This article was published in the Westlaw Journal Computer & Internet (Volume 33, Issue 7) on September 11, 2015. Reprinted here with permission. © 2015 Thomson Reuters.
In light of numerous recent data breaches, cybersecurity has emerged as an issue impacting organizations ranging from the local hardware store to the largest multi-national firms in the world. In short, no industry is immune to the threat of a data breach.
While some business sectors have begun to adapt to the changing technological environment, many organizations remain woefully underprepared. According to Verizon’s recent Data Breach Investigations Report, in 60 percent of cases, attackers were able to compromise an organization within minutes.1
So what can organizations do to prevent or otherwise prepare for a cybersecurity breach? It is imperative to understand where and how your organization stores data and the laws applicable to that data.
This article will focus on the legal framework. As an initial matter, it is important to understand that data security laws vary by industry and state, and while there are numerous federal regulations addressing cybersecurity, there is no one uniform law on the subject.
State Privacy Laws
The broadest of the cybersecurity regulations are the state data breach notification laws. The state data breach laws are not industry specific and therefore apply to virtually all organizations.
In addition to 47 states, the District of Columbia, Puerto Rico, Guam and the Virgin Islands have enacted statutes requiring notification of security breaches involving personal information. Notification is based on the location of the affected individuals, not the location of the breach. Thus, even one small incident could implicate the laws of numerous states. Moreover, organizations must act quickly as notice deadlines range from 10 days after discovery of the incident to “without unreasonable delay.”2
There is essentially a three-step analysis to determine whether a state law requires notification of a data breach. First, you must examine the law’s definition of a breach. Second, you must examine whether “personal information” is involved. Third, in some states you must apply an analysis of unauthorized access and risk of harm.
Most state laws generally define a data breach as the unauthorized acquisition or access to personal information in an electronic or computerized format that compromises the data’s security, confidentiality or integrity.
Although data breach statutes vary from state to state, personal information generally includes:
An individual’s first name, or first initial, and last name plus one or more of the following data elements:
Many states exclude from this definition:
Most statutes also include a data-encryption safe harbor, which does not require notification if the compromised data was inaccessible because of encryption.
The final step in the data-breach notification analysis is to see whether the state statute simply requires a showing of unauthorized access or acquisition to trigger notification responsibilities or whether the statute also requires a showing of risk of harm from the unauthorized access or acquisition of the personal information.
Several states, as well as the District of Columbia and Puerto Rico, have data breach notification statutes that only require a showing of unauthorized access or acquisition: California, Georgia, Illinois, Minnesota, Nevada, North Dakota and Texas. Generally speaking, all other states incorporate some showing of harm from the unauthorized access or acquisition.
There are also numerous federal regulations governing cybersecurity, most of them industry-focused.
For example, the Gramm-Leach-Bliley Act applies to financial institutions;3 the Health Insurance Portability and Accountability Act and the Health Information Technology for Economic and Clinical Health Act apply to the health care industry;4 and the Family Educational Rights and Privacy Act applies to educational institutions.5
The GLBA, among other things, requires “financial institutions” to develop, implement and maintain administrative, technical and physical safeguards to protect the security, integrity and confidentiality of “nonpublic personal information.”6
“Nonpublic personal information” generally is any information that is not publicly available and that:
The term “financial institution” is defined as any business that is significantly engaged in activities that are financial in nature, as well as companies that receive information that is “incidental” or “complementary” to such financial activity. Thus, the definition of financial institution is quite broad.
The GLBA guidelines, which address standards for developing and implementing safeguards to protect customer information, make clear that when a financial institution becomes aware of an incident of unauthorized access to sensitive customer information, the institution should conduct a reasonable investigation to promptly determine the likelihood that the information has been or will be misused. If the institution determines that misuse of its information about a customer has occurred or is reasonably possible, it should notify the affected customer or customers as soon as possible.7
This notification guideline under the GLBA is similar to the state notification analysis that requires showing harm or a risk of harm before notification is required.
The Federal Trade Commission enforces the GLBA. While there is no private cause of action under the GLBA, officers and directors of the financial institution can be fined up to $10,000 for each violation, and criminal penalties include imprisonment for up to five years, a fine, or both. Since 2005, the FTC has brought almost 30 cases for violation of the GLBA.8
HIPAA and HITECH
The Health Insurance Portability and Accountability Act and the Health Information Technology for Economic and Clinical Health Act, better known as HIPAA and HITECH, set forth privacy and security protections required for the health care industry.
The primary HIPAA/HITECH regulations include the “Standards for Privacy of Individually Identifiable Information,” known as the “Privacy Rule,” the “Security Standards for the Protection of Electronic Protected Health Information,” known as the “Security Rule,” and the “Breach Notification Rule.”9
The Privacy Rule addresses uses and disclosures of “protected health information,” or PHI, as well as individuals’ rights to access, amend and restrict their PHI and to receive an accounting of their PHI.
Under the Security Rule, covered entities and business associates are required to ensure the confidentiality, integrity and availability of all electronic PHI that the entity creates, receives, maintains or transmits, to otherwise protect against reasonably anticipated potential breaches, and to ensure that their employees comply with the law.
The Breach Notification Rule requires covered entities to provide notification for breaches of unsecured or unencrypted PHI to the affected individuals, the U.S. Department of Health and Human Services, and major print or broadcast media for breaches affecting more than 500 residents of a state or jurisdiction.
HHS enforces HIPAA and HITECH through the Office of Civil Rights. HIPAA enforcement actions are usually initiated by a complaint. OCR then conducts an investigation. If the evidence indicates that the entity was not in compliance, OCR will attempt to resolve the case with the covered entity via voluntary compliance. If the entity does not take action to resolve the matter in a way that is satisfactory, OCR may impose a money penalty.
Additionally, following the passage of the HITECH Act, state attorneys general have authority to file civil actions for damages or injunctions in federal courts to enforce HIPAA, and OCR can conduct HIPAA audits.
Generally, there is no private right of action under HIPAA. However, there are examples of state courts ruling that HIPAA’s lack of a private right of action does not preclude common law or statutory claims for unauthorized disclosure of medical records. Additionally, state courts have considered HIPAA’s standards as the applicable standard of care governing handling of medical records.10
Family Educational Rights and Privacy Act
FERPA applies to any public or private elementary, secondary or post-secondary school and any state or local education agency that receives federal funds.11
FERPA limits access to a student’s education records.
The Family Policy Compliance Office implements FERPA’s requirements.
FERPA does not contain specific breach notification requirements. Rather, it protects the confidentiality of education records by requiring documentation of each disclosure. The federal regulations, nonetheless, encourage direct notification if, for example, the compromised data includes student Social Security numbers or other identifying information that could lead to identity theft.
Similarly, FERPA does not require that an institution notify the Family Policy Compliance Office in the event of a data breach; however, it is nonetheless generally considered a best practice to do so.
FERPA does not provide a private cause of action for individuals to sue to enforce the federal funding provisions.
Instead, the Family Policy Compliance Office is responsible for investigating FERPA-related complaints, and federal funds may be withheld from any school or educational agency that fails to comply with the law’s regulations.
Other Federal Law Considerations
The GLBA, HIPAA/HITECH and FERPA are far from the only federal laws regulating cybersecurity.
However, they provide basic examples of federal cybersecurity regulations applicable to various organizations.
Other examples of federal regulations include the following:
There are also numerous employment-related statutes that include privacy protections such as the Americans with Disabilities Act, the Family and Medical Leave Act, the Fair Credit Reporting Act, and Title II of the Genetic Information Nondiscrimination Act of 2008.20
Addressing a Data Breach
What should an organization do to address a breach in light of state and federal privacy regulations?
As a threshold matter, the best time for addressing a data breach or cyberattack is before the breach occurs. By having robust policies and procedures in place, together with a response team and appropriate training, organizations will be armed for data breaches and cyberattacks that are now commonplace.
Among other things, organizations should review their insurance coverage. Many providers now offer cyberinsurance coverage, and officers and directors may be covered by a directors and officers policy for decisions related to a data breach.
In the event of a cybersecurity breach, however, there is no one-size-fits-all approach. Nonetheless, taking the following actions will help to address most state and federal regulations:
It is not a question of whether your organization will suffer a cyberbreach, but when. Organizations that understand what information is collected and maintained, the purpose of collecting and maintaining such information, the individuals that have access to it, the security measures that protect the information, and the laws and regulations that apply to the information are far better prepared to reduce the risks associated with cyberbreaches and to more effectively take appropriate action when a breach occurs. As outlined above, the time to plan for a cyberbreach is before the breach occurs by developing policies and procedures, implementing and monitoring security systems, conducting breach roundtables to test preparedness and having a team in place ready to mobilize when that cyberbreach ultimately occurs.
1 See Verizon Enter. Solutions, 2015 Data Breach Investigations Report (2015), http://vz.to/1K2pCSp.
2 Generally, the outside limit under federal legislation, e.g., under HIPAA, is 60 days.
3 15 U.S.C. §§ 6801-09.
4 Pub. L. Nos. 104-191 & 111-5, § 13402.
5 20 U.S.C. § 1232g.
6 15 U.S.C. § 6801(a).
7 See 12 C.F.R. Pt. 364, App. A.
8 Fed. Trade Comm’n, Federal Trade Commission 2013 Privacy and Data Security Update, available at http://1.usa.gov/1O3YgNB.
9 See 45 C.F.R. Pts. 160, 162 & 164.
10 See Sharon R. Klein, Jan P. Levin, Rebekah A.Z. Monson and Angelo A. Stio III, "Connecticut Supreme Court Allows Plaintiffs to Circumvent HIPAA’s No Private Right of Action Clause," Pepper Hamilton LLP Client Alert (Nov. 25, 2014), available at http://bit.ly/1Q42rKD.
11 The statute’s regulations are available at 34 C.F.R. Pt. 99.
12 17 C.F.R. Pt. 248.
13 47 U.S.C. § 521.
14 18 U.S.C. § 2710.
15 44 U.S.C. § 3551.
16 18 U.S.C. § 2721.
17 7 U.S.C. § 231.
18 15 U.S.C. §§ 41-51.
19 15 U.S.C. § 7701 & 18 U.S.C. § 1030.
20 42 U.S.C. § 12101; 29 U.S.C. § 2601; 15 U.S.C. § 1681; & 42 U.S.C. § 2000ff.