Data breaches continue to happen, and countless individuals have had their personal information exposed in at least one breach, often several. Several years ago, when a data breach happened, its occurrence was seen as "things happen" and the company involved scrambled to respond and clean up the aftermath. Indeed, some companies got their response right, while others only made their situation worse; we all know the ones that got it all wrong, so there is no need to name them here.
Let's fast forward to today: when a data breach happens now, the "things happen" thinking is long gone, replaced with "this should not have happened" and "how did you let it happen?"
When It Does Happen, Data Breach Reporting is all Over the Place
While this article will not delve into whether there should be “one” or “50 State Privacy Laws”, all 50 states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands have enacted legislation requiring private or governmental entities to notify individuals of security breaches of information involving personally identifiable information.
Besides the 50 states requiring their residents to be notified, the state attorney general in each of the 50 U.S. states has different notification requirements, and there are important differences, meaning a one-size-fits-all approach to notification will not suffice. In addition, for companies in regulated sectors, the Health Insurance Portability and Accountability Act (HIPAA) and the Gramm-Leach-Bliley Act (GLBA) impose additional notification requirements.
Lastly, don't forget to report your breach to a law enforcement agency; that should be your second phone call and near the top of your list of parties to notify. If you're wondering who your first call should be: if you have a cyber insurance policy, your cyber insurance broker and insurance carrier should be your first call.
Data Breach Reporting
When a data breach happens, you will need to draft your data breach notification to the affected individuals and to each of the authorities listed above.
For example, in California, the State of California’s Sample Notice of Data Breach to affected individuals asks your company to disclose:
- What happened?
- What information was involved?
- What are you doing?
- What the individual can do.
- Phone number for additional information or questions
In addition, many states have a data breach notification form available on their website for reporting your company's breach. Indeed, data breach notification is an intense process that requires speed, accuracy and as many details as possible, many of which may not be available at the time you need to submit the notification.
My apologies if your head is spinning... hold on to your chair!
Data Breach Litigation has Escalated to a Point We Have Never Seen Before
The States of Arizona, Arkansas, Florida, Indiana, Iowa, Kansas, Kentucky, Louisiana, Minnesota, Nebraska, North Carolina and Wisconsin have joined together to file the first ever multi-state data breach lawsuit against Medical Informatics Engineering, Inc. DBA Enterprise Health, LLC and K&L Holdings, and NoMoreClipboard, LLC.
The summary of the case states that, intermittently between May 7, 2015 and May 26, 2015, unauthorized persons ("hackers") infiltrated and accessed the inadequately protected computer systems of the Defendants. During this time, the hackers were able to access and exfiltrate the electronic Protected Health Information ("PHI") of 3.9 million individuals, whose PHI was contained in an electronic medical record stored in the Defendants' computer systems. The personal information obtained by the hackers included names, telephone numbers, mailing addresses, usernames, hashed passwords, security questions and answers, spousal information (names and potentially dates of birth), email addresses, dates of birth, and Social Security Numbers. The health information obtained by the hackers included lab results, health insurance policy information, diagnoses, disability codes, doctors' names, medical conditions, and children's names and birth statistics.
The defendants' WebChart app is designed to collect and manage electronic health record (EHR) information. The app allows medical providers to input information via their computers, which is then managed by the defendants' servers.
The lawsuit claims that the defendants failed to take adequate and reasonable measures to ensure their computer systems were protected, failed to take reasonably available steps to prevent the breaches, failed to disclose material facts regarding the inadequacy of their computer systems and security procedures to properly safeguard patients’ personal health information, failed to honor their promises and representations that patients’ personal health information would be protected, and failed to provide timely and adequate notice of the incident, which caused significant harm to consumers across the United States.
While lawsuits addressing data breaches are not uncommon, what makes this one the first of its kind is that the plaintiffs are neither individual patients nor a class of patients harmed by the alleged actions of the defendants. Rather, the plaintiffs are the twelve states whose attorneys general jointly filed the complaint.
This is a lawsuit that will be closely watched and one that could set a precedent for many other data breaches that have already occurred or have yet to happen.
Cyber Insurance Provides the Services and the Response Team that Could Help in Critical Situations Like this One
When a data breach incident happens, a company can no longer afford to be unprepared and must be able to show what steps were taken, and what was in place, before and after the breach. While incident response is certainly still key, the pendulum seems to be swinging towards what a company did to prepare for its data breach before it happened. After all, inquiring regulators will want to know how you let your data breach happen, and will investigate what you did or didn't do before the breach so that, in the end, they can assess fines and penalties against your company for its occurrence. While fines and penalties after a data breach are nothing new, the plaintiff lawsuit mentioned above, involving 12 State Attorneys General, is one to watch.
Nevertheless, if your company ends up with a data breach, cyber insurance, with its data breach response services and highly experienced response team, has become the desired choice of many companies today.
I always ask prospective clients who they will call when a data breach happens, and since you can't call 911 for a data breach emergency, your cyber insurance broker is your next best choice.