How to deal with the new federal and state notification requirements.
If your business has not yet fallen victim to a data breach or ransomware event, fasten your seatbelt: chances are you won’t stay immune. Ransomware attacks on businesses tripled in 2016. They no longer occur every two minutes; by the end of the year they were happening every 40 seconds.1
As breaches soar, state and federal agencies alike are cracking down, holding organizations responsible for the safeguards they failed to put in place, since that gap is what lets an intrusion turn into compromised data. Last year both state and federal enforcement arms tightened their breach notification rules, adding reporting requirements and penalties.
HIPAA Transfers the Burden of Proof onto Organizations
Likely the most significant change last year came under the Health Insurance Portability and Accountability Act (HIPAA): guidance from the Office for Civil Rights (OCR), the arm of the U.S. Department of Health and Human Services that administers HIPAA and enforces its breach rules, made clear that in a cyber or ransomware incident the burden of proof rests on the organization. Previously, when a covered entity or its business associate suffered a cyber or ransomware attack, notification duties and penalties followed only if it was shown that protected health information had actually been compromised. Now the presumption is reversed: an incident is treated as a reportable breach unless the organization can demonstrate a low probability that the data was compromised.
To make that showing, HIPAA covered entities and their business associates must conduct a documented risk assessment of the incident, which in practice means a forensic investigation. That investigation can set off a domino effect, because its findings may draw further investigation and audit by OCR.
OCR is arguably the most prominent and aggressive federal enforcer of breach rules today. It examines healthcare organizations in two ways: reactively, after a reported breach, to uncover lax policies for safeguarding health data, and proactively, through its HIPAA Phase II audit program.
A HIPAA Phase II audit singles out 350 covered entities and 50 business associates at a time, varied by size, geography and type, and assesses their HIPAA privacy and security compliance. OCR fines for non-compliance average over $200 per record for the first 5,000 records and less per record beyond that. A robust cyber policy will typically cover HIPAA fines, to the extent they are insurable, as well as the forensic investigation, an experienced privacy attorney and more.
Am I a HIPAA Covered Entity?
Any business that handles protected health information on a covered entity’s behalf is a business associate and is held to the same breach rules. That includes self-funded employers: by acting as their own insurance carrier they sponsor a group health plan, which is itself a covered entity, and they hold employee health information in that role. For example, a self-insured manufacturer that administers its employees’ health coverage and claims must comply with HIPAA’s breach regulations.
Simply holding employee health information, however, does not make you a HIPAA covered entity. A manufacturer that keeps some employee health records, is not self-insured and does no business with healthcare companies must comply with state breach law if it suffers a breach, but it is not regulated under HIPAA.
Federal Commissions Regulate Breaches in the Absence of a Federal Data Security Law
Other federal agencies also police data privacy and network security for incidents outside healthcare. The Federal Trade Commission (FTC) treats inadequate data security as an unfair or deceptive practice under Section 5 of the FTC Act and enforces the Safeguards Rule for non-bank financial institutions, and the Federal Communications Commission (FCC) regulates interstate communications, including internet service providers (ISPs), telecommunications carriers and broadcasters. While less visible than HIPAA, both regularly publish security requirements and best practices, and both stipulate and enforce notification requirements where they have jurisdiction.
Outside of HIPAA and the FTC’s and FCC’s enforcement, there is no national breach notification and data security law, and none appears imminent. In July 2015, 47 state attorneys general sent a joint letter to Congress urging it not to pass a national data breach law that would preempt existing state laws. Non-healthcare entities should keep their eyes on their own states’ requirements.
State Laws Add More Data to Notification Requirements
Roughly eighteen states amended their data breach notification laws last year to expand the definition of personally identifiable information (PII) whose exposure triggers notification.
Many added medical records, biometric data, and email addresses, usernames and passwords to statutes that already covered social security numbers, addresses, driver’s license numbers and the like. Most states also set a threshold above which a breach must be reported to the attorney general’s office; in Oregon, for example, a breach must affect more than 250 state residents before the attorney general requires notification (see chart).
Last year, states including California and Illinois narrowed their encryption safe harbor: an organization must now notify individuals even when the breached data was encrypted if there is a reasonable belief that the encryption key or credential was acquired as well. New York became the fourth state to require financial services companies to notify the state’s financial regulator within 72 hours of a qualifying breach.
In addition, what might be called “non-law law” governs some state notification practice: the murky layer of expectations that many states place on top of the written statute. Connecticut, for example, changed its law last year to require businesses to offer breached individuals one year of credit monitoring, but the state wants and expects two years. Indiana’s statute requires notification within a “reasonable time,” read as 60 days, but the state really expects notification within 30. Only a skilled data breach privacy attorney will know this extra layer, and organizations will be held to it.
Meeting Multiple State Notification Requirements in Each Breach
The lack of a single federal data breach law creates a real challenge for organizations that do business across state lines: you must comply with the notification requirements of the state where each affected individual resides, which can mean satisfying as many as 47 different state regimes in one incident. An experienced data breach privacy attorney who is fluent in notification law is critical both to avoid spinning your wheels and to meet every applicable state requirement and “non-law law.”
State fines for failing to notify can run upwards of $90 per record for the first 10,000 records, with a lower rate for additional records, and for a second breach offense the rate goes up 25%.
Right Size Your Cyber Policy
Just as there is no single rule for federal or state breach notification, there is no one-size-fits-all policy for covering a breach.
A robust cyber policy brings with it access to pre-approved data breach privacy attorneys so you can start complying with federal and state regulations immediately. Having the right resources means knowing what to do and when to do it, and that comes only with an experienced broker who understands data breach risk and compliance.
1 Kaspersky Security Bulletin 2016, “Story of the Year: The Ransomware Revolution.”