Short Guide to Responding to Data Security Breaches

The recent effective date for enforcement of the new HIPAA/HITECH data-security breach notification law, and continued passage of and amendments to state notification laws, make compliance with data-security breach notification requirements more challenging than ever.

The H&H Chronicle of Data Protection thought it would be useful to provide this Short Guide to Responding to Data Security Breaches as a refresher for some and as a wake-up call for others.

Companies collect, maintain, use, and exchange vast amounts of personal data on employees, consumers and others. Unwanted release or exposure of personal information can violate privacy, lead to identity theft, and result in adverse publicity. Lawmakers, regulators, and advocates are increasingly focused on data security and breaches of it. Data security is becoming a risk-management priority at companies.

Still, breaches happen, even with the most careful precautions.

Effective handling of a data-security breach and legal compliance are achieved best with advance planning to ensure that a business's response is effective, efficient, and timely. Business responses will be facilitated if the business already knows which laws and contracts apply to its data and what its duties will be if its information is improperly disclosed or accessed.

Fundamentally, businesses should have a detailed written data security breach response plan that has been shared with those who will implement the response, because responding to a data security breach “on the fly” creates the potential for liability-creating mistakes.

What law applies to a data-security breach?

As most businesses know by now, starting in California in 2003, the law began to impose an obligation on those who hold data on persons to provide notice if there is a breach of its security. Forty-five states, Washington, DC, the Virgin Islands, and Puerto Rico have such laws currently, and federal rules govern disclosure of health-related personal information.

The Department of Health and Human Services (“HHS”) and the Federal Trade Commission (“FTC”) each has issued data breach notification rules. See this previous blog entry for details. The rules implement provisions of the American Recovery and Reinvestment Act of 2009 (“ARRA”) and are aimed at providing increased protection of individuals’ health information. Enforcement of the HHS and FTC breach notification rules began last month, as described here.

The Federal Trade Commission, state attorneys general, and private plaintiffs have pursued companies that have experienced data-security breaches. Such investigations typically have focused not only on whether notice protocols were followed, but also on underlying data security. Under HITECH, the Department of Health and Human Services has enhanced power to investigate and enforce against data security deficiencies.

What actions should the business take promptly after a breach?

Contain the breach. As soon as the business becomes aware of a data breach it should take all necessary steps to limit further data loss and should investigate the incident. It should also determine whether to involve law enforcement and should limit traffic into the affected area until security officials or law enforcement investigate.

Convene a response team. Businesses should have a standing security breach response team that includes representatives from the office of the general counsel, information technology security, human resources, internal audit, and public communications. When a breach occurs, the response team should convene without delay. Team composition may vary, according to the type and location of the breach.

Analyze the breach. The business should record all information relevant to the breach; learn and evaluate the cause and effect of the incident; determine whether other systems are at serious risk of future breach; and consider engaging specialized consultants to capture relevant information and perform forensic analysis.

Determine timing requirements. Time is of the essence. The laws of many states prescribe time limits for notifying persons whose data was breached. Expedition is not just sensible; often it is legally mandated.

Collect information promptly. Information that should be gathered promptly includes the date, time, duration, and location of the breach; how the breach was discovered, by whom, and any known details about it; and information on compromised data, including a list of affected individuals by category, data fields, the number of records affected, and which if any data were encrypted.

What next steps should the business take?

Analyze legal implications of the breach. Legal analysis should include analysis of relevant business contracts for notification and other obligations; breach-notification requirements; and pertinent indemnification agreements. The states and countries potentially involved in the breach should be identified with reference to the location of persons and systems affected by the breach. Federal, state, and international statutes and regulations potentially triggered or violated by the breach, and their notification requirements, should be identified.

Contact law enforcement. Where appropriate, contact local or federal law enforcement agencies.

Contact insurance carrier. Review insurance pertinent to the breach; notify the insurance carrier in accordance with policy requirements.

What internal and external breach-related communications should the business make?

A wave of telephone calls, e-mails, and other inquiries should be expected when a breach is reported. Before occurrence of a breach, the business should have a plan for handling such inquiries. Actions to consider include selecting a mode of communication with the public (toll-free 1-800 numbers and/or e-mail address); selecting a mode of communication with interested parties; training and hiring staff for inquiry response, or outsourcing such activities; preparing a script; notifying credit-reporting agencies prior to providing notification to a large group of affected persons (or as required by applicable law); documenting inquiry responses; and preparing Frequently Asked Questions (“FAQs”) for potential online posting.

What should be in the business’s notification plan?

The business should develop a notification plan for affected persons, based on legal requirements and its contractual obligations. The content of notice to affected persons will be dictated by regulation or contract, and public relations considerations should be taken into account. Remember that notices to attorneys general or consumer protection authorities are required in some jurisdictions. Similarly, how notice is delivered (e.g. by mail, or e-mail if the recipient agreed in advance to such notification method) requires a legal determination. Generally, notice should include this information:

  • Description of what happened;
  • Type of protected data involved;
  • Actions the business has taken to protect data from further unauthorized access;
  • What the business will do to assist affected persons;
  • What affected persons can do to assist themselves;
  • Contact information for the business to respond to inquiries (a toll-free 1-800 number should be provided); and
  • Contact information for local and federal government authorities.

The business may elect to offer remediation services to assist affected persons after a breach, including credit monitoring services, identity-theft insurance, identity-theft information packets, and/or compensation for identity theft. A number of companies have elected to offer remediation services, although usually such services are not legally required.

What other post-breach actions are indicated?

Prepare for litigation. If litigation is threatened, preservation of relevant documents and information is vital.

Re-assess technology systems, physical and administrative security. The business should conduct an analysis of the breach to determine causes and should review access controls and procedures to ensure that weaknesses have been addressed and resolved.

Perform an assessment. Assess the business's operations to determine necessary revisions to data collection, retention, storage, and processing policies and procedures, so that further breaches are less likely to occur.

Evaluate the business's response. After the business has responded to the breach, it should evaluate its response and implement changes to improve its effectiveness in preventing and responding to breaches.

Summary

  • Have a written post-breach response plan ready and tested before a breach happens.
  • Ensure that business officials know what role they will have when a breach happens.
  • Have a communications plan regarding breaches.
  • Know what regulations, statutes, and contracts cover post-breach obligations.
  • When a breach happens, act promptly to prevent further exposure of data.
  • Promptly find out what happened and preserve the evidence.
  • Involve technology and legal experts as needed.
  • Have draft notices that are ready to be customized with reference to the facts.
  • Contact law enforcement, credit reporting agencies, and the business's insurance carrier as appropriate.
  • Keep regulators informed, both when required by law and when merely sensible.
  • Provide timely notice; legal deadlines are strict.
  • Help affected individuals; their goodwill can forestall legal difficulties.
  • Update the breach response plan periodically.


House Passes Comprehensive Data Security Legislation

On December 8, the House of Representatives by voice vote passed H.R. 2221, entitled the "Data Accountability and Trust Act," which would require all organizations engaged in interstate commerce that manage or contract another to manage electronic data containing personal information to comply with a comprehensive set of standards designed to protect that information from unnecessary disclosure and to prevent identity theft and other fraud.

These measures include:

  • Requiring covered organizations to establish and implement comprehensive policies and procedures regarding information security practices for the treatment and protection of personal information, tailored to the individual organization's capabilities.  This would include:
    • the creation of a security policy;
    • the identification of a security officer or other individual as the point of contact for the organization's security program;
    • the creation of a process for assessing vulnerabilities to electronic systems containing personal information, including regular monitoring for security breaches;
    • the creation of a process for taking preventative and corrective action to mitigate against any vulnerabilities found; and
    • the creation of a process for the secure disposal of obsolete data.
  • Subjecting data brokers maintaining PII to standards similar to credit reporting agencies, including allowing individuals to request and correct false information maintained about them, and punishing data brokers for the unauthorized disclosure of personal information through "pretexting" -- that is, obtaining or hiring someone who obtains personal information of others through false pretenses.
  • Creating a federal data breach notification requirement that would mandate any organization suffering a breach of personal information to notify all affected individuals, unless it determines that there is no reasonable risk of identity theft, fraud, or other unlawful conduct (which can be presumed if the data is properly encrypted or otherwise rendered in an electronic form unreadable or undecipherable).  Organizations suffering breaches would also be required to provide consumer credit reports to affected individuals on a quarterly basis for two years.

The FTC would be directed to pass regulations and guidance implementing and interpreting many of the specifics, and would be granted civil enforcement authority through its power under the FTC Act to prevent unfair and deceptive trade practices.  In addition, the bill would empower state attorneys general to bring civil actions to enforce its provisions with regard to violations against residents of their respective states.

Penalties would be substantial.  The failure of any covered organization to implement a comprehensive data security program or of data brokers to implement requirements specific to them would carry a maximum penalty of $11,000 per violation -- which in the case of the data security program would be $11,000 per day -- up to a maximum of $5,000,000.  Failing to comply with the breach notification provision would carry a penalty of up to $11,000 per failed notification, up to a maximum of $5,000,000, which could theoretically be reached by an unreported breach of the personal information of only 455 individuals.

Importantly, the bill would preempt the breach notification laws of forty-five states, the District of Columbia, Puerto Rico, and the Virgin Islands, as well as the recent controversial Massachusetts regulations requiring the creation of a comprehensive data security program and policy by all organizations maintaining the electronic personal information of residents of that state.  It would not, however, replace any of the parallel federal breach notification standards, such as the breach notification rule recently issued by the Department of Health and Human Services under the HITECH Act and other disclosure requirements under the Fair Credit Reporting Act and the Gramm-Leach-Bliley Act.

Just last month, the Senate Judiciary Committee approved two bills very similar to H.R. 2221.  While there are some notable differences -- including criminal penalties, an applicability threshold for the data security program requirement, and express exemptions for entities in compliance with similar federal regulations in the Senate versions, and prohibition of pretexting and higher penalties in the House version -- all three bills have enjoyed bipartisan support and their purposes are aligned.  Though health care and other items remain higher on the Senate's agenda, and the full chamber is unlikely to vote on the bills for some time, proponents are now likely to point to the momentum generated by the passage of the House version to bring the issue before the Senate sooner rather than later.

Senate Committee Approves Data Security Bills Creating Federal Data Security Program, Breach Notification Requirements: Criminal and Civil Penalties Give Proposed Law Real Teeth

On November 5, the Senate Judiciary Committee passed two bills that collectively would preempt a large swath of the patchwork quilt of state data security and breach notification laws that largely comprise the U.S. regulatory landscape today.

S. 1490, introduced by Sen. Patrick Leahy (D-Vt.), would preempt most state data security laws. The bill would mandate the implementation of a comprehensive data security program by all businesses maintaining personally identifiable information (PII) of 10,000 or more individuals not currently required to do so by certain federal laws (such as GLBA for those maintaining financial information and HIPAA for those maintaining health information). Covered businesses would be required to conduct an internal data security risk assessment, adopt controls to reasonably manage these risks and to detect security breaches, and conduct regular vulnerability testing and reassessment to ensure their program is appropriately managing risks.

The bill would also create a federal data breach notification requirement, preempting the variety of state laws that today cause compliance headaches among those that experience such a breach. The bill's provisions mirror most of the common themes of the state laws, including that breaches must be reported "without unreasonable delay" except as necessary for law enforcement or national security purposes, and that in addition to the affected individuals notification must be made to prominent media in all states in which the information of 5,000 or more individuals is reasonably believed to have been breached. Like some of the state laws, the bill contains a "risk of harm" threshold, exempting notification in situations in which it is determined that there exists no significant risk that the breach will result in harm (with the approval of the Secret Service of this determination). The use of effective encryption, redaction, or other industry-standard controls would create a statutory presumption that no harm is likely to occur from a breach.

Among other provisions, the bill would:

  • create a federal crime for intentionally and willfully "concealing" a breach of PII that one has an obligation to report;
  • ask the U.S. Sentencing Commission to reevaluate criminal penalties associated with the theft or unauthorized access of PII;
  • subject data brokers maintaining PII to standards similar to credit reporting agencies, including allowing individuals to request and correct false information maintained about them, and notifying individuals when a third party takes adverse action against them based on the PII furnished; and
  • require federal contractors to meet certain data security requirements.

Notably, the House Energy and Commerce Committee passed a bill containing a number of similar provisions, H.R. 2221, including those pertaining to the security program, breach notification, and data brokers. The second Senate bill, S. 139, introduced by Sen. Dianne Feinstein (D-Calif.), would create a federal data breach notification requirement largely mirroring that of S. 1490 that would also preempt state data breach requirements. S. 1490 passed 14-5; S. 139 passed 14-2.

The civil penalties associated with a failure to comply with these bills would be substantial. Failure to institute a comprehensive security program would result in a fine of up to $5,000 per violation per day (double for willful violations) with a cap of $500,000 per violation, and failure to timely notify required parties of a reportable breach could lead to a penalty of up to $1,000 per day per individual whose PII was breached (doubled for willful violations), with a cap of $1,000,000 per violation. Violations of the data broker provisions could elicit penalties of $1,000 per violation per day, with a cap of $250,000 that would double with willful violations. In addition to the federal government (in some cases, the FTC was explicitly named), state Attorneys General would be granted the authority to enforce these laws on behalf of their affected residents.

Chances of this bill coming to vote before the full Senate in the near term are slim, especially with health care and appropriations at the forefront of the legislative agenda and relatively few days left in the current session. Nevertheless, this is not the first data security legislation introduced in Congress, and given the thought and detail put into crafting these bills, the committee endorsement, the number of co-sponsors, and increasing prevalence of identity theft and other relevant issues, such a law has a better-than-ever chance of coming into force at some point.

Live Blogging from Madrid Privacy Confabs: EU-Wide Data Breach Notification Requirement a Real Possibility

In advance of the global meeting of data protection authorities starting tomorrow in Madrid, the International Association of Privacy Professionals (IAPP) and the Electronic Privacy Information Center (EPIC) are hosting side events today at the conference hotel.

The biggest news so far, discussed at the IAPP event, is that the European Commission is seriously considering new data security breach notification laws. Previously, the Commission and the European Council had focused only on breaches at telecom companies and ISPs.

The Commission's Information Society Commissioner, Viviane Reding, now has said that new EU-wide legislation requiring all entities to notify individuals and authorities of breaches is seriously under consideration.

Thus, EU compliance officers are paying rapt attention to the discussion by the Americans here of how to comply with data security breach laws.

New Class of Data Security Breach Plaintiffs Possible If Maine Supreme Court Rules That Economic Harm Not Required

“Do time and effort alone, spent in a reasonable effort to avert reasonably foreseeable harm, constitute a cognizable injury under Maine common law?”

That is the question a federal district judge in Maine has put to the Maine Supreme Court in the data security breach litigation involving Hannaford Brothers.  In a ruling dated October 5, 2009, Judge D. Brock Hornby, who earlier this year had dismissed almost all of the claims in the consolidated class action for lack of "economic loss", reversed himself and sent to the Maine Supreme Court an issue that has the potential for opening the floodgates of litigation.  Plaintiffs so far have been unsuccessful in pursuing civil actions following data security breaches where they have not suffered real economic damages.

As Judge Hornby himself observed in his decision,

“if the Maine Law Court’s answer to the certified question on the cognizable harm issue favors the plaintiffs, the plaintiffs will have both a negligence claim and an implied contract claim.”

Such a development could have a profound impact on the vulnerability of companies experiencing data security breaches to civil claims, something they so far largely have avoided.  Thus, added to the existing costs of a data security breach (notification costs, credit monitoring costs, regulatory investigation costs, damage to reputation costs, etc.), there may soon be "time and effort" compensation costs.  As mentioned in an earlier post concerning Maine's law to protect kids from predatory marketing, which effectively is on hold, when the State of Maine enjoyed a reputation as a bellwether for presidential elections, this expression was in common parlance:

As Maine goes, so goes the nation?

It appears that while the State of Maine no longer has much impact on presidential elections, it could well have an impact on data security breach law.