United States: Responding To Data Breaches

Data breach risk impacts every business sector in the United States, particularly those industries collecting consumer information and healthcare organizations. According to the 2016 Ponemon Institute study, the average per capita cost of a data breach to a company in the United States was $221, with an average total organization cost of $7.01 million.1 The healthcare and financial services industries have the most costly data breaches, partly due to fines and an above-average rate of lost business.2 This article explores several steps private companies and healthcare organizations should take immediately following a data breach event.

Attacks can take the form of traditional hackers who penetrate network perimeters and gain access to secure systems, or can occur due to employee negligence or intentional misconduct. A growing threat comes from what is referred to as a phishing attack. The Federal Bureau of Investigation (FBI) recently issued a warning regarding this style of attack.3 In it, the FBI explains that "schemers go to great lengths to spoof company e-mail or use social engineering to assume the identity of the CEO, a company attorney, or trusted vendor. They research employees who manage money and use language specific to the company they are targeting, then they request a wire fraud transfer using dollar amounts that lend legitimacy."

Needless to say, lawmakers and industry leaders are working hard to prevent data breaches and impose consumer protections, yet, as of today, there are no comprehensive federal laws directed to the imposition of consumer notice requirements when consumer personal information is exposed (though there are several federal acts that are implicated, including the Federal Information Security Management Act; the Veterans Benefits, Health Care and Information Technology Act; the Privacy Act; the Gramm-Leach-Bliley Act; the Health Insurance Portability and Accountability Act; the Federal Trade Commission Act; the Telecommunications Act; and the Fair and Accurate Credit Transaction Act, to name a few). The Federal Trade Commission (FTC) also regulates industries through enforcement actions brought against companies that are alleged to have violated Section 5 of the FTC Act, which prohibits companies from acting unfairly or deceptively. The majority of states have enacted their own legislation governing a company's required response when a consumer data breach occurs.

In 2005, the state of New Jersey enacted legislation concerning the security of personal information retained by businesses.4 Pursuant to New Jersey law, a breach of security is defined to mean "unauthorized access to electronic files, media or data containing personal information that compromises the security, confidentiality or integrity of personal information when access to the personal information has not been secured by encryption or any other method or technology that renders the personal information unreadable or unusable."5 Personal information is defined to include, generally speaking, a name combined with a Social Security number, driver's license number (or state identification number), or an account number or credit/ debit card number in combination with any required codes that permit access to an individual's financial account.6 Even dissociated data that would, if linked with other data, constitute personal information is included in the definition if it is disclosed with the means to link the dissociated data together.7

New Jersey imposes specific requirements on companies after a breach of security occurs. "Any business that conducts business in New Jersey, or any public entity that compiles or maintains computerized records that include personal information, shall disclose any breach of security of those computerized records following discovery or notification of the breach to any customer who is a resident of New Jersey whose personal information was, or is reasonably believed to have been, accessed by an unauthorized person."8 The disclosures should be made "in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement."9 Significantly, New Jersey law provides that disclosures of security breaches shall not be required if it can be established that misuse of the information is not reasonably possible.10 Additionally, businesses must notify the Division of State Police in the Department of Law and Public Safety for investigation or handling in advance of any disclosure to the impacted party.11

Based on the costs associated with a data breach event, several safeguards can be employed to avoid the necessity of making a public disclosure. Since, by definition, a breach of security only occurs when the personal information released to or accessed by an unauthorized party has not been secured by encryption, counsel should advise their clients to encrypt data containing personal information whenever possible. For example, the risk of a successful phishing attack would be greatly diminished if a company policy required all PDF documents to be encrypted when sent by email. In turn, the recipient could contact the sender to request the encryption key over the phone. Additionally, counsel could advise clients holding electronic data to segment data in different servers. For example, one server could house a database of customer names. A separate server could link the database in the first server to a second database of Social Security numbers and other personal information housed on the second server. If a server containing the database of customer names was compromised, there may be no data breach absent the additional breach of the second server and the link between the two databases.

Counsel should also advise clients to ascertain the scope and impact of a data breach event immediately after it occurs. Counsel should retain thirdparty data breach technical specialists to verify that the data breach event has ended, ascertain what files were impacted, determine whether any additional hacker tools remain on the compromised system and then assist a client in the development of technical, physical and procedural safeguards to lower the likelihood of success for a subsequent data breach.

Additional legal considerations should be taken into account if a data breach impacts a health plan, healthcare clearinghouse or healthcare provider (i.e., a covered entity) or a business associate of a covered entity. The Health Insurance Portability and Accountability Act of 1996, as amended, and its implementing regulations (collectively for purposes of this article, HIPAA) regulates the activities of covered entities and their business associates with regard to protected health information. In general, protected health information (PHI) is individually identifiable health information (information that relates to the past, present or future physical or mental health or condition of an individual; the provision of healthcare to an individual; or the past, present or future payment for the provision of healthcare to the individual) that is transmitted by electronic media, maintained in electronic media or transmitted or maintained in any other form or medium.12

A breach is defined in the so-called breach notification rule of HIPAA as the acquisition, access, use or disclosure of unsecured PHI in a manner that is not permitted by HIPAA that compromises the security or privacy of the PHI.13 Similar to New Jersey's definition, a breach only occurs if the PHI is unsecured (i.e., the PHI is not rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology that has been specified in guidance issued by the secretary of the Department of Health and Human Services).14

So, there is no breach if the PHI that is accessed is secured in accordance with HIPAA and if the key to the encryption or other security measure has not also been accessed. Additionally, there are various exceptions to the definition of breach (e.g., breach does not include an unintentional acquisition, access or use of PHI by a workforce member or person acting under the authority of the covered entity if made in good faith and within the scope of the person's authority, and if it does not result in further use or disclosure in a manner not permitted by HIPAA).15

If a covered entity or business associate discovers that unsecured PHI may have been compromised, it should immediately consider whether one of the fairly limited number of exceptions to the definition of breach applies. It is important to note that if unsecured PHI has been released and none of the enumerated exceptions apply, a breach is presumed unless the covered entity or business entity can demonstrate there is a low probability the PHI has been compromised. This places the burden of proof on the affected covered entity or business associate, and requires an assessment of, at least: 1) the nature and extent of the PHI involved (Is it particularly sensitive? What types of identifiers were involved?); 2) the unauthorized person who used the PHI or to whom the PHI was disclosed (Was it to someone who is a healthcare provider and would not use or further disclose the information?); 3) whether the PHI was actually acquired or viewed (Did the person with access immediately delete the PHI without viewing it?), and 4) the extent to which the risk of the PHI has been mitigated.16

It should be noted that if there has been a ransomware attack, a breach is presumed if the PHI has been encrypted and is no longer available to the covered entity or business associate.17 In such an event, the attacker gains access to the entity's system and encrypts its data, holding it hostage until payment is received. A ransomware attack has a strong potential to disrupt a healthcare provider's ability to provide health services; it inflicts significant financial losses, can damage sensitive data beyond repair and undoubtedly will result in reputational harm. The best offense is a good defense, and there are a number of protective measures that have been recommended in recently issued guidance.18

If a breach has occurred, a covered entity or business associate must determine how to respond. The response will generally take various forms, all of which should be completed, including: 1) mitigation; 2) notification; and 3) education/prevention. The method of mitigation necessarily depends upon the nature of the breach. If malware has been detected, an entity should immediately act to isolate or quarantine the affected data and then work to remove the malware. If a breach was caused by misdirected correspondence, a covered entity should immediately notify the recipient and direct that the correspondence be returned or destroyed. The recipient may be asked to certify to its destruction and evince understanding that the PHI should not be further disclosed.

The breach notification rule requires that a covered entity notify each individual whose PHI is reasonably believed to have been breached without unreasonable delay and within no more than 60 days following discovery of the breach. Covered entities should ensure their business associates notify them of any potential breaches within a sufficient period of time (frequently, within no more than five days of the business associate's discovery of the potential breach) so the covered entity can meet its own HIPAA obligations.

The rule lists the required elements of these notifications, including a brief description of what happened; a description of the types of PHI involved; any steps individuals should take to protect themselves from potential harm (e.g., credit monitoring); a brief description of what the covered entity has done to investigate the breach, mitigate the harm and protect against further breaches; and contact procedures for individuals to ask questions.19 Additionally, notification must be given to the secretary of Health and Human Services or the secretary's delegate.20 If fewer than 500 individuals are affected, the covered entity may maintain a breach log and, no later than 60 days after the end of the calendar year, notify the secretary of all breaches that occurred.21 If there are 500 or more affected individuals, the notification must be contemporaneous with notification to the media, which is also mandated by the rule in such instances.22 Depending upon state law, the state police may be required to be notified. In the event of a ransomware attack, covered entities are urged to contact a local FBI or United States Secret Service field office immediately.23

A covered entity's response to a breach should include a consideration of (depending upon the circumstances surrounding the breach) whether employee disciplinary action or education is necessary under its policies and procedures and as a way to prevent future breaches. If the breach occurred because an employee accessed PHI out of curiosity, or posted PHI on social media, the covered entity may turn to its disciplinary policy, and may also require all employees take a refresher course on their HIPAA obligations. All staff should be trained on best practices and what they may and may not do with regard to PHI, and the consequences of failing to follow policies and procedures should be applied uniformly to all employees.

An ounce of prevention is worth a pound of cure, and no matter how good the cure, a business may not avoid penalty if its security is breached. Nonetheless, in this digital day and age, businesses must be prepared to respond to a data breach, and should consider the appropriate steps proactively so that if a breach occurs it is prepared. Implementation of policies and procedures that detail the steps that should be taken in the event of a security breach are both necessary and, in many industries, required by law.

This article originally appeared in the New Jersey Lawyer, December 2016.

Footnotes

1. Ponemon Institute, 2016 Cost of Data Breach Study: Global Analysis, 2 (June 2016), http://www-03.ibm.com/security/databreach/.

2. Id.

3. Federal Bureau of Investigation, FBI Warns of Dramatic Increase in Business E-Mail Scams (April 4, 2016), https://www.fbi.gov/contactus/ field-offices/phoenix/news/press-releases/ fbi-warns-of-dramatic-increase-in-business- e-mail-scams.

4. N.J.S.A. § 56:8-161, et seq.

5. N.J.S.A. § 56:8-161.

6. Id.

7. Id.

8. N.J.S.A. § 56:8-163(a).

9. Id.

10. Id.

11. N.J.S.A. § 56:8-163(c)(1).

12. 45 CFR § 160.103.

13. 45 CFR §164.402.

14. 45 CFR §164.403.

15. Id.

16. Id.

17. Department of Health and Human Services, Ransomware Fact Sheet, http://www.hhs.gov/sites/default/files/RansomwareFactSheet. pdf.

18. See, e.g., Letter from the Secretary of Health and Human Services to the Health Care Industry (June 20, 2016).

19. 45 CFR § 164.404.

20. Id.

21. Id.

22. Id.

23. U.S. Department of Homeland Security, U.S. Dept. of Justice & U.S. Dept. of Health and Human Svcs., Ransomware—What It Is and What to Do About It (June 2016), h t tps : //www. jus t ice.gov/c r iminal - ccips/file/872766/download.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

To print this article, all you need is to be registered on Mondaq.com.

Click to Login as an existing user or Register so you can print this article.

Authors
Similar Articles
Relevancy Powered by MondaqAI
Lewis Brisbois Bisgaard & Smith LLP
Lewis Brisbois Bisgaard & Smith LLP
 
In association with
Related Topics
 
Similar Articles
Relevancy Powered by MondaqAI
Lewis Brisbois Bisgaard & Smith LLP
Lewis Brisbois Bisgaard & Smith LLP
Related Articles
 
Related Video
Up-coming Events Search
Tools
Print
Font Size:
Translation
Channels
Mondaq on Twitter
 
Register for Access and our Free Biweekly Alert for
This service is completely free. Access 250,000 archived articles from 100+ countries and get a personalised email twice a week covering developments (and yes, our lawyers like to think you’ve read our Disclaimer).
 
Email Address
Company Name
Password
Confirm Password
Position
Mondaq Topics -- Select your Interests
 Accounting
 Anti-trust
 Commercial
 Compliance
 Consumer
 Criminal
 Employment
 Energy
 Environment
 Family
 Finance
 Government
 Healthcare
 Immigration
 Insolvency
 Insurance
 International
 IP
 Law Performance
 Law Practice
 Litigation
 Media & IT
 Privacy
 Real Estate
 Strategy
 Tax
 Technology
 Transport
 Wealth Mgt
Regions
Africa
Asia
Asia Pacific
Australasia
Canada
Caribbean
Europe
European Union
Latin America
Middle East
U.K.
United States
Worldwide Updates
Registration (you must scroll down to set your data preferences)

Mondaq Ltd requires you to register and provide information that personally identifies you, including your content preferences, for three primary purposes (full details of Mondaq’s use of your personal data can be found in our Privacy and Cookies Notice):

  • To allow you to personalize the Mondaq websites you are visiting to show content ("Content") relevant to your interests.
  • To enable features such as password reminder, news alerts, email a colleague, and linking from Mondaq (and its affiliate sites) to your website.
  • To produce demographic feedback for our content providers ("Contributors") who contribute Content for free for your use.

Mondaq hopes that our registered users will support us in maintaining our free to view business model by consenting to our use of your personal data as described below.

Mondaq has a "free to view" business model. Our services are paid for by Contributors in exchange for Mondaq providing them with access to information about who accesses their content. Once personal data is transferred to our Contributors they become a data controller of this personal data. They use it to measure the response that their articles are receiving, as a form of market research. They may also use it to provide Mondaq users with information about their products and services.

Details of each Contributor to which your personal data will be transferred is clearly stated within the Content that you access. For full details of how this Contributor will use your personal data, you should review the Contributor’s own Privacy Notice.

Please indicate your preference below:

Yes, I am happy to support Mondaq in maintaining its free to view business model by agreeing to allow Mondaq to share my personal data with Contributors whose Content I access
No, I do not want Mondaq to share my personal data with Contributors

Also please let us know whether you are happy to receive communications promoting products and services offered by Mondaq:

Yes, I am happy to received promotional communications from Mondaq
No, please do not send me promotional communications from Mondaq
Terms & Conditions

Mondaq.com (the Website) is owned and managed by Mondaq Ltd (Mondaq). Mondaq grants you a non-exclusive, revocable licence to access the Website and associated services, such as the Mondaq News Alerts (Services), subject to and in consideration of your compliance with the following terms and conditions of use (Terms). Your use of the Website and/or Services constitutes your agreement to the Terms. Mondaq may terminate your use of the Website and Services if you are in breach of these Terms or if Mondaq decides to terminate the licence granted hereunder for any reason whatsoever.

Use of www.mondaq.com

To Use Mondaq.com you must be: eighteen (18) years old or over; legally capable of entering into binding contracts; and not in any way prohibited by the applicable law to enter into these Terms in the jurisdiction which you are currently located.

You may use the Website as an unregistered user, however, you are required to register as a user if you wish to read the full text of the Content or to receive the Services.

You may not modify, publish, transmit, transfer or sell, reproduce, create derivative works from, distribute, perform, link, display, or in any way exploit any of the Content, in whole or in part, except as expressly permitted in these Terms or with the prior written consent of Mondaq. You may not use electronic or other means to extract details or information from the Content. Nor shall you extract information about users or Contributors in order to offer them any services or products.

In your use of the Website and/or Services you shall: comply with all applicable laws, regulations, directives and legislations which apply to your Use of the Website and/or Services in whatever country you are physically located including without limitation any and all consumer law, export control laws and regulations; provide to us true, correct and accurate information and promptly inform us in the event that any information that you have provided to us changes or becomes inaccurate; notify Mondaq immediately of any circumstances where you have reason to believe that any Intellectual Property Rights or any other rights of any third party may have been infringed; co-operate with reasonable security or other checks or requests for information made by Mondaq from time to time; and at all times be fully liable for the breach of any of these Terms by a third party using your login details to access the Website and/or Services

however, you shall not: do anything likely to impair, interfere with or damage or cause harm or distress to any persons, or the network; do anything that will infringe any Intellectual Property Rights or other rights of Mondaq or any third party; or use the Website, Services and/or Content otherwise than in accordance with these Terms; use any trade marks or service marks of Mondaq or the Contributors, or do anything which may be seen to take unfair advantage of the reputation and goodwill of Mondaq or the Contributors, or the Website, Services and/or Content.

Mondaq reserves the right, in its sole discretion, to take any action that it deems necessary and appropriate in the event it considers that there is a breach or threatened breach of the Terms.

Mondaq’s Rights and Obligations

Unless otherwise expressly set out to the contrary, nothing in these Terms shall serve to transfer from Mondaq to you, any Intellectual Property Rights owned by and/or licensed to Mondaq and all rights, title and interest in and to such Intellectual Property Rights will remain exclusively with Mondaq and/or its licensors.

Mondaq shall use its reasonable endeavours to make the Website and Services available to you at all times, but we cannot guarantee an uninterrupted and fault free service.

Mondaq reserves the right to make changes to the services and/or the Website or part thereof, from time to time, and we may add, remove, modify and/or vary any elements of features and functionalities of the Website or the services.

Mondaq also reserves the right from time to time to monitor your Use of the Website and/or services.

Disclaimer

The Content is general information only. It is not intended to constitute legal advice or seek to be the complete and comprehensive statement of the law, nor is it intended to address your specific requirements or provide advice on which reliance should be placed. Mondaq and/or its Contributors and other suppliers make no representations about the suitability of the information contained in the Content for any purpose. All Content provided "as is" without warranty of any kind. Mondaq and/or its Contributors and other suppliers hereby exclude and disclaim all representations, warranties or guarantees with regard to the Content, including all implied warranties and conditions of merchantability, fitness for a particular purpose, title and non-infringement. To the maximum extent permitted by law, Mondaq expressly excludes all representations, warranties, obligations, and liabilities arising out of or in connection with all Content. In no event shall Mondaq and/or its respective suppliers be liable for any special, indirect or consequential damages or any damages whatsoever resulting from loss of use, data or profits, whether in an action of contract, negligence or other tortious action, arising out of or in connection with the use of the Content or performance of Mondaq’s Services.

General

Mondaq may alter or amend these Terms by amending them on the Website. By continuing to Use the Services and/or the Website after such amendment, you will be deemed to have accepted any amendment to these Terms.

These Terms shall be governed by and construed in accordance with the laws of England and Wales and you irrevocably submit to the exclusive jurisdiction of the courts of England and Wales to settle any dispute which may arise out of or in connection with these Terms. If you live outside the United Kingdom, English law shall apply only to the extent that English law shall not deprive you of any legal protection accorded in accordance with the law of the place where you are habitually resident ("Local Law"). In the event English law deprives you of any legal protection which is accorded to you under Local Law, then these terms shall be governed by Local Law and any dispute or claim arising out of or in connection with these Terms shall be subject to the non-exclusive jurisdiction of the courts where you are habitually resident.

You may print and keep a copy of these Terms, which form the entire agreement between you and Mondaq and supersede any other communications or advertising in respect of the Service and/or the Website.

No delay in exercising or non-exercise by you and/or Mondaq of any of its rights under or in connection with these Terms shall operate as a waiver or release of each of your or Mondaq’s right. Rather, any such waiver or release must be specifically granted in writing signed by the party granting it.

If any part of these Terms is held unenforceable, that part shall be enforced to the maximum extent permissible so as to give effect to the intent of the parties, and the Terms shall continue in full force and effect.

Mondaq shall not incur any liability to you on account of any loss or damage resulting from any delay or failure to perform all or any part of these Terms if such delay or failure is caused, in whole or in part, by events, occurrences, or causes beyond the control of Mondaq. Such events, occurrences or causes will include, without limitation, acts of God, strikes, lockouts, server and network failure, riots, acts of war, earthquakes, fire and explosions.

By clicking Register you state you have read and agree to our Terms and Conditions