Thirteen years after California passed the first security breach notification law, breach notification requirements are still at the forefront of legislative developments around the world.
At the end of June 2015, Canada passed the Digital Privacy Act to introduce into the Personal Information Protection and Electronic Documents Act (PIPEDA), Canada’s federal data privacy law, new notification obligations in the event of a breach of security.
A few weeks before that, at the end of May 2015, the Netherlands adopted amendments to its data protection law to include provisions addressing the response to a breach of security that caused the disclosure of personal data.
In 2002, California passed the California Security Breach Disclosure Act,
Since the historical passage of the California law, numerous laws, regulations and guidelines, worldwide, have recognized that individuals and oversight agencies should be informed of the occurrence of a breach of security that affects personal data, so that they are aware of the increased risk of identity theft and can take appropriate measures to minimize the consequences of the incident.
In the 13 years since the passage of the California law, close to 100 security breach notification laws, regulations or guidelines have been adopted in states, territories, countries and regions throughout the world. In addition, several countries—including the European Union member states through the proposed EU General Data Protection Regulation—are evaluating draft measures.
While the original provisions of the California law have served as a blueprint to many of them, there is now a wide range of approaches to regulate the assessment of, and response to, a security incident.
Further, these security breach notification laws, regulations and guidelines have brought thousands of breaches to the public’s attention. Public and private organizations have collected data about these breaches, such as the number of individuals affected (ranging from 2 million or 3 million to 100 million), the nature of the breach (from an error in the mailing of invoices to sophisticated hacking attacks on a large global network) and the costs of responding to a security incident.
With this abundance of information available, it is useful to look at the combined experience of different countries in dealing with security breaches to identify patterns and better strategies. A single breach of security is likely to generate a complex mosaic of issues. Thousands of breaches and close to 100 laws provide valuable data points and insights on the many facets of the security breach ecosystem.
Lessons can be learned and shared. Based on these lessons, existing regimes can be refined or improved, and new regimes can be better structured to focus on what is truly important, without creating an unnecessary burden on the affected entities that have to report the breach. The understanding of the dynamics and effects of breach notification may also help streamline or structure the review by the oversight agencies that are responsible for evaluating or monitoring the breach or breach response. In most cases, these agencies, due to budget constraints, do not have the sufficient resources to address the tsunami of breach notifications and often find that they must be selective and strategic in their enforcement efforts.
This Special Report explores 13 years of experience with security breach notification laws in the U.S. and throughout the world and the responses to hundreds of thousands of breaches in order to identify patterns. It also attempts to suggest practical measures that could be used when developing or improving legal or regulatory regimes so that they are better adapted to address the significant threats to the confidentiality, security, integrity and availability of personal and other data held by today’s businesses and government entities without excessively burdening companies with cumbersome reporting that is not commensurate with the risks to the individuals.
The Structure of Security Breach Notification Laws
Security breach disclosure laws, regulations and guidelines around the world tend to address the same issues as those that were identified by the drafters of the 2002 California security breach disclosure law and tend to follow a similar outline. They define what constitutes a breach and what types of data are protected, and they require that the affected organization notify the concerned individuals and certain oversight agencies. They usually address separately the handling of massive breaches. For each of these aspects, the legislators or the drafters of a bill must choose among a number of options. The following provides examples of the different courses of action and potential effect of the choices.
When Does a ‘Breach of Security’ Occur?
Given the wide range of potential incidents, what definition is or should be used to identify a “breach” or “breach of security”? The choices made in the existing laws, guidelines and regulations worldwide can be grouped into two categories.
Broad Definition of Breach
Some laws take a very broad approach. This is the case, for example, in California, where a breach of security is defined as an event where “unencrypted personal information was, or reasonably believed to have been, acquired by an unauthorized person.”
Harm-Based Definition of Breach
Other laws have used a much narrower approach, looking instead at the harm that might result from the incident. This approach requires an evaluation of the potential effects of a breach.
For example, the Netherlands’ security breach law requires the reporting of a breach of security only if it has, or is likely to have, serious adverse consequences for the protection of personal data. The law indicates that at least the following factors must be taken into account in assessing the consequences of a breach: 1) the nature and scope of the breach; 2) the nature of the compromised personal data; 3) to what extent technical measures of protection were in place to protect the data; and 4) the possible consequences for the privacy of the affected individuals.
In the U.S., several laws follow a similar approach. The security breach regulations under the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act, for instance, allow entities to perform a risk assessment in order to determine whether there is a low probability that the protected health information has been compromised. If this is the case, the entity that suffered the breach of security is not required to make the notifications. Under that regulation, the risk assessment must evaluate at least four factors: 1) the nature and extent of the protected health information involved; 2) the unauthorized person to whom the disclosure was made; 3) whether the information was actually acquired or viewed; and 4) the extent to which the risk to the protected health information has been mitigated.
Each alternative has drawbacks. Reporting any breach of security may be thorough, but in practice is very cumbersome and might be ineffective. Affected individuals end up quickly with “breach notice overdose” if they receive numerous notices in a short period. This overdose causes numbness and apathy. For example, it has been noted that few people affected by a breach actually take advantage of the free credit report offered to them.
Reliance on a risk of harm approach may have significant drawbacks, as well. Entities that suffered a breach may not have the right skills or incentive to evaluate the seriousness of a breach. The approach might also leave unreported and unremedied breaches that appear minor at first, but end up being significant after further examination, or years later, once the full consequences of the breach are understood. This may lead to the under-reporting of breaches.
Which Categories of Data Should Be Protected?
Laws, regulations and guidelines around the world also make different choices when determining the type of data that should be protected.
Outside the U.S., there are two trends. Some countries have opted to protect only some categories of data. This is the case, for example, in Argentina, where only breaches of security affecting bank and financial institutions must be reported.
Otherwise, when the security breach law is not limited to a specific sector, countries outside the U.S. have opted to protect any type of data. In South Korea, for example, both the Act on the Promotion of Information and Communications Network Utilization and Data Protection (APICNU) and the Personal Information Protection Act (PIPA), the two privacy laws, protect “personal information.”
On the other hand, consistent with its sectoral approach to privacy protection, the U.S. security breach disclosure laws and regulations have opted to protect only limited categories of data. For example, the Washington state security breach law protects only an individual’s first and last name in combination with any one or more of the following data elements: 1) Social Security number; 2) driver’s license number or Washington identification card number; or 3) account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account. The definition excludes any information that is made available to the public from federal, state or local government records.
Each of these alternatives has consequences. Opting for no limitation and requiring notification when a breach of security exposes any “personal data” is bound to cause administrative nightmares and clog the services with unnecessary reports if there is no other way to narrow down the number of breaches that mandate reporting or notification. This may be the case, for example, in South Korea, where the disclosure requirement applies to any unauthorized disclosure of personal information.
Selecting a narrow scope obviously keeps out some categories of data and reduces the number of notifications and the related burden on the affected entities. As time passes, however, we are discovering that an increasing amount of data is susceptible to misuse, in particular in the context of identity theft.
It is an appreciation of this evolution that prompted California to amend and augment the scope of its security breach law over time. The initial definition of “security breach” in the California law was limited to the protection of driver’s license numbers, Social Security numbers and payment information. The law was supplemented in several amendments, so that, as of mid-2015, medical information, insurance information and user name or e-mail address in combination with a password or security question and answer that would permit access to an online account are within the scope of the law.
Which Forms of Data Should Be Protected?
We can also observe a discrepancy in the approach taken worldwide with respect to the forms in which data are provided, communicated, lost or stolen. Indeed, data can be found in three different formats. They can be recorded on paper (for example, in invoices, labels or envelopes). They can be communicated orally (for example, when a customer communicates with the company’s call center or help desk). They also can be stored, transferred or communicated in electronic form (for example, in an e-mail or as a database). Data protection laws around the world take a different approach to the protection of these three formats.
Most of the security breach notification laws, regulations or guidelines outside the U.S. tend to cover the entire spectrum of data, independent of the form or format in which the personal data are lost or exposed. They tend to refer to “personal data” without specifying the format for those data. In that case, the protection applies to personal data in any form or format, without any qualifier. This is the case, for example, with the 2002 e-Privacy Directive, which defines a “personal data breach” as a “breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed in connection with the provision of a publicly available electronic communications service in the Community.”
In the U.S., on the other hand, most of the state security breach notification laws limit their scope to only computerized data.
A company may neglect to securely shred its accounting files, including payment information or health records, before disposing of these files in a dump, thereby exposing the details of the transactions to dump divers. Envelopes used for a mailing by a company or government agency to its employees might inadvertently display their Social Security number as part of the employee’s address, allowing anyone familiar with the recipient of that envelope easy access to this highly sensitive information and the ability to reuse it for identity theft purposes.
Data in aural form may also contain highly sensitive information. There have been numerous cases where call center employees that were hired to assist customers retained the sensitive information (such as name, address and credit card details or Social Security number) that they received from the customers during calls and sold it to criminals.
The experience of these past 13 years leads to the conclusion that all data in tangible form (i.e., printed) or aural form (e.g., provided in a telephone conversation) may deserve to be treated with the same respect as those in digital form.
Should There Be a Difference Between Types of Security Breaches?
The press is replete with analysis and comments concerning recent spectacular breaches, such as those that occurred at Target Corp.,
At the other end of the spectrum, there are the “small breaches,” which may affect only a handful of individuals. These incidents are not as spectacular as those described above and usually do not make the news headlines. This would be the case, for example, when the human resources manager of a 100-person company leaves her laptop with unencrypted HR files on the backseat of her car, and the laptop is stolen from the parked car while she is running errands. The thief may just be interested in the commercial value of the laptop. Nevertheless, the Social Security numbers and banking details stored on the laptop may also be easily accessible to the purchaser of the stolen laptop, who may be tempted to resell them.
Should security breach notification laws treat these incidents in the same way? Is “one size fits all” the right approach? Do massive breaches require higher scrutiny because of the likely ties with organized crime?
Some security breach notification laws have acknowledged that massive breaches should be handled in a different way than those that affect only a small number of individuals. For example, South Korea sets a threshold at 10,000 individuals. If the personal information of more than 10,000 individuals is affected by the breach, there are additional reporting requirements. The entity affected by the breach must immediately report the occurrence of the breach to the Ministry of Security and Public Administration (MOSPA) and the Korea Information Security Agency (KISA) and report on the measures that it has taken to minimize the damage to the aggrieved data subjects.
Amendments Will Be Needed over Time
As time passes, technologies change and information is processed and used in different forms, the nature of security incidents evolves. The laws cannot remain static. What constitutes a breach of security, the consequences of a breach of security and the criteria used to evaluate a breach are evolving. This is a new field of reflection for scholars and legislators. Each year brings new questions or new fact patterns that were not caught in prior drafts of the law and that seem to deserve an adjustment to it. States and countries should keep updating their laws periodically to adjust the legal requirements to reality. This is an example of a sector where laws lag significantly behind technological and daily reality.
In California alone, the state security breach notification law has been amended almost every other year since its enactment. These changes resulted from lessons learned from past incidents. For example, after observing the consequences of security incidents, it became clear that personal data are likely to be sold in the underground market and then reused for identity theft purposes. The acts of the criminal under the stolen identity are likely to affect the reputation of the person whose identity was stolen by making him appear overloaded with financial commitments or unable to pay his debts. These observations, in turn, made it clear that the monitoring of a person’s credit rating was essential in protecting individuals from the consequences of a breach of security.
As a result of these observations, the California security breach disclosure law was amended so that, where a breach of security exposed or may have exposed an individual’s Social Security number, driver’s license number or California identification card number, the entity that was the source of the breach must offer that individual appropriate identity theft prevention and mitigation services at no cost for not less than 12 months, along with all information necessary to take advantage of the offer.
The Security Breach Preparedness Ecosystem
The enactment of security breach notification laws has triggered the need for new structures and new services, which has caused the development of a new ecosystem. New means and methodologies have been created to anticipate and respond to a breach of security.
Incident Response Plan
Some of the laws that address the security of personal information require that the covered organizations prepare a security incident response plan.
A security incident response plan helps keep organized the entity that suffered a security breach despite the state of panic that is bound to occur. A security incident response plan should be designed to provide a practicable and easy-to-follow plan of action to serve as guidance in case of an emergency. It identifies, for example, the team that will be tasked with making all decisions regarding the response to the incident and the third parties to be contacted. It also outlines a course of action for the activities to be performed and contains sample documents. The plan may also suggest sample remediation measures, which are focused on addressing the consequences of the breach, preserving evidence and resuming business.
The preparation also entails periodically conducting tabletop exercises, similar to “fire drills,” that simulate a hypothetical breach of security and the response provided by the entity—following the guidance set forth in the incident response plan. These exercises are intended to ensure that the company’s personnel and service providers are prepared to perform in an organized manner in case of an actual breach of security. The more an entity, its personnel and its consultants or service providers are trained and prepared to address a breach of security, the smoother the ride will be when a breach occurs.
Third-Party Services to Assist in Breach Response
The complexities of security incidents, security breach notification laws, security breach remediation and security breach litigation have also resulted in the creation of new offerings in addition to the identity theft protection services briefly discussed above. For example, the assessment of a breach requires the intensive use of forensic analysis. As a result, we have seen the development of companies specializing in offering security breach forensic services.
Providers of forensic services must be mindful of unique legal issues associated with their work. The evidence that they collect is likely to end up as evidence in court. Thus, special precautions must be taken to collect and preserve evidence in a proper form and format so that it is admissible as evidence in court. In this regard, the assistance of attorneys to oversee the process and ensure that all protective measures are taken is invaluable.
Further, since the security breach notification laws require that individuals be notified in writing, companies affected by a breach must promptly communicate with the affected individuals. When the number of affected parties is greater than a couple of hundred and the applicable laws require that notice be sent in writing, the affected company will likely need to use the resources of mailing services and call centers to communicate effectively with the affected customers, patients or employees whose personal details have been exposed. A special website might have to be developed to serve as a hub where important information and guidance regarding the breach can be made available to the affected individuals.
In the U.S., for example, services companies and consultants have developed offerings specialized in post-breach interaction to assist companies that have suffered a breach of security to communicate with large numbers of individuals. They may provide mass mailing service (offering the ability to send hundreds of letters in a short time). They may offer call center services to handle phone inquiries made by concerned individuals through a call center with personnel especially trained to respond to this type of inquiry. They may provide special communication services to help address public relations and protect the entity’s reputation.
The services provided by these third parties are invaluable in time of crisis. A well-designed incident response plan will contain a list of these services. In addition, the company would be well advised to establish contacts and discuss the terms and conditions of their offering ahead of time, in order to ensure smooth handling when a breach occurs.
The Financial Consequences of a Breach of Security
Security breaches are costly. Companies should be prepared to fund the significant expenses associated with responding to, and preparing for, a breach of security and should acquire adequate insurance coverage.
Compliance Costs
In addition to the material drain on companies’ resources, the response to a security incident is likely to cause significant expenses, such as those that stem from the likely necessary repair and cleanup of the information systems and the use of forensic analysis to determine the root cause of the breach of security.
Compliance with the applicable laws, regulations or guidelines will also cause significant expenses. These include, for example, the cost of the attorneys who assist in the legal analysis of the company’s obligations; the third-party services that are engaged to mail the notifications to the affected individuals or respond to calls from concerned individuals; or the credit monitoring and identity theft protection services that are purchased to assist the affected individuals in managing the potential misuse of the stolen information.
Lawsuits and Enforcement Actions
The notification of a breach of security to the affected parties also results in the immediate publication of the news that a breach of security has occurred. This news in turn frequently triggers the filing of lawsuits. In general, these lawsuits are filed by, or on behalf of, the affected individuals whose personal data have been stolen or compromised, seeking compensation for the costs and damages incurred because of the breach.
The cost of responding to these lawsuits, usually in the form of class actions, and of paying the damages awarded by the court or negotiated in a settlement can be significant. For example, in March 2015, Target agreed to pay $10 million to settle a lawsuit filed after its 2013 security breach.
In some cases, the disclosure of a breach of security may cause data protection authorities or government agencies—in the U.S., the Federal Trade Commission (FTC), the Federal Communications Commission, the Securities and Exchange Commission and the state attorneys general—to investigate the practices of the company that suffered the breach. The investigation is likely to dig into the entity’s operations, the causes of the breach and the handling of the breach by the entity (e.g., how reactive it was, how it interacted with affected individuals), or it will evaluate whether the security measures taken were sufficient and the breach could have been avoided.
In the U.S., the FTC and the state attorneys general have filed numerous enforcement actions against companies that suffered a breach of security to investigate the soundness of the security measures employed during the period immediately preceding the breach.
Funding and Insurance
The compliance, litigation and enforcement costs resulting from security breach disclosure laws have created a significant financial burden for companies. According to a multi-country survey, the cost of responding to a security breach in 2014 was $154 per stolen or lost record, whereas breaches in the health-care field averaged $363 per record.
In this survey, the cost of a breach was determined by compiling the expenses incurred by an organization in 1) engaging forensic experts; 2) outsourcing hotline support; 3) providing free credit monitoring subscriptions; 4) providing discounts for future products and services; 5) in-house investigations and communication; and 6) the extrapolated value of customer loss resulting from turnover or diminished customer acquisition rates. It should be noted that the survey was limited to the immediate compliance costs and did not look at the legal costs resulting from any related litigation. These costs are usually substantial, especially in the case of large organizations.
To address these costs, companies need to set aside funds and attempt to obtain adequate insurance coverage that might help pay for some of the losses. Companies should plan to set aside funds to address both the immediate cost of responding to the breach, for example, the cost of hiring third parties to provide forensics or mailing services, and the cost of potential litigation when customers or financial institutions sue the company to obtain damages.
In the U.S., cybersecurity insurance coverage has been developed to address the cost resulting from reacting to and remediating a breach. These costs are generally not covered by regular general liability insurance.
Interaction with Service Providers
Service providers play a significant role in the life of most public and private organizations. When an entity entrusts personal data to a third party, it must be prepared to address the possibility that the service provider might have caused or might be the victim of a breach of security. Security breach disclosure laws usually require that the service provider immediately contact the entity to which it is providing the services in order to notify it of the existence of a security incident so that, in turn, the entity that is the custodian of the personal data and is directly responsible to the individuals can proceed with the formalities outlined in the applicable security breach notice law.
The security breach notification laws, however, tend not to address the allocation of liability and costs between the service provider and its own customer. These issues are deemed better suited to be addressed in the related services agreement, where the parties can allocate the burden through appropriate negotiations. In this case, it is important for a company and its service provider to agree in advance and in writing on the respective roles of the parties, such as the obligation for the service provider to report the breach to the company and the time frame for such reporting. The contract should also identify the respective responsibilities for the costs of responding to the breach, notifying the affected individuals, reissuing credit cards or changing locks and keys, as well as indemnification obligations.
Responding to a breach of security and addressing the consequences of a breach of security can be very expensive, as discussed above. A company that intends to hire a service provider that will receive access to personal data should conduct appropriate due diligence to evaluate the security measures used by the proposed service provider and its ability to identify and respond to a breach. It must also ensure that its contracts with the selected service providers anticipate the occurrence of a breach. Contract provisions can be developed to address the service provider’s responsibilities. These provisions could address, for example: the obligation to develop and maintain a security incident response plan; the time frame for notifying the customer of the occurrence of the breach; a commitment to cooperate with the customer in analyzing and assessing the likely consequences of the breach; the obligation to promptly mitigate the effects of the breach; or the financial liability for the cost and expenses stemming from the response to the breach.
Conclusion
Security breach disclosure laws have provided individuals with the important benefit of having the right to receive information about matters of high significance to them, and some help to attempt to prevent certain forms of identity theft. It is encouraging to see that, throughout the world, nations are adopting security breach notification laws.
However, as these laws come into effect, entities subject to these laws are struggling to understand the minefield ahead of them and the many nuances that make the security breach notification world such a complex and ever changing mosaic. The significant discrepancies between the security breach disclosure laws, globally, create a substantial challenge to companies that do business in multiple jurisdictions.
The collective experience of 13 years of compliance with security breach disclosure laws in different parts of the world and the lessons learned from observing the different regimes should help the creation of better laws and guidelines or the revision of existing ones in order to develop a more efficient and sensible regime that achieves the reasonable protection of individuals without burdening covered entities with excessive compliance costs.