Data Breach Notification: The Legal and Regulatory Environment
Governments create legislative and regulatory requirements for corporate data breach notification, but keeping up with the pace of cybercriminals is proving difficult.
In the United States, data protection has become a top priority among governments and individuals. With an increased reliance on technology through the COVID-19 pandemic, especially, securing confidential data is more important than ever.
In 2011, the Obama administration kicked off federal discussions surrounding data breach notification regulations. Four years later, President Obama called for stronger data privacy laws, stating that the internet “creates enormous opportunities but also enormous vulnerabilities.” Since then, states have developed their own guidelines and laws surrounding data breach notifications, some of them already over 10 years old. Though broadly similar, these disclosure regimes differ in their details, and some have a more complex breakdown of requirements with harsher penalties.
All who work with qualifying data must understand the legal and regulatory environments for breaches in their states. (Read also: US Data Protection and Privacy in 2020.)
Making a Federal Case
On a federal level, a legal case can fall into a few different categories, depending on the data that’s been accessed.
For health care, and for the organizations and industries that must comply with the legislation, the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH) both strictly protect medical data and patient health information. Similarly, the Gramm-Leach-Bliley Act (GLBA) is essential in safeguarding financial data. (For a full list of states and their applicable breach notification laws, see Security Breach Notification Laws.)
In 2016, the Hollywood Presbyterian Medical Center in Los Angeles suffered a ransomware attack that locked up its patient data. After promptly notifying consumers and patients, executives at the hospital announced they had paid the ransom, $17,000 in Bitcoin, stating the data was too valuable to lose. This kind of breach created a federal case, with support from an FBI investigation. More recently, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) published an advisory alerting the public that paying a ransom demanded by cybercriminals may be a violation of US law.
However, if the hospital had not made some form of announcement, it would have been in direct violation of the notification policies of HIPAA, HITECH and the Department of Health and Human Services (HHS). A violation similar to this patient data case has recently made headlines in the financial world.
In 2020, the mortgage brokering service Mortgage Solutions faced a $120,000 penalty after the Federal Trade Commission (FTC) stated the service had failed to protect customer information. The FTC imposed this civil penalty on the grounds that the company had violated the GLBA, the Fair Credit Reporting Act (FCRA) and Section 5 of the FTC Act.
This case came about because of a claim that Mortgage Solutions had released sensitive personal data belonging to its customers, including income sources, taxes and health information, in response to negative Yelp reviews from consumers and mortgage applicants. (Read: Massive Data Breaches: The Truth You May Not Know.)
Establishing Breach Laws in California
Though these acts are invaluable for helping consumers and the general public understand data breaches on a federal level, states have their own breakdowns of data breach laws. California, for instance, is one of the most thorough states when it comes to dealing with notification regulations.
California law requires a business or state agency to notify, as soon as possible, any California resident whose unencrypted personal information (as defined in the statute) was acquired, or is reasonably believed to have been acquired, by an unauthorized person. The state clearly defines what qualifies as personal information, from Social Security numbers to biometric data. With new tech evolving daily, systems such as edge computing and the Internet of Things (IoT) carry invaluable data that companies must protect at all costs.
If Californian companies violate this act or fail to take action in any way, penalties may add up to $250,000. Notification failures or violations, specifically, can accrue hundreds or thousands of dollars in penalties depending on the timeline and response. This notification violation is a recent development and was not always part of the law.
Learning from Europe
As of January 2021, the European Data Protection Board has laid out strict guidelines on data breach notifications. Various countries in Europe have been notoriously wary of how companies use data. For instance, in 2020, Ireland’s Data Protection Commission sent Facebook an order to suspend the transfer of European user data to the United States. Failure to comply with this ruling could have cost Facebook up to $2.8 billion.
Through these regulations and actions, Europe has prepared itself for a breach coming from any direction. The guidelines state that companies must contact both the authorities and the individuals whose data has been involved in a breach. It is worth noting that notification to a regulator happens only once the breach has been discovered by the data controller (the company or business), and the breach could have been going on for weeks, months or even years in some cases. The document also defines the different types of breaches, the corresponding fines and penalties, and ways to work within the General Data Protection Regulation (GDPR) during these incidents.
Some examples of breaches that could occur, as outlined by the European Data Protection Board, include:
- Email data exfiltration.
- Ransomware attacks.
- Theft of devices or physical documents.
- Social engineering.
The key point here is that the U.S. can learn from Europe. While individual states have their own sets of rules and regulations about data breach notifications, the U.S. government must develop an overarching federal cybersecurity law. This addition would provide another layer of protection for the ever-growing data world. (Read also: The Best Way to Combat Ransomware in 2021.)
Advancements in Reporting Data Breaches
As the tech world evolves and uses more data with each innovation, companies must protect that information. If they do not, they could face breaches that will force them to follow data breach notification laws under the worst conditions. To stop this domino effect, the U.S. should adopt more federal-level regulation.