Incident & Breach Response , Managed Detection & Response (MDR) , Security Operations
Fighting for Jurisdiction Post-Breach
Attorney Deborah Gersh on How Regulatory Bodies Are Staking ClaimsIn today's environment, federal and state regulators come at breached companies from all angles, with requests for investigative information, breach response plans and fines. Attorney Deborah Gersh, co-chair of the healthcare practice at law firm Ropes & Gray LLP, says it's easy for organizations to become overwhelmed when numerous regulators demand answers simultaneously in the wake of a breach. By having well-defined breach response plans in place before an incident, however, organizations can streamline their procedures to ensure compliance without damaging their reputations.
See Also: Critical Condition: How Qilin Ransomware Endangers Healthcare
"There have been quite a few developments recently, and I think it has to do with the fact that certain agencies think that another agency may not be doing their job as effectively as possible, or that they feel that they have a particular interest in a particular case that is unique to them," Gersh says in this video interview with Information Security Media Group. "For example, with the [Federal Trade Commission], they view themselves as the champions of consumer protection and consumer rights, and it may very well be that if the FTC does not feel that another agency, such as the OCR, Office of Civil Rights, is taking on a particular action, then they will step in to do so. It also has to do with advocating for their particular consumers, and it also has to do with the fact that, I think, they're looking to expand their jurisdiction."
In this interview recorded at ISMG's recent New York Fraud and Breach Prevention Summit, Gersh also discusses:
- Common mistakes breached organizations make when regulators come knocking;
- Dealing with numerous regulatory bodies seeking actions against a single breached entity at one time;
- Steps attorneys can take to help clients address regulatory inquiries with consolidated approaches.
Gersh has more than 25 years of experience advising a wide range of healthcare companies and investors about sophisticated regulatory and enforcement matters, as well as acquisitions and sales of healthcare entities. Her clients include pharmaceutical manufacturers and medical device companies, managed-care companies, dental-service organizations and practice-management companies, as well as academic medical centers and community hospitals. Gersh counsels clients on a range of compliance matters, including design and implementation of corporate compliance programs and negotiation, and implementation of corporate integrity agreements.