Data security breach notification is rapidly becoming a significant compliance risk for global enterprises. A data security breach can disrupt business operations, damage brand reputation and customer relationships, and attract government investigations and class action lawsuits. Among other benchmarks, the Ponemon Institute estimates that a data security breach now costs an organization approximately $214 per compromised record, or $7.2 million on average per incident.[1] Given that organizations increasingly use, store, and share data, and that regulatory authorities are rapidly adopting new requirements with more significant penalties for non-compliance, data security breaches are moving into the "upper right quadrant" of the compliance chart that maps the likelihood of an incident against the severity of its potential harm. This client alert summarizes the current state of affairs with the "rising tide" of global data security breach notification requirements, and identifies ten key steps every global enterprise should take to address such obligations.
A. The "Rising Tide" of Global Data Security Breach Notification Requirements
From the adoption of the first data security breach notification law in California in 2003, there has been a rising tide of breach notification requirements adopted in the US and abroad. It is critical to understand the scope and application of these laws in order to make reasonable decisions about how to allocate resources to manage the corresponding risks.
1. US State Breach Notification Laws
Almost every US state has now adopted a breach notification law. The specifics of the laws can vary substantially, but in very general terms, the laws mandate that when certain sensitive personally identifiable information ("Sensitive PII") is subject to unauthorized access or acquisition in unencrypted form, the business that "owns" such data must notify affected state residents, state agencies, consumer protection agencies, and in some instances, state-wide media. If a service provider maintains the Sensitive PII on behalf of its customer (the "data owner"), the service provider generally must notify the data owner which, in turn, must make the required notices.
In practice, the variations in these laws can present significant challenges. For example, the scope of covered "Sensitive PII" varies among the states. Some states, such as Illinois, focus on the key data fields of name plus Social Security Numbers, bank account numbers, and credit or debit card numbers. Other states, such as North Dakota, have laws that cover a broad range of other data fields, such as date of birth, electronic signature, unique physical representation (e.g., a photo), employer identification number, and the like. Collectively, across the patchwork of state laws, there are more than thirty different categories of Sensitive PII that can trigger a breach notification obligation.
There are also variations as to what constitutes a notifiable "breach." For example, Colorado does not require notice unless misuse of the data is likely (i.e., a "risk of harm" threshold applies before notice is required). In contrast, Indiana mandates notification whenever there is reason to believe that covered information has been subject to unauthorized acquisition, regardless of any risk of harm.
Other variations apply regarding the mandatory content of the notice. For example, North Carolina mandates that the notice to the individual describe the nature of the incident. In contrast, Massachusetts specifies that the individual notice must not describe the nature of the incident. Such direct conflicts generally require different notices for residents of different states, which poses obvious challenges where notice must be made via the organization's website (given that North Carolina and Massachusetts residents will view the same website).
Perhaps the most acute challenges arise with respect to the timing of the notice. Some states establish specific timelines for notification in certain cases (e.g., California requires notice within 5 days for certain health records). In contrast, other states, such as Arizona, impose affirmative obligations to conduct a reasonable investigation of the incident before notifying the affected individuals. In practice, a reasonable investigation may require more than 5 days to complete, particularly if the situation involves a hacking incident or other complex scenario. The organization thus may not be able to satisfy both Arizona and California law on timing, even though both laws may apply to the same incident.
More fundamentally, as a practice point, it is critically important for an organization to perform a reasonable investigation, and to know what it is talking about, before it notifies affected individuals. Premature notification may seem like a good idea in the short term, because it helps avoid questions about "why did the company wait X days to notify?". It is not, however, a strategy that serves the interests of either the affected individuals or the organization. Among other concerns, premature notification can cause more harm than good: the population of individuals initially notified may be excessively large or inappropriately narrow (depending on whether a reasonably complete investigation would show that more or fewer individuals were actually affected), and the substance of the notice to individuals may be materially misleading (e.g., if a reasonably complete investigation would reveal that more data fields, or fewer data fields, were actually affected). Simply put, a "ready, fire, aim" approach to notification does not work well in this context.
2. Federal Breach Notification Laws
There is also a growing body of federal breach notification laws. In particular, health care providers and other "covered entities," as well as their "business associates," have duties to notify breaches of unsecured protected health information ("PHI") under the Health Information Technology for Economic and Clinical Health Act ("HITECH"), an amendment to the Health Insurance Portability and Accountability Act ("HIPAA"). HITECH requires various forms of reporting to the Department of Health and Human Services ("HHS"), notice to the media if more than 500 individuals are affected, and notification to the affected individuals. A similar set of requirements applies to vendors of personal health records pursuant to Federal Trade Commission regulations issued under HITECH.
In the financial services area, the federal functional regulators have issued Guidelines on Response Programs for Unauthorized Access to Customer Information. These include obligations to maintain a response program and to notify the applicable regulatory agency and affected customers if misuse of the information has occurred or is reasonably possible. Comparable regulations have been issued by the Federal Trade Commission ("FTC") for entities that provide certain financial products and services to consumers, and additional requirements applicable to insurers have been issued at the state level.
Various bills on data security breach have also been introduced recently in Congress. It is difficult to predict when such legislation will be enacted, but some form of federal law probably will be adopted at some point. This would follow a trajectory similar to the pre-emption of a variety of state electronic signature laws by the federal E-SIGN Act in 2000, and of a similar patchwork of state anti-spam laws by the CAN-SPAM Act in 2003.
3. Emerging Non-US Breach Notification Laws
Non-US jurisdictions are quickly "jumping on the bandwagon" with the adoption of breach notification requirements. This may become particularly problematic for global enterprises because non-US jurisdictions often adopt "omnibus" privacy regulations that apply to a much broader range of data about individuals than the "Sensitive PII" regulated under state and federal laws in the United States.
For example, Germany has now adopted breach notification requirements in three different laws. Under the Federal Data Protection Act, a breach notification requirement applies to a wide array of personal data, including: (i) sensitive personal data (defined as any information on racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, health or sex life); (ii) personal data specifically protected by professional secrecy duties (e.g., in the medical, insurance or legal industry); (iii) personal data concerning criminal acts, administrative offenses, or the suspicion of the same; and (iv) personal data in relation to bank or credit card accounts. Under the Telecommunications Act and the Telemedia Act, notification is required if the breach involves contact data (e.g., customer’s name and address, billing information, or the like) and traffic data (i.e., data in relation to connections such as the caller’s number, the number called, IP addresses, duration of a call, and the like). The good news is that, due to certain Constitutional prohibitions on self-incrimination, data protection authorities in Germany are limited in their ability to pursue criminal and administrative sanctions actions against organizations that notify them about data security incidents. This serves as an incentive for organizations to notify data protection authorities about such matters, even though such notifications do not preclude the authorities from pursuing actions on broader privacy matters, nor do they limit affected individuals from pursuing claims against the organization.
Russia has also recently adopted a breach notification requirement as part of its data protection law, which applies to unauthorized access to any "personal information." Personal information is broadly defined as "any information concerning an individual that may be identified on the basis of that information, including his or her family name, first name, patronymic, the year, month, date and place of birth, address, family, social, property status, education, profession, incomes and other information." The notification must be provided to affected individuals, and the organization is also obligated to respond to any requests for information raised by the data protection authority. Perhaps more notably, Russia requires data security incidents to be "cured" within 3 days, and appears to impose a duty to notify affected individuals within 3 days after such cure. Although these statutory requirements have not yet been interpreted through cases or official advisory opinions from the data protection or other authorities, the combination of broad scope and strict notification timelines may pose acute challenges in practice.
A wide range of other jurisdictions have also adopted breach notification requirements in certain sectors. For example, telecommunications providers in the European Union are subject to breach notification obligations pursuant to the European Commission Directive on Privacy and Electronic Communications, and broader notification requirements are expected as part of the revision to the European Commission Directive on Data Protection. In India, certain "intermediaries" must report a cyber security incident to the Indian Computer Emergency Response Team ("CERT") within the Department of Information Technology. A notifiable "cyber security incident" is defined to include any real or suspected adverse event in relation to cyber security that violates an explicitly or implicitly applicable security policy, resulting in unauthorized access, denial of service or disruption, unauthorized use of a computer resource for processing or storage of information, or changes to data or information without authorization. Other jurisdictions, such as Japan, have adopted breach notification duties that apply in the financial services industry.
Other requirements are also emerging. Chile has established a general consumer protection requirement that any actions that may harm consumers (such as data security breaches) must be notified to the Chilean consumer protection agency. Mexico has also recently adopted a data security breach notification obligation as part of its data protection law. In addition, other countries, such as Brazil, have active consumer protection agencies that generally are willing to pursue actions against global enterprises for data security breaches or other incidents when they affect local consumers.
4. Other Breach Notification Duties
Beyond regulatory obligations, breach notification duties can arise pursuant to contractual obligations between relevant parties. Perhaps most notably, merchants that accept credit cards and their service providers have various duties to notify data security breaches pursuant to Payment Card Industry ("PCI") requirements. The required timing for these notifications can often be significantly shorter than those that apply under regulatory duties (e.g., merchants often have duties to immediately notify merchant banks about potential incidents).
B. Ten Steps To Help Address Data Security Breach Notification Requirements
What should organizations do in the face of an expanding array of global data security breach notification requirements? The specifics of an organization’s actions should be tailored to reflect its industry, geographic footprint, data collections and transfers, history of data security incidents, degree to which it shares data with service providers and external parties across its "extended" enterprise, and other factors. However, basic steps that all organizations should take include the following:
Establish the Appropriate "Tone at the Top." Senior management should explicitly state that data security is a mission-critical and core value for the enterprise. Given that data security vulnerabilities exist throughout the organization, such clear communications can be critical for ensuring that everyone understands their duties regarding data security and expedited reporting "up the chain" of any potential incidents.
Identify What Sensitive PII the Organization Obtains, and Confirm Whether Such Collections Could Be Minimized. This analysis will require both an understanding of the scope of applicable breach notification requirements, as well as a firm understanding of the organization’s operations. In practice, it is important to minimize such Sensitive PII collection, use, and disclosure wherever possible as a means of managing risk. If the data is not collected, there is no risk.
Conduct an Information Security Assessment, and Establish Appropriate Controls. The organization should review where Sensitive PII resides internally and within the extended enterprise, and it should establish data security controls that are appropriate in light of applicable data security obligations under state, federal, and non-US laws, as well as contractual obligations and industry best practices. Sensitive PII should be encrypted where feasible, because many breach notification laws exempt properly encrypted Sensitive PII from the notification duty. In practice, that exemption generally depends on the encryption keys not having been compromised along with the data, so keys should be generated, stored, and managed separately from the encrypted data they protect.
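The encryption exemption turns on the key not being exposed together with the data. The following Go program, added here as an illustration and not part of the original alert, shows one pattern that makes that true by construction: each record is encrypted under its own data-encryption key (DEK) with AES-256-GCM, and the DEK is stored only in wrapped form under a key-encryption key (KEK) kept outside the datastore (in production an HSM or key-management service; here an in-memory byte slice). The record identifier, the function names EncryptField and DecryptField, and the sample SSN are all constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// EncryptedRecord is what the datastore holds for one Sensitive PII field.
// The DEK sits beside the ciphertext, but only wrapped under a KEK that never
// enters the datastore, so a dump of the datastore alone yields no plaintext.
type EncryptedRecord struct {
	RecordID   string // bound in as associated data so ciphertext cannot be moved between records
	WrappedDEK []byte // nonce || AES-256-GCM(KEK, DEK)
	Ciphertext []byte // nonce || AES-256-GCM(DEK, plaintext)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealAEAD encrypts plaintext under key with a fresh random nonce, binding the
// result to aad. The nonce is prepended to the returned slice.
func sealAEAD(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// openAEAD reverses sealAEAD. A wrong key, wrong aad, or any modified byte
// makes the GCM tag check fail, so mis-keying and tampering are both detected.
func openAEAD(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(sealed) < n {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:n], sealed[n:], aad)
}

// EncryptField generates a per-record DEK, encrypts the field under it, and
// wraps the DEK under the KEK. Only the wrapped DEK and ciphertext are stored.
func EncryptField(kek []byte, recordID string, plaintext []byte) (EncryptedRecord, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return EncryptedRecord{}, err
	}
	aad := []byte(recordID)
	wrapped, err := sealAEAD(kek, dek, aad)
	if err != nil {
		return EncryptedRecord{}, fmt.Errorf("wrap DEK: %w", err)
	}
	ct, err := sealAEAD(dek, plaintext, aad)
	if err != nil {
		return EncryptedRecord{}, fmt.Errorf("encrypt field: %w", err)
	}
	return EncryptedRecord{RecordID: recordID, WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// DecryptField unwraps the DEK with the KEK and then decrypts the field.
// Without the KEK the first step fails and no plaintext is ever produced.
func DecryptField(kek []byte, rec EncryptedRecord) ([]byte, error) {
	aad := []byte(rec.RecordID)
	dek, err := openAEAD(kek, rec.WrappedDEK, aad)
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return openAEAD(dek, rec.Ciphertext, aad)
}

func main() {
	// Constructed sample data: a random 256-bit KEK and a fake SSN; neither is real.
	kek := make([]byte, 32)
	if _, err := rand.Read(kek); err != nil {
		panic(err)
	}
	rec, err := EncryptField(kek, "cust-0001", []byte("123-45-6789"))
	if err != nil {
		panic(err)
	}
	pt, err := DecryptField(kek, rec)
	fmt.Printf("with KEK:    %q err=%v\n", pt, err)

	// Simulated breach: attacker holds the full datastore dump (rec) but not the KEK.
	attackerKEK := make([]byte, 32)
	_, err = DecryptField(attackerKEK, rec)
	fmt.Printf("without KEK: err=%v\n", err)

	// A modified ciphertext is rejected rather than decrypted to garbage.
	rec.Ciphertext[len(rec.Ciphertext)-1] ^= 0x01
	_, err = DecryptField(kek, rec)
	fmt.Printf("tampered:    err=%v\n", err)
}
```

A dump of EncryptedRecord values alone gives an attacker nothing to decrypt with; the program's second and third checks show the unwrap step failing without the KEK and decryption failing on a modified ciphertext. Whether a given incident then falls within a particular statute's encryption exemption remains a legal judgment for each jurisdiction, but the design above is what makes the factual predicate ("the key was not compromised with the data") defensible.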
Evaluate Service Provider Relationships As Part of the "Extended Enterprise." A key source of potential risk for an organization is the service providers that store or access Sensitive PII on its behalf. Typically, if a breach occurs at the service provider level, the organization must provide the required notices. Managing this risk requires a focused effort in the contract negotiation process (to structure appropriate privacy, information security, audit, and liability terms), and ongoing review to ensure that security measures are followed in practice and that the organization will have adequate control in the event of an actual data security incident.
Establish and Implement an Incident Response and Breach Notification Policy. The organization should adopt an incident response policy that provides procedures for responding to an incident, and addresses applicable breach notification duties. This policy should establish relatively simple procedures (given the time pressures of actual incidents), although it should also include details regarding methods of notification and other jurisdiction-specific provisions that can facilitate compliance with notification obligations.
Shop Early For Incident Response Providers. Organizations should shop early for service providers that will be critically important in the event of an actual breach, such as forensics firms, public relations firms, call center providers, and notification delivery services. The organization can engage such service providers prior to any event, so as to be ready to go in the event of an actual incident. Such contracts, however, should be structured through legal counsel where possible (and, for global organizations, through external legal counsel in particular), in order to be mindful of potentially critical attorney-client privilege issues.
Enhance Communication and Training. The most carefully drafted policies and procedures may be ineffective if they are not properly communicated throughout the enterprise, or if proper training is lacking. Training should be appropriate to the role of the individual, but every individual within an organization should receive at least minimal training so as to know how to report a potential breach "up the chain" to appropriate managers.
Conduct Incident Response "Scenarios" for Key Team Members. It is useful to conduct "scenario" training with key incident response team members to allow them to develop a feel for an actual incident response. Key issues to test in the scenarios relate to the timing of any notification, as such experience can be critically helpful in the context of an actual incident.
Update Record Retention Policies. The organization should update its record retention policies so that it can securely dispose of Sensitive PII when it is no longer needed for its identified purpose. Note that various state, federal, and non-US laws establish standards for the secure disposal of such information; if performed properly, secure disposal can be an important aspect of managing data security breach risk.
Conduct Ongoing Review. The organization must conduct ongoing reviews to confirm that its existing controls, including data security measures and the incident response policy, reflect current technology, business activities, and information security threats. The contest between information security professionals and data thieves is ongoing, and legal standards are ever-changing. Controls that are appropriate today may not be appropriate tomorrow, and regular assessment will help prevent and manage data security incidents.
Data security and breach notification is an issue that now warrants priority attention from all global organizations. The ten steps outlined above should serve as a high-level roadmap for organizations to manage this increasingly important risk. As in other areas of risk management, establishing and implementing appropriate policies and procedures can produce real cost savings for the company over time, both by preventing security incidents and by effectively managing them when they do invariably arise.