administrators installing new servers and storage systems without any central planning.
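Beaver's remarks above and this sidebar describe where unprotected sensitive data turns up (desktops, temporary directories, files missing access controls) but not how to go looking for it. The script below is an added example written for this page; it is not Beaver's tooling and has nothing to do with Scentric's product. It walks a directory tree, flags text files that contain an SSN-shaped value or a Luhn-valid card number, and records whether each hit is world-readable or sits under a temp-style folder. The regexes, the list of temp-directory names, the size cutoff and the sample files it builds are all assumptions constructed for the demonstration, not data from any real network.

```python
"""Find unstructured files holding sensitive data and report how exposed they are.
Added example for this page; patterns and sample data are constructed assumptions."""
import os
import re
import stat
import tempfile
from pathlib import Path

# Hypothetical detection patterns (assumptions, not from the article).
# SSN: area not 000/666/9xx, group not 00, serial not 0000.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d\d-(?!0000)\d{4}\b")
# Candidate card numbers: 13-16 digits with optional space/dash separators,
# confirmed by a Luhn check so that phone numbers and IDs are not reported.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")
TEMP_DIR_NAMES = {"tmp", "temp", "temporary"}   # assumed names of scratch folders
MAX_BYTES = 5_000_000                           # skip large binaries; documents fit easily


def luhn_ok(number: str) -> bool:
    """Luhn mod-10 checksum over a string of digits."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify(text: str) -> set:
    """Return the kinds of sensitive data found in a block of text."""
    kinds = set()
    if SSN_RE.search(text):
        kinds.add("ssn")
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            kinds.add("card")
            break
    return kinds


def is_world_readable(path: Path) -> bool:
    """POSIX mode-bit check. On Windows os.stat() synthesises these bits,
    so a real scanner there must inspect the NTFS ACL instead (assumption: POSIX host)."""
    return bool(path.stat().st_mode & stat.S_IROTH)


def in_temp_dir(path: Path, root: Path) -> bool:
    """True if any directory between the scan root and the file looks like a scratch folder."""
    return any(p.lower() in TEMP_DIR_NAMES for p in path.relative_to(root).parent.parts)


def scan_tree(root) -> list:
    """Walk root and return one finding dict per file that holds sensitive data."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.stat().st_size > MAX_BYTES:
            continue
        try:
            text = path.read_text(errors="ignore")
        except OSError:
            continue
        kinds = classify(text)
        if kinds:
            findings.append({
                "path": path.relative_to(root).as_posix(),
                "kinds": sorted(kinds),
                "world_readable": is_world_readable(path),
                "in_temp_dir": in_temp_dir(path, root),
            })
    return findings


def build_sample_tree(root) -> None:
    """Constructed sample files (fake values) mirroring the article's findings."""
    root = Path(root)
    (root / "Desktop").mkdir()
    (root / "Temp").mkdir()
    notes = root / "Desktop" / "patient_notes.txt"
    notes.write_text("Follow-up for John Doe, SSN 123-45-6789, re: lab results.\n")
    os.chmod(notes, 0o644)           # readable by every account on the host
    export = root / "Temp" / "billing_export.csv"
    export.write_text("acct,card\n1001,4111 1111 1111 1111\n")
    os.chmod(export, 0o600)          # locked down, but left behind in a scratch folder
    (root / "Desktop" / "agenda.txt").write_text("Meeting at 10:00, room 4. Call 555-0123.\n")


def demo() -> list:
    """Build the sample tree in a fresh temp directory and scan it."""
    root = tempfile.mkdtemp()
    build_sample_tree(root)
    return scan_tree(root)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Point the scanner at a file share or a user profile directory rather than the constructed tree and the output becomes a worklist: files that are both sensitive and world-readable need access controls first, and anything under a temp folder is a candidate for deletion or archiving rather than protection.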