Article by Article by Peter J. Guffin1
Originally published in the December 2011 issue of inFocus, PRISM's Quarterly Journal
Data security breach notification has become a significant compliance risk for most businesses today. A data security breach can disrupt business operations, damage brand reputation and customer relationships, and attract government investigations and class action lawsuits.
The Ponemon Institute, which conducts annual benchmark studies concerning the cost of data breach incidents of U.S. companies, estimates that a data security breach in the U.S. now costs an organization approximately $214 per compromised record or $7.2 million on average per incident, with notification expenses accounting for about 7% of the total cost.2 Interestingly, one of its top findings is that "more organizations favor rapid response to data breaches, and that is significantly costing them." Specifically, it found that:
Forty-three percent of companies notified victims within one month of discovering the data breach, up 7 points from 36 percent last year. That growth marks the largest percent increase among data breach response attributes. For the second year in a row, these "quick responders" paid significantly more per record than companies that moved more slowly. In 2010, quick responders had a per-record cost of $268, up $49 (22 percent) from $219 the year before. Companies that took longer paid $174 per record, down $22 (11 percent) from 2009.
Our results suggest that moving too quickly through the data breach process may cause cost inefficiencies for the organization, especially during the detection, escalation and notification phases. The notable increase in companies responding quickly to breaches, despite the additional cost, may reflect pressure companies feel to comply with commercial regulations and state and federal data protection laws.3
Complicating compliance is the maze of different (and sometimes conflicting) federal and state laws that can and often do apply to the same data security breach incident. The potential regulatory overlap is largely due to the fact that there is no single, comprehensive national data breach notification law in the U.S., making way for a "patchwork quilt" of various state laws, each imposing its own specific requirements. In addition, whereas U.S. federal data breach notification laws generally follow an industry sector approach, imposing notification obligations on persons subject to regulation in certain specific industries, such as healthcare and financial services, U.S. state data breach notification laws generally apply to all persons, regardless of industry sector or where the person or personal information is located. As a result, a single data security breach incident may result in enforcement action by different regulatory bodies in multiple jurisdictions, and sometimes even in the same U.S. state.
The story of Health Net of Connecticut ("Health Net") is instructive.
In May 2009, Health Net discovered that it had lost a computer hard drive containing the personal health information of approximately 500,000 Connecticut residents. In January 2010, the State of Connecticut commenced a lawsuit against Health Net alleging that it had failed timely to notify residents and state authorities about this data security breach incident. The suit alleged violations of the Health Insurance Portability and Accountability Act ("HIPAA"), the Connecticut data breach law and the Connecticut Unfair Trade Practice Act. Under the terms of a stipulated judgment entered into on July 6, 2010, Health Net agreed to pay $250,000 in penalties and implement a corrective action plan.4
In November 2010, the Connecticut Insurance Department and Health Net settled a separate enforcement action commenced against Health Net arising out of the same data security breach incident. Under the terms of that settlement agreement, Health Net agreed to pay $350,000 in penalties and to provide two years of credit monitoring protection to persons affected by the data breach.5
Shortly thereafter, on January 18, 2011, the State of Vermont settled an enforcement action against two affiliates of Health Net (Health Net, Inc. and Health Net of the Northeast, Inc.) arising out of the same data security breach incident, which had also affected approximately 525 Vermont residents. That suit alleged violations of HIPAA, Vermont's Security Breach Notice Act, and Vermont's Consumer Fraud Act. Under the terms of the consent decree, Health Net was assessed $55,000 in penalties and agreed to submit to a data security audit and to file reports with the State of Vermont for two years.6
As if all of the above fall-out were not enough, within days of the State of Vermont settlement, Health Net experienced yet another data security breach incident, this time affecting 1.9 million current and former members (including 845,000 Californians) stemming from loss of nine hard drives from its California data center. Health Net was made aware of the missing information on January 21, 2011, and it began notifying affected individuals on March 14, 2011. The California Department of Insurance has launched an investigation.7
This article summarizes the major federal and state data security breach notification requirements in the United States and discusses some of the key variations in these laws as well as the interplay among them.
II. U.S. State Breach Notification Laws
Forty six U.S. states have now adopted a breach notification law.8 The laws generally apply to all persons that own, license, store or maintain certain sensitive personally identifiable information ("PII") about a resident of the state, regardless of where the person or PII is located. In addition, in at least one state, Connecticut, the Insurance Commissioner has issued its own data beach notification rules applicable to insurance companies and other persons subject to its jurisdiction.
The specific requirements of the laws can vary substantially, but in very general terms, the laws mandate that if there is unauthorized acquisition, use or access to unencrypted PII that threatens the integrity or security of such PII creating a risk of identity theft, the person that "owns" such PII must notify affected state residents, state agencies, consumer protection agencies and, in some instances, statewide media. If a service provider maintains the PII on behalf of its customer (the data owner), the service provider generally must notify the data owner which, in turn, must make the required notices.
In practice, the variations in these laws can present significant challenges.
A. Scope of Covered PII
The definition of covered PII varies among the states. Many states, such as Illinois, focus on the key data fields of name plus Social Security numbers, bank account numbers and credit or debit card numbers. Some states, such as Alaska, also include passwords, PINs and other access codes for financial accounts as separate data fields. Other states, such as North Dakota, have laws that cover a broad range of other data fields, such as date of birth, electronic signature, mother's maiden name, employer identification number and the like. Still other states, such as Nebraska and North Carolina, have laws that cover "unique biometric data," including fingerprints, voice prints and retinal images, within the definition of PII. Collectively, across the patchwork of state laws, there are more than 30 different categories of PII that can trigger a breach notification obligation.
B. Trigger for Notification Obligation
There are also variations as to what circumstances trigger an obligation to notify. For example, some states, such as Colorado, do not require notice unless misuse of the data is likely; similarly, some states, such as Maine, require notice if the breach creates a substantial risk of identity theft or fraud. In other words, in these states a "risk of harm" threshold applies before notice is required. In contrast, other states, such as Massachusetts, presume "risk of harm" and mandate notification whenever a person knows or has a reason to know that the covered PII was acquired or used by an unauthorized person or used for an unauthorized purpose.
C. Recipients of Notice
Although virtually all states with breach notification laws require some form of notice to residents affected by a data breach, individual states vary with respect to whether additional notice must be given to other entities, such as consumer reporting agencies or state agencies. In some states, such as Arkansas, no such additional notice is required. However, in Minnesota, if a data breach requires notification of more than 500 persons, then additional notice of the breach must be given to all national consumer reporting agencies. The threshold is different in other states, such as Michigan and Nevada, where the laws require national consumer reporting agencies to be notified if a data breach requires notification of more than 1,000 residents. And, in Georgia, notification of more than 10,000 residents is the relevant threshold for triggering notice to national consumer reporting agencies. Suffice it to say, there are similar variations among the states regarding notification of states agencies and attorneys general.
D. Content of Notice
Variations also apply regarding mandatory content in the notice. For example, North Carolina mandates that the notice to the individual must describe the nature of the incident. In contrast, Massachusetts specifies that the notice to Massachusetts residents must not describe the nature of the incident or the number of residents affected. Such direct conflicts generally drive towards different notices to different state residents, although such divergent requirements pose obvious challenges in situations where notice is also provided via the organization's website, given that both North Carolina and Massachusetts residents will view the same website.
E. Timing of Notice
Perhaps the most acute challenges arise on the timing of the notice. Many states, such as Massachusetts, require that notice be provided as soon as practicable and "without unreasonable delay." Some states establish specific timelines for notification in certain cases. For example, California requires notice in five days for certain health records. In contrast, other states, such as Arizona, impose affirmative obligations to conduct a reasonable investigation regarding the incident before notifying the affected individuals. In practice, a reasonable investigation could actually require substantially more than five days to complete, particularly if the situation involves a hacking incident or other complex scenario. The organization thus may not be able to satisfy both Arizona and California law on timing, even though both laws may apply to the same incident. Many states allow for delay in notification if requested by appropriate law enforcement agencies.
Most state breach notification laws do not directly establish a private right of action. Alaska, California and Delaware are among the few states that do provide a private cause of action. In some states, violation of breach notification laws may constitute an unfair practice, for which persons may bring suit when injured by such violation. In Massachusetts, the Attorney General may bring an action under the Massachusetts unfair and deceptive practices statute for violations of the breach notification law. Similarly, consumers in Maryland may bring actions under that state's law governing unfair and deceptive trade practices.
III. U.S. Federal Data Breach Notification Laws
There presently is no comprehensive national data breach notification law in the U.S. U.S. lawmakers over the past couple of years have tried to pass a national data breach notification law, but so far have been unsuccessful.
Earlier this year, President Obama unveiled a comprehensive cybersecurity proposal that includes rules and regulations for U.S. businesses in the event of a data breach.9 The proposed data breach law would apply to businesses that collect sensitive personally identifiable information on at least 10,000 individuals within a 12-month period. In the event of a breach, notification to affected individuals must be made within 60 days and media notification would be required when the number of affected individuals exceeds 5,000 in any state. The 5,000 threshold also triggers notification to the Department of Homeland Security.
Significantly, the proposal includes a risk-based safe harbor. If an entity determines there is no reasonable risk of harm from the breach, there is no obligation to notify.
The national law would supersede any state data breach laws and also carve out businesses that are subject to the breach notification requirements under the Health Information Technology for Economic and Clinical Health Act ("HITECH Act").
President Obama's proposal not only calls for enforcement by the Federal Trade Commission, but also allows state attorneys general to bring civil actions and seek fines of up to $1,000 per day, per affected individual, up to a maximum of $1 million per violation.
While it is impossible to predict when national legislation will be enacted, it appears to be only a matter of time before a national data breach law is enacted.
Today in the U.S. there are two major, industry-sector bodies of federal data breach notification laws, one applicable to the healthcare industry and the other applicable to the financial industry. In the healthcare area, U.S. federal data breach notification requirements are found in the HITECH Act, which is an amendment to HIPAA.10
In the financial area, U.S. federal breach notification requirements are found in the Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice ("Guidance") issued by bank regulatory agencies pursuant to the Gramm-Leach-Bliley Act ("GLBA").11 The Guidance is intended to clarify the responsibilities of financial institutions under Section 501(b) of the GLBA.
To be sure, there are non-industry specific bodies of federal law, such as the Federal Trade Commission Act ("FTC Act"), which also may be applicable. Section 5 of the FTC Act prohibits unfair, deceptive or misleading acts. The Federal Trade Commission's position is that it is an unfair act/practice if you fail to:
- Comply with applicable laws/regulations;
- Recognize obvious signs of identity theft; and/or
- protect information from recognized threats (e.g., SQL injection attacks).
The FTC has investigated data breach incidents and initiated actions against dozens of companies in the past 10 years, including Twitter, TJX, ValueClick, Life is Good, CardSystems Solutions, ChoicePoint, BJ's Wholesale Club, Rite-Aid and CVS Caremark.
In addition, the U.S. Securities and Exchange Commision's Division of Corporation Finance recently released guidance applicable to all publicly traded companies regarding disclosure obligations relating to cyber security risks and cyber incidents.12 According to the guidance:
A registrant may need to disclose known or threatened cyber incidents to place the discussion of cybersecurity risks in context. For example, if a registrant experienced a material cyber attack in which malware was embedded in its systems and customer data was compromised, it likely would not be sufficient for the registrant to disclose that there is a risk that such an attack may occur. Instead, as part of a broader discussion of malware or other similar attacks that pose a particular risk, the registrant may need to discuss the occurrence of the specific attack and its known and potential costs and other consequences.
. . . To the extent a cyber incident is discovered after the balance sheet date but before the issuance of financial statements, registrants should consider whether disclosure of a recognized or nonrecognized subsequent event is necessary. If the incident constitutes a material nonrecognized subsequent event, the financial statements should disclose the nature of the incident and an estimate of its financial effect, or a statement that such an estimate cannot be made.13
A. HIPAA and HITECH Act Under the HITECH Act, healthcare providers, medical insurers and other "covered entities," as well as their "business associates," have notification duties in the event of breaches of unsecured protected health information ("PHI").14
A breach is defined as the unauthorized access, use, acquisition or disclosure of PHI that compromises the security of PHI. Security is compromised if there is a substantial risk of financial, reputational, or other harm to the individual who is the subject of the PHI.
Under the HITECH Act, a breach is not:
- The unauthorized acquisition, access, use, or disclosure of de-identified PHI;
- The unauthorized acquisition, access, use, or disclosure of encrypted PHI, if the encryption meets certain prescribed standards;
- The unauthorized disclosure of PHI if the person would not reasonably be able to retain the information;
- The unintentional acquisition, access, or use of PHI by an employee or individual acting under the authority of a covered entity or a business associate if it was done in good faith and within the course and scope of the individual's employment or professional relationship; or
- An inadvertent disclosure by an employee or individual acting under the authority of a covered entity or a business associate to a similarly situated individual if the PHI is not further acquired, accessed, used, or disclosed.
In the event of a breach, business associates must notify the covered entity, and covered entities must notify the affected individuals, the Department of Health and Human Services ("HHS"), and the media (if more than 500 persons in a state are affected). Notice must be provided "without unreasonable delay" and "in no case later than 60 days from discovery of the breach."
The content of the notice must include the following:
- A brief description of what happened, including the date of the breach;
- A description of the types of PHI that were involved in the breach;
- The steps individuals should take to protect themselves from harm;
- A brief description of the steps taken to investigate the breach, mitigate losses and protect against further breaches; and
- Contact procedures for individuals to ask questions or learn additional information, including a toll-free telephone number, an email address, web site, or postal address.
State laws are pre-empted to the extent they are contrary to the HITECH Act requirements. A state law is contrary if an entity could find it impossible to comply with both the state and HITECH Act requirements or if the state law stands as an obstacle to the accomplishment and execution of the full purposes and objectives of the breach notification provisions. In most cases, a single notification can satisfy the state and HITECH notification requirements.
The HITECH Act put an increased emphasis on enforcement, including enhanced penalties. HHS has the authority to conduct compliance reviews of covered entities and business associates. Entities must cooperate with HHS, submit compliance reports as requested, and allow HHS access to facilities and records. In rare circumstances, individuals or entities may be held criminally liable for knowing violations of HIPAA. Imprisonment for up to 10 years is possible if the individual intended to sell or transfer individually identifiable health information for commercial gain or malicious harm.
There are four tiers of penalties, ranging from $100 for each violation (not to exceed $25,000 for the calendar year) to $50,000 for each violation (not to exceed $1,500,000 for the calendar year). In determining the amount of the penalty, HHS will consider the nature and extent of the violation and the nature and extent of the harm resulting from the violation.
In addition to the HHS imposed penalties, if a state attorney general has reason to believe that a resident of the state has been threatened or adversely affected by an entity that violates the breach notification requirements, the attorney general may bring a civil suit against the entity. There is no private right of action under the HITECH Act.
The Guidance issued by bank regulators requires that the financial institution notify affected customers "as soon as possible," if the institution determines that misuse of "sensitive customer information" has occurred or is reasonably possible. Customer notice may be delayed if an appropriate law enforcement agency determines that notification may interfere with a criminal investigation and requests in writing that the institution delay notification. The notice may be delivered in any manner designed to ensure that a customer can reasonably be expected to receive it.
"Sensitive Customer Information" means "a customer's name, address, or telephone number, in conjunction with the customer's social security number, driver's license number, account number, credit or debit card number, or a personal identification number or password that would permit access to the customer's account. Sensitive customer information also includes any combination of components or customer information that would allow someone to log onto or access the customer's account, such as user name and password or password and account number."15
Under the Guidance, the notice must contain the following content:
- Describe the incident in general terms and the type of customer information that was the subject of the unauthorized access or use;
- Describe what the institution has done to protect the customers' information from further unauthorized access;
- Provide a telephone number that customers can call for further information and assistance;
- Remind customers of the need to remain vigilant and to promptly report incidents of suspected identity theft to the institution; and
- Provide recommendations and other information (e.g., how to place a fraud alert in the customer's consumer reports and how to obtain a credit report), when appropriate, to protect against identity theft.
IV. Other Breach Notification Considerations
Data breach notification is a global compliance risk. Non-U.S. jurisdictions have begun to adopt breach notification requirements, and they often apply to a much broader range of data about individuals than the personal information regulated under laws in the United States. For example, under the Federal Data Protection Act,16 Germany has adopted breach notification requirements that apply to a wide array of personal data, including: (i) special categories of personal data (defined as any information on racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, health or sex life); (ii) personal data specifically protected by professional secrecy duties (e.g., in the medical, insurance or legal industry); (iii) personal data concerning criminal acts, administrative offenses, or the suspicion of the same; and (iv) personal data in relation to bank or credit card accounts.
Beyond regulatory obligations, breach notification duties can arise pursuant to contractual obligations between relevant parties. For example, merchants that accept credit cards and their service providers have various notification duties pursuant to Payment Card Industry, or PCI, requirements. The required timing for these notifications can often be significantly shorter than those that apply under regulatory duties.
V. Conclusions and Lessons
According to the experts, a data breach is not a single incident but rather a series of incidents. From the moment of discovery to the point of containment, proper investigation of a date breach can often take a significant amount of time, in many cases weeks and in some cases months. Given the stakes — disruption of business operations, damage to brand reputation and customer relationships, and possibility of government investigations and class action lawsuits — it is critical that an organization perform a proper investigation and know what it is talking about before it notifies affected individuals. Premature notification is not a good strategy and often may cause more harm than good.
In the event of a data breach, it's essential to know what laws apply and what each law requires. Complicating compliance is the maze of U.S. federal and state laws and regulations applying to data security breaches, with the result that different (and sometimes conflicting) laws can and often do apply to the same data security incident depending on factors such as the industry sector involved and the residency of affected individuals. Compliance requirements under each of these laws in turn will be determined by the role of the business and the nature of the personal information involved.
1 The author is a partner at Pierce Atwood LLP, a leading regional law firm with offices in Boston, MA, Portland and Augusta, ME, Portsmouth, NH, Providence, RI, Washington, DC, and Stockholm, Sweden, and leads the firm's Privacy and Data Security Practice Group and is a member of its Intellectual Property and Technology Practice Group.
2 2010 U.S. Cost of a Data Breach, Ponemon Institute (March 2011) http://www.symantec.com/about/news/resources/press_kits/detail.jsp?pkid=ponemon
3 Id. at page 4.
8 The four exceptions are Alabama, Kentucky, New Mexico and South Dakota.
11 Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice 70 Fed. Reg. 15736, (March 29, 2005).
13 Id. at pages 3 and 5.
14 A similar set of notification requirements applies to vendors of personal health records pursuant to Federal Trade Commission regulations issued under the HITECH Act.
15 Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice 70 Fed. Reg. 15736, 15741 (March 29, 2005).
16 http://www.bfdi.bund.de/EN/DataProtectionActs/Artikel/BDSG_idFv01092009.pdf%3F__blob%3DpublicationFile (updated through June 2010).
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.