Data Breach 101
Federal – Technology & Intellectual Property
The risk of unauthorized access to personally identifiable information ("PII") and protected health information ("PHI") poses a genuine threat to every business and every person. According to a recent study published by Javelin Research, 11.1 million adults were victims of identity theft in 2009, suffering a combined $54 billion in total fraud (up 12.5 percent from 2008). Those same people, in turn, could have claims against the companies that maintained their PII or PHI and exposed them to the identity theft.
What is a "Data Breach"?
A data breach is generally considered to be the release or exposure of PII maintained in electronic format to an unauthorized individual. A data breach can result from a hacking incident, lost or stolen laptops and hard drives, or the improper disposal of computer equipment. PII is usually defined as an individual's name in combination with a Social Security number, driver's license number or financial account number. All but a handful of states now have data breach notification laws meant to protect consumers from these incidents. Although the specific requirements of state laws vary widely, most states define a breach as any unauthorized acquisition of PII, regardless of whether the security or confidentiality of that information has been materially compromised. To complicate matters, federal laws and regulations sometimes conflict with state laws, and the two must be reconciled when developing a data breach response plan.
What is Required When a Data Breach Statute is Triggered?
If a breach of PII or PHI occurs, the parties to be notified under a typical state statute may include the individuals whose information has been compromised, the state Attorney General, credit reporting agencies, law enforcement and/or any applicable government agencies. Which of these parties must be notified depends on factors such as the number of individuals within a state whose information has been compromised. The affected individuals themselves, however, must almost always be notified.
The time frame in which notice must be provided varies by state, regulation and federal law as well. Most states require notice to the affected individuals "without unreasonable delay." However, some states impose specific timelines. This means the clock is running and an investigation and notification must be completed relatively quickly.
In addition to the state laws regarding data breach notification, the federal Health Information Technology for Economic and Clinical Health Act ("HITECH") provides breach notification requirements for certain disclosures of PHI. PHI may include diagnostic and treatment information associated with an individual, and a "breach" is an unauthorized acquisition, access, use or disclosure of PHI that poses a significant risk of financial, reputational or other harm to the individual.
Unlike state data breach laws, which attach to residents of that state and typically apply to any entity, HITECH applies only to certain entities regulated by the Department of Health and Human Services ("HHS"), such as hospitals, pharmacies and physicians, and to their business associates. Patients affected by a HITECH breach must be notified within 60 days of discovery. The HHS Office for Civil Rights ("OCR") must also be notified, and where a breach affects more than 500 residents of a state or jurisdiction, prominent media outlets serving that area must be notified as well.
Enforcement and Related Costs, i.e., Why Should Insurance Carriers Be Concerned?
Data breaches can lead to a variety of costly consequences for an affected entity and/or its insurance carrier. Most state data breach statutes provide for enforcement actions brought exclusively by the state Attorney General. A minority of states also provide for private rights of action. There is no private right of action under HITECH; however, state Attorneys General may file cases in federal district court to enjoin violations or obtain damages on behalf of individuals.
Another concern is the threat of class action litigation. For example, in March 2008, the Hannaford Bros. supermarket chain disclosed that it had suffered a breach resulting in the theft of credit and debit card data belonging to approximately 4.2 million individuals. This breach led to extensive and costly class action litigation. However, in a ruling issued on September 21, 2010, the Maine Supreme Judicial Court held that consumers affected by a data breach cannot recover damages unless they suffer uncompensated financial losses or some other tangible injury. In other words, the plaintiffs could not sue Hannaford merely for the time and effort spent avoiding or mitigating harm from fraudulent charges on their cards.
In addition to the threat of litigation, data breaches can result in significant fines and penalties. Some state data breach statutes include civil penalties for failure to comply with the notification requirements. HITECH provides for tiered penalties, depending on whether a violation is committed unknowingly, with reasonable cause or with willful neglect. These fines range from $100 per violation if an entity did not know, and could not reasonably have known, of the violation, to $50,000 per violation for a violation caused by willful neglect that is not cured within 30 days, subject to an annual cap of $1.5 million for all violations of an identical provision.
Carriers should also be aware that data breaches may trigger costly mandatory investigations, credit monitoring costs and/or public relations costs. A 2010 study by the Ponemon Institute estimates that the total average cost of handling a data security incident in the United States in 2009 was $6.75 million ($204 per record). Of that $6.75 million, $4.47 million ($135 per record) was comprised of lost business. The remaining $2.28 million ($69 per record) was attributable to notification costs, defense costs (including attorneys' fees), crisis management, credit monitoring and call center support, internal and regulatory investigation costs and fines/penalties.
Our Technology, Media & Intellectual Property Practice Group, along with our Health Law Practice Group, has helped clients respond to a variety of breaches. These have ranged from fairly common events, such as the theft of a laptop or briefcase, to file transfer errors affecting the privacy rights of millions of people. Developing a proper response plan is critical not only for compliance with the numerous applicable laws, but also to help limit the regulatory backlash that follows an incident because of the underlying conduct that allowed it to happen in the first place.
*Eric is an associate in our Philadelphia, Pennsylvania, office who can be reached at 215-575-4554. Nicolai is a graduate attorney in our Philadelphia, Pennsylvania, office.
Defense Digest, Vol. 16, No. 4, December 2010