The title of this blog entry is somewhat of a misnomer because there is no single national data breach notification law that governs all information the way the state data breach notification laws do. So, for the time being, companies and consumers are forced to determine which state data breach notification laws apply to them and how those laws differ. Nevertheless, there are federal laws that require disclosure of data breaches in certain instances, and usually these laws are “industry specific.”
Examples of federal laws that require data breach notification are two laws governing the health care industry – the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH). Together, these laws require “covered entities” and many of their service providers to maintain administrative, technical, and physical safeguards to ensure the confidentiality, integrity, and availability of “protected health information” (commonly referred to as “PHI”). A covered entity is a health plan, a health clearinghouse, or a health care provider who transmits health information.
If there is a breach, the covered entity must notify the individuals whose information has been accessed (and law enforcement) without unreasonable delay and no later than 60 days after the breach was discovered. (The law also requires notification to the media in cases where the breach affects more than 500 individuals.) Whether there is a breach that triggers the duty to notify depends on whether, with some exceptions, there was an impermissible use or disclosure that compromises the security or privacy of the PHI such that the use or disclosure poses a significant risk of financial, reputational, or other harm to the affected individual. The notice must state what occurred, what type of information was accessed in the breach, what steps individuals should take in response, and what is being done to investigate, mitigate, and protect against further harm, and it must provide contact information. HITECH imposes these same notification requirements on the covered entity’s vendors and service providers.
Another example of a federal data breach notification requirement is found within the Gramm-Leach-Bliley Act (GLB), which governs companies engaged in financial services. Under GLB, when a financial institution becomes aware of an incident of unauthorized access to sensitive customer information, the institution should conduct an investigation to determine the likelihood that the information has been or will be misused. If there is a determination that the misuse has occurred or is reasonably possible, the institution must notify the affected customer as soon as possible, save a law enforcement determination that notification will interfere with a criminal investigation.
Sometimes a company’s duty to disclose may be imposed by a government agency. For example, publicly traded companies need to be aware of the October 13, 2011, SEC Disclosure Guidance: Topic No. 2. Although the guidance is not the law but rather an agency’s interpretation of the law, it clearly states that publicly traded companies should report significant cyber incidents to the SEC. The company must determine whether a reasonable investor would consider information about the incident important to an investment decision. In making this determination, a company should weigh the several factors set forth in the guidance. The guidance also states what information should be in the disclosure.
These examples and the descriptions of them are admittedly very superficial and are not meant to capture the entire universe of federal laws requiring data breach notification. The point of this post is that there is no uniform federal data breach notification law. Data breach notification requirements at the federal level arise from a variety of laws and other legal authority. As a result, a company that believes it may have suffered a data breach must consult the laws of any state where any of its customers reside, a variety of federal legal sources that regulate the company’s industry, and—as will be explained in an upcoming post—international law. If your company has customers overseas, it will need to be aware of data breach notification requirements abroad. The next part of this series on data breach notification laws will focus on Europe as a case study of how data breach notification is addressed in other countries.
DISCLAIMER: The opinions expressed here represent those of Al Saikali and not those of Shook, Hardy & Bacon, LLP or its clients. Similarly, the opinions expressed by those providing comments are theirs alone, and do not reflect the opinions of Al Saikali, Shook, Hardy & Bacon, or its clients. All of the data and information provided on this site is for informational purposes only. It is not legal advice nor should it be relied on as legal advice.