Breaking the News: Disclosing Data Breaches and Withstanding Regulatory Scrutiny
Breached companies are often crime victims, but they are also potential targets for regulatory actions (and, as we will discuss in future installments, potential parties to a wide range of litigation). Therefore, as soon as you discover – or reasonably suspect – that your organization has suffered a breach that may have resulted in acquisition of sensitive or personal information by unauthorized parties, you should begin considering your disclosure obligations and your exposure to regulatory actions. In this installment of our special series, A Desk Guide to Data Protection and Breach Response, we discuss disclosure and enforcement actions by regulators, including state attorneys general, the U.S. Federal Trade Commission (the “FTC”), and the U.S. Department of Health and Human Services (the “HHS”).
State Law Disclosures and Regulatory Actions
In the United States, disclosure of breaches of personal information (also referred to as “personally identifiable information” or “PII”) is largely governed by the law of the state(s) where the affected individuals reside. Accordingly, in the event of a known or suspected breach, you should determine as quickly as possible whether PII may have been exposed and, if so, whose PII was exposed and where those individuals reside.
Currently, 46 states, the District of Columbia, and several U.S. territories have enacted laws requiring companies to notify their residents of breaches involving personal information. As we explained in our first installment, the precise definition of “personal information” varies by state, but it typically includes names combined with social security numbers, driver’s license numbers, state ID card numbers, or financial information (e.g., bank account numbers or credit or debit card numbers). Some states’ definitions of PII include additional information, such as medical data, tax identification numbers, or passport numbers.
Under most state laws, disclosure obligations are triggered when a company knows or reasonably believes that personal information was acquired by unauthorized third parties, and disclosures are to be made in the most expedient time possible and without unreasonable delay. However, many states provide for delayed disclosures under certain circumstances, including (1) when delay is necessary to determine the scope of the breach, (2) while the company is securing the integrity of the data system, or (3) at the request of law enforcement. Some, but not all, of the states that provide for law enforcement delay require the request to be in writing (or even require that the written request be provided to the state attorney general), so if law enforcement requests that you delay disclosure, you should examine the laws of the relevant states before complying with an oral request alone.
The timing of disclosures is critical. Disclosing companies face intense, negative scrutiny over perceived delays in disclosure from a variety of entities, including politicians and regulators, the media, and consumers and consumer advocacy organizations, even when the “delays” amount to no more than a few days. Certain state attorneys general have been active in investigating the timing of disclosures, and they have been taking action – ranging from warning letters to civil prosecution – against companies whose disclosures they deem untimely. For example, the California attorney general recently filed a case against Kaiser Foundation Health Plan, Inc. alleging that Kaiser’s notification to current and former employees – who were California residents – regarding a breach of their personal information was unreasonably delayed. The attorney general alleged that Kaiser should have provided notice of the breach to affected individuals on a rolling basis as soon as it determined that each individual’s information had been or was “reasonably believed to have been breached” – even before Kaiser concluded its internal investigation. (For additional information, see our coverage of that case.)
Actions by the FTC
Companies that have suffered a data breach can become the target of an enforcement action by the FTC, which is the most active federal government regulator when it comes to ensuring that businesses protect personal information. The FTC is responsible for enforcement of the Children’s Online Privacy Protection Act (“COPPA”), the Controlling the Assault of Non-Solicited Pornography and Marketing (“CAN-SPAM”) Act of 2003, and (along with the HHS Office for Civil Rights) the Health Information Technology for Economic and Clinical Health (“HITECH”) Act of 2009. And, starting in the 1990s, the FTC began bringing privacy enforcement actions to address “unfair” and “deceptive” trade practices under Section 5 of the FTC Act.
Typically, an FTC enforcement action begins with a claim against a company that it has committed an unfair or deceptive trade practice or has violated one of the statutes mentioned above. A data breach is not a prerequisite for an FTC action, but when a data breach has occurred, the FTC generally has little trouble concluding that a company has been deceptive or unfair in its data protection promises or practices.
Once a claim is initiated, the FTC will investigate the company, and may initiate an enforcement action if it believes the claim has merit. Most FTC enforcement actions are settled through consent decrees, through which subject companies agree to change their practices, but do not admit wrongdoing. The terms of consent decrees vary depending on the violation, but many recent consent decrees require companies to undergo periodic third-party audits of their privacy practices for up to twenty years. A good example of this is Twitter’s consent decree to settle FTC charges related to a hack of its service in 2009. Consent decrees can also include the payment of significant monetary penalties. For example, a company agreed in 2012 to pay $22.5 million to settle claims by the FTC that it misrepresented privacy protections to consumers, even though no data breach occurred.
Occasionally, enforcement actions are not settled through a consent decree, and instead lead to a full trial before an administrative law judge. The hotel company Wyndham Worldwide and the medical facility LabMD are currently involved in separate data security suits with the FTC related to data breaches suffered by each company.
The FTC has broad discretion to label privacy practices “unfair” or “deceptive,” especially if a data breach has occurred. But the FTC has not issued any regulations that would provide more detail to companies looking to avoid an FTC investigation. Counsel with an understanding of previous FTC enforcement actions is often the best source of guidance on the types of privacy practices the FTC may find objectionable. Additionally, the FTC published guidelines titled “Fair Information Practice Principles” in 2009, which highlight the FTC’s privacy enforcement priorities. Those guidelines encourage companies to address five core principles of privacy and data security: (1) notice and awareness, (2) choice and consent, (3) access and participation, (4) integrity and security, and (5) enforcement and redress.
U.S. Department of Health and Human Services Enforcement
As we discussed in the first installment of this series, personal health information is protected in the United States under the federal Health Insurance Portability and Accountability Act (“HIPAA”), as amended by the HITECH Act. The HHS (along with the FTC) is responsible for enforcing HIPAA’s Privacy and Security Rules, which apply to health care providers, health insurers, and their vendors (“Covered Entities”). When Covered Entities suffer a breach of unsecured protected health information (“PHI”), they must file a breach report with the HHS. (The size of the breach determines the timing of the report: breaches involving more than 500 affected individuals must be disclosed within 60 days of discovery of the breach, while there is more leeway on the timing of disclosure for smaller breaches.) The HHS has been active in bringing enforcement actions against companies that violate the Privacy and Security Rules. For example, it recently settled a case against Affinity Health Plan involving a breach of PHI of more than 300,000 individuals. In that case, the HHS alleged that Affinity impermissibly disclosed PHI that had been stored on the hard drives of leased photocopiers by returning the copiers to the leasing agent without wiping the drives. Affinity was required to pay more than $1.2 million to settle the case.
Other Regulatory Exposure
Depending on a company’s profile, it may also be exposed to enforcement actions by other regulatory bodies. For example, U.S. issuers may face scrutiny from the Securities and Exchange Commission for failure to fully or timely disclose a material data breach. Additionally, companies that do business internationally may own or control databases in the United States that contain personal data belonging to foreign citizens, potentially subjecting U.S. companies to foreign privacy laws and enforcement action by foreign regulators.