Technology is a huge advantage for the fitness industry today, but it also has brought with it serious exposures as well. A data breach can destroy a fitness business by damaging its reputation and relationship with its members, clients and employees. Small and mid-sized business owners need to be aware that they are just as vulnerable to data breaches and hacking as large businesses. The personal information of members, clients and employees can be lost, stolen or destroyed by computer hackers, thieves and even dishonest employees. Sensitive data can be improperly exposed through accidental or inadvertent release.
With recent publicity about large data breaches of prominent organizations, concerns about cyber liability have grown to a point in which most state legislatures have passed laws requiring business owners to notify affected persons. In most states, a business must be able to notify all parties whose personal information may have been released or exposed, communicate the scope of the potential data breach to them, and provide access to credit monitoring assistance and identity restoration to them. In addition, the business owners may face legal defense and settlement costs if claims are brought against them because of the breach.
The first step to addressing the exposure is to understand what a data breach is. To do so, it is necessary to define the "personal information" that would compose a data breach. Personal information that can uniquely identify an individual is called Personal Identifying Information (PII) and includes an individual's first name or first initial and last name, in combination with any one of the following data:
- Social Security number;
- driver's license number;
- bank account number;
- credit or debit card number with personal identification number such as an access code, security codes or password that would permit access to an individual's account;
- home address or email address; and
- medical or health information.
A data breach makes PII available to unauthorized individuals inside or outside of the organization.
All fitness businesses collect PII on members and employees, as well as many prospects and guests. Please note that Health Insurance Portability and Accountability Act (HIPAA) compliance relates to an organization's need to comply with the privacy rules set out by the Health Insurance Portability and Accountability Act. This is not usually triggered unless a business receives direct insurance reimbursement for services. All fitness facilities have liability for data breach, but only those receiving insurance reimbursement will have the requirement to meet HIPPA guidelines for privacy as well.
The data breaches making media headlines right now are systems-related and have to do with computer hackers gaining unauthorized access to PII data electronically. It is important to remember that physical data breaches still occur as well and include misplaced backup files, paper files being lost or misplaced or a stolen laptop. Both types of data breach can result in an expensive variety of damages for a fitness business including:
- interruption of ongoing operations;
- destruction of hardware and software;
- release of sensitive business information; or
- the exposure of the PII of members, clients, employees, vendors or partners.
Beyond the legal requirements imposed by state laws and the costs associated with meeting them, how a business owner responds to a data breach can mean the difference between preserving members verses losing them. When confronted with a data breach, many business owners make short-sighted or panicked mistakes that can significantly increase their cost of responding and put their reputation at risk as well. It is imperative to develop a data breach action plan before an incident occurs that will assist the business to address the situation one step at a time if it does occur. Unfortunately, in our present technology-driven environment, it is not a matter of "if" a data breach will occur but "when" for many fitness businesses.
A thorough data breach action plan should start with preventive measures including training staff to properly handle PII data and maintaining appropriate protection software on all systems that store the data. Methods of containment to limit the scope of the data breach should be outlined in the data breach action plan. It will then address effective means of response, including immediate communication to those individuals affected and provide appropriate solutions for them, as well as restoring the safety of the systems going forward. The goal of the plan is to not only restore the systems so that data is once again safe, but to restore the reputation of the business by effectively addressing the well-being of the individuals affected. A well-communicated, timely and compassionate response will go a long way toward retaining the membership's confidence.