Data Breach Notification: The Legal and Regulatory Environment
Data protection has become a top concern for American companies—and one that's intensified due to the COVID-19 pandemic. Yet, while individual states have laws surrounding data protection, the U.S. lacks a federal cybersecurity law. Combined, these factors could lead to more companies facing data breaches and the hefty fines that come along with them.
One possible solution? Taking hints from Europe to shape federal-level regulation.
In the United States, data protection has become a top priority among governments and individuals. With increased reliance on technology throughout the COVID-19 pandemic, especially, securing confidential data is more important than ever.
In 2011, the Obama administration kicked off federal discussions surrounding data breach notification regulations. Four years later, President Obama called for stronger data privacy laws, stating that the internet “creates enormous opportunities but also enormous vulnerabilities.” Since then, states have developed their own guidelines and laws surrounding data breach notifications, some already over 10 years old. Though similar overall, the disclosure regimes differ; some have a more complex breakdown with harsher penalties.
Anyone who works with qualifying data must understand the legal and regulatory environment for breaches in their state.
Making a Federal Case
On a federal level, a legal case can fall into a few different categories depending on the data that’s been accessed.
For health care organizations and the other industries that must comply with them, the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH) both strictly protect medical data and patient health information. Similarly, the Gramm-Leach-Bliley Act (GLBA) is essential in safeguarding financial data. The National Conference of State Legislatures (NCSL) maintains a full list of states and their applicable breach notification laws.
Case Study: The Hollywood Presbyterian Medical Center Ransomware Attack
In 2016, the Hollywood Presbyterian Medical Center in Los Angeles faced a ransomware attack on its personal data. After promptly notifying consumers and patients, executives at the hospital announced they had paid the ransom, $17,000 worth of Bitcoin, stating the data was too valuable to lose.
This kind of breach created a federal case with support from an FBI investigation. More recently, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) published an advisory alerting the public that paying the ransom cybercriminals demand may itself violate U.S. law.
However, if the hospital had not made some form of announcement, it would have been in direct violation of the notification policies of HIPAA, HITECH and the Department of Health and Human Services (HHS). A similar violation, this time involving financial rather than patient data, recently made headlines.
Case Study: Mortgage Solutions' Consumer Data Protection Penalty
In 2020, brokering service Mortgage Solutions faced a $120,000 penalty after the Federal Trade Commission (FTC) stated the service failed to protect customer information. The FTC charged this civil penalty on grounds of violating the GLBA, the Fair Credit Reporting Act (FCRA) and Section 5 of the FTC Act.
This case came about because of a claim that Mortgage Solutions had released sensitive personal data belonging to its customers, including income sources, taxes and health information, in response to negative Yelp reviews from consumers and mortgage applicants.
Establishing Breach Laws in California
Though these acts are invaluable for helping consumers and the general public understand data breaches on a federal level, states have their own breakdowns of data breach laws. California, for instance, is one of the most thorough states when it comes to notification regulations.
California law requires a business or state agency to notify, as soon as possible, any California resident whose unencrypted personal information, as defined by the statute, was acquired or is reasonably believed to have been acquired by an unauthorized person. The state clearly defines what qualifies as personal information, from Social Security numbers to biometric data. With new technology evolving daily, systems such as edge computing and the Internet of Things (IoT) carry invaluable data that companies must protect at all costs.
If Californian companies violate this act, or fail to take action in any way, penalties may add up to $250,000. Notification failures or violations, specifically, can accrue hundreds or thousands of dollars in penalties depending on the timeline and response. Penalties for notification failures are a recent development and were not always part of the law.
Learning from Europe
As of January 2021, the European Data Protection Board (EDPB) has laid out strict guidelines on data breach notifications. Various countries in Europe have been notoriously wary of how companies use data. For instance, in 2020, Ireland’s Data Protection Commission sent Facebook an order to suspend the transfer of European user data to the United States. Failure to comply with this ruling could have cost Facebook up to $2.8 billion.
Through these regulations and actions, Europe has prepared itself for a breach coming from any direction. The EDPB's guidelines state that companies must contact both the authorities and the individuals whose data has been involved in a breach. (It's worth mentioning, however, that notification to a regulator only happens once the data controller, i.e., the company or business in charge of the data, has discovered the breach. By then, the breach could have been going on for weeks, months or even years.)
The document also defines the different types of breaches, the corresponding fines and penalties and ways to work with the General Data Protection Regulation (GDPR) during these instances.
Some examples of breaches that could occur, as outlined by the EDPB, include:
- Email data exfiltration.
- Ransomware attacks.
- Theft of devices or physical documents.
- Social engineering.
The key focus here is that the U.S. can learn from Europe.
While individual states have their own sets of rules and regulations about data breach notifications, the U.S. government must develop an overall federal cybersecurity law. This addition would provide another layer of protection for the ever-growing data world.
As the tech world evolves and uses more data with each innovation, companies must protect that information. If they do not, they could face breaches that force them to comply with data breach notification laws under far more scrutiny. To stop this domino effect, the U.S. should see more federal-level regulation.
Techopedia uses high-quality sources to support the facts within our content including peer-reviewed studies, academic research institutions, professional organizations, and governmental organizations.