Data Theft and State Law: When Data Breaches Occur, 34 States Require Organizations to Speak Up by Alan S. Wernick, Esq.
Thirty-four states currently require that organizations notify individuals whose personal data have been exposed in a security breach. Healthcare entities should have policies and plans in place.
You can hardly pick up a newspaper or visit a major online news source without reading about an incident involving a data breach. Laptops are stolen, private information is mistakenly exposed on public Web sites, and employees access data for illegal purposes.
Healthcare organizations are not immune. Providers and payers obtain, organize, analyze, copy, and distribute data around the clock. Data copied and distributed without authorization can result in legal complications that include violation of a data breach notification statute, identity theft, loss of employment, financial damages, and damages for breach of a legal statutory duty or obligation.
The time to prepare for responding to a data breach is now, not after it occurs. An organization's preparedness in knowing applicable laws, developing appropriate policies, monitoring those policies, and having an appropriate response team assembled in advance will help manage the legal risks and minimize the potential liabilities and costs, both in dollars and in trust.
What Are the Data in a "Data Breach"?
Data are protected by several state and federal statutes against unauthorized access, use, copying, and distribution. By way of example, and not limitation, these statutes include HIPAA, the Financial Services Modernization Act (otherwise known as Gramm-Leach-Bliley), and the Sarbanes-Oxley Act. Congress currently is considering data breach and related legislation. By way of example, the Identity Theft Protection Act (S 1408) and the Federal Agency Data Breach Notification Act (HR 5838) were under consideration in Congress in late 2006.
On the state level, more than 30 states currently have adopted data breach notification laws requiring organizations to notify consumers whose personal information has been exposed in a data breach (see list [below]). Notification is intended to alert consumers to the potential for identity theft that can follow a breach. Data breach and other privacy laws can also help improve the data security and privacy practices of the organizations complying with them.
Many of the state laws treat data as "personal identifiable information," or PII. Depending on the applicable statute, PII may include data stored on paper, a computer, or other media such as CD-ROM, DVD, flash memory drive, and PDA.
Depending upon the particular state's law, PII includes, by way of example and not limitation, an individual's first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted or redacted:
Two Strong State Laws
The California data breach notification law, effective July 1, 2003, is one of the first of such statutes in the United States, and the one other states and Congress have considered in the drafting of similar legislation.1 The California data breach notification law defines "personal information" to mean
any information that identifies, relates to, describes, or is capable of being associated with, a particular individual, including, but not limited to, his or her name, signature, social security number, physical characteristics or description, address, telephone number, passport number, driver's license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information.
For purposes of triggering a data breach notification, personal information in the California law means an individual's first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted:
Personal information under this section of the California statute does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.
Another example of a recent data breach notification law is the one adopted in Illinois, which became effective on January 1, 2006, and closely follows the California statute.2 The Illinois data breach notification law, known as the Illinois Personal Information Protection Act (PIPA), defines personal information in the same terms as the California law (also excluding information publicly available and lawfully disclosed by a government agency).
When organizations consider what data are subject to notification in the event of a breach, they should also note that applicable state law may provide that data other than customer data trigger a notification requirement in the event of a data breach (e.g., employee data). Further, depending upon the residence of each of the individuals whose data are the subject of the breach, more than one state's law may apply.
Notification laws generally require that the organization provide prompt notification as soon as it either discovers or is notified of a breach, or if it reasonably believes that the personal information may have been acquired by an unauthorized person.
The disclosure notification typically must be made in the most expedient time possible and without unreasonable delay, consistent with any measures necessary to determine the scope of the breach and restore the reasonable integrity, security, and confidentiality of the data system. However, depending upon the applicable law, the timing of the notice may be constrained by two considerations: the legitimate needs of law enforcement, if a notification might impede a criminal investigation, and the need to take reasonable measures to determine the scope of the breach and restore reasonable integrity to the system.
The specific contents of the notice depend both on the applicable law and the facts of the breach. Generally, however, the contents of the notice may include, in addition to other relevant disclosures:
Depending on the applicable data breach notification law, a safe-harbor provision may exist for those organizations that, in advance of a data breach, have developed and maintained their own notification procedures as part of their information security practices for treatment of personal information, provided that such procedures are otherwise consistent with the notice timing requirements of the applicable data breach notification law. Thus, if an organization's notification procedures comply with the applicable data breach notification laws, then pursuant to the statutory safe-harbor provision, those procedures may be followed in lieu of the applicable statutory notification framework.
Be Prepared: Strong Security, Thorough Response Plans
Data privacy and security are closely intertwined. A fundamental principle of information and data stewardship is that organizations collecting or managing individuals' personal information should use reasonable security safeguards to protect that information against unauthorized access, use, disclosure, modification, or destruction. Protecting personal identifiable information requires more than just a strong physical structure to house the data; it includes appropriate data security considerations, data handling policies, and monitoring of those policies.
One example of a data security standard is ISO 17799 ("Information technology—Security techniques—Code of practice for information security management"), second edition (2005). It covers topics including:
Some questions to consider in reviewing your organization's risk in managing personal identifiable information include:
While these questions may help you evaluate some of the data breach risk within your organization, they are not meant to be an exhaustive list. Each organization has different people, structures, and needs regarding the PII it manages.
The bottom line is that when your organization experiences a data breach, your preparedness in knowing the applicable laws, developing appropriate policies, monitoring those policies, and having an appropriate response team assembled in advance (including knowledgeable legal counsel) will assist compliance efforts, manage the legal risks, and minimize the potential liabilities and costs. These liabilities and costs include the financial costs of responding to the breach, the impact on the organization's good will in the community, and the demands on the time of the organization's professionals, management, and staff.
In the context of today's evolving technology, privacy concerns, and data breach notification laws, Ben Franklin's centuries-old advice still rings true: an ounce of prevention is worth a pound of cure.
[Alan S. Wernick can be reached at (firstname.lastname@example.org).]