Your long-time client Mrs. Jones pays you an unexpected visit. She's angry and barely holding back tears as she describes her ordeal.
"I was driving down Main Street with my two children when I was stopped for a burned-out tail light," she says. "Then the police arrested me and took me off to jail and my children to family and youth services — and it's all your fault!"
It turns out a thief stole Mrs. Jones' identity using driver's license information obtained from your veterinary hospital.
Many practice owners and managers don't understand the value of the information they hold about their clients and staff. All they know is, they need the information for business purposes. When I ask how they're protecting this data, they shrug. They think identity theft won't happen at their practices. This false sense of security is their worst enemy — and yours. It's time you knew for sure whether data at your practice is safe or not.
Evaluate your program
Start by taking an inventory of data you collect, maintain, and use for clients and staff members. Then ask some important questions:
> Do I need this information for day-to-day operations?
> Is this information at risk of getting into the wrong hands?
> Can someone use this information illegally?
> How do clients purchase products or services from my business (Web, phone or in person)?
This approach will help you assess your risk of an information breach.
How breaches come back to you
Bob is a new client. He's in the process of buying a new home when the lender puts the brakes on the deal. Bob's credit is a disaster. The bank says he's a high risk and denies the loan application. Bob misses out on purchasing the home of his dreams.
Now suppose multiple people have similar experiences. They suspect they're victims of identity theft and file police reports. Through computer forensics, the police determine these victims have one thing in common: They're all clients of your practice.
How will you handle this? Will you loan Bob the money he needs to buy his dream home? Of course not, but how do you think Bob feels? What will you do to keep Bob and other affected clients from leaving your practice?
When an information breach occurs, it's important to notify clients as soon as you become aware of the situation. In your letter, describe clearly what you know about the breach, including how it happened, what was taken, and, if you know, how the thieves have used the information. Include the actions you've taken to remedy the situation. Explain how to reach a designated staff member to answer questions regarding the breach. Consult with the police on what information to include so your notice does not hamper the investigation. Depending on the magnitude of the breach, it may be impossible to rectify the situation. That's why it's important to prevent breaches from happening in the first place.
Protect your clients
Your most valuable assets are your clients, and they trust that you'll protect their private information from theft or loss. Safeguard this information in the same way you protect a valuable piece of equipment. Take a moment to consider what even one client is worth to your practice. What if that one client has spent thousands of dollars in your practice every year? Do you want to hurt that person? Do you want to lose that client's business? It's your choice.
Breaches hurt employees, too
Dr. Susan, one of your associate veterinarians, is a victim of identity theft. Someone from your office faxed the payroll information you collected on her to the wrong telephone number. She now has to deal with the hassles of putting the pieces of her life back together, and she needs time off work to fix the multiple problems. That leaves you, as the practice owner, to cover Susan's shifts in her absence. What is this going to cost you? How much time will it take to rectify her situation?
Information breaches have consequences; there's much more at stake than regulatory fines. What are you doing to prevent them from happening at your practice?
Create an Identity-Safe Zone
Your veterinary practice becomes an Identity-Safe Zone when clients and staff know and trust that you're doing everything in your power to protect them from the devastating harms of identity theft. Private information that flows in, through, and out of the practice must be protected at each and every step. Information protection varies depending on the format of the information.
For example, if your practice stores Social Security numbers on a computer's hard drive, this data must be protected through firewalls, data encryption and password management. On the other hand, if the Social Security number is collected on a paper form, you can protect it by storing it in a locked cabinet, desk drawer or safe.
Then there are the administrative safeguards, or the human side of protecting private information. Remember that your information privacy and security program may look great on paper, but it is only as strong as the staff members who implement it. A well-trained staff is the best defense against information breaches.
James Iafe, VMD, is a certified identity-theft risk-management specialist (CITRMS) and founding partner of PrivacyEdge LLC. You can call him at (724) 473-1176.