[BreachExchange] Data security and breach notification in the USA

Audrey McNeil audrey at riskbasedsecurity.com
Fri Oct 13 15:01:56 EDT 2017


https://www.lexology.com/library/detail.aspx?g=b9a0edc0-fc09-4924-a531-f669e9b8941f

Data security and breach notification

Security obligations

Are there specific security obligations that must be complied with?

Sector-specific laws impose information safeguarding requirements on
covered entities in certain industry sectors. For example, the
Gramm-Leach-Bliley Act requires financial institutions in the United States
to establish appropriate administrative, technical and physical safeguards
to ensure the security and confidentiality of their customers' personally
identifiable financial information. Similarly, Health Insurance Portability
and Accountability Act covered entities and their service providers (known
as business associates) must, pursuant to the Health Information Technology
for Economic and Clinical Health Act, implement specific administrative,
physical and technical safeguards to protect and ensure the confidentiality
of protected health information.

Certain states have laws which impose general information security
standards on organisations that maintain personal information. For example,
California law requires organisations that own or license personal
information about California residents to implement and maintain reasonable
security procedures to protect the information from unauthorised access,
use, disclosure, destruction or modification. Similarly, Massachusetts
Standards for the Protection of Personal Information require organisations
that hold personal information about Massachusetts residents to maintain a
comprehensive, written information security programme to protect that
personal information (note that the Massachusetts law applies to both
consumer and employee data). At least eight other states have information
security laws which require organisations to implement reasonable security
measures with respect to certain types of information.

Nevada law requires that businesses encrypt customer personal information
if the information is transmitted electronically outside the business’s
secure system, other than via fax, and when moving a data storage device
containing personal information outside the logical or physical controls of
the business. Nevada’s encryption law also requires businesses collecting
payment card information in Nevada to comply with the Payment Card Industry
Data Security Standard. Minnesota law similarly codifies selected
requirements of the Payment Card Industry Data Security Standard, including
prohibitions on storing payment card data once a transaction is completed.

Several state laws impose specific information security requirements with
respect to certain types of sensitive personal information. For example,
Connecticut and New Jersey require data security safeguards and security
practices for health insurance information. Over a dozen states (eg,
California and New York) also impose safeguarding requirements with respect
to social security numbers.

Breach notification

Are data owners/processors required to notify individuals in the event of a
breach?

Since California’s breach notification law in 2003, 48 US states, the
District of Columbia, Guam, Puerto Rico and the US Virgin Islands have
enacted data breach notification laws that require affected individuals to
be notified in the event of an information security breach. There is no
national data breach notification requirement. Organisations which have
experienced a data breach must comply with the legal requirements of each
state in which affected individuals reside. Minor variations in the state
breach laws can create compliance challenges when residents of multiple
jurisdictions are affected. For example, certain state breach laws include
provisions that limit the notification requirement to those breaches that
pose a risk of harm to affected individuals, or exempt
entities that are subject to federal regulations regarding breach
notification. However, other state breach laws require notification in the
event of unauthorised access regardless of the likelihood of harm or the
applicability of federal regulations. Accordingly, determining whether
notification is legally required pursuant to state breach laws requires a
fact-specific, state-by-state analysis.

In the event of a data breach, the entity that owns or licenses the data
typically bears responsibility for notifying affected individuals. Where a
service provider of a data owner experiences an information security
breach, the state laws generally impose an obligation on the service
provider to notify the data owner on discovering the breach, and the data
owner is then required to notify affected individuals.

Additionally, sector-specific laws impose notification obligations on
covered entities, including financial institutions and healthcare entities.
Pursuant to the Interagency Guidance on Response Programmes for
Unauthorised Access to Customer Information and Customer Notice (the
interagency guidance) – issued in 2005 by federal banking regulators – a
financial institution that becomes aware of an incident involving
unauthorised access to or use of “sensitive customer information” must
promptly notify its primary federal regulator (as well as appropriate law
enforcement authorities if the incident involves federal criminal
violations that require immediate attention). The entity also must notify
affected customers if misuse of sensitive customer information “has
occurred or is reasonably possible”. Regarding healthcare, the Health
Information Technology for Economic and Clinical Health Act and the breach
notification section of the Final Omnibus Rule require:

Health Insurance Portability and Accountability Act covered entities that
experience an information security breach involving unsecured protected
health information to notify affected individuals; and

business associates of Health Insurance Portability and Accountability Act
covered entities to notify the covered entity following discovery of such a
breach.

Are data owners/processors required to notify the regulator in the event of
a breach?

Over half of the states require organisations to notify the state attorney
general or other state agency in the event of a legally cognisable security
breach. Some states require notification to state regulators when an entity
chooses to rely on the state law’s notification harm threshold as a basis
for not notifying affected residents. Additionally, sector-specific laws
require regulator notification by covered entities as discussed above. For
example, the interagency guidance requires financial institutions to notify
their primary federal regulator and law enforcement authorities (where
appropriate) in the event of a breach. Similarly, Health Insurance
Portability and Accountability Act covered entities must provide notice of
data breaches to the Department of Health and Human Services.