[BreachExchange] Tick Tock: When Is a Data Breach Notice Needed?

Audrey McNeil audrey at riskbasedsecurity.com
Fri May 17 18:54:57 EDT 2019


https://www.hitechanswers.net/tick-tock-when-is-a-data-breach-notice-needed/

Notice of a new data breach is posted at least once a day. A frequent
feature of many notices is the disclosure that the conduct giving rise to
the breach happened months earlier, and in some instances the delay
stretches into years. The notices typically do not provide much insight
into the reasoning for the delays, which gives rise to the question: when
should notice of a data breach be provided?

The answer is seemingly straightforward. The HIPAA data breach notification
rule states that, absent certain narrow exceptions, a covered entity needs
to provide notice without unreasonable delay, and in no case later than
60 days following discovery of the breach. The language “without
unreasonable delay” is key. While the rule allows up to 60 days, the full
60-day period should not be used as a reason to put off providing notice.
Instead, notice is supposed to go out as soon as possible. The breach
notification rule goes on to set out the required contents of a breach
notification, with details included to the extent they are known. That
qualifying language suggests that notice can go out before all relevant
details are finalized.

While notification should be provided without unreasonable delay, the
clock runs from when the breach is “discovered.” As with any good
regulation, the word “discovered” is specifically defined. For purposes of
breach notification, a breach is treated as discovered on the first day
that the breach is known, or would have been known had reasonable
diligence been exercised. A breach is also treated as discovered if any
person in the organization, other than the person who caused the breach,
knows of it or would have known of it through reasonable diligence. The
full scope of the definition of “discovered” underscores that it is very
easy for a breach to become known and for the clock toward notification to
start running.

When implementing the definition of “discovered,” commentary in the
regulations emphasized that a broad range of people should be able to
discover a breach and bind an entity to that discovery. The commentary
offered only slight clarity on the meaning of reasonable diligence, stating
that it means the business care and prudence expected of a person seeking
to satisfy a legal requirement. Arguably that statement raises more
questions than it answers, since the level of attention and care can vary
greatly depending upon the legal requirement under consideration. At
times, it can feel as though certain legal requirements do not receive the
full attention and energy they deserve, a criticism that has been applied
to HIPAA-related compliance efforts.

The plain language of the breach notification rule and the commentary
demonstrate that discovery is not intended to be a matter open to
discretion or broad interpretation. The goal is to shorten the timeframe in
which a breach is detected, investigated, and then revealed. The goal is
not to hide the ball, but to get information out to impacted individuals.

While notification is the broad goal, the rule does include one limited
exception under which notification must be delayed. That exception arises
when a law enforcement official requests a delay in notification. The
request should only be made when the law enforcement official states that
notification would impede an investigation or cause damage to national
security. Both elements are interesting in that either could be a vague
standard and could potentially be invoked for a variety of reasons.

The first ground, not impeding an investigation, is the one most likely to
be invoked. For example, many breaches arise from phishing, ransomware,
malware, or some other form of external attack on a system. If law
enforcement wants to pursue a breach in an attempt to track down the
attacker, it stands to reason that a delay in notification would be
requested. Since most breach notifications draw some level of attention
during a news cycle, any disclosure would draw attention and reveal that
the intrusion is known. By contrast, if a victimized healthcare entity
notifies law enforcement and is instructed to keep the attack quiet, it
could be possible to track down the responsible party.

While the description and reasoning for a delay are plausible, the whole
concept relies upon the impacted organization actually notifying law
enforcement. It may not be possible to know exactly how many organizations
tell law enforcement when a breach occurs, but a cursory review of notices
does not reveal many instances in which a delay is stated, much less that
law enforcement has been contacted or involved.

While it is tempting to suggest that law enforcement requests are the
reason so many notices do not come out quickly, the truth likely lies
elsewhere. Another aspect of the common notice could provide a clue. Very
often the notice states that a breach or intrusion happened months before
and either was not found until recently or the organization needed months
to determine who and how many individuals were impacted. The first
statement raises the question of whether the attack was so hard to find
that it could not be discovered, or whether the organization was simply
not diligent enough in reviewing activity. Neither scenario is comforting,
and both are arguably at odds with the definition of “discovered.”

The second statement is more troubling. As noted, the breach notification
rule does require a fairly detailed notice to be issued, but at the same
time only requires information to be included to the extent known. If not
all of the details are known within the initial 60-day (or shorter)
period, should an organization send an initial notice with more detail to
follow? While not preferable from the perspective of allaying worries, that
approach could avoid allegations of delay or of an intent to avoid
notification.

Ultimately, the key is to get notice of a data breach out in a timely
manner that aligns with the requirements of the breach notification rule.
That means notice should go out within 60 days of discovering the breach,
without playing games over what it means to discover the breach. Such an
interpretation would likely result in notices going out more quickly and
requiring follow-up as more detail and impact are determined, but then
again, completing an investigation is not necessary to actually discover
the breach. While breaches are inevitable, the real attention should be on
enhancing efforts to strengthen defenses and make it harder for a breach
to occur in the first place.