Navigating Breach Notification Requirements

October 13, 2018

Today’s business climate involves constant cyber-attacks against all types of organizations, regardless of industry. Unfortunately, attacks are inevitable, and organizations must be prepared to handle them. These attacks target organizations that have developed and implemented a proper security program as well as organizations with misconfigured and poorly implemented security programs. Attackers target an organization based on the value of the data that it maintains, such as Protected Health Information (PHI) and Personally Identifiable Information (PII). Once a breach occurs, it can result in data exfiltration, which requires the organization to adhere to specific breach notification laws that can be difficult to navigate.

The organization must first identify what data it manages and holds so it can understand which laws need to be followed based on the industry that it operates within. This step can involve both federal and state requirements. For example, for PHI, Health and Human Services has documented on its website the HIPAA Breach Notification Rule, along with how it defines a breach and the notification requirements that apply if a breach occurs. These requirements are enforced by the Federal Trade Commission (FTC). When dealing with PHI, these requirements oblige covered entities to notify affected users within sixty (60) days of identifying that a breach has occurred. The notification period could be shorter for business associates, resulting in notifications being sent within a few days. Notification can be in the form of mail, email or media notices.[1]

After looking at the federal requirements, the next step is to evaluate what the state requires for a breach notification. The requirements are not just those of the state where the entity has its headquarters, but also include the laws of the states that it operates in. In 2018, Maryland adjusted the Personal Information Protection Act, adding more identifiers to what is considered PII. In the past, the list included items such as Social Security numbers, driver’s license numbers, etc. Now the list includes biometric data and health information.[2] Under the Maryland requirements, organizations are required to conduct a “Good Faith” investigation to identify whether data has been compromised. Notice must be provided as soon as reasonably practicable. This could be delayed if a federal or state investigation is in progress.

Once the federal and state requirements have been evaluated, identify the gaps and differences to determine which is the stricter of the two. Implement that rule, since it would encompass the less binding requirement. A good option is to engage a lawyer in the field of Cyber Law. The lawyer will provide strict guidance on how to handle breach notifications for the specified industry, removing any potential for additional fines or penalties for mishandling the occurrence.

Finally, once the required actions are identified for handling a breach, they need to be documented within an Incident Response Plan. The IR Plan should have specific categories, so the organization understands how to handle different types of incidents. In the case of handling a breach, it will identify which key players, such as stakeholders and insurance policies, are involved, so that the compromised components are properly identified and isolated without affecting the evidence of the breach. Once the IR Plan is in place, it must be run through numerous times to flush out any deficiencies within the plan and minimize the risk of not properly handling a potential breach.

 

[1] https://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html

[2] http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/businessGL.aspx