An entity that compiles, maintains, or leases computerized records containing personal information may be subject to one or more data security breach notification laws. These laws tell an entity that has suffered a breach which kinds of personal information are protected, which events count as improper disclosures that trigger the duty to notify, and how notice must be given. This post gives a brief overview of the relevant U.S. federal laws and U.S. state laws, as well as the US-EU Safe Harbor Program and Canada’s Personal Information Protection and Electronic Documents Act.
United States Federal Law
Financial institutions that are significantly engaged in offering financial products and services are covered by the Gramm-Leach-Bliley Act, referred to herein as the GLB Act. The term “financial institution” is defined broadly by the statute and includes banks and mortgage lenders, and in certain circumstances may also include check-cashing businesses, payday lenders, non-bank lenders, personal property and real estate appraisers, professional tax preparers and courier services. The GLB Act supersedes any state law that is inconsistent with its provisions, unless the state law affords a consumer greater protection than the GLB Act does. Businesses are therefore advised to seek the counsel of an attorney familiar with both the federal and the state provisions.
The GLB Act also sets the minimum security standards financial institutions must meet to protect the confidentiality of their consumers’ information. The GLB Act’s security provisions (implemented by the Federal Trade Commission as the Safeguards Rule) have broader reach than the Act’s privacy provisions: they apply to all financial institutions subject to the jurisdiction of the Federal Trade Commission, regardless of whether the consumer information was derived from financial services obtained for a personal or a business purpose, and regardless of whether the institution obtained the information through a customer relationship. Specifically, the Safeguards Rule requires a financial institution to implement administrative, technical and physical safeguards appropriate to the risks it can reasonably foresee. That risk assessment considers a variety of factors, including employee training and management, the condition and integrity of the information systems in use, and the methods for detecting, preventing and responding to attacks, intrusions or other system failures. The resulting security program is specific to the institution and must be periodically evaluated and adjusted.
For companies in the health care field, the Health Insurance Portability and Accountability Act, commonly referred to as HIPAA, provides a set of notification requirements as well as security standards for health plans, health care clearinghouses, health care providers and certain other covered entities. HIPAA was enacted in part to prevent the disclosure of “individually identifiable health information,” also referred to as “protected health information” or simply “PHI.” Under HIPAA, PHI is information that relates to an individual’s past, present, or future physical or mental health or condition; the provision of health care to the individual; or the past, present, or future payment for the provision of health care to the individual; and that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual. There are no restrictions on the use or disclosure of de-identified health information, and de-identification can be accomplished either by the safe-harbor method (removing the specified identifiers) or by a determination from a qualified statistician.
Similar to the regulation of financial entities under the GLB Act, HIPAA also includes a Security Rule, which provides that covered entities must protect against reasonably anticipated threats to the security or integrity of PHI and against any reasonably anticipated uses or disclosures not permitted under the Privacy Rule. Further, and notably, covered entities must have a policy in place ensuring that third parties that possess PHI on the covered entity’s behalf comply with the same privacy and security standards. As with financial institutions under the GLB Act, covered entities may select which security measures to implement, as long as those measures are reasonable and appropriate under the HIPAA standards. The security standards include both required implementation specifications (for example, a covered entity must have a sanction policy for workforce members who fail to comply with its security policies and procedures) and addressable ones, which covered entities evaluate for appropriateness and reasonableness in their own environment (for example, procedures for monitoring workforce log-in attempts and reporting discrepancies). In making these choices, covered entities must take into account their size, their technical infrastructure, the cost of the security measures, and the probability and criticality of the potential risks.
Third-parties that are in possession of PHI on the covered entities’ behalf are termed “business associates.” Business associates are individuals or organizations, which are not part of the covered entity’s workforce, that create, receive, maintain, or transmit PHI on the covered entity’s behalf. Covered entities are obliged to enter into written agreements with business associates that impose specified written safeguards on the PHI used or disclosed by the business associates.
The Health Information Technology for Economic and Clinical Health Act (HITECH) extended the breadth of many of HIPAA’s privacy and security measures for health care entities. For example, following a breach of unsecured PHI, covered entities are required to notify the affected individuals and the Secretary of the Department of Health and Human Services, and, if the breach involves more than 500 residents of a state or jurisdiction, prominent media outlets serving that state or jurisdiction. Individual notice must be given without unreasonable delay and in no case later than 60 calendar days after the breach is discovered. HITECH also extended the standards of HIPAA’s Privacy Rule and Security Rule, together with the civil and criminal penalties for violating them, to covered entities’ business associates.
The Federal Trade Commission (“FTC”) also imposes the “Health Breach Notification Rule,” which applies to certain foreign and domestic vendors of personal health records, related entities and their third-party service providers that access or use the personal health record information of U.S. citizens and residents. The Health Breach Notification Rule applies irrespective of the usual jurisdictional tests of the FTC Act, and it excludes HIPAA-covered entities and their business associates.
What constitutes a breach under the FTC’s Health Breach Notification Rule, the method of notification, and the content of the notice are all similar to the provisions of HIPAA. Just as under HIPAA, the FTC rule requires a covered vendor to notify each consumer whose unsecured personal health record information was acquired by an unauthorized person as a result of a breach of security. Breached entities must also notify the FTC. Permitted methods of notice include individual mailed notice, email if the consumer consented to electronic notice, and notice to prominent media outlets serving a state if the personal health records of 500 or more residents of that state were involved in a suspected or actual breach. Third-party service providers must in turn notify the vendor they serve of any breach or suspected breach. Notice must be sent without unreasonable delay and in no case later than 60 calendar days after the breach is discovered or reasonably should have been discovered.
As the synopsis above shows, there is no single comprehensive federal law governing data security breaches. To complicate matters further, in addition to the federal statutes, almost every state has its own breach notification law. Congress has seen several attempts to pass bills designed to provide greater uniformity among the states’ breach notification laws; as of the date of this post, these attempts include the following (status as of August 21, 2013):
H.R. 749, Eliminate Privacy Notice Confusion Act (Rep. Luetkemeyer): passed the House on March 12, 2013; goes to the Senate next for consideration.
S. 635, Privacy Notice Modernization Act of 2013 (Sen. Brown): assigned to a Senate committee on March 21, 2013, which will consider it before possibly sending it to the full Senate.
H.R. 1121, Cyber Privacy Fortification Act of 2013 (Rep. Conyers, Jr.): referred to the House Subcommittee on Crime, Terrorism, Homeland Security, and Investigations on April 15, 2013.
S. 1193, Data Security and Breach Notification Act of 2013 (Sen. Toomey): referred to the Senate Committee on Commerce, Science, and Transportation on June 20, 2013.
United States State Law
Forty-six states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands have a Breach Notification Law (BNL) that requires persons and organizations to notify individuals whose personal information has been breached. In addition to these jurisdictions, New York City has its own set of breach notification laws, applicable to any business subject to the jurisdiction of the city’s Department of Consumer Affairs that has personal information of any resident of New York City.
BNLs vary by jurisdiction although sharing several elements. In many jurisdictions, “personal information” is an individual’s first name or first initial and last name plus one or more of the following pieces of data: (i) Social Security Number; (ii) driver’s license number or state-issued ID card number; (iii) account number, credit card number or debit card number combined with any security code, access code, PIN or password needed to access the account. Some states have an expanded definition of personal information, such as in Maryland where an individual taxpayer identification number is protected personal information and in North Carolina where personal information includes mother’s maiden name, computer system password, electronic signature and unique biometric data such as fingerprint, voice print, retinal image or iris image.
In general, under most BNLs a “breach” requires the following elements to be met, with common variations in parentheses: (i) (a reasonable likelihood of) unauthorized and bad-faith (ii) acquisition of (iii) unencrypted or unredacted (iv) (computerized) personal information (v) (which is likely to cause harm). If any element required by the applicable BNL is absent, the notification requirement in that state is not triggered. Of special note, in many jurisdictions mere knowledge of a potential breach is enough to trigger a duty to investigate.
The National Conference of State Legislatures maintains an easy-to-read chart summarizing all of the BNLs.
Breach notification laws tend to cast a wide net, applying to persons or entities that acquire, own, or license computerized data that includes personal information of that particular state’s residents, and in most states regardless of whether the person or entity is registered to do business in that state. As a result, not only do the owners or licensees of the data have obligations under BNLs, but so do the individuals and entities that have access to personal data on the covered entities’ behalf.
Almost all states’ BNLs have a safe harbor provision, which provide that notification is not required if the personal data that is lost, stolen, or accessed by an unauthorized individual is encrypted, redacted or is otherwise secured by a method or technology that renders it unreadable or unusable. Encrypted data requires that the data be in a form that is unreadable or unusable without use of a confidential process or key. Redacted data is data that has been altered or truncated so that no more than five digits of a social security number or the last four digits of a driver’s license, state identification number or account number are accessible.
In the event of a breach or suspected breach, the party subject to the BNL bears the burden of showing that the compromised data meets that state’s statutory definition or standard of encryption and/or redaction in order to invoke the safe harbor. Several statutes also withhold the safe harbor where the encryption key or confidential process was acquired along with the data, so a breach that exposes both ciphertext and key is treated as a breach of unencrypted data.
The time frame in which breached entities must notify victims varies by jurisdiction, ranging from “in the most expedient time possible and without unreasonable delay” to “no longer than 7 business days” to “no later than 45 days.” Depending on the statute, the notice may be written, electronic, or even conveyed by telephone.
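The safe-harbor test above turns on two factual questions: was the data encrypted (and was the key kept out of the attacker’s hands), and if not, was each data element redacted to the statutory standard? The following Python is an added example, not code from the original post, that encodes the redaction standard quoted above (no more than five digits of a Social Security number, and only the last four digits of a driver’s license, state ID or account number, readable) and applies it to a constructed set of exposed records to decide which individuals fall outside the safe harbor. The element names, the `key_compromised` flag and the sample records are assumptions for illustration; the name-plus-element and account-plus-credential wrinkles in the definition of personal information are deliberately left out.

```python
from dataclasses import dataclass, field

# Added example, not from the original post. Encodes the redaction standard
# described in the text: at most five digits of an SSN, and only the last
# four digits of a driver's license, state ID or account number, may remain
# readable. Element names are an assumption for illustration.
MAX_VISIBLE = {"ssn": 5, "drivers_license": 4, "state_id": 4, "account": 4}
MASK = "X"


def redact(kind: str, value: str) -> str:
    """Mask all but the permitted trailing digits of a stored value.

    Non-digit separators (dashes, spaces) are preserved so the redacted
    string keeps its original shape, e.g. 123-45-6789 -> XXX-X5-6789.
    """
    keep = MAX_VISIBLE[kind]
    to_hide = max(sum(c.isdigit() for c in value) - keep, 0)
    out, hidden = [], 0
    for ch in value:
        if ch.isdigit() and hidden < to_hide:
            out.append(MASK)
            hidden += 1
        else:
            out.append(ch)
    return "".join(out)


def is_redacted(kind: str, value: str) -> bool:
    """True if no more than the permitted number of digits are readable."""
    return sum(c.isdigit() for c in value) <= MAX_VISIBLE[kind]


@dataclass
class BreachedRecord:
    """One exposed record: the individual's name plus the accessed elements."""
    name: str
    elements: dict = field(default_factory=dict)  # element kind -> stored value
    encrypted: bool = False
    key_compromised: bool = False  # assumption: key taken along with the data


def safe_harbor_applies(rec: BreachedRecord) -> bool:
    """Apply the safe-harbor test to one record.

    Encrypted data qualifies only if the key was not also acquired; otherwise
    every exposed element must meet the redaction standard.
    """
    if rec.encrypted and not rec.key_compromised:
        return True
    return all(is_redacted(kind, val) for kind, val in rec.elements.items())


def records_needing_notice(records):
    """Names of individuals whose records fall outside the safe harbor."""
    return [r.name for r in records if not safe_harbor_applies(r)]


# Constructed sample records, not drawn from any real incident.
SAMPLE = [
    BreachedRecord("A. Resident", {"ssn": "123-45-6789"}),
    BreachedRecord("B. Resident", {"ssn": redact("ssn", "123-45-6789")}),
    BreachedRecord("C. Resident", {"account": "4111 1111 1111 1111"},
                   encrypted=True),
    BreachedRecord("D. Resident", {"account": "4111 1111 1111 1111"},
                   encrypted=True, key_compromised=True),
    BreachedRecord("E. Resident", {"drivers_license": "A1234567",
                                   "ssn": "XXX-XX-6789"}),
]

if __name__ == "__main__":
    print(records_needing_notice(SAMPLE))
```

Run as a script it lists A, D and E: A’s SSN is in the clear, D’s account number was encrypted but the key went with it, and E’s driver’s license number is unredacted even though the SSN is. B and C stay inside the safe harbor. The masking function counts digits rather than characters so that letters and separators in a license or account number do not inflate what is "visible".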
Most BNLs require covered entities to notify additional parties besides the victims of the breach. For instance, if the number of victims exceeds a certain number, usually 1,000 individuals, the breached entity may have to notify all consumer reporting agencies. Massachusetts, Maryland, Louisiana and a majority of other states and jurisdictions require in the event of a breach that covered entities notify some type of regulatory authority, such as the attorney general, the director of consumer affairs, or insurance commissioner.
Nevada and other states extend the notification duty to entities that maintain data owned by other entities. In this situation, notice must be given to the owner of the data, which in turn triggers the owner’s duty to notify victims.
Form of Notice
In many BNLs, notice requires individual written notice that includes a description of the incident in general terms, description of the type of personal information that was subject to the unauthorized access, and contact information of the covered entity for further questions. It is also common for BNLs to mandate that the notice inform the resident that he/she has a right to obtain reports from the police department and consumer reporting agencies, and provide instructions on how to request a security freeze. Often, notification by email may be permitted if the affected resident consented to receive electronic notice by the covered entity or if there is an existing business relationship with the affected resident that includes periodic electronic communications.
In addition, “substitute notice,” in the form of email to affected residents or conspicuous posting on the covered entity’s website, may be allowed where the cost of individual written notice would be prohibitive or the affected class is very large. For example, Massachusetts allows substitute notice if the cost of providing notice would exceed $250,000, if the number of affected Massachusetts residents exceeds 500,000, or if the covered entity does not have sufficient contact information to provide notice.
Mobile App Developer Recommendations
In January 2013, California’s Attorney General Kamala D. Harris posted a set of privacy recommendations for App Developers, App Platform Providers and Advertising Networks operating in the mobile app sphere.
As many developers’ business models depend on data collection to attract advertisers, it seems unlikely that these recommendations will be widely adopted.
United States – European Union Safe Harbor Program
Businesses that deal with EU companies or have customers in the EU should note that the European Union’s standard for adequate privacy protection is defined differently than in the United States. The European Commission, the executive body of the EU, prohibits companies operating in the EU from sending personal data to countries outside the European Economic Area (EEA) unless there is a guarantee that the data will receive an adequate level of protection. To streamline compliance with EU Directive 95/46/EC for US companies, the U.S. Department of Commerce, in consultation with the EU, created the US-EU Safe Harbor Program.
The US-EU Safe Harbor Program is a certification process that US companies can opt into by complying with the seven Safe Harbor Privacy Principles (notice, choice, onward transfer, security, data integrity, access, and enforcement). Eligible companies can self-certify or hire a third party to perform the assessment, and every participant must re-certify every 12 months.
Besides the opportunity to work with EEA companies and clients, enrollment in the US-EU Safe Harbor Program provides that claims brought by EU citizens against U.S. companies will be heard in the U.S., subject to certain limitations. Further, the streamlined process encourages participation by small and medium organizations. A list of certified Safe Harbor organizations is available to the public.
Currently, the European Commission is considering replacing Directive 95/46/EC with a regulation, which, unlike a directive, cannot be amended or tailored by individual member states. As Viviane Reding, Vice President of the European Commission and EU Justice Commissioner, explains:
The EU already has a data protection law: a Directive which dates back to 1995. In the intervening 18 years, the Member States have reacted to new technologies differently. The result is an inconsistent patchwork of 27 different national laws. It entails huge legal costs for firms who simply want to do business across the EU. The European Commission is eliminating those costs by replacing the current Directive by one single clear set of rules for all businesses in the Union – resulting in savings for companies of around 2.3 billion EUR per year.
Canada’s Personal Information Protection and Electronic Documents Act
A U.S.-based organization that handles personal information of Canadians is subject to the country’s Personal Information Protection and Electronic Documents Act (PIPEDA). Passed in 2000, PIPEDA is Canada’s national privacy law applying to personal information collected, used and disclosed by private sector organizations involved in commercial activities. In its current form, PIPEDA does not require organizations to notify individuals whose personal information was involved in a breach. Nor does it require organizations to notify a regulatory authority. What PIPEDA does require of organizations is that they meet certain safeguarding standards through the use of physical, technological and organizational measures.
In February 2013, Bill C-475 was introduced in the House of Commons. In relevant part, organizations would have to “notify the Commissioner of any incident involving the loss or disclosure of, or unauthorized access to, personal information, where a reasonable person would conclude that there exists a possible risk of harm to an individual as a result of the loss or disclosure or unauthorized access.” The Commissioner may then require the organization to notify affected individuals, though an organization may voluntarily notify individuals at any point. The progress of the bill can be followed on the Parliament of Canada’s website.
The breadth of the data security breach notification laws cannot be overstated. Not only are more businesses collecting personal information, but technology has enabled businesses to collect more types of personal information and to retain it for longer periods. Somewhat surprisingly, some companies are unaware that they are collecting personal information from their users and employees at all. Information gathering is a necessary part of growing a business and providing better products and services, but it obliges every business to have appropriate privacy and security measures in place. Part of any periodic business evaluation should be a review of those measures by legal counsel that is well versed in technology and experienced in navigating and applying the various laws and regulations.