CEO SUMMARY: Lab managers should take steps to protect patient data and proprietary information. This includes customer lists, payer contracts, customer-specific pricing, sales force compensation information, lab testing intellectual property, and protected health information. Technology now makes it easy for a departing employee to collect company data by moving it to a USB drive or even an iPod.
EVERY DAY, SOMEWHERE IN THE UNITED STATES, a departing employee at a clinical laboratory—before their last day on the job—furtively gathers confidential company information, including the customer list, to take with them to their next job, which is typically a position with a competing lab company.
“This can be devastating for a lab, or any company, on many levels,” stated James Giszczak, Co-Chair of the Unfair Competition and Trade Secret practice team at McDonald Hopkins LLC, a national law firm with headquarters in Cleveland, Ohio. “The departing employee is often a long-serving and trusted employee who has given notice late in the afternoon, at the end of the week.”
“By giving short notice on a Friday afternoon, the departing employee has intentionally left little time for the lab owner and human resource managers to secure company property and restrict the departing employee’s access to confidential company information, client lists, and other valuable company assets,” noted Giszczak.
“Typically, when a company has not taken the steps we recommend to protect their valuable business assets, we will get a call on a Friday evening, around 5 p.m. or 6 p.m. (or even in the middle of the night) from a panicked owner, a human resource manager, or a manager. They’ve just discovered that an employee has given his or her resignation,” he continued. “It is now common for an employee to give notice by e-mail or voice mail.
Taking Company Records
“Once alerted to this resignation, the laboratory owner then audits the employee’s accounts and the information the departing employee was known to have,” commented Giszczak. “The laboratory owner discovers that the employee may have downloaded the entire database on the way out the door.”
“Having not been proactive, the lab owner is now scrambling to protect the lab’s assets,” Giszczak added. “We immediately investigate and take all action necessary to protect the company, including going to court at a moment’s notice.
“This is the moment of truth,” he said. “Our ability to protect the company will dramatically depend on the planning, or lack thereof, for this contingency. Not surprisingly, it is critical that the lab owner have every available weapon in his/her arsenal when they need it.”
Ounce Of Prevention
“Unfortunately, by the time the owner calls me, the resigning employee most likely has already used a flash drive, iPod, or similar device to misappropriate the lab’s proprietary information and customer lists to take with them,” stated Giszczak. “If the lab was even moderately proactive, having considered this scenario and taken protective measures, the damage to the lab can often be minimized. If not, the damage could be immeasurable.”
Giszczak made these comments during a recent audio conference titled “Strategies to Protect the Key Assets of Clinical Laboratories and Pathology Groups,” conducted last month by THE DARK REPORT. The focus was on protecting the most valuable business assets of a laboratory company or pathology group practice.
“When a laboratory or pathology group fails to properly protect its confidential business information, client lists, and other types of proprietary data,” noted Giszczak, “it not only faces substantial loss of business if the departing employee uses that information to benefit a direct competitor, but it may also have significant exposure resulting from recent legislative changes and judicial decisions.”
New Regulatory Risks
“There are many new regulatory risks about which lab owners must be aware,” noted Giszczak. “Assume that someone takes information from your lab and triggers the notification requirement under the federal HITECH Act or a state data breach statute. This may require your lab to: 1) bear the costs associated with the notification to the affected individuals; 2) bear the costs of providing credit monitoring to those individuals; and 3) bear the costs of dealing with all of the ancillary issues that accompany compliance with state and federal laws.”
“What many pathologists and laboratory managers don’t realize is that the financial exposure from this type of data loss can be staggering,” he continued. “For example, the average cost of a security breach is roughly $4.6 million in loss of intellectual property. Another $600,000 is typically paid in associated costs by the lab or company that loses such data.”
The recent recession represents another source of risk to laboratory owners, lab administrators, and HR managers that is overlooked when taking steps to secure the lab’s confidential business information. “The economic downturn is a factor that laboratory owners and human resource managers must also take into consideration if they want to fully protect their most important business assets,” commented Giszczak.
“Over the course of this recession, many of our clients and prospective clients needed to trim some of their workforce,” he explained. “When these employees are terminated, they often continue to be a major threat for the laboratory.
Access To Company Data
“Pathologists and lab managers are often unaware that some ex-employees continue to have access to company data even after they were terminated,” explained Giszczak. “When information technology decision makers were recently surveyed, 42% of respondents identified laid-off employees as the biggest IT security threat that was caused by the recession.”
Giszczak next discussed some of the simple steps that clinical laboratories and pathology groups could take to protect their confidential and proprietary information, and other valuable business assets. “First, it is important to be proactive. Your lab should act now to conduct an appropriate review and put the right protections, policies and procedures in place—before they are needed.
“Begin by conducting a review of your laboratory’s business assets and the data it collects and stores,” Giszczak noted. “These assets include data on the relationships that labs have with their referral sources for lab testing and other business activities. Don’t forget that what should be included in this category will be the names and information about customers and prospects, payer contracts, sales force compensation information, customer-specific pricing, and testing intellectual property used by your laboratory.”
“Other information kept by your laboratory has great value and should also be protected,” he added. “That includes the lab’s employee base, including its sales representatives, office managers, and the pathologists associated with the laboratory organization. All of these people are significant assets. Quite frankly, they are the main assets of the organization and are too often overlooked.”
“In our legal practice, we like to talk directly with the key managers working at each of our laboratory clients,” added Giszczak. “These managers know the specific information they keep that is essential and valuable to the success of the laboratory organization. These information sources are critical assets and need to be identified and protected.”
“Assess what preventive measures are already in place and explore what additional measures can and should be taken to protect these assets,” Giszczak said. “Typically, a laboratory has agreements already in place, such as employment contracts with employees. These agreements will provide some protection to the laboratory, if drafted appropriately so that they are valid.”
“These agreements should be reviewed to make certain that they contain the necessary provisions such as non-competition and non-solicitation provisions,” he advised. “It is also critical to make certain that these provisions are valid in the state in which they would be enforced: not all states treat these provisions the same.
“You must be certain that the agreement is enforceable in the applicable state where the employee resides,” noted Giszczak. “Similarly, the laboratory should have confidentiality agreements with every employee.
“This is especially important for any healthcare organization,” he explained. “A laboratory handles sensitive patient information. It can be at risk if it doesn’t have appropriate agreements with each employee as to how such patient information must be protected.”
New Laws Increase Risk
“What makes these agreements particularly important now are the recent federal privacy laws that define ‘protected health information’ (PHI),” Giszczak said. “Because of this recent federal legislation, your laboratory’s agreements need to specifically address these new requirements and describe the appropriate steps expected of the employee to protect that information.”
“In the event of a data breach, these agreements may help minimize the damage, demonstrating that your lab has taken some steps to responsibly handle PHI. Keep in mind, this is only one piece of the protection puzzle.”
“Also, it is important not to overlook the other documents executed by your laboratory staff,” he stated. “Review the security measures taken in your laboratory organization. Pay particular attention as to who can access sensitive information. Most likely, you can minimize those that have access to paper files or computer databases. This too reduces the likelihood of theft and is yet another indicator that you are taking steps to protect not only your confidential information, but also PHI.”
Prevention Is Simple
“It is generally simple and inexpensive to put measures in place to protect this valuable information,” noted Giszczak. “These same measures will have a dramatic effect on your lab’s ability to responsibly protect its most valuable business assets.”
“Every laboratory should also prepare appropriate checklists and have them in place,” he advised. “They don’t need to be elaborate, just a reference tool to make certain that all of the bases are covered when the fateful call comes in at 5 p.m. on Friday.
“Furthermore, each time an employee is terminated or resigns,” continued Giszczak, “the responsible lab manager and/or human resource liaison will now have a roadmap to consistently collect all company property and take all the actions necessary to shut off that departing employee’s access to all company computers, records, and other property.”
“It is important that this be done in a timely fashion,” Giszczak added. “No clinical laboratory or pathology group wants a terminated employee to go home and continue to access its laboratory information systems. This is a particularly sensitive area for laboratories because of the types of confidential patient and physician information that is handled by the lab on a daily basis.”
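The “shut off access in a timely fashion” step above is the one most often left half-done: accounts on one system get disabled while others stay live. The following is an added illustration (not part of the original article or the law firm’s advice) of a post-departure access check. The HR departure feed, the account inventory, and the login timestamps are constructed sample data; the system names (`lis`, `vpn`, `crm`, `email`) are placeholders for whatever a lab actually runs.

```python
"""Offboarding access check: flag departed employees whose accounts are still
enabled or who logged in after their departure date.

Added illustration; all data below is constructed, not from any real lab."""
from dataclasses import dataclass
from datetime import date, datetime

# Date on which the check is run (constructed).
CHECK_DATE = date(2024, 3, 11)

# Constructed HR feed: employee id -> date the person resigned or was terminated.
DEPARTED = {
    "e1001": date(2024, 3, 8),   # resigned by voicemail late Friday afternoon
    "e1002": date(2024, 2, 16),  # laid off three weeks before the check
}

# Constructed account inventory across placeholder systems.
# Each record: (employee id, system, account enabled?, last login timestamp)
ACCOUNTS = [
    ("e1001", "lis", True, datetime(2024, 3, 8, 14, 50)),
    ("e1001", "vpn", True, datetime(2024, 3, 9, 23, 12)),   # login the day after leaving
    ("e1001", "crm", False, datetime(2024, 3, 8, 12, 5)),
    ("e1002", "email", True, datetime(2024, 3, 1, 9, 0)),   # still active weeks later
    ("e1002", "vpn", False, datetime(2024, 2, 15, 17, 30)),
    ("e2000", "lis", True, datetime(2024, 3, 11, 8, 0)),    # current employee, ignored
]


@dataclass
class Finding:
    employee: str
    system: str
    issue: str        # "still_enabled" or "login_after_departure"
    days_open: int    # days between departure and the check date


def offboarding_findings(departed, accounts, today):
    """Return one Finding per exposure, longest-standing first."""
    findings = []
    for emp, system, enabled, last_login in accounts:
        if emp not in departed:
            continue                       # only departed staff are in scope
        left = departed[emp]
        days_open = (today - left).days
        if enabled:
            findings.append(Finding(emp, system, "still_enabled", days_open))
        if last_login.date() > left:
            # Any login strictly after the departure date means the person
            # (or someone with their credentials) still had working access.
            findings.append(Finding(emp, system, "login_after_departure", days_open))
    findings.sort(key=lambda f: (-f.days_open, f.employee, f.system))
    return findings


def systems_to_disable(findings):
    """Collapse findings into a per-employee checklist of accounts to disable."""
    todo = {}
    for f in findings:
        if f.issue == "still_enabled":
            todo.setdefault(f.employee, [])
            if f.system not in todo[f.employee]:
                todo[f.employee].append(f.system)
    return {emp: sorted(systems) for emp, systems in todo.items()}


if __name__ == "__main__":
    for f in offboarding_findings(DEPARTED, ACCOUNTS, CHECK_DATE):
        print(f"{f.employee:6} {f.system:6} {f.issue:22} open for {f.days_open} days")
    print("disable:", systems_to_disable(offboarding_findings(DEPARTED, ACCOUNTS, CHECK_DATE)))
```

Run on the constructed data, the check reports the laid-off employee’s mailbox as the oldest exposure and shows the Friday-afternoon resignee still holding enabled LIS and VPN accounts, with a VPN login the day after giving notice. In practice the inventory would be pulled from each system’s directory or audit log, and the report would be part of the Friday checklist rather than a one-off script.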
“Second, work with an attorney who is experienced in this area of law,” he stated. “Our team has counseled clients in all 50 States and has litigated these matters in 38 States. In doing so, we have become familiar with all of the nuances in the various laws of these states.
State Laws Are All Different
“Such direct legal experience is critical, since—in addition to applicable federal laws—each state has its own statutes and relevant court decisions that can dramatically impact your likelihood of success,” emphasized Giszczak. “Therefore, if your lab’s attorney is not well-versed on these topics, your lab may not be fully protected—but you won’t learn that until there is a problem and a judge rules against your laboratory and in favor of the ex-employee.”
“The third step is to respond quickly when a threat is detected,” commented Giszczak. “If you delay, not only are you giving the ex-employee an opportunity to do more damage, but the Court will not find your arguments that this is truly an emergency very credible. You must implement your action plan as soon as you know your lab’s assets are at risk or when it is necessary to respond to threats to your laboratory’s market share.
Prevention Is Simple
“It’s inevitable in every organization that employees will come and go,” he said. “Some of your lab’s best staff will leave because people will always try to further themselves. And it’s inevitable that, as those people go, some of your lab’s assets will go with them.”
“This is why it is important for your laboratory’s leadership to do some advance planning,” advised Giszczak. “Take time to anticipate these situations and to respond accordingly. A good example is that situation I mentioned earlier, when there is a voice mail resignation on Friday afternoon by a key employee. If that were to happen, how will your lab management team respond?” he asked.
“It is not a matter of if this call will come! It’s just a matter of when! This is why your laboratory should take the opportunity to develop an effective plan that puts your managers in the position to react appropriately whenever your lab’s most valuable business assets are at risk of loss.”
Giszczak’s insights and recommendations about the need for laboratories to properly protect sensitive information and business assets are a timely reminder for pathologists and laboratory administrators. Changing times make it imperative to regularly assess risk and institute appropriate safeguards, especially now that even a low-level employee with an iPod can download large databases belonging to the lab.
Data Security Expert Explains How Technology Facilitates Information Theft from Laboratories
AN EMPLOYEE SEEKING TO STEAL the names of a lab’s referring physicians can do so with relative ease today, said attorney James Giszczak, the Co-Chair of the Unfair Competition and Trade Secret practice team at McDonald Hopkins LLC, a national law firm. “Simply by downloading all of the data to a USB drive, the departing employee can walk out with the laboratory’s most valuable proprietary data in his or her pocket,” he said.
“Most laboratory owners underestimate the risk this poses to the value of their laboratory company,” explained Giszczak. “Today, it is easy for anyone to purchase a 100-gigabyte USB drive at a price of about $100. This USB drive can hold an entire database of customer information that belongs to a very large organization.”
“That means any departing employee willing to buy such a 100-gigabyte USB drive could download all the client account information of a laboratory, then walk out the door and take that client information over to a laboratory competitor.”
“Recently, the device of choice that employees use to steal company information is the iPod,” Giszczak continued. “These employees plug their iPods into their company’s IT system, then download the information they want.
“Lab managers often overlook the fact that an iPod is a storage device,” noted Giszczak. “Most people use it for legitimate purposes—music and videos—but it is increasingly common to see employees use their iPods to steal proprietary information from their employer.”
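Because an iPod or USB stick is just another mass-storage device to the operating system, the defensive counterpart to the sidebar above is to log writes to removable media and look for a burst of sensitive-looking files from one user in a short period. The following is an added illustration, not code from the article or from the law firm: the endpoint-agent log format is invented for the example, the sample lines are constructed, and the thresholds and file-name hints are placeholders a lab would tune against its own baseline.

```python
"""Removable-media copy-burst detection over constructed endpoint log lines.

Added illustration; the log format, sample data, thresholds and hints are all
constructed for this example and are not from any real product."""
from collections import defaultdict
from datetime import datetime

# Constructed sample log: one line per file write to a removable device.
# Fields: timestamp | user | device | destination path | bytes written
SAMPLE_LOG = """\
2024-03-08T15:02:11 | rsmith | USB Mass Storage | E:\\exports\\clients_2024.csv | 41000000
2024-03-08T15:03:40 | rsmith | USB Mass Storage | E:\\exports\\payer_contracts.xlsx | 6500000
2024-03-08T15:05:02 | rsmith | USB Mass Storage | E:\\exports\\sales_comp.xlsx | 2200000
2024-03-08T15:06:30 | rsmith | Apple iPod | F:\\Backups\\lis_dump.bak | 900000000
2024-03-08T10:15:00 | jdoe | USB Mass Storage | E:\\slides\\grand_rounds.pptx | 12000000
2024-03-07T09:00:00 | jdoe | USB Mass Storage | E:\\slides\\notes.txt | 4000
"""

BYTES_THRESHOLD = 100 * 1024 * 1024   # 100 MiB per user per day (placeholder)
FILES_THRESHOLD = 3                   # distinct files per user per day (placeholder)
# Substrings that suggest the asset classes the article names (placeholder list).
SENSITIVE_HINTS = ("client", "customer", "payer", "contract", "pricing", "comp", "lis_")


def parse_log(text):
    """Parse the constructed pipe-delimited format into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, device, path, size = [f.strip() for f in line.split("|")]
        events.append({
            "ts": datetime.fromisoformat(ts),
            "user": user,
            "device": device,
            "path": path,
            "bytes": int(size),
        })
    return events


def daily_summary(events):
    """Aggregate bytes, distinct files, devices and sensitive-looking paths
    per (user, calendar day)."""
    summary = defaultdict(lambda: {"bytes": 0, "files": set(),
                                   "devices": set(), "sensitive": set()})
    for e in events:
        s = summary[(e["user"], e["ts"].date())]
        s["bytes"] += e["bytes"]
        s["files"].add(e["path"])
        s["devices"].add(e["device"])
        if any(h in e["path"].lower() for h in SENSITIVE_HINTS):
            s["sensitive"].add(e["path"])
    return summary


def flag_bursts(summary, bytes_threshold=BYTES_THRESHOLD,
                files_threshold=FILES_THRESHOLD):
    """Return an alert for each user-day that trips any threshold."""
    alerts = []
    for (user, day), s in sorted(summary.items()):
        reasons = []
        if s["bytes"] >= bytes_threshold:
            reasons.append(f"{s['bytes'] / 2**20:.0f} MiB written to removable media")
        if len(s["files"]) >= files_threshold:
            reasons.append(f"{len(s['files'])} distinct files copied")
        if s["sensitive"]:
            reasons.append(f"{len(s['sensitive'])} sensitive-looking file names")
        if reasons:
            alerts.append({"user": user, "day": day.isoformat(),
                           "devices": sorted(s["devices"]), "reasons": reasons})
    return alerts


def run_sample():
    """Convenience entry point: parse, aggregate and flag the constructed log."""
    return flag_bursts(daily_summary(parse_log(SAMPLE_LOG)))


if __name__ == "__main__":
    for a in run_sample():
        print(a["user"], a["day"], a["devices"], "; ".join(a["reasons"]))
```

On the constructed log the burst from `rsmith` on the Friday afternoon is flagged on all three criteria (volume, file count, and file names matching the asset classes the article lists), while the colleague copying one presentation is not. Correlating such alerts with the HR notice date turns them from noise into the early warning the article says labs rarely have.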
Protecting Lab Assets Starts With Easy Steps
SIMPLE AND EASY STEPS are all that is needed for a clinical laboratory or pathology group practice to protect its most valuable business assets. That’s the advice of James J. Giszczak, Co-Chair, Unfair Competition and Trade Secret Practice Team at the law firm of McDonald Hopkins, LLC. Giszczak outlined these actions:
Reasonable Steps to Guard the Confidentiality of a Lab’s Information
- Routine verification of confidentiality procedures.
- Routine employee reminders of confidentiality policy.
- Prohibiting removal of confidential information from company premises.
- Restricting copying of confidential information (numbering copies, etc.).
- Conducting exit interviews.
- Pursuit of departing employees with access to confidential information.