Legislation aimed at curbing the national epidemic of identity theft requires all businesses that collect personal information
about customers and employees – including names, credit-card numbers, birth dates, home addresses and Social Security numbers
– to take reasonable steps to safeguard that data.
Laws that require some form of information security and privacy education include the Fair and Accurate Credit Transactions
Act (FACTA), the Health Insurance Portability and Accountability Act (HIPAA) Security Rule and the Gramm, Leach, Bliley Safeguard
Veterinary practice owners not in compliance with these regulations may be exposing themselves to significant fines, legal
liability, reputation risk and, in some cases, jail time.
According to Betsy Broder of the Federal Trade Commission (FTC) in Stolen Lives (ABA Journal, March 2006), businesses need to have a plan in writing describing how customer data is to be secured and an officer
on staff responsible for implementing the plan.
Many large firms, she says, entrust data security to a chief technical officer or chief privacy officer. While FTC officials
understand that most small businesses cannot employ a full-time privacy specialist, small firms still must prove they have
a security plan in place.
"We're not looking for a perfect system," Broder writes, "but we need to see that you've taken reasonable steps to protect
your customers' information."
Veterinary practices that rely on staff members to keep personal data secure should implement a program of mandatory training
on privacy issues, such as proper handling of check and credit-card transactions. Some staff members may need specialized
Being proactive might save time and money in the future.
Case in point: The national retailer PETCO Animal Supplies Inc. experienced a data attack in June 2003. The attackers were
able to read clear-text credit-card numbers in the firm's database. The FTC required PETCO to establish, implement and maintain
a comprehensive information-security program to guard customer data, then obtain an assessment from an independent third party
that its program and training are reasonable, and to do this biennially for 20 years at company expense.
As a private practice owner, you collect confidential information on employees for tax and payroll purposes and sometimes
for medical benefits.
How are you and your staff securing this information?
You cannot expect your staff to guard employee and customer data if you do not communicate with them on how to do so. The
more staff members are aware of the need for privacy, the better they will handle sensitive information, reducing the likelihood
of mistakes or actions that can put you and your business at risk.
Employee education should be ongoing, delivered in multiple ways and tailored to different groups within your organization
but the reality is that many practices do not invest nearly enough time, effort, personnel or resources toward privacy issues.
Some do not budget for it at all.
If you take the time to create an effective program and budget for it realistically, the investment will be small compared
with the impact of incidents, penalties and judgments that could otherwise occur.
Benefits of establishing an effective privacy-education program include:
- Reducing numbers of privacy and security incidents.
- Making personnel aware of the risks involved in handling private information and having them work in a more secure manner.
- Retaining clients who can see the practice is protecting their personal information.
- Meeting legal and regulatory requirements for awareness and training.
The bottom line: An effective information-security program not only meets legal requirements – it's simply good business practice
that will reduce or eliminate costly incidents and fraud.
The next two articles will outline specific information-security policies that you can use in your practice.
James Iafe, VMD, is a Certified Identity Theft Risk Management Specialist (CITRMS). He practices at North Boros Veterinary
Hospital in the suburbs of Pittsburgh.