Short Guide to Responding to Data Security Breaches

The recent effective data for enforcement of the new HIPAA/HITECH data-security breach notification law, and continued passage of and amendments to state notification laws, make compliance with data-security breach notification requirements more challenging than ever.

The H&H Chronicle of Data Protection thought it would be useful to provide this Short Guide to Responding to Data Security Breaches as a refresher for some and as a wake-up call for others.

Companies collect, maintain, use, and exchange vast amounts of personal data on employees, consumers and others. Unwanted release or exposure of personal information can violate privacy, lead to identity theft, and result in adverse publicity. Lawmakers, regulators, and advocates are increasingly focused on data security and breaches of it. Data security is becoming a risk-management priority at companies.

Still, breaches happen, even with the most careful precautions.

Effective handling of a data-security breach and legal compliance are achieved best with advanced planning to ensure that an business's response is effective, efficient, and timely. Business responses will be facilitated if the business already knows which laws and contracts apply to its data and what its duties will be if its information is improperly disclosed or accessed.

Fundamentally, businesses should have a detailed written data security breach response plan that has been shared with those who will implement the response, because responding to a data security breach “on the fly” creates the potential for liability-creating mistakes.

What law applies to a data-security breach?

As most businesses know by now, starting in California in 2003, the law began to impose an obligation on those who hold data on persons to provide notice if there is a breach of its security. Forty-five states, Washington, DC, the Virgin Islands, and Puerto Rico have such laws currently, and federal rules govern disclosure of health-related personal information.

The Department of Health and Human Services (“HHS”) and the Federal Trade Commission (“FTC”) each has issued data breach notification rules. See this previous blog entry for details. The rules implement provisions of the American Recovery and Reinvestment Act of 2009 (“ARRA”) and are aimed at providing increased protection of individuals’ health information. Enforcement of the HHS and FTC breach notification rules began last month, as described here.

The Federal Trade Commission, state attorneys general, and private plaintiffs have pursued companies that have experienced data-security breaches. Such investigations typically have focused not only on whether notice protocols were followed, but also on underlying data security. Under HITECH, the Department of Health and Human Services has enhanced power to investigate and enforce against data security deficiencies.

What actions should the business take promptly after a breach?

Continue Reading...

FCC Releases National Broadband Plan, Promotes Consumer Control Over Personal Information

The Federal Communications Commission released its long-awaited National Broadband Plan today, providing an aggressive roadmap for advancing affordable broadband deployment and adoption; stimulating economic growth; and boosting the nation's capabilities in education, healthcare, homeland security, and other areas.  The Plan also appears to confirm that the FCC is looking to take an expanded role in privacy-related consumer protection issues.

In the Plan, the FCC discusses a number of broadband privacy and data security issues focused on the protection of and consumer control over personal information.  For example, the FCC states 

 

[t]he collection, aggregation and analysis of personal information are common threads among, and enablers of, many application-related innovations...

 

and the Plan notes the value of services such as customized suggestions for movie rentals or books and more targeted and relevant advertising.  It cautions, however

 

many users are increasingly concerned about their lack of control over sensitive personal data.

 

The FCC then remarks:  

 

Innovation will suffer if a lack of trust exists between users and the entities with which they interact over the Internet.  Policies therefore must reflect consumers’ desire to protect sensitive data and to control dissemination and use of what has become essentially their “digital identity.”  Ensuring customer control of personal data and digital profiles can help address privacy concerns and foster innovation.

The FCC also makes several broadband privacy and data security recommendations in the Plan, including:

  • Encouraging Congress and the Federal Trade Commission (as well as the FCC) to clarify the relationship between users and their online profiles, including disclosure and consent requirements and data collection, sharing, storage, safeguarding, and accountability responsibilities;
  • Suggesting that Congress consider helping spur the development of trusted "identity providers" that can help consumers maximize the privacy and security of their data;
  • Having the FTC and FCC jointly develop principles to require that customers provide informed consent before broadband service providers share certain information with third parties (including account and usage information and other personally identifiable information); and
  • Prompting the federal government to put additional resources into combating identity theft and fraud and enhancing consumer online security.

In addition, the Plan includes several privacy and data security recommendations in the smart grid and cybersecurity areas, including a recommendation that states require utilities to "provide consumers access to, and control of, their own digital energy information, including real-time information from smart meters and historical consumption, price and bill data over the Internet."  If states fail to do so within 18 months, the Plan recommends that Congress consider national legislation.

HITECH Act Rulemaking and Implementation Update

OCR posted the following announcement on its website suggesting that information regarding specific compliance and enforcement dates will be included in the rulemaking.  The Department did not provide any information on when to expect a proposed privacy regulation.

*****

OCR will implement important privacy and security provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act through notice and comment rulemaking, as required by the Administrative Procedure Act.  These provisions include: business associate liability; new limitations on the sale of protected health information, marketing, and fundraising communications; and stronger individual rights to access electronic medical records and restrict the disclosure of certain information.  OCR continues work on a Notice of Proposed Rulemaking (NPRM) regarding these provisions.  Although the effective date (February 17, 2010) for many of these HITECH Act provisions has passed, the NPRM and the final rule that follows will provide specific information regarding the expected date of compliance and enforcement of these new requirements.

However, interim final rules implementing HITECH Act provisions in two areas have already been issued and are currently in effect: enforcement and breach notification.  New civil money penalty amounts apply to HIPAA Privacy and Security Rule violations occurring after February 17, 2009.  Covered entities and business associates must comply now with breach notification obligations for breaches that are discovered on or after September 23, 2009. OCR announced previously that it would use its enforcement discretion not to impose fiscal sanctions with regard to breaches discovered before February 22, 2010. Since that date has passed, OCR will enforce the Breach Notification Interim Final Rule, including with the possible imposition of sanctions, as it does with the HIPAA Privacy and Security Rule requirements.

Article 29 Working Party Provides Guidance On Data Controller/Processor Concepts

Who is in “control” of personal data and who merely processes personal data on behalf of a data “controller”? These are essential questions for purposes of compliance with EU data protection requirements, yet answering them can be quite problematic in practice. The EU Data Protection Directive defines the controller as the person or entity that determines, alone or jointly with others, the purposes and the means of the processing of personal data. The processor, on the other hand, is the person or entity that processes personal data on behalf of the controller. Applying these concepts to a practical case may have been straightforward in the early days of the Directive, but in today’s Web 3.0, RFID and cloud computing environments many are perceiving the controller and processor distinction as archaic and, most importantly, unworkable in practice. At the same time, under the current legal regime the distinction is crucial in order to determine who is responsible for compliance with EU data protection rules, what Member State laws apply, and which data protection authorities are competent to supervise data processing operations.  

Last November in Madrid, when the 31st International Conference of Data Protection and Privacy Commissioners adopted the “International Standards on the Protection of Personal Data and Privacy”, there was a sparkle of hope that the controller and processors concepts would not survive the upcoming review of the EU data protection framework. The Standards use the more pragmatic concepts of “responsible person” (instead of “controller”) and “processing service provider” (as opposed to “processor”).

However, on 16 February 2010, the Article 29 Working Party (WP) adopted an opinion (Opinion 1/2010) on the concepts of “controller and “processor”, in which it takes the position that there is no reason to assume that the current distinction between controllers and processors would no longer be relevant and workable. The Article 29 WP acknowledges that applying these concepts to concrete situations can be complex, which is why it is providing specific guidance in its opinion to ensure a consistent and harmonized approach throughout the EU.                                                                   

The Article 29 WP’s opinion includes a comprehensive analysis of the controller and processor concepts as well as practical examples and rules of thumb on how to approach the concepts pragmatically. Without going into any level of detail, here are just a few of the Article 29 WP’s pearls of wisdom that can be found in the Opinion:

  • In many cases the responsibility of data controller can be attributed on the basis of an assessment of the factual circumstances. Contractual terms can often clarify the issue, although they are not decisive under all circumstances. Even if a contract is silent on who is the controller, it can still contain sufficient elements to assign the responsibility of controller to the party that apparently exercises a dominant role in that regard.
  • The data controller must determine the purposes and the means, i.e., the “why” and the “how” of certain processing activities. The crucial question, however, is to which level of detail somebody should determine purposes and means in order to be considered as a data controller. According to the Article 29 WP, whoever decides on the “purposes” of a data processing operation should be the controller. The data controller can delegate the determination of the “means” of the data processing, as far as technical or organizational measures are concerned. Substantial decisions that may affect the lawfulness of the data processing (e.g., how long will the data be stored) are reserved to the data controller.
  • In some cases, there may be several persons or entities that determine the purposes and means of a particular data processing operation and that therefore qualify as “joint controllers”. Although contractual arrangements can be useful in assessing joint control, they should always be checked against the factual circumstances of the parties’ relationship. Parties acting jointly also have a certain degree of flexibility in sharing and allocating data protection obligations and responsibilities, as long as they are compliant.
  • A data processor is a separate legal person or entity with respect to the data controller and processes personal data on the data controller’s behalf. The data processor is called on to implement the data controllers’ instructions at least with regard to the purposes and the essential means of the processing. The lawfulness of the processors’ data processing therefore depends on the specific mandate given by the controller. A data processor exceeding that mandate could be viewed as assuming the responsibilities of a (joint) controller.

The Article 29 WP’s opinion provides useful explanations and guidance in general, and its analytical approach is helpful. It is perhaps regrettable that the many examples in the opinion do not always include in-depth discussions of the specific issues raised (for instance, data processing by recruitment agencies or in the context of clinical trials).              

 

Internet Freedom and Data Privacy

On 22 February, the European Data Protection Supervisor (EDPS) released an unsolicited opinion on EU negotiations of an Anti-Counterfeiting Trade Agreement (ACTA). The EDPS expresses some strong opinions on the use of the “three strikes law” and other measures to control copyright violations by Internet users that might be in the ACTA. The EDPS is not subtle – he declares that “[s]uch practices are highly invasive in the individuals’ private sphere. They entail the generalised monitoring of Internet users’ activities, including perfectly lawful ones.” The opinion describes how a “three strikes” or similar approach might be set up, as well as the applicable EU data protection and privacy legal framework (in paragraphs 23 to 26). It then issues harsh conclusions (paragraphs 81 to what should be 88 but is mis-numbered as 80). The EDPS “strongly encourages” the Commission to set up a public and transparent dialogue on ACTA (which so far has been secret). He insists that the Commission strike a correct balance between “demands for the protection of intellectual property rights and the right to privacy and data protection,” which should be taken into account at the beginning of the negotiations. In his view:

85. …three strikes Internet disconnection policies are not necessary to achieve the purpose of enforcing intellectual property rights. The EDPS is convinced that alternative, less intrusive solutions exist or, at least, that the envisaged policies can be performed in a less intrusive manner or at a more limited scope, notably through the form of targeted ad hoc monitoring.

In the last paragraph of the conclusion the EDPS insists on being consulted on the measures to be implemented. EDPS opinions have no legal binding status but can be influential indicators of how data privacy laws might be interpreted.

Enterprises Should Beware the Pitfalls of Compliance with the Massachusetts Information Security Regulations

 

The Standards for the Protection of Personal Information of Residents of the Commonwealth of Massachusetts, 201 CMR 17.00 (“Massachusetts Standards”), include a broad range of administrative, physical, and technical obligations.  Nevertheless, there are certain common business processes that may pose unique and substantial compliance challenges.  Accordingly, organizations subject to these regulations should give very careful consideration to their practices in the following high risk areas. 

 

Email

 

First, the obligation to encrypt all sensitive personal information transmitted over public networks will have a substantial impact on the use of email to collect and transmit such data.  While there is generally accepted technology available to encrypt email and/or or files attached to emails, implementing such tools and properly training the workforce to use them may require significant expense.  (It should also be noted that this would apply to webpage forms that populate and transmit emails, as well as the use of Instant Messaging, Text Messaging, or similar technologies to transmit personal information.)

 

Organizations that exchange personal information directly with consumers may find the transition particularly difficult.  Many consumers may be ill-equipped to deal with encrypted messages and attachments.  Moreover, the encryption/decryption process may create negative user experiences that undermine customer goodwill.  While decrypting messages and attachments may be quite straightforward for the technology savvy consumer, it is likely to be confusing or frustrating for many others.  Similar complications may arise when dealing with small to mid-sized third party service providers that have limited technological sophistication.

 

In light of the foregoing, many organizations may consider alternative communications protocols, such as shifting email-dependent business processes to web browser-based processes that can be secured in a more efficient and centralized manner. Web pages served over secure HTTP or secure FTP could replace most present-day email communications involving personal information. 

 

Portable Devices

 

The Massachusetts Standards require the encryption of sensitive personal information stored on portable devices.  By the Massachusetts government’s own admission, there are no generally accepted encryption tools for use on many commonly-used portable devices, such as smartphones and PDAs.  As a result, enterprises subject to the Massachusetts Standards should carefully consider when it is necessary and appropriate, if ever, to store sensitive personal information on portable devices.  Alternatives, such as truncation of sensitive data (e.g., SSNs and financial account numbers) and use of secure online protocols (e.g., secure HTTP or secure FTP) for transmitting data to third parties, should be thoroughly contemplated.  In those instances when such storage is both necessary and appropriate, procedures, including workforce training, should be developed to ensure that the data remains secure during storage.

 

There is a certain level of overlap with the email concerns discussed above because a likely source of personal information on smartphones is the email messages that may accessed through the devices.  Since encryption of these messages may not be practicable, organizations may have further incentive to suspend the exchange of personal information via email in favor of browser-based protocols.  

 

Third Party Relationships

 

The Massachusetts Standards require enterprises to “select and retain” third party service providers that will provide safeguards consistent with the other requirements of the regulations, as well as contractually obligate third party service providers to maintain such safeguards.  The “select and retain” provision is fairly vague, affording the Massachusetts government (and courts) the opportunity to interpret it in ways that could introduce substantial obligations.  This provision appears to impose obligations to engage in pre-contract evaluation and post-execution monitoring of the security practices of third parties. 

 

Prior iterations of the Massachusetts Standards included an explicit requirement to obtain written certification of compliance from third party service providers.  Since that language has been removed, the regulations no longer provide concrete guidance on what steps should be taken to “select and retain” appropriate third party service providers.  The resulting ambiguity is a problem for both data owners and their prospective service providers.  Service providers are reluctant to reveal detailed information about their security policies and procedures because such information may be misused at significant cost to the service provider.  On the other hand, data owners are limited in their ability to rely upon imprecise representations of robust security measures from service providers because such representations appear to be self-serving. 

 

Accordingly, it is important for enterprises in both positions (as data owners and/or service providers) to thoroughly analyze the most effective and appropriate way to ensure that their contractual relationships satisfy the Massachusetts Standards.  Among the potential alternatives is the retention of reputable independent auditors to analyze service provider security practices and generate compliance reports for distribution to business partners (as is common for third parties that provide services subject to the Sarbanes Oxley Act). 

Massachusetts Regulations May Herald New Era for Information Security

 A new era of information security law may well start as the Standards for the Protection of Personal Information of Residents of the Commonwealth of Massachusetts, 201 CMR 17.00 (“Massachusetts Standards”) go into effect today, March 1, 2010.  All institutions collecting sensitive personal information (e.g., a name combined with a Social Security Number, state-issued identification number, or financial account number) from Massachusetts residents should pay careful attention to the requirements and enforcement of these regulations.  However, the implications beyond those entities that operate in Massachusetts may be longstanding as well.

 

Information Security Law Trend: From Generalities to Specificity

 

While information security statutes and regulations are fairly new developments in United States law, the previous trend reflected a bifurcated approach by federal and state authorities.  On the one hand, were somewhat ambiguous reasonableness standards imposed by states such as California and Texas.  On the other hand, were detailed regulations imposed upon industry sectors commonly involved in the handling of sensitive personal information, such as the HIPAA Security Rule, GLB Safeguards Rule, and FCRA/FACTA Disposal Rule. 

 

As press reports of significant breaches of sensitive personal information continued to mount, state lawmakers have taken an increasingly aggressive approach to regulation. Starting with the rather quiet passage of the Oregon Identity Theft Protection Act and more widely noted passage of the Minnesota Plastic Card Security Act, both in 2007, several states have attempted to adopt detailed information security obligations applicable to all entities that handle sensitive personal information.  Accordingly, Nevada has recently revised its data protection statute, which includes an obligation that businesses that handle credit card transactions must comply with the Payment Card Industry Data Security Standard (similar to the Minnesota Plastic Card Security Act).  Meanwhile, detailed information security regulations remain under development in New Jersey.

 

A New Revolution Starts in Massachusetts

 

The Massachusetts Standards stand as a unique development in this lineage because they are notably more comprehensive than the reasonable security statutes implemented in many states and expressly disclaim any exemptions based upon compliance with other regulatory schemes (whether self regulatory such as PCI DSS or federal such as HIPAA and GLB).  In fact, the Massachusetts Standards include a number of technical requirements that are not spelled out in similar detail in the federal sector-specific regulations.  For example, the Massachusetts Standards expressly require the implementation of network firewalls and regularly scheduled patching of operating systems, obligations that are not expressed in either the HIPAA Security Rule or the GLB Safeguards Rule. 

 

While the Commonwealth’s enforcement agenda remains to be seen, particularly with respect to out-of-state organizations, the regulations are likely to have a distinct impact on many entities. The wide scope of the regulations themselves (covering many administrative, physical, and technical security areas) and the entities arguably subject to the regulations (any entity, regardless of size, that collects sensitive personal information from Massachusetts residents), will compel a significant number of organizations to consider their compliance alternatives.

 

Although the Massachusetts Standards are designed to scale to the unique circumstances of each entity subject to the obligations (a point reemphasized in revisions issued on August 17, 2009), it is yet to be seen how the enforcement authorities will apply this scalability in practice.  Some of the provisions introduced in an attempt to increase the flexibility of the regulations have inadvertently led to new ambiguities.  For instance, the technical security requirements are only necessary to the degree that they are “technically feasible.”  However, the definition of “technically feasible” (“if there is a reasonable means through technology to accomplish a required result, then that reasonable means must be used”) provides limited practical guidance.  Regardless of their ultimate decisions, entities will be assuming a certain level of risk with any compliance decision until the Massachusetts authorities establish further guidance, either through supplemental documents or enforcement actions.

All that being said, many elements of the Massachusetts Standards are more evolutionary than revolutionary, but their impact may remain substantial.  For example, the Massachusetts Office of Consumer Affairs and Business Regulation has stated in its official Frequently Asked Questions that all backup media must be encrypted prospectively.  While encryption has been a solution of choice for legislators and regulators for sometime now, it has historically been encouraged as a form of safe harbor for data breach notification requirements (in state law and recently issued federal health data breach notification regulations).  However, the Massachusetts Standards join the Nevada encryption law in mandating the encryption of sensitive personal information both during transmission and during storage on portable devices and media.  The financial and opportunity costs of such wide ranging obligations to encrypt data may prove substantial and enterprises should be planning accordingly.

 

FTC Sends Warning Shot to Organizations Allowing Peer-to-Peer Software on their Networks

The Federal Trade Commission has warned one hundred businesses and organizations that peer-to-peer software (typically used by employees to download and share copyrighted music, software and movie files over the Internet) is exposing information on customers and employees, including health and financial data, Social Security numbers and driver's license numbers.

In a release entitled "Widespread Data Breached Uncovered by FTC Probe" the FTC warned that the presence of privacy-violating peer-to-peer software on an organization's network may represent a violation of the security obligations under a variety of federal statutes.

In one sample letter of the type sent to one of the 100 entities referenced in the FTC release the Commission wrote:

We have not determined whether your company is violating laws enforced by the Commission. However, the FTC is urging you to review your security practices for personal information about your customers and employees, and, if appropriate, the practices of contractors and vendors with access to such information, to ensure that the practices are reasonable, appropriate, and in compliance with the law. It is your responsibility to protect such information from unauthorized access, including taking steps to control the use of P2P software on your own networks and those of your service providers. (emphasis supplied)

In the letters sent to organizations found to be hosting the P2P software, the Commission also pointedly provided a link to the long list of enforcement actions taken by the Commission for inadequate data security (leading to compromised personal privacy).

While focused on the data security threats created by P2P software, the FTC's release also underscores the importance of data security generally and the legal risks involved in not adequately addressing the issue.   (In that connection, Hogan & Hartson's privacy and data security practice group regularly assists clients in conducting a risk management assessment to indentify privacy and data security issues, including the presence of P2P software, and to suggest remedial steps.)

List of Reported Breaches Affecting 500 or More Individuals is Now Available on HHS' Website

Today as the HHS Office of Civil Rights begins to enforce the federal health data breach notification rule, the agency publicly posted the list of reported breaches affecting 500 or more individuals. The list is available on the  HHS’ website and includes the following information:

  • the entity’s name
  • state
  • approximate number of affected individuals
  • date of breach
  • type of breach (e.g. theft, misdirected e-mail)
  • location of information at time of breach (e.g. desktop computer, laptop, paper, mailing).

Enforcement of HHS and FTC Breach Notification Rules Begin Today

Enforcement of the Department of Health and Human Services’ (“HHS’”) and the Federal Trade Commission’s (“FTC’s”) Breach Notification rules begin today. Both agencies initially exercised their enforcement discretion and delayed enforcement until February 22, 2010, to provide entities subject to the rules with time to implement compliance processes and procedures.

HHS’ interim final rule on breach notifications, issued on August 24, 2009, requires entities covered by HIPAA and their business associates to provide notification following discovery of a breach of security involving an individual’s unsecured protected health information.  Under the rule, covered entities are also required to notify the HHS Secretary. For breaches affecting fewer than 500 individuals that occurred during calendar year 2009 and after the September effective date of the HHS breach rule, notification to the Secretary must be submitted by March 1, 2010. 

The FTC breach rule, issued on August 17, 2009, applies to vendors of personal health records, PHR-related entities and third-party service providers.