Data Breach Liability and Notification, 1115 SCBJ, SC Lawyer, November 2015, #44

Author:Kelly M. Jolley and Lindy L. Gunderson, J.

Data Breach Liability and Notification: What Do You Need to Know?

Vol. 27 Issue 3 Pg. 44

South Carolina BAR Journal

November, 2015

\xA0\xA0\xA0\xA0\xA0\xA0\xA0\xA0\xA0 Kelly M. Jolley and Lindy L. Gunderson, J.


\xA0\xA0\xA0\xA0\xA0\xA0\xA0\xA0\xA0Whether directly affected by the most recent major data breaches—Anthem, Target, Sony and others—consumers and businesses alike are feeling the impact from mounting threats to data security. Identity theft and other crimes related to fraud, perpetrated by using private information gathered through data breaches, has been the largest consumer complaint received by the Federal Trade Commission (FTC) for the past 15 years.1 These criminal acts can be devastating, but data breaches are far more widespread than criminal activity. Many are simply the result of negligent business practices or system errors that fail to appropriately protect consumer data. In 2014, there was a record high of 783 data breaches in the United States. This was a 28 percent increase from 2013. From these data breaches, over 85 million private records were confirmed as compromised and millions more records believed to be exposed.2

\xA0\xA0\xA0\xA0\xA0\xA0\xA0\xA0\xA0Eleven of these breaches were attributed to South Carolina entities, including government, health care, business and educational institutions. Beyond these, it is unclear how many South Carolina residents have been impacted, since these 11 do not include the nationwide breaches that affected millions of individuals in multiple jurisdictions or breaches by entities doing business in South Carolina but headquartered in another state.3

\xA0\xA0\xA0\xA0\xA0\xA0\xA0\xA0\xA0The costs of a breach include investigating and repairing damages, notifying individuals and state agencies of the occurrence, and managing public relations. The breach may affect a company’s ongoing business if reputational harm is incurred due to negative customer perceptions post-breach. And, litigation costs can rack up: a business may choose to initiate legal action against the parties who caused the breach, or it may be forced to defend itself against lawsuits from consumers and regulatory actions by the government for willful or negligent violations of the law. One study from 2013 found that the average cost to a business for each record compromised in a data breach is $201.4

\xA0\xA0\xA0\xA0\xA0\xA0\xA0\xA0\xA0Unfortunately, there is no single standard that governs data breach notification protocols. Forty-seven states have enacted data breach notification laws in addition to various federal laws relevant to data privacy. While there are some similarities, the laws are not uniform. Standards vary by state as to what constitutes a data breach, what circumstances trigger a notification requirement, who must receive notification and how that notification must be made, and so forth.5Additionally, each state is constantly updating its data security laws, tweaking requirements to provide more protection. In 2015, at least 32 states are considering bills or amendments to refine security breach notification regulations.6 All of this combined complicates the practical response of a business when a data breach occurs, particularly for those businesses that have interests or consumers in multiple jurisdictions and may have to comply with dozens of different laws.

\xA0\xA0\xA0\xA0\xA0\xA0\xA0\xA0\xA0Will the real regulator please stand up?

\xA0\xA0\xA0\xA0\xA0\xA0\xA0\xA0\xA0Currently, federal regulation of data is industry-specific. Financial data and personal health information are categories of information that are protected through industry-specific standards, while consumer data is also protected through several mechanisms. All private information can be subject to FTC enforcement actions applying to interstate commerce under unfair/deceptive trade practice regulation.7These regulations are notoriously difficult for companies to navigate, due to overlapping restrictions on certain types of information. For example, the FTC’s Section 5 powers may be used to address data privacy issues related to health care data, despite the existence of more specific HIPAA/HITECH legislation designed to protect private health information.

\xA0\xA0\xA0\xA0\xA0\xA0\xA0\xA0\xA0Financial institutions are regulated through a variety of rules, the most prominent being the Gramm-Leach-Bliley Act, or GLBA. Under this regime, financial entities may not disclose personally identifiable financial information to non-affiliated third parties, unless the institution has provided notice to the consumer.8

\xA0\xA0\xA0\xA0\xA0\xA0\xA0\xA0\xA0There are multiple regulators: the FTC or Consumer Financial Protection Bureau regulate non-depository institutions and depository institutions with assets valued over 10 billion dollars, while banking regulators cover entities holding 10 billion or less under the same rules. The “Safeguards Rule” mandates for businesses significantly engaged in providing financial products and services to have a plan ensuring customer data security. The FTC and the CFPB can then bring actions against organizations that do not comply.9 GLBA preempts state law, except to the extent that state law provides greater protections to consumers. There is no private cause of action related to improper disclosure of personally identifiable financial information. Institutions are also regulated by a variety of federal executive agencies, depending on the type of institution. GLBA explicitly does not cover the insurance industry, which is state regulated. In addition, some financial institutions that are creditors are subject to consumer data protection laws such as the Fair Credit Reporting Act, discussed below.

\xA0\xA0\xA0\xA0\xA0\xA0\xA0\xA0\xA0Health data, protected by HIPAA and HITECH, has been extensively covered in SC Lawyer—see “The New HIPAA Privacy and Security Rules are Here: What Do Our Clients Need to Know?” published March 2010, and “HIPAA: A Road Map to Disclosure,” published in March 2008. HIPAA and HITECH protect personal health information from unwarranted disclosures by covered entities and business associates of those entities. The Department of Health and Human Services Secretary imposes fines on parties not in compliance with federal regulations, and criminal penalties may be brought as well for those who knowingly violate HIPAA. There is no private cause of action to address violations of HIPAA; the HIPAA Privacy Rule is enforced by the Office of Civil Rights, should DHHS choose to pursue an investigation of the reported violation.

\xA0\xA0\xA0\xA0\xA0\xA0\xA0\xA0\xA0General consumer data is reg- u lated through a few different laws: the Fair Credit Reporting Act, and the Federal Trade Commission’s broad Section 5 powers, which disallows unfair or deceptive trade practices.

\xA0\xA0\xA0\xA0\xA0\xA0\xA0\xA0\xA0Under the Fair Credit Reporting Act, any consumer reporting agency that provides consumer reports must provide an individual access to records being held on that person, establish a procedure to correct information in records, and set limits on disclosure of those records. Disclosure must be only for a specified purpose and those not in compliance can be subject to civil liability, including actual damages in the case of negligent disclosures or punitives in the case of willful violations, plus attorney’s fees...

To continue reading