Timing is everything. Indeed, we have all heard these wise words shared when we are being counseled on the value of patience in our lives. Well, the same can be said of data breach. Indeed, when dealing with security incidents (not all incidents are breaches), I always counsel clients to take a breath, work their incident response plan like we practiced, and be patient. Good advice, if I do say so myself. However, while patience is important, when a breach is properly discovered and any harms mitigated, companies also need to move with a sense of urgency to properly notify individuals and regulators of the breach as required by state and some federal law (HIPAA). Failing to meet those deadlines can make a bad situation worse by exposing a company to operational, legal and reputational harm. We may be seeing this with the recent news of a second breach at Yahoo!
On December 14, 2016, Yahoo! reported a second breach of its systems in which one billion (yes, with a “b”) accounts with customer names, email addresses, telephone numbers, dates of birth, passwords, and encrypted or unencrypted security questions and answers were compromised. The company reported that the breach took place in 2013. In September of this year, Yahoo! reported another breach of 500 million records dating back to 2014. Needless to say, these numbers are staggering and understandably get all the press. But, what is also notable, at least to me, is the amount of time that has lapsed since the alleged breaches and the company’s providing notice of those breaches. We are talking 2-3 years, here. Surely, that can’t be right??
Well, as we lawyers like to say, “It depends.” To be sure, there are many reasons such a delay may be reasonable and in compliance with the law. And while class actions have been filed and Congress has chastised the company for taking so long to provide notice to affected individuals, there are several reasons such a delay may take place.*
1. No Knowledge of the Hack or Breach. It is possible that the company did not discover either hack or breach until 2016. It is important to remember, as well, that a hack does not always result in a data breach in which information is taken or compromised. As I wrote before, often an intrusion can take place without detection for months, if not years. Yahoo! reported that the 2014 breach was only discovered in the summer of 2016, when it conducted a security review in response to another, unrelated attack. Is this possible? Yes.
What is clear is that notice cannot be provided for a breach that has not been identified. For this reason, many state laws provide entities time to properly investigate a security incident to determine if a breach has taken place. This is a very important point to understand: not all incidents are “breaches” under the law. To make such a determination takes time, effort and expertise from a variety of disciplines, of which the law is just one. Depending on the nature of the attack and the information systems compromised, it can take weeks to determine what, if any, information was accessed, viewed or taken. It is very possible that Yahoo! did not have notice of the hack until this year and it is also very possible that it took even longer to determine if information was actually compromised as a result of the hack. Before a breach notification obligation can be triggered, you have to know you had a “breach” under the law.
2. Law Enforcement Holds/Delays. Another possibility for the most recent delay is that the company discovered the breach and notified law enforcement, as a crime may have been committed. Every state with a breach law allows for such a delay to allow law enforcement to take action without alerting the perpetrator of the investigation. While some investigations have indeed gone on for years, they are rare.
3. State Law Clocks. So once a company has actual knowledge of a breach under the law and has taken steps to remedy the breach and mitigate any resulting harm, it must take note the clock is running to provide notice to affected individuals. Some states also require notice to regulators, such as the state attorney general.
To say the timeframes for providing such notices are varied is an understatement. Currently, there are 47 different breach notification laws on the books. Most state laws do provide room for discretion in providing notice. And, again, this is for good reason. It takes time to properly determine if you even have a “breach” and to properly determine its scope and range of harm. So, rather than specifying a number of hours or days to provide notice, many states require notice to be provided “in the most expedient time possible” or “without unreasonable delay.” Many states, however, do specify a number of days to provide notices ranging from five days to as many as 90 days. In Ohio, the requirement is 45 days. Such time frames vary depending on the entity breached, the number of records involved and the party to which notice is being given. For example, Connecticut requires 5 days for notice of “incidents” when given by special licensees and registrants of the state insurance department, but then also allows 90 days’ notice to state residents of any “breaches.”
So what does this all mean and how can you make sense of it? In a nutshell, your business should consider the following, including consulting counsel, when appropriate.
1. Properly determine if you have an incident or breach. Each state defines personally identifiable information differently, and likewise defines “breach” differently. Be proactive. Invest time now in a sound data governance program which will make you more capable of identifying and responding to a breach when it occurs.
2. Determine which laws apply to your incident or breach. Generally speaking, whether a law applies depends on whether a state resident’s information has been involved in the incident or breach. Don’t forget HIPAA.
3. Check the applicable statutes to ensure compliance with each state’s notification requirements. Review each state’s requirements not only for the timeframe to provide notice, but to whom you must provide notice and what must be included in said notices.
So the story remains to be told as to why Yahoo! has taken so long to report either breach, and the resulting fallout likewise remains to be seen. What companies can take away from this is a reminder with data breach, it is not IF but WHEN. And, WHEN it does happen, remember the clock is ticking on your duties to notify.