United States: Responding To Data Breaches

Data breach risk impacts every business sector in the United States, particularly those industries collecting consumer information and healthcare organizations. According to the 2016 Ponemon Institute study, the average per capita cost of a data breach to a company in the United States was $221, with an average total organization cost of $7.01 million.1 The healthcare and financial services industries have the most costly data breaches, partly due to fines and an above-average rate of lost business.2 This article explores several steps private companies and healthcare organizations should take immediately following a data breach event.

Attacks can take the form of traditional hackers who penetrate network perimeters and gain access to secure systems, or can occur due to employee negligence or intentional misconduct. A growing threat comes from what is referred to as a phishing attack. The Federal Bureau of Investigation (FBI) recently issued a warning regarding this style of attack.3 In it, the FBI explains that "schemers go to great lengths to spoof company e-mail or use social engineering to assume the identity of the CEO, a company attorney, or trusted vendor. They research employees who manage money and use language specific to the company they are targeting, then they request a wire fraud transfer using dollar amounts that lend legitimacy."

Needless to say, lawmakers and industry leaders are working hard to prevent data breaches and impose consumer protections, yet, as of today, there are no comprehensive federal laws directed to the imposition of consumer notice requirements when consumer personal information is exposed (though there are several federal acts that are implicated, including the Federal Information Security Management Act; the Veterans Benefits, Health Care and Information Technology Act; the Privacy Act; the Gramm-Leach-Bliley Act; the Health Insurance Portability and Accountability Act; the Federal Trade Commission Act; the Telecommunications Act; and the Fair and Accurate Credit Transaction Act, to name a few). The Federal Trade Commission (FTC) also regulates industries through enforcement actions brought against companies that are alleged to have violated Section 5 of the FTC Act, which prohibits companies from acting unfairly or deceptively. The majority of states have enacted their own legislation governing a company's required response when a consumer data breach occurs.

In 2005, the state of New Jersey enacted legislation concerning the security of personal information retained by businesses.4 Pursuant to New Jersey law, a breach of security is defined to mean "unauthorized access to electronic files, media or data containing personal information that compromises the security, confidentiality or integrity of personal information when access to the personal information has not been secured by encryption or any other method or technology that renders the personal information unreadable or unusable."5 Personal information is defined to include, generally speaking, a name combined with a Social Security number, driver's license number (or state identification number), or an account number or credit/debit card number in combination with any required codes that permit access to an individual's financial account.6 Even dissociated data that would, if linked with other data, constitute personal information is included in the definition if it is disclosed with the means to link the dissociated data together.7

New Jersey imposes specific requirements on companies after a breach of security occurs. "Any business that conducts business in New Jersey, or any public entity that compiles or maintains computerized records that include personal information, shall disclose any breach of security of those computerized records following discovery or notification of the breach to any customer who is a resident of New Jersey whose personal information was, or is reasonably believed to have been, accessed by an unauthorized person."8 The disclosures should be made "in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement."9 Significantly, New Jersey law provides that disclosures of security breaches shall not be required if it can be established that misuse of the information is not reasonably possible.10 Additionally, businesses must notify the Division of State Police in the Department of Law and Public Safety for investigation or handling in advance of any disclosure to the impacted party.11

Based on the costs associated with a data breach event, several safeguards can be employed to avoid the necessity of making a public disclosure. Since, by definition, a breach of security only occurs when the personal information released to or accessed by an unauthorized party has not been secured by encryption, counsel should advise their clients to encrypt data containing personal information whenever possible. For example, the risk of a successful phishing attack would be greatly diminished if a company policy required all PDF documents to be encrypted when sent by email. In turn, the recipient could contact the sender to request the encryption key over the phone. Additionally, counsel could advise clients holding electronic data to segment data in different servers. For example, one server could house a database of customer names. A separate server could link the database in the first server to a second database of Social Security numbers and other personal information housed on the second server. If a server containing the database of customer names was compromised, there may be no data breach absent the additional breach of the second server and the link between the two databases.
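The two-server segmentation described above can be sketched as follows. This is an added illustration, not part of the original article: two in-memory SQLite databases stand in for the two servers, and the table names, function names and sample records are constructed for the example.

```python
import secrets
import sqlite3

# Constructed sample records (fictitious names, invalid "000" SSN prefixes).
SAMPLE = [
    ("Alice Example", "000-00-0001"),
    ("Bob Example", "000-00-0002"),
    ("Carol Example", "000-00-0003"),
]


def build_stores(customers):
    """Split (name, ssn) records across two stores.

    names_db stands in for server 1: customer names only.
    pii_db stands in for server 2: SSNs plus the link back to server 1.
    Identifiers are random, so nothing in a row hints at its counterpart.
    """
    names_db = sqlite3.connect(":memory:")
    pii_db = sqlite3.connect(":memory:")
    names_db.execute(
        "CREATE TABLE customers (customer_id TEXT PRIMARY KEY, name TEXT NOT NULL)")
    pii_db.execute(
        "CREATE TABLE pii (record_id TEXT PRIMARY KEY, ssn TEXT NOT NULL)")
    pii_db.execute(
        "CREATE TABLE link (customer_id TEXT PRIMARY KEY, "
        "record_id TEXT NOT NULL UNIQUE)")
    for name, ssn in customers:
        customer_id = secrets.token_hex(16)
        record_id = secrets.token_hex(16)
        names_db.execute("INSERT INTO customers VALUES (?, ?)", (customer_id, name))
        pii_db.execute("INSERT INTO pii VALUES (?, ?)", (record_id, ssn))
        pii_db.execute("INSERT INTO link VALUES (?, ?)", (customer_id, record_id))
    names_db.commit()
    pii_db.commit()
    return names_db, pii_db


def dump(db):
    """Everything a party with full read access to ONE store would obtain."""
    tables = [row[0] for row in
              db.execute("SELECT name FROM sqlite_master WHERE type='table'")]
    return {t: db.execute(f'SELECT * FROM "{t}"').fetchall() for t in tables}


def reconstruct(*dumps):
    """Return the (name, ssn) pairs that can be rebuilt from the given dumps.

    A pair is recoverable only when the names table, the link table and the
    SSN table are all present, i.e. when both stores have been read.
    """
    merged = {}
    for d in dumps:
        merged.update(d)
    names = dict(merged.get("customers", []))  # customer_id -> name
    link = dict(merged.get("link", []))        # customer_id -> record_id
    ssns = dict(merged.get("pii", []))         # record_id   -> ssn
    return sorted((names[c], ssns[r]) for c, r in link.items()
                  if c in names and r in ssns)


if __name__ == "__main__":
    names_db, pii_db = build_stores(SAMPLE)
    print("names store only :", reconstruct(dump(names_db)))
    print("pii store only   :", reconstruct(dump(pii_db)))
    print("both stores      :", reconstruct(dump(names_db), dump(pii_db)))
```

Note that the second store still holds Social Security numbers in the clear, so segmentation complements encryption of that store rather than replacing it.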

Counsel should also advise clients to ascertain the scope and impact of a data breach event immediately after it occurs. Counsel should retain third-party data breach technical specialists to verify that the data breach event has ended, ascertain what files were impacted, determine whether any additional hacker tools remain on the compromised system and then assist a client in the development of technical, physical and procedural safeguards to lower the likelihood of success for a subsequent data breach.

Additional legal considerations should be taken into account if a data breach impacts a health plan, healthcare clearinghouse or healthcare provider (i.e., a covered entity) or a business associate of a covered entity. The Health Insurance Portability and Accountability Act of 1996, as amended, and its implementing regulations (collectively for purposes of this article, HIPAA) regulates the activities of covered entities and their business associates with regard to protected health information. In general, protected health information (PHI) is individually identifiable health information (information that relates to the past, present or future physical or mental health or condition of an individual; the provision of healthcare to an individual; or the past, present or future payment for the provision of healthcare to the individual) that is transmitted by electronic media, maintained in electronic media or transmitted or maintained in any other form or medium.12

A breach is defined in the so-called breach notification rule of HIPAA as the acquisition, access, use or disclosure of unsecured PHI in a manner that is not permitted by HIPAA that compromises the security or privacy of the PHI.13 Similar to New Jersey's definition, a breach only occurs if the PHI is unsecured (i.e., the PHI is not rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology that has been specified in guidance issued by the secretary of the Department of Health and Human Services).14

So, there is no breach if the PHI that is accessed is secured in accordance with HIPAA and if the key to the encryption or other security measure has not also been accessed. Additionally, there are various exceptions to the definition of breach (e.g., breach does not include an unintentional acquisition, access or use of PHI by a workforce member or person acting under the authority of the covered entity if made in good faith and within the scope of the person's authority, and if it does not result in further use or disclosure in a manner not permitted by HIPAA).15

If a covered entity or business associate discovers that unsecured PHI may have been compromised, it should immediately consider whether one of the fairly limited number of exceptions to the definition of breach applies. It is important to note that if unsecured PHI has been released and none of the enumerated exceptions apply, a breach is presumed unless the covered entity or business entity can demonstrate there is a low probability the PHI has been compromised. This places the burden of proof on the affected covered entity or business associate, and requires an assessment of, at least: 1) the nature and extent of the PHI involved (Is it particularly sensitive? What types of identifiers were involved?); 2) the unauthorized person who used the PHI or to whom the PHI was disclosed (Was it to someone who is a healthcare provider and would not use or further disclose the information?); 3) whether the PHI was actually acquired or viewed (Did the person with access immediately delete the PHI without viewing it?), and 4) the extent to which the risk of the PHI has been mitigated.16

It should be noted that if there has been a ransomware attack, a breach is presumed if the PHI has been encrypted and is no longer available to the covered entity or business associate.17 In such an event, the attacker gains access to the entity's system and encrypts its data, holding it hostage until payment is received. A ransomware attack has a strong potential to disrupt a healthcare provider's ability to provide health services; it inflicts significant financial losses, can damage sensitive data beyond repair and undoubtedly will result in reputational harm. The best offense is a good defense, and there are a number of protective measures that have been recommended in recently issued guidance.18

If a breach has occurred, a covered entity or business associate must determine how to respond. The response will generally take various forms, all of which should be completed, including: 1) mitigation; 2) notification; and 3) education/prevention. The method of mitigation necessarily depends upon the nature of the breach. If malware has been detected, an entity should immediately act to isolate or quarantine the affected data and then work to remove the malware. If a breach was caused by misdirected correspondence, a covered entity should immediately notify the recipient and direct that the correspondence be returned or destroyed. The recipient may be asked to certify to its destruction and evince understanding that the PHI should not be further disclosed.

The breach notification rule requires that a covered entity notify each individual whose PHI is reasonably believed to have been breached without unreasonable delay and within no more than 60 days following discovery of the breach. Covered entities should ensure their business associates notify them of any potential breaches within a sufficient period of time (frequently, within no more than five days of the business associate's discovery of the potential breach) so the covered entity can meet its own HIPAA obligations.

The rule lists the required elements of these notifications, including a brief description of what happened; a description of the types of PHI involved; any steps individuals should take to protect themselves from potential harm (e.g., credit monitoring); a brief description of what the covered entity has done to investigate the breach, mitigate the harm and protect against further breaches; and contact procedures for individuals to ask questions.19 Additionally, notification must be given to the secretary of Health and Human Services or the secretary's delegate.20 If fewer than 500 individuals are affected, the covered entity may maintain a breach log and, no later than 60 days after the end of the calendar year, notify the secretary of all breaches that occurred.21 If there are 500 or more affected individuals, the notification must be contemporaneous with notification to the media, which is also mandated by the rule in such instances.22 Depending upon state law, the state police may be required to be notified. In the event of a ransomware attack, covered entities are urged to contact a local FBI or United States Secret Service field office immediately.23

A covered entity's response to a breach should include a consideration of (depending upon the circumstances surrounding the breach) whether employee disciplinary action or education is necessary under its policies and procedures and as a way to prevent future breaches. If the breach occurred because an employee accessed PHI out of curiosity, or posted PHI on social media, the covered entity may turn to its disciplinary policy, and may also require all employees take a refresher course on their HIPAA obligations. All staff should be trained on best practices and what they may and may not do with regard to PHI, and the consequences of failing to follow policies and procedures should be applied uniformly to all employees.

An ounce of prevention is worth a pound of cure, and no matter how good the cure, a business may not avoid penalty if its security is breached. Nonetheless, in this digital day and age, businesses must be prepared to respond to a data breach, and should consider the appropriate steps proactively so that if a breach occurs it is prepared. Implementation of policies and procedures that detail the steps that should be taken in the event of a security breach are both necessary and, in many industries, required by law.

This article originally appeared in the New Jersey Lawyer, December 2016.

Footnotes

1. Ponemon Institute, 2016 Cost of Data Breach Study: Global Analysis, 2 (June 2016), http://www-03.ibm.com/security/databreach/.

2. Id.

3. Federal Bureau of Investigation, FBI Warns of Dramatic Increase in Business E-Mail Scams (April 4, 2016), https://www.fbi.gov/contactus/field-offices/phoenix/news/press-releases/fbi-warns-of-dramatic-increase-in-business-e-mail-scams.

4. N.J.S.A. § 56:8-161, et seq.

5. N.J.S.A. § 56:8-161.

6. Id.

7. Id.

8. N.J.S.A. § 56:8-163(a).

9. Id.

10. Id.

11. N.J.S.A. § 56:8-163(c)(1).

12. 45 CFR § 160.103.

13. 45 CFR § 164.402.

14. 45 CFR § 164.403.

15. Id.

16. Id.

17. Department of Health and Human Services, Ransomware Fact Sheet, http://www.hhs.gov/sites/default/files/RansomwareFactSheet.pdf.

18. See, e.g., Letter from the Secretary of Health and Human Services to the Health Care Industry (June 20, 2016).

19. 45 CFR § 164.404.

20. Id.

21. Id.

22. Id.

23. U.S. Department of Homeland Security, U.S. Dept. of Justice & U.S. Dept. of Health and Human Svcs., Ransomware—What It Is and What to Do About It (June 2016), https://www.justice.gov/criminal-ccips/file/872766/download.
