Tag Archives: breach notification

NYDFS Cybersecurity Regulation Enters New Transitional Phase

Beginning on September 4, 2018, banks, insurance companies, and other financial services institutions regulated by NYDFS are required to comply with several additional requirements of the NYDFS cybersecurity regulation.

After September 4th, companies will be required to:

  • report annually to the board concerning critical aspects of the cybersecurity program;
  • have an audit trail that reconstructs material financial transactions to support normal operations in the event of a breach;
  • implement policies and procedures to ensure the use of secure development practices for in-house developed applications;
  • implement encryption to protect nonpublic information;
  • develop policies and procedures to ensure secure disposal of information not necessary for business operations; and
  • implement a monitoring system that includes risk-based monitoring of all persons who access or use any of the company’s information systems or nonpublic information.


And Then There Were 50… Breach Notification Laws


As mentioned in last week’s post, Alabama was the sole “hold out” among states without a breach notification law. Alabama Governor Kay Ivey changed that on March 28, 2018, when she signed the Alabama Data Breach Notification Act of 2018 into law.

Alabama: Breach Notification Law

Here are the highlights:

  • Applies to:
    • “Covered entities” and their “third-party agents.”
      • “Covered entity” is defined as “a person, sole proprietorship, partnership, government entity, corporation, nonprofit, trust, estate, cooperative association or other business entity that acquires or uses sensitive personally identifying information.”
      • “Third-party agent” is defined as “an entity that has been contracted to maintain, store, process, or is otherwise permitted to access sensitive personally identifying information in connection with providing services to a covered entity.”
  • Sensitive Personally Identifying Information:
    • “Sensitive Personally Identifying Information” includes a person’s first name or first initial and last name combined with one or more of the following typical data elements: SSN, driver’s license number, government ID number, account number with access code, etc.
    • The definition also includes the combination with health information, medical history and “a user name or email address, in combination with a password or security question answer that would permit access to an online account affiliated with the covered entity that is reasonably likely to contain or is used to obtain sensitive PII.”
  • Breach Definition:
    • “Breach of security” or “Breach” is limited to “unauthorized acquisition” (as opposed to unauthorized access) of data in electronic form containing sensitive personally identifying information (PII).
    • Exceptions to the “Breach” definition include: (1) “good faith acquisition by an employee or agent of a covered entity” or (2) “the release of a public record not otherwise subject to confidentiality requirements.” An additional atypical exception includes: (3) “any lawful investigative, protective, or intelligence activity of law enforcement or intelligence agency of the state, or a political subdivision of the state.”
  • Encryption Safe Harbor:
    • Personally Identifiable Information (PII) does not include information that is “truncated, encrypted, secured, or modified by any other method or technology that removes elements that personally identify an individual or that otherwise renders the information unusable, including encryption of the data, document, or device containing the sensitive personally identifying information, unless the covered entity knows or has reason to know that the encryption key or security credential that could render the personally identifying information readable or useable has been breached together with the information.”
    • Basically, this gives the covered entity a safe harbor for encrypted computerized data that is breached.
  • Breach Notification Requirements:
    • Trigger: After a “good faith and prompt investigation,” if a covered entity determines that sensitive PII was “acquired or is reasonably believed to have been acquired by an unauthorized person,” then that entity should give notice to each affected individual.
    • Timeline: Written notification to affected individuals is required within 45 days of determination of the breach.
    • If the covered entity determines that notice is not required, it must document this determination and keep written records of it for no less than five years.
  • Harm Threshold:
    • Notification is NOT required if the entity can reasonably determine that the breach will not likely result in substantial harm to the “individual”.
  • Reasonable Security Measures:
    • This breach notification act also includes a requirement for each covered entity and third-party agent to implement and maintain “reasonable security measures to protect sensitive PII”. The Act gives examples of these reasonable security measures, including adoption of information safeguards, a designated security officer, and an assessment of such security measures.
  • Notice Content Requirements:
    • Not all breach notification laws include content requirements, but Alabama included these required details: the date range of the breach, a description of the sensitive information acquired, a description of actions taken by the covered entity, a description of the steps an individual can take to protect themselves from identity theft, and contact information for the individual to inquire about the breach.
  • Other Notification Requirements:
    • Third-party agents are required to notify the covered entity within 10 days of discovery of a breach of security.
    • Attorney General: If more than 1,000 individuals are affected, the entity must provide written notification to the Alabama Attorney General. This notice to the AG must be made within 45 days of determination of the breach, and must include a synopsis of the events surrounding the breach, the number of individuals affected, and any services being offered to affected individuals without charge.
    • Consumer Reporting Agencies: If more than 1,000 individuals are affected, the entity must also notify “all consumer reporting agencies” as to “the timing, distribution, and content of the notice.”
  • Penalties:
    • A violation of these notification requirements is an unlawful practice under the Alabama Deceptive Trade Practices Act, but is not a criminal offense.
    • The Attorney General has exclusive authority to enforce the breach notification law and may impose a fine of up to $500,000 per breach, and up to $5,000 per day for each consecutive day that the covered entity fails to take reasonable action to comply with this act.
    • There is no private cause of action.
  • Government Entities:
    • All government entities are exempt from the law’s civil penalties, except that the AG may bring an action against any government employee to compel performance or to enjoin the employee from acting in bad faith.
  • Exceptions:
    • An entity already regulated by federal or state data breach notification laws or regulations is exempt from this act IF the entity (1) maintains procedures pursuant to those laws, (2) provides notice pursuant to those laws, and (3) timely provides a copy of such notice to the AG when the number of affected individuals exceeds 1,000.
  • Data Disposal:
    • Although not directly related to breach notification requirements, this new Alabama law also addresses the reasonable measures required for disposing of information that contains sensitive PII.
    • “Disposal” includes “shredding, erasing, or otherwise modifying the personal information in the records to make it unreadable or undecipherable through any reasonable means consistent with industry standards.”

This law takes effect May 1, 2018.


For questions about these updates, or to obtain an up-to-date state breach notification chart, you can contact our privacy and security professionals at cyberteam@eplaceinc.com.


Virginia Adds a New Twist to its Breach Notification Law

Virginia passes a first-of-its-kind amendment in reaction to popular payroll tax scams.

Breach Notification Laws are constantly evolving and reacting to the perils of cyber threats and vulnerabilities. Two of the most recent regulatory updates (NYDFS & VA) show specific reactions to the rapidly changing security threats.

One prominent threat impacting legislation is the increasing persistence of W-2 scams. The W-2 scams have raised the issue of cybersecurity beyond the common stereotype that breaches only occur to large retailers. With this employee-focused social engineering scheme, organizations large and small in all industries are now targets.

This threat was recently addressed through an amendment to Virginia’s data breach notification law. Virginia amended its notification requirements by expanding the types of data that require notification and by requiring that state authorities be promptly notified of a breach of payroll data.

As recently as March 13, 2017, Virginia’s governor approved the amendment requiring employers and payroll service providers to notify the state’s Office of the Attorney General after the discovery of a breach of computerized employee payroll data that compromises the confidentiality of such data. Once the Attorney General’s office receives notice, the Office of the AG must then notify the state’s Department of Taxation of the breach.

Background

Existing state law requires that an entity or individual that owns, maintains, or possesses personal information of Virginia residents, and who has a reasonable belief that such personal information was accessed or acquired by an unauthorized individual or entity, must report the unauthorized breach to the Office of the Virginia Attorney General, and also must provide notification to each affected Virginia resident.

How is this amendment different?

This new notification requirement applies even if the statute does not require the organization to notify affected residents of the breach. Therefore, this amendment not only expands the types of data that require notification, but also requires notification of a breach of this data even when the same circumstances would not trigger the requirement to notify individuals.

Additionally, the notice to the Attorney General’s office requires additional details from the organization, including the affected employer or payroll service provider’s name and federal employer identification number. This notice to the Office of the AG must be made “without unreasonable delay.”

When is this effective?

These amendments to the Virginia law are effective July 1, 2017.

Practical Application: Employee Awareness & Training

Companies and individual taxpayers should remain vigilant and exercise care in responding to any request for copies of W-2 forms. Employees are often an organization’s weakest link leading to a data breach. Training employees on data security best practices and awareness of potential risks and consequences of such threats can greatly reduce security risks.

ePlace Solutions provides a series of training courses on Social Engineering, including Spear-Phishing attacks such as the W-2 Scam. If you’re reading our newsletter, it’s likely your organization has access to these training courses through your cyber insurance policy. Reach out to cyberteam@eplaceinc.com to take advantage of your free training resources for your workforce.

Australia Passes Data Breach Notification Law

If you’re keeping tabs on the ever-evolving world of data breach notification laws, you can finally add Australia to the list. Organizations that experience a data breach affecting Australian citizens now have new reporting and notification requirements.

The new breach notification law in Australia amends the Privacy Act of 1988. Thus, the new law applies to organizations governed by the Privacy Act – companies with over $3 million AUD in revenue.

Updated Australian Notification Requirements

The requirements recently passed in Australia will mirror other breach notification laws in various jurisdictions. Here are the most notable updates:

  • Notify affected Australian residents and the Australian Information Commissioner in the event of an eligible data breach
  • Take all reasonable steps to ensure that an assessment of the incident is completed within 30 days of discovery
  • If the assessment finds an eligible data breach has occurred, required parties must be notified as soon as practicable
  • If the notification to the affected parties is not practicable, the updated amendment allows for substitute notice

In the unfortunate event that an organization determines a breach occurred, the notification itself has certain content requirements:

  • Identity and contact details of the breached organization
  • Description of the serious data breach
  • Kinds of information possibly breached
  • Recommendations about steps individuals should take in response to the breach

Notifications can be sent through the normal method of communication with affected individuals.

Penalties

Failure to properly notify the required parties can lead to heavy fines and consequences for organizations. The highest penalty is set at $1.8 million AUD for noncompliant organizations.

It’s important to consult with counsel and review the definitions in the law to determine whether an eligible data breach affecting personal information has occurred. However, the accompanying materials give several examples of notifiable data breaches:

  • A malicious breach of the secure storage or handling of information – i.e. cybersecurity incident with compromised data
  • Accidental loss – i.e. theft of IT equipment, laptops, or hard copy documents
  • Negligent or improper disclosure of information

The effective date for the new law has not yet been set.

Tardy Breach Notification Results in $475K HIPAA Penalty

The Office for Civil Rights (OCR) is starting 2017 off strong. OCR reached its first settlement of the year with Presence Health over tardy notification of a data breach.

Presence Health is one of the largest healthcare networks in Illinois with around 150 locations. The settlement resulted in a $475,000 penalty and a corrective action plan.

Breach Details

In 2013, Presence discovered paper-based operating room schedules missing from the Presence Surgery Center at one of their locations. The protected health information of 836 individuals was involved. Data elements included:

  • Names
  • Dates of birth
  • Medical record numbers
  • Types of procedures
  • Dates of procedures
  • Surgeon names
  • Types of anesthesia

Presence notified OCR of the incident more than 3 months after discovering the breach. After investigating, OCR concluded that Presence failed to notify the required parties without unreasonable delay and within 60 days of discovering the breach.

Corrective Action Plan

Presence agreed to a corrective action plan to resolve the gaps in their breach response processes and procedures. Specific action items include:

  • Revising existing policies and procedures related to breach notification
  • Distributing those updated policies and procedures to the workforce
  • Providing training to the workforce on those policies and procedures

OCR Director Jocelyn Samuels chimed in, “Covered entities need to have a clear policy and procedures in place to respond to the Breach Notification Rule’s timeliness requirements. Individuals need prompt notice of a breach of their unsecured PHI so they can take action that could help mitigate any potential harm caused by the breach.”

Key Takeaways

This settlement serves as an important reminder to stay prompt on breach notifications. Organizations should ensure their policies and procedures address breach notification requirements and call for immediate engagement of their incident response plan.

The incident response plan should outline which personnel should be notified regarding the incident and address the timeline of tasks for timely notification. Getting the right people engaged early on (i.e. a breach coach familiar with notification requirements and breach response) will help get notification letters out in a timely manner.

When it comes to notifications, organizations should also include public relations in the incident response plan. Getting PR involved in breach response can go a long way when it comes to external communication efforts.

California Amends Data Breach Notification Law…Again

California passed AB 2828, amending the state’s breach notification law once again. With the latest change, California joins Illinois, Nebraska, Nevada, and Tennessee in addressing breaches of encrypted information.

The current law requires companies to disclose breaches of “unencrypted” information. California’s new law now considers encrypted information breached if it’s acquired along with the key or credential that would render the information readable and usable.

Encryption usually gives companies a safe harbor from notification requirements when encrypted personal information is breached. But this amendment fills the gap of the old law and correctly triggers notification protocols when there’s a breach of readable or usable data.

This provision is already reflected in several other state laws, so the change should be taken in stride. Companies should take note and adjust their incident response plans accordingly.

The amendment will go into effect January 1, 2017.

Is Ransomware a Breach Under HIPAA?


With the dramatic rise in ransomware, there has been much speculation on whether ransomware attacks constitute a reportable breach under HIPAA. The Department of Health and Human Services (HHS) issued guidance to provide clarity on this controversy once and for all. Short answer: yes, it does.

HIPAA Rules

HIPAA defines a breach as “the acquisition, access, use, or disclosure of PHI in a manner not permitted under the HIPAA Privacy Rule which compromises the security or privacy of the PHI.”

Whether ransomware constitutes a breach under HIPAA is a fact-specific determination. HHS’s guidance states that when a healthcare organization is hit with a ransomware attack and electronic protected health information is encrypted as a result, a breach has occurred.

During a typical ransomware attack on a healthcare organization, ePHI is encrypted when attackers take control of the information. Thus, the ePHI was acquired, which is a disclosure not permitted by the Privacy Rule.

Unless the attacked organization can show a low probability of PHI being compromised, a breach of the information is presumed. This requires organizations to comply with the breach notification rules in HITECH – i.e. notification to affected individuals, HHS, etc.

“Low Probability”

How can an organization show a low probability that PHI was compromised as a result of a ransomware attack? HIPAA relies on a risk assessment of the breach taking into consideration the following four factors:

  • The nature and extent of the PHI involved
  • The unauthorized person who used the PHI or to whom the disclosure was made
  • Whether the PHI was actually acquired or viewed
  • The extent to which the risk to PHI has been mitigated

As far as ransomware goes, victim organizations should note the following in their risk assessment:

  • The exact type and variant of malware discovered
  • The algorithmic steps undertaken by the malware
  • Communications between the malware and the attackers’ command servers
  • Whether or not the malware infected other systems

Identifying these factors should help an organization determine what type of data the malware was searching for, whether or not the data was taken from the organization’s systems, and whether the information was actually acquired or viewed.

Key Takeaway

The important thing to note from this HHS guidance is that for healthcare organizations, a ransomware attack could result in a reportable breach. Many security experts and breach lawyers viewed ransomware attacks in a different light, and not many organizations were reporting these attacks to the HHS.

With the new guidance, we expect to see more breaches reported to the HHS at the end of the year, as well as more breaches hitting the HHS’s Wall of Shame.

With an uptick in the number of reported breaches, it’s also expected that OCR will get more involved with investigations into ransomware attacks. It’ll be interesting to see if any new HIPAA enforcement actions will arise from organizations hit with ransomware.

If your organization suffers a ransomware attack, it’s crucial to get a breach coach involved right away to help navigate the different reporting requirements.

Illinois Amends Breach Notification Statute

Illinois Governor Bruce Rauner signed HB1260 into law, amending the state’s Personal Information Protection Act and adding to the law’s breach notification requirements. The new law will be in effect January 1, 2017.

Amendments

Personal Information

The amendments expand the definition of personal information. Under the amended law, personal information is an individual’s first and last name in combination with any of the following:

  • Social Security number
  • Driver’s license number
  • State identification card number
  • Financial account number with password to access the account
  • Medical information
  • Health insurance information
  • Unique biometric information
  • Username or email address in combination with the password or security question and answer to allow access to the account

Encryption

The amendments provide some clarity to the encryption safe harbor provision. If personal information is encrypted but the data can still be read, because the decryption key or other means of reading it was obtained, the safe harbor does not apply.

Notice Requirements

There are several changes to the requirements when issuing notice of a breach:

Individuals: If personal information that falls under the username or email address category of personal information has been breached, notice should be provided in electronic form, prompting the individual to change the username, password, or security question and answer to protect the security of the account.

Attorney General: If an entity is required to notify HHS of a breach under HITECH, they must also notify the Illinois Attorney General within five days of notifying HHS.

State Agencies: If a State agency suffers a breach affecting more than 250 Illinois residents, it shall notify the Attorney General within 45 days of discovery of the breach or when it notifies affected individuals, whichever is sooner. The notice shall include the following:

  • The types of personal information compromised;
  • The number of Illinois residents affected;
  • Any steps the State agency has taken to notify affected individuals; and
  • The date and time-frame of the breach.

Data Security

The amendments create a new provision in the law requiring any entity that controls personal information about an Illinois resident to maintain reasonable safeguards to protect the information from unauthorized access.

A similar provision applies to contracts between entities that control the personal information and any third party to whom they disclose the information. The contracts must include a provision requiring the third party to adhere to the same standard of maintaining reasonable safeguards to protect the information from unauthorized access.

Exceptions

Under the new law, entities complying with the following regulations are considered compliant with the law’s standards:

  • GLBA: An entity compliant with the Gramm-Leach-Bliley Act is deemed compliant with this law.
  • HIPAA: A covered entity or business associate compliant with HIPAA and HITECH is deemed compliant with this law.

Nebraska Amends Breach Notification Statute

Nebraska Governor Pete Ricketts signed into law LB 835, amending the state’s breach notification statute by expanding the definition of personal information and adding notification requirements.

Amendments

The definition of personal information is expanded to include – in combination with first and last name – a user name or email address in combination with the password or security question and answer that would allow access to an online account.

Additionally, the law requires notice to the Nebraska Attorney General no later than notice is provided to Nebraska residents.

The amendments also provide clarification that data is not considered encrypted if the encryption key was reasonably believed to have been obtained during the breach.

The changes will be in effect July 20, 2016.

Tennessee Amends Breach Notification Statute

Tennessee Governor Haslam signed into law S.B. 2005, amending the state’s breach notification statute to include a notification deadline and remove an important provision.

It appears that the amendments were made to capture companies that weren’t reporting data breaches involving improper access by employees.

Key amendments:

  • Notification of a data breach must be made to affected Tennessee residents within 45 days of discovery unless a longer period of time is required due to the legitimate needs of law enforcement.
  • Notification of a data breach must be made regardless of whether or not the data was encrypted.
  • “Unauthorized person” includes an employee that obtained personal information and intentionally used it for an unlawful purpose.

The law will be in effect July 1, 2016.

Note: Tennessee is the first state to require notification of a data breach regardless of whether the information is encrypted.