It's simply good business practice that will reduce or eliminate costly incidents.
Legislation aimed at curbing the national epidemic of identity theft requires all businesses that collect personal information about customers and employees – including names, credit-card numbers, birth dates, home addresses and Social Security numbers – to take reasonable steps to safeguard that data.
Laws that require some form of information security and privacy education include the Fair and Accurate Credit Transactions Act (FACTA), the Health Insurance Portability and Accountability Act (HIPAA) Security Rule and the Gramm-Leach-Bliley Safeguards Rule (GLB).
Veterinary practice owners not in compliance with these regulations may be exposing themselves to significant fines, legal liability, reputation risk and, in some cases, jail time.
According to Betsy Broder of the Federal Trade Commission (FTC) in "Stolen Lives" (ABA Journal, March 2006), businesses need to have a plan in writing describing how customer data is to be secured and an officer on staff responsible for implementing the plan.
Many large firms, she says, entrust data security to a chief technical officer or chief privacy officer. While FTC officials understand that most small businesses cannot employ a full-time privacy specialist, small firms still must prove they have a security plan in place.
"We're not looking for a perfect system," Broder writes, "but we need to see that you've taken reasonable steps to protect your customers' information."
Veterinary practices that rely on staff members to keep personal data secure should implement a program of mandatory training on privacy issues, such as proper handling of check and credit-card transactions. Some staff members may need specialized training.
Being proactive might save time and money in the future.
Case in point: The national retailer PETCO Animal Supplies Inc. experienced a data attack in June 2003. The attackers were able to read clear-text credit-card numbers in the firm's database. The FTC required PETCO to establish, implement and maintain a comprehensive information-security program to guard customer data, then to obtain an assessment from an independent third party that its program and training are reasonable, and to do this biennially for 20 years at company expense.
As a private practice owner, you collect confidential information on employees for tax and payroll purposes and sometimes for medical benefits.
How are you and your staff securing this information?
You cannot expect your staff to guard employee and customer data if you do not communicate with them on how to do so. The more staff members are aware of the need for privacy, the better they will handle sensitive information, reducing the likelihood of mistakes or actions that can put you and your business at risk.
Employee education should be ongoing, delivered in multiple ways and tailored to different groups within your organization. The reality, however, is that many practices do not invest nearly enough time, effort, personnel or resources in privacy issues. Some do not budget for it at all.
If you take the time to create an effective program and budget for it realistically, the investment will be small compared with the impact of incidents, penalties and judgments that could otherwise occur.
Benefits of establishing an effective privacy-education program include:
The bottom line: An effective information-security program not only meets legal requirements – it's simply good business practice that will reduce or eliminate costly incidents and fraud.
The next two articles will outline specific information-security policies that you can use in your practice.
James Iafe, VMD, is a Certified Identity Theft Risk Management Specialist (CITRMS). He practices at North Boros Veterinary Hospital in the suburbs of Pittsburgh.