Nervous about the Impending GDPR? Don’t Forget about the U.S. Laws & Regulations
By Bill Tolson, Vice President of Marketing at Archive360
Many high-profile hacking cases have cropped up in the news of late, and for good reason. Hundreds of millions of individuals have had their personally identifiable information (PII) and electronic health records (EHR) stolen, which has placed them at serious risk of identity theft and account ransom. And if you are among those who have experienced this, you know that the resulting problems cannot be fixed overnight; in fact, some suffer the aftermath for months, even years, if not indefinitely.
For a business, what are the legal ramifications of a data breach? To start, let's take a look at the legal definition. It is probably not surprising that virtually every state and federal government definition of a data breach differs slightly; however, the basic definition remains:
The unlawful and unauthorized acquisition of personal information that compromises the security, confidentiality, or integrity of personal information.
An important point found in common among many of these individual governmental laws is that if sensitive data is encrypted, making the data unusable, a breach cannot have occurred, even if a device such as a phone or laptop containing or providing access to sensitive data is stolen. If the data is encrypted, the notification requirement is not triggered. Encryption is considered a "safe harbor" for companies, providing them a great deal of protection. Unfortunately, it is still common practice for organizations to ignore PII encryption.
Today, organizations that are the target of hackers face several serious issues: large government fines; the costs of litigation, eDiscovery and court expenses; the costs associated with alerting potential victims; brand depreciation; negative effects on shareholder equity; and, of course, the inevitable lawsuits. State and federal governments, as well as many foreign governments, have put data breach laws in place. Organizations doing business in these states and foreign countries have to clear significant hurdles in order to track and prepare for these numerous laws.
State Data Breach Mandates
The majority of states that have data breach laws require companies that have suffered a data breach involving PII to notify the affected individuals quickly. A well-known example is the state of Massachusetts.
The Massachusetts security breach and data destruction law is considered one of the toughest to date. Penalties can be triggered by the breach itself; however, the biggest fines are levied on organizations that ignore or cannot meet the notification requirements within the specified time. These fines can amount to hundreds of thousands, even millions, of dollars, depending on the severity of the organization's failure to comply.
The Massachusetts Office of Consumer Affairs and Business Regulation publishes a report every year detailing all the data breaches for the previous year. In 2016, the state reported over 1,900 data breaches that included personally identifiable information. A 2017 paper from BakerHostetler lays out a complete summary of each state's data breach laws, providing a handy resource for corporate legal departments to reference.
There are two additional points to consider: penalties can be assessed for each record breached, and many state laws specify that companies outside the state holding citizens' data are also subject to the data breach notification laws.
Federal Data Breach Notification Mandates
The federal government has been sluggish to adopt a general nationwide data breach law, which is really the main reason states have taken it upon themselves to put these laws in place. However, in 2017, three Senators introduced a bill entitled the Data Security and Breach Notification Act, which would require companies to report data breaches within 30 days. The bill adds some additional teeth, including a penalty: if an individual knowingly conceals a data breach, they could face up to five years in jail.
Two of the better-known federal regulations that specify data breach notification are the Gramm-Leach-Bliley Act (GLBA) and the Health Insurance Portability and Accountability Act (HIPAA). The GLBA is targeted at financial institutions, and HIPAA is focused on healthcare providers, health insurers, doctors' offices, and any entity that handles patient information.
General Data Protection Regulation (GDPR) Mandates
Certainly, one of the most onerous data breach laws is the European Union's (EU) General Data Protection Regulation (GDPR). The GDPR is a regulation created by the European Commission to strengthen and unify data protection for individuals within the EU. The GDPR also addresses the export of personal data outside the EU.
What organizations are affected by the GDPR? Any company that stores or processes personal information about EU citizens is subject to the GDPR, even if it does not have corporate offices within the EU. Specific criteria are:
- They have a business presence in an EU country
- They do not have a presence in the EU, but they process personal data of European residents
- They have more than 250 employees
- Or, they have fewer than 250 employees, but their data processing impacts the rights and freedoms of EU data subjects, is not occasional, or includes certain types of sensitive personal data. That effectively means almost all companies that do business with EU citizens
Non-compliance with the GDPR can trigger huge fines of up to €20 million or 4 percent of global annual turnover, whichever is higher.
One of the hardest requirements of the law is the 72-hour rule. Companies must report data breaches to governmental supervisory authorities within 72 hours. This requirement is a challenge because the notification must include specific information, including the type of data affected, the size of the breach, and the individuals affected.
So, what are the legal ramifications of a data breach?
As mentioned, government fines, penalties and, in extreme circumstances, jail time are some of the consequences of not protecting PII adequately.
A legal ramification many don't consider is the cost of litigation associated with a data breach. Many of the associated lawsuits can end up as class-action lawsuits, potentially multiplying the total cost of the breach to unprecedented levels.
Data breach settlements can be harsh, depending on the judge or jury. For large data breaches, settlements over $100 million are not out of the question, especially when dealing with healthcare information. Another cost of a data breach many don't include in their planning is having to pay the plaintiff's legal bills, which can be extremely high.
An ounce of common sense…
All organizations face existing and emerging data breach laws that must be identified and complied with. But there are a few common-sense practices that, if adopted, will greatly reduce the costs if a breach does occur. These include:
- Encrypting sensitive PII is a process every organization can employ. Remember, if data is encrypted and later accessed by cyber criminals, then the breach did not, in fact, occur. Cyber criminals are extremely good at getting past firewalls and access controls, but if the data is encrypted, it is legally protected. Why this practice is still ignored by many companies is a mystery.
- Never let sensitive data be downloaded to portable devices such as laptops, smartphones, or other types of removable storage. Ignoring this practice in reality invites employees to take sensitive data outside your firewall. Many data breaches occur because employees didn't understand the value or the consequences of the sensitive data they were taking. Two of the most common causes of a data breach are an employee losing a device containing sensitive data and the device being stolen, for example from a car trunk. In all of these notable cases, the sensitive data was not encrypted.
- Employ access controls within the firewall as well as on all portable devices that contain the data.
- Do not allow employees to use their favorite smartphone to conduct business, a practice also known as Bring Your Own Device (BYOD). BYOD has become popular in the last several years. Again, this practice invites employees to move sensitive data outside the firewall. Instead, security-conscious organizations should issue company-owned devices with the appropriate security so they can remotely monitor, and if need be, erase the device if it's been reported missing.
The bottom line is that organizations must do everything possible to secure and protect sensitive data to reduce the possibility of a data breach. However, organizations must also prepare for its eventuality. The cost of the actual breach can be small compared to the cost of not preparing adequately for notification. This includes knowing quickly when a breach has occurred. Organizations need to go the extra mile to ensure data security, even if it's costly. Remember, just one breach of sensitive data can cost your organization many times more in money, bad press, shareholder displeasure, and jobs than the cost to protect against and respond to it.