BY HEIDI YERNBERG
* Heidi is a partner at Jayaram Law and is a Certified Information Privacy Professional (CIPP/US) in the US context.
We already know that our personal data is one of the most valuable assets we carry with us through life. So what exactly happens when the company you trusted with it has a breach? What is happening behind the scenes when you've received a dreaded letter or email stating your information has been compromised?
With over 20 years under her professional belt working in data privacy, our colleague, Heidi Yernberg, lifts the curtain on how businesses determine, and rectify, the wrongs—and determine whether there was any wrong at all!
In 2022, IBM and the Ponemon Institute published their annual report, Cost of a Data Breach[1]. The statistics are striking. According to the report, data breaches are on the rise, with over 80% of organizations having experienced more than one data breach. Compromised credentials are the most common cause of a data breach. Perhaps most alarming, the report found that the average cost of a data breach was $4.35 million[2].
With statistics like these, a business that deals with data will likely experience a data breach and should be prepared to respond. An explosion in the volume of data, the tremendous value it brings to a company, and the devastating impact that a breach can have on businesses and consumers alike have led to an extraordinarily complex regulatory regime. All fifty states, several U.S. territories, and countless countries around the world have enacted comprehensive data breach laws that require a business to notify consumers when their data has been compromised. Additionally, laws regulating certain industries—like healthcare and finance—also require businesses to notify consumers. This article walks through a typical legal response to a simple hypothetical breach and highlights the ways the various laws complement and contradict each other.
The Hypothetical Breach
A hospital located in Miami, Florida (let’s call it the “Sunshine Hospital”), contracts with a vendor located in Chicago, Illinois (let’s call it the “Windy City Vendor”). Windy City Vendor offers a cloud-based service that provides surgical instructions to patients who are slated for surgery. Sunshine Hospital and Windy City Vendor enter into a contract, and Sunshine Hospital provides Windy City Vendor with a list of patients scheduled for surgery, the type of surgery, the date of the surgery, and email addresses. Windy City Vendor now has a database of 25,000 patients, all of whom are from Florida.
An employee of Windy City Vendor reports that their laptop was stolen from the back of their car. The employee isn't certain how many records were on it, but knows that at least some personal information about Sunshine Hospital's patients had been downloaded to it. While the laptop is password-protected, it was not encrypted. Windy City Vendor quickly begins to assess its legal obligations.
Know What Laws Apply
The first step in complying with the laws is determining which laws apply. As a player in the health industry, Windy City Vendor first confirms whether the Health Insurance Portability and Accountability Act (HIPAA) is relevant. HIPAA covers both "covered entities" and "business associates," and each has obligations with respect to breaches. "Covered entities" are health plans and certain health care providers. "Business associates" are generally those that perform services for covered entities that involve the use or disclosure of certain health information[3]. Windy City Vendor concludes that it is a "business associate," that Sunshine Hospital is a "covered entity," and that HIPAA applies to it[4].
Since the patients in Windy City Vendor's database are from Florida, Windy City Vendor next reviews Florida's Information Protection Act (FIPA). Florida's law covers both "covered entities" (as defined in Florida law) and "third-party agents." It defines a "covered entity" as any commercial entity that acquires, maintains, stores, or uses personal information[5]. Florida law defines "third-party agent" as an entity that has been contracted to maintain, store, or process personal information on behalf of a covered entity[6]. Windy City Vendor concludes that it is a "third-party agent," that Sunshine Hospital is a "covered entity," and that it must comply with FIPA with respect to this incident.
Since Windy City Vendor is in Illinois, it next checks Illinois' Personal Information Protection Act (PIPA). Illinois' law covers "data collectors." The law defines a "data collector" as an entity that handles, collects, disseminates, or otherwise deals with nonpublic personal information[7]. Windy City Vendor concludes that it and Sunshine Hospital each fit the definition of a "data collector" under Illinois law. However, PIPA also states that covered entities or business associates that are subject to and in compliance with HIPAA are "deemed to be in compliance" with PIPA, subject to some notification obligations to the Illinois Attorney General that do not apply to this fact pattern[8]. Since both Windy City Vendor and Sunshine Hospital are regulated by HIPAA, Windy City Vendor concludes that, in this case, Illinois law does not apply.
Windy City Vendor has concluded that it must comply with HIPAA and FIPA. This exercise becomes far more complex if a business processes information about residents across the United States or the world. Companies that have offices in multiple locations or are in highly regulated industries such as health, finance, or education will require a comprehensive review of applicable laws to determine which ones apply. It is possible that dozens of laws apply to an entity that processes data.
Understand What Data is Impacted by the Incident
After determining applicable laws, the next step is to determine whether the information impacted by the incident is protected by these laws.
HIPAA applies to "Protected Health Information (PHI)," which is identifiable information that relates to the past, present, or future physical or mental health of an individual; the provision of health care to an individual; or the past, present, or future payment for health care for an individual[9]. The definition of PHI specifically excludes health information that an entity holds in its role as an employer or in educational records, even if that information relates to an individual's health. Once information is PHI, it can only be de-identified by removal of 18 identifiers or by the application of a statistical analysis[10]. The definition is comprehensive and includes both publicly available information and information that is encrypted. However, HIPAA only requires reporting of breaches of "unsecured PHI." Unsecured PHI is PHI that is not encrypted or otherwise rendered unusable, unreadable, or indecipherable[11]. Windy City Vendor quickly concludes that unsecured PHI from Sunshine Hospital is stored on the stolen laptop[12].
Under FIPA, "personal information" is defined as either of the following:
- An individual's first name or first initial and last name in combination with any one or more of the following data elements for that individual:
  - A social security number;
  - A driver license or identification card number, passport number, military identification number, or other similar number issued on a government document used to verify identity;
  - A financial account number or credit or debit card number, in combination with any required security code, access code, or password that is necessary to permit access to an individual's financial account;
  - Any information regarding an individual's medical history, mental or physical condition, or medical treatment or diagnosis by a healthcare professional; or
  - An individual's health insurance policy number or subscriber identification number and any unique identifier used by a health insurer to identify the individual; or
- A username or e-mail address, in combination with a password or security question and answer that would permit access to an online account[13].
FIPA excludes publicly available information from the definition of personal information, as well as information that has been encrypted, secured, or rendered de-identified or unusable. Windy City Vendor can then conclude that personal information under FIPA is also stored on the stolen laptop. It is at this stage that Windy City Vendor realizes that had it applied industry-standard encryption to the laptop, it would not have reporting obligations under either HIPAA or FIPA.
Again, this becomes more complicated when more laws apply to a business. During this stage, it’s important to carefully read the relevant definitions—as well as the relevant exemptions—to determine which laws continue to apply to the fact pattern.
Learn What Defines a Security Breach
As you might imagine, the laws define “breach” differently. In our hypothetical, we know that Windy City Vendor needs to assess HIPAA and Florida law to determine if a breach has occurred.
HIPAA requires a business associate or covered entity to report a "breach of unsecured PHI"[14]. It defines a breach as an "impermissible use or disclosure" of unsecured PHI that compromises the security or privacy of the information[15]. HIPAA also states that an unauthorized use or disclosure is presumed to be a breach unless the entity can demonstrate that there is a low probability that the information has been compromised. There are also exceptions to the definition of a "breach" related to good faith access by a member of the workforce or when the information is not likely to be retained[16].
Windy City Vendor is not certain whether the thief has actually obtained access to the contents of the laptop. Its technical team, however, advises that attackers routinely bypass or break laptop passwords, so Windy City Vendor does not believe it can conclude that there is a low probability that the information has been compromised. It also reviews the exceptions to the definition of "breach," and none of them apply to the fact pattern. Therefore, Windy City Vendor concludes that it has experienced a "breach of unsecured PHI" under HIPAA.
Under Florida law, a "breach" or "breach of security" is defined as an "unauthorized access of data in electronic form containing personal information." As under HIPAA, good faith access of personal information by an employee or agent does not constitute a breach of security[17]. As with HIPAA, Windy City Vendor concludes that it is likely that an individual has obtained unauthorized access to the personal information and that it has sustained a "breach" under FIPA as well.
For businesses experiencing breaches with different fact patterns, these two laws highlight some key differences. For example, FIPA requires the data to be electronic or computerized, while HIPAA does not. Under HIPAA, it is possible to have a breach of verbal or non-electronic information. In addition, HIPAA requires the incident to compromise the data in some manner, whereas Florida law requires only that the data be inappropriately accessed for a breach to occur; we can well imagine a fact pattern that rises to the level of a breach under some state laws but not under HIPAA or other state laws. Conducting this exercise will further narrow the list of laws that a business must follow when determining its next steps, although it is possible to still be required to comply with dozens of laws.
Make the Necessary Notifications
After concluding that it has experienced an incident that implicates HIPAA and FIPA, Windy City Vendor’s next step is to notify the relevant entities.
Under HIPAA, a business associate is required to notify a covered entity of a breach without unreasonable delay and in no case later than 60 days after discovery of the breach[18]. HIPAA requires the business associate to include certain information in the notification, including a description of the breach; a description of the information involved in the breach; what the business associate is doing to investigate the breach and mitigate harm; and the identities of the individuals whose information has been breached[19].
Once Windy City Vendor provides notice to Sunshine Hospital, Sunshine Hospital will conduct the same assessment surrounding the incident to determine if it has independent reporting obligations under HIPAA. Given this fact pattern, a covered entity would likely conclude that its business associate has experienced a reportable breach of unsecured PHI. HIPAA requires the covered entity to initiate the following steps:
- Notify the individuals impacted by the incident without unreasonable delay and no later than 60 days after it discovers the breach, with a notification that meets the requirements of HIPAA[20];
- Issue a compliant press release, since the incident involves more than 500 residents of a single state or jurisdiction, within the same time period[21];
- Notify the Secretary of Health and Human Services of the incident, since the incident involves more than 500 residents of a single state or jurisdiction, within the same time period and with a notification that meets the requirements of HIPAA[22].
Further, under FIPA, a third-party agent is also required to notify a covered entity as expeditiously as practicable, but not later than 10 days following the breach[23]. It must provide similar information to the covered entity as HIPAA requires. Once Windy City Vendor provides notice to Sunshine Hospital, Sunshine Hospital will then conduct the same assessment surrounding the incident to determine if it has independent reporting obligations under FIPA. Given this fact pattern, a covered entity would likely conclude that its third-party agent has experienced a reportable breach of personal information. FIPA requires it to initiate the following steps:
- Notify the Florida Department of Legal Affairs (Attorney General) as expeditiously as possible but not later than 30 days after determination of the breach, since the incident involves more than 500 Florida residents, with a notification that meets the requirements of FIPA[24]; and
- Notify consumer reporting agencies without unreasonable delay, since the incident involves more than 1,000 individuals[25].
Sunshine Hospital is also required to notify Florida residents, but will likely avail itself of a provision in FIPA that allows it to use the notification provided under HIPAA to satisfy the requirement[26].
To comply with both laws, Windy City Vendor and Sunshine Hospital will be required to follow the most stringent of these laws. That means that Windy City Vendor must notify the Sunshine Hospital within 10 days of discovery of the breach, rather than the 60 days that HIPAA permits. Since Florida law requires attorney general notification within 30 days, Sunshine Hospital will likely issue its notices to individuals at the same time and within 30 days rather than the 60 days that HIPAA permits.
When complying with numerous laws, an entity will need to map out the required timelines, the various regulators that need to be notified, whether consumer reporting agencies need to be notified, and whether press releases must be issued. It will also need to track the content requirements of all of these notifications. This can mean multiple forms of letter sent to residents of different states and/or regulators, each within a different time frame. Because of the potential negative publicity, an entity often attempts to notify everyone at the same time, which means following the shortest timelines.
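One way to make the timeline-mapping step concrete is to encode the deadlines and thresholds listed above and let a script compute the binding deadline for each notification. The Python below is an added example written for this article; it is not code from Jayaram Law or from either hypothetical company. The Incident and Obligation classes, the "vendor"/"hospital" actor labels, the use of the discovery date as the start of every clock, and the 30-day outer bound placed on FIPA's "without unreasonable delay" notice to consumer reporting agencies are all this example's own assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Class and field names below are this example's own, not terms from HIPAA or FIPA.
@dataclass
class Incident:
    discovered: date      # date the breach was discovered; every clock here starts from it (assumption)
    regimes: set          # laws found to apply in the "Know What Laws Apply" step, e.g. {"HIPAA", "FIPA"}
    affected: int         # total individuals whose data was on the lost device
    per_state: dict       # affected residents by state, e.g. {"FL": 25000}
    encrypted: bool       # was industry-standard encryption applied to the device?

@dataclass
class Obligation:
    regime: str
    actor: str            # "vendor" (business associate / third-party agent) or "hospital" (covered entity)
    recipient: str
    deadline: date        # latest permitted notification date under that regime

def obligations(inc: Incident) -> list:
    """Enumerate the notification duties the article describes for this fact pattern."""
    # Encrypted data is not "unsecured PHI" under HIPAA and is excluded from FIPA's
    # "personal information", so no notification duty arises under either law.
    if inc.encrypted:
        return []
    d = inc.discovered
    out = []
    if "HIPAA" in inc.regimes:
        hipaa = d + timedelta(days=60)  # "without unreasonable delay", outer bound 60 days
        out.append(Obligation("HIPAA", "vendor", "hospital", hipaa))
        out.append(Obligation("HIPAA", "hospital", "individuals", hipaa))
        if any(n > 500 for n in inc.per_state.values()):
            # More than 500 residents of a single state: press release and HHS notice as well.
            out.append(Obligation("HIPAA", "hospital", "press", hipaa))
            out.append(Obligation("HIPAA", "hospital", "HHS Secretary", hipaa))
    if "FIPA" in inc.regimes:
        out.append(Obligation("FIPA", "vendor", "hospital", d + timedelta(days=10)))
        fipa = d + timedelta(days=30)
        out.append(Obligation("FIPA", "hospital", "individuals", fipa))
        if inc.per_state.get("FL", 0) > 500:
            out.append(Obligation("FIPA", "hospital", "Florida Attorney General", fipa))
        if inc.affected > 1000:
            # FIPA says "without unreasonable delay" here; the 30-day outer bound is an assumption.
            out.append(Obligation("FIPA", "hospital", "consumer reporting agencies", fipa))
    return out

def binding_deadlines(obls: list) -> dict:
    """Reduce overlapping duties to the most stringent deadline per (actor, recipient)."""
    best = {}
    for o in obls:
        key = (o.actor, o.recipient)
        if key not in best or o.deadline < best[key].deadline:
            best[key] = o
    return best

def plan(inc: Incident) -> dict:
    return binding_deadlines(obligations(inc))

def sample_incident(affected=25000, fl=25000, regimes=("HIPAA", "FIPA"), encrypted=False) -> Incident:
    """Constructed input mirroring the article's hypothetical, with a made-up discovery date."""
    return Incident(date(2023, 1, 2), set(regimes), affected, {"FL": fl}, encrypted)

if __name__ == "__main__":
    for (actor, recipient), o in sorted(plan(sample_incident()).items(), key=lambda kv: kv[1].deadline):
        print(f"{actor:8} -> {recipient:28} by {o.deadline} ({o.regime})")
```

Run stand-alone, the script lists each notification with the regime that sets its earliest deadline: the vendor-to-hospital notice is driven by FIPA's 10 days, the individual and regulator notices by FIPA's 30 days, and the HIPAA press release and HHS notice by the 60-day outer bound. Flipping `encrypted` to True empties the plan, which is the safe-harbor point the article makes about the unencrypted laptop.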
What’s to learn from all this?
Navigating a patchwork quilt of inconsistent and conflicting laws can be a challenge, and rarely is a breach as simple as this one. A few additional points and key takeaways will assist a business in its compliance obligations:
- Contracts might alter these obligations. If a service provider experiences a breach, one of its first steps is to review its contract to determine if it has more stringent contractual obligations to its customer;
- Encryption is often a safe harbor that allows an entity to avoid reporting obligations altogether; it may also be an affirmative requirement of many of these laws, which include obligations to maintain industry-standard security safeguards;
- Law enforcement may need to be consulted and they may require a delay in notification;
- Document, document, document. Even when you do everything right, regulators may follow up and initiate investigations and you want to be able to demonstrate that you’ve complied with the law.
Finally, while this article focuses on legal compliance, it is only a singular part of a comprehensive breach response. Other key elements include technical and security assessments, speedy mitigation efforts, risk management review, potential internal sanctions, and ongoing changes to processes and practices. Of course, the best solution is to minimize or avoid data breaches in the first place. A robust information security and privacy program that includes regular education and security safeguards is key to this effort.
[1] IBM: Cost of a Data Breach Report 2022, available online at https://www.ibm.com/reports/data-breach, accessed January 20, 2023.
[2] Id., pp. 5, 6, and 9.
[3] 45 C.F.R. § 160.103.
[4] This assessment would have been done long before the incident, since HIPAA imposes numerous obligations on both covered entities and business associates which would pre-date the arrangement between the parties.
[5] § 501.171(1)(b), Fla. Stat. (2022).
[6] § 501.171(1)(h), Fla. Stat. (2022).
[7] 815 Ill. Comp. Stat. 530/5 (2022).
[8] 815 Ill. Comp. Stat. 530/50 (2022).
[9] 45 C.F.R. § 160.103.
[10] 45 C.F.R. § 164.514(a)-(c).
[11] 45 C.F.R. § 164.402.
[12] As with the analysis as to whether HIPAA applies, in the real world covered entities and business associates will already know that they possess PHI, as that assessment is part of the contracting process.
[13] § 501.171(1)(g), Fla. Stat. (2022).
[14] 45 C.F.R. §§ 164.404–164.410.
[15] 45 C.F.R. § 164.402.
[16] HIPAA requires an entity to assess the facts and circumstances of the incident, including four specific factors. If the entity can conclude that there is a "low probability" that the information has been "compromised," it does not have to report the breach of unsecured PHI.
[17] § 501.171(1)(a), Fla. Stat. (2022).
[18] 45 C.F.R. § 164.410. While HIPAA allows up to 60 days, market forces typically dictate a much shorter period. We normally see entities striving to make initial notification within 2-5 business days.
[19] 45 C.F.R. § 164.410.
[20] 45 C.F.R. § 164.404.
[21] 45 C.F.R. § 164.406.
[22] 45 C.F.R. § 164.408.
[23] § 501.171(6), Fla. Stat. (2022).
[24] § 501.171(3), Fla. Stat. (2022).
[25] § 501.171(5), Fla. Stat. (2022).
[26] § 501.171(4)(g), Fla. Stat. (2022).