Organizations are experiencing data breaches at an alarming rate. However, many don't take into account what the legal ramifications of a data breach are.
Over the last several years, many high-profile hacking cases have cropped up in the news, and for good reason. Hundreds of millions of individuals have had their personally identifiable information (PII) and electronic health records (EHR) stolen, putting them at increased risk of identity theft and account ransom.
But what is the legal definition of a data breach? As you might expect, every state and federal definition differs slightly; however, the basic definition remains:
The unlawful and unauthorized acquisition of personal information that compromises the security, confidentiality, or integrity of personal information.
One common theme across many of these laws is that if the sensitive data was encrypted, the incident is not treated as a breach. Encryption is considered a "safe harbor" for companies. Sadly, it is still common practice for organizations to leave PII unencrypted.
Organizations that are the target of hackers face several serious issues, including large government fines, litigation costs, eDiscovery, legal fees, notification costs, brand depreciation, and shareholder equity issues. Organizations with access to PII carry a much higher liability.
Most states with breach notification laws require companies that have suffered a data breach to notify the affected individuals quickly. A well-known example of a state breach notification law is that of the Commonwealth of Massachusetts.
The Massachusetts security breach and data destruction law is considered one of the toughest to date, and is used as an example for other states.
Two additional points apply when considering any breach notification law: penalties can be assessed for each record breached, and many state laws specify that companies outside the state holding its citizens' data are also subject to the notification requirements.
The federal government has been slow to pass a general nationwide data breach law. However, in 2017, three senators introduced a bill titled the Data Security and Breach Notification Act, which would require companies to report breaches within 30 days. The bill adds some additional teeth, including a criminal penalty: if an individual "intentionally and willfully" conceals a data breach, they could face up to five years in jail.
Two of the better known federal regulations which specify breach notification are the Gramm-Leach-Bliley Act (GLBA) and the Health Insurance Portability and Accountability Act (HIPAA). The GLBA targets financial institutions, and HIPAA targets healthcare providers, health insurers, doctors' offices and any entity that handles patient information.
As discussed above, government fines, penalties, and in extreme circumstances jail time are some of the consequences of not protecting PII adequately.
One ramification many don't consider is the cost of litigation associated with a breach. Many of the associated lawsuits end up as class actions, which can multiply the total cost of the breach many times over.
Settlements can be harsh, depending on the judge or jury. For large breaches, settlements over $100 million are not out of the question, especially when healthcare information is involved. Another cost of a breach is having to pay the plaintiffs' legal bills, which can be extremely high.
There are a few common-sense practices that will greatly reduce the possibility of a breach.
Always encrypt sensitive PII.
Never let sensitive data be downloaded to portable devices.
Employ access controls within the firewall as well as on all portable devices that contain the data.
Do not allow employees to use their personal smartphones to conduct business.
Organizations must protect sensitive data to reduce the possibility of a data breach. However, they also need to prepare for the eventuality of one.