…there is a real question as to whether this bug puts all OpenSSL users outside what’s called the “encryption safe harbor” in most of the state data breach notification laws and HIPAA.
As if regularly ensuring that firewalls and anti-virus protection are up to date and patched according to schedule wasn’t enough, now companies have to deal with a hack into the most widely-used encryption software, OpenSSL. The bug has been called “Heartbleed” because it redirects the “heart beat” that the secure link establishes between an internet site user and the site owner to pass sensitive information. It could be a bank, an e-commerce provider, a healthcare provider – you get the picture…
The looming questions here are: how much data (and what data) has been redirected, are individuals exposed, and, if so, has the affected entity experienced a “data breach” for purposes of data breach notification laws.
If the answer to that last question is “yes,” then there is a real question as to whether this bug puts all OpenSSL users outside what’s called the “encryption safe harbor” in most of the state data breach notification laws and HIPAA. If an entity experiences a “security breach” (as defined in the various laws), that breach may not be reportable if the compromised data was encrypted and that encryption keys were not compromised.
The vulnerability caused by the Heartbleed bug actually circumvents the purpose of OpenSSL: encryption. Therefore, the conclusion would appear to be that any data breach during the time of OpenSSL vulnerability (approximately two years) would be reportable because the data was not, in fact, encrypted.
Failure to immediately attend to patches and advising users to change passwords (after the fix has been applied, not before), can expose companies to potential liability. Most privacy policies make some statements about the security of the site, including a statement that the site uses “SSL” to secure information. If a company does not take action, they face potential private action, regulatory action for unfair and deceptive business practices (see the FTC latest settlements with Fandango and Credit Karma), and other actions. Health care covered entities could face HIPAA violations (or may already have HIPAA violations) by virtue of the bug.
[Cynthia Larose is chair of the Mintz Levin’s Privacy & Security Practice and a Certified Information Privacy Professional (CIPP). Among other things, Cynthia represents companies in information, communications, and technology, including e-commerce and other electronic transactions.
JD Supra's new First Glance series asks experts for their early response to breaking news stories. Stay tuned for additional updates in the series. Looking for insights? Send suggestions to firstname.lastname@example.org.]