Data Breach Notification: The Legal and Regulatory Environment

By Devin Partida | Reviewed by John Meah | Last updated: February 25, 2021

Key Takeaways

Governments create legislative and regulatory requirements for corporate data breach notification, but keeping up with the pace of cybercriminals is proving difficult.


In the United States, data protection has become a top priority among governments and individuals. With an increased reliance on technology through the COVID-19 pandemic, especially, securing confidential data is more important than ever.


In 2011, the Obama administration kicked off federal discussions surrounding data breach notification regulations. Four years later, President Obama called for stronger data privacy laws, stating the internet “creates enormous opportunities but also enormous vulnerabilities.” Since then, states have developed their own guidelines and laws surrounding data breach notifications, some of them already over 10 years old. Though broadly similar, these disclosure regimes differ in their details, and some are more complex and carry harsher penalties than others.

Anyone who works with qualifying data must understand the legal and regulatory environment for breaches in their state. (Read also: US Data Protection and Privacy in 2020.)



Making a Federal Case


On a federal level, a legal case can fall into a few different categories, depending on the data that’s been accessed.

For health care organizations and the industries that must comply with the legislation, the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH) both strictly protect medical data and patient health information. Similarly, the Gramm-Leach-Bliley Act (GLBA) is essential in safeguarding financial data. (For a full list of states and their applicable breach notification laws, see Security Breach Notification Laws.)


In 2016, the Hollywood Presbyterian Medical Center in Los Angeles faced a ransomware attack on its data. After promptly notifying consumers and patients, executives at the hospital announced they had paid the ransom of $17,000 in Bitcoin, stating the data was too valuable to lose. This kind of breach created a federal case, with support from an FBI investigation. More recently, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) published an advisory to alert the public that paying a ransom demanded by cybercriminals may be a violation of US law.

However, if the hospital had not made some form of announcement, it would have been in direct violation of the notification policies of HIPAA, HITECH and the Department of Health and Human Services (HHS). A similar violation involving customer data, rather than patient data, has recently made headlines in the financial world.

In 2020, brokering service Mortgage Solutions faced a $120,000 penalty after the Federal Trade Commission (FTC) stated the service had failed to protect customer information. The FTC imposed this civil penalty on the grounds of violations of the GLBA, the Fair Credit Reporting Act (FCRA) and Section 5 of the FTC Act.

This case came about because of a claim that Mortgage Solutions had released sensitive personal data belonging to its customers, including income sources, taxes and health information, in response to negative Yelp reviews from consumers and mortgage applicants. (Read: Massive Data Breaches: The Truth You May Not Know.)


Establishing Breach Laws in California


Though these acts are invaluable for helping consumers and the general public understand data breaches on a federal level, each state has its own breakdown of data breach laws. California, for instance, is one of the most thorough states when it comes to notification regulations.

California law requires a business or state agency to notify any California resident whose unencrypted personal information, as defined in the statute, was acquired, or is reasonably believed to have been acquired, by an unauthorized person, and to do so as soon as possible. The state clearly defines what qualifies as personal information, from Social Security numbers to biometric data. With new technology evolving daily, systems such as edge computing and the Internet of Things (IoT) carry invaluable data that companies must protect at all costs.

If California companies violate this act or fail to take action in any way, penalties may add up to $250,000. Notification failures or violations, specifically, can accrue hundreds or thousands of dollars in penalties depending on the timeline and response. Penalties for notification violations are a recent development and were not always part of the law.


Learning from Europe


As of January 2021, the European Data Protection Board has laid out strict guidelines on data breach notifications. Various countries in Europe have been notoriously wary of how companies use data. For instance, in 2020, Ireland’s Data Protection Commission sent Facebook an order to suspend the transfer of European user data to the United States. Failure to comply with this ruling could have cost Facebook up to $2.8 billion.

Through these regulations and actions, Europe has prepared itself for a breach coming from any direction. The guidelines state that companies must contact the authorities and the individuals whose data has been involved in a breach. It is worth noting that notification to a regulator only happens once the breach has been discovered by the data controller (the company or business), and the breach could have been going on for weeks, months or even years in some cases. The document also defines the different types of breaches, the corresponding fines and penalties and ways to work with the General Data Protection Regulation (GDPR) during these incidents.

Some examples of breaches that could occur, as outlined by the European Data Protection Board, include:

The key point here is that the U.S. can learn from Europe. While individual states have their own sets of rules and regulations about data breach notifications, the U.S. government must develop an overarching federal cybersecurity law. Such a law would provide another layer of protection for the ever-growing data world. (Read also: The Best Way to Combat Ransomware in 2021.)


Advancements in Reporting Data Breaches


As the tech world evolves and uses more data with each innovation, companies must protect that information. If they do not, they could face breaches that subject them to the full force of data breach notification laws. To stop this domino effect, the U.S. should see more federal-level regulation.


Written by Devin Partida | Editor-in-Chief for ReHack.com

Devin Partida is the Editor-in-Chief for ReHack.com, and has had her freelance work featured in the official CES magazine, as well as various other tech publications. When she isn't writing about the latest tech, gadgets or cybersecurity trends, you can find her biking around the Golden Gate Bridge. To view Devin's full professional portfolio, please visit this page.
