As a reminder that state attorneys general have enforcement authority over breach notifications, the New York Attorney General recently announced a $130,000 settlement for a failing to provide breach notification in a reasonable time. Organizations should ensure that they are prepared to quickly provide required notifications in the event of a breach, and should properly document any request from law enforcement to delay notification.

CoPilot Provider Services (“CoPilot”), which assists physicians with coverage determinations, experienced a breach in October 2015 when an unauthorized person accessed and downloaded confidential patient data including names, birthdates, addresses, phone numbers, and medical insurance information. CoPilot learned of the breach on December 23, 2015, but did not notify patients until January 18, 2017. The Attorney General concluded that CoPilot violated New York’s breach notification law for waiting more than one year to provide notice of a breach that exposed data of 221,178 patients.

N.Y. Gen. Bus. Law, Article 39-F, § 899-aa requires entities to provide notice of a breach “within the most expedient time possible and without unreasonable delay,” unless a law enforcement agency determines that notice will impede an investigation, in which case notification must be delayed until authorized by the law enforcement agency. CoPilot asserted that it did not report the breach more expediently because the Federal Bureau of Investigation (“FBI”) was conducting an investigation upon CoPilot’s request. The New York Attorney General, however, stated that “the FBI never determined that consumer notification would compromise the investigation and never instructed CoPilot to delay victim notifications,” which made the delay in notification unreasonable.

A company’s failure to perform timely breach notification can also result in liability at the federal level, as was the case for Presence Health in January 2017. There, the U.S. Department of Health and Human Services Office for Civil Rights (“OCR”) stated that it took Presence Health 101 calendar days to notify OCR and 104 calendar days to notify affected individuals and media, when the notification should have been without unreasonable delay and in no case later than 60 days after discovering the breach. See 45 C.F.R. §§ 164.404-408.

Practical Considerations:

  • Most states have breach notification reporting requirements and some do not include specific timeframes, therefore companies that handle sensitive information must be acutely aware of reasonableness standards and ensure that procedures are in place to minimize delays in notification.
  • Davis Wright Tremaine’s Summary of U.S. State Data Breach Notification Statutes is a useful tool to use in order to identify timing and other state breach notification requirements.
  • When a law enforcement agency has opened an investigation related to a breach, companies should clarify and document whether or not the agency has requested a hold on breach notification.
  • Time is of the essence in any breach situation. Workforce should report actual or suspected breaches immediately. Robust breach notification policies and training can equip an organization and its workforce to respond to a breach.