What breach disclosure requirements mean for your organization
(Last updated on May 6, 2019)
Following a data breach incident, organizations subject to compliance standards such as HIPAA need to follow certain data breach notification requirements. This post summarizes some of these requirements, as well as region-specific disclosure responsibilities. For the purposes of this post, a data breach is an incident “where personal data has been subject to unauthorised access, collection, use or disclosure,” regardless of whether it was deliberate or unintentional.
While there is no federal data breach notification statute, 48 states, plus the District of Columbia, Guam, Puerto Rico, and the U.S. Virgin Islands, have implemented their own statutes that speak to notification obligations. While the underlying components remain the same across states, there are some variations, including what information encompasses personal information, and what constitutes a breach that triggers notification. This chart provides a great summary of basic state requirements.
In addition to the above, organizations in regulated industries, such as healthcare and banking, are bound by industry-specific requirements. For banking and financial institutions, the Federal Trade Commission, the agency enforcing regulations for entities under the Gramm-Leach-Bliley Act (GLBA), has issued a guide on how to respond to data breaches based on its interpretation of section 501(b) of the GLBA. The guide provides recommendations for securing operations, which include assembling a team of experts, fixing vulnerabilities by segmenting your network, reaching out to service providers, and having a communication plan. The notification guidance covers law enforcement, other affected businesses, and affected individuals.
The health care industry, along with its business associates and vendors, is governed by the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH). In the event of a breach, HIPAA (45 CFR §§ 164.400-414) and HITECH (section 13407) require notice to the affected individuals, to the U.S. Department of Health and Human Services (HHS), and, in cases affecting more than 500 residents of a State or jurisdiction, to the media. A list of breaches of “unsecured protected health information” affecting 500 or more individuals is posted on the Office for Civil Rights (OCR) portal. In this context, “unsecured protected health information” is defined as protected health information that has not been rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified by the Secretary of HHS in guidance.
Canada is transitioning from a voluntary approach, where it was up to the company to decide whether to share the incident with the public, to a mandatory one. New laws passed in 2015 as part of the Digital Privacy Act, Bill S-4, require all businesses to report any cyber security breach incident to the Office of the Privacy Commissioner of Canada once they have been made aware of its occurrence. Organizations are also obligated to notify any potentially affected individuals. The commissioner then decides whether the breach needs to be revealed to the public. Failure to comply will result in penalties of up to $100,000 per violation.
As of 2018, the European Union’s (EU) General Data Protection Regulation (GDPR) enforces a breach notification requirement for all EU-based companies. Companies outside of the EU that offer goods and services to, or monitor the behaviour of, EU data subjects are also bound by the new legislation. The requirement falls under Article 33 (Notification of a personal data breach to the supervisory authority) and Article 34 (Communication of a personal data breach to the data subject) of the GDPR. When a breach is discovered, the data processor must notify the data controller (the difference between a data processor and a data controller is explained here). The onus is then on the data controller to notify the national data protection regulator, no later than 72 hours after having become aware of the incident. That means that before the 72 hours are up, the company must find out what happened and who was affected, all the while trying to contain the problem. In cases where the data breach could result in high risk to a person’s “rights and freedom”, i.e., in physical, material or moral damage, data controllers are also required to communicate the breach to the individual. With no further guidance as to what constitutes high risk, the onus is on the individual organization to assess the impact and demonstrate the risk rating. Failure to comply with any of the above can result in a fine of up to €20 million or up to 4% of annual worldwide turnover, whichever is greater.
What about Brexit?
An anticipated question post-Brexit is whether the UK will need to abide by the GDPR rules. UK-based organizations are not completely off the hook, as the timing of their departure will still subject them to GDPR regulations for the better part of a year. In fact, businesses are urged to continue with GDPR compliance projects, especially global businesses that will still need to satisfy the thresholds of the GDPR. As for the long-term plan, there is indication that the UK will still have “GDPR-like” rules. This would provide legal certainty for businesses, as a different threshold for the UK would only complicate cross-border data protection.
While the specifics of the disclosure requirements vary by region and industry, they all require organizations to have a response strategy. It’s all hands on deck, and some organizations will need the help of a forensic expert to manage the incident. Once the immediate danger has passed, take the opportunity to improve existing processes. Lessons learned can be used to update your security policy and incident response plan.