December 15, 2018


Proposed Law Would Criminalize Failures to Report Data Breaches

A draft bill recently introduced in the U.S. Senate serves as a good reminder that compliance with data breach reporting requirements is critical. This bill follows significant, high-profile data breaches by Uber and Equifax, both of which involved millions of individuals (87 million and 145 million, respectively) and both of which went unreported for a significant period of time following discovery by the companies. Equifax took more than a month to notify the public, while Uber took more than a year.

The proposed “Data Security and Breach Notification Act” (the Act) would require an organization subject to Federal Trade Commission (FTC) jurisdiction—which includes health care organizations—to notify each individual whose personal information is implicated in a data breach and to also notify credit reporting agencies if more than 5,000 people are affected. Notice would be required within 30 days of the breach unless there is justification for delay, such as a law enforcement investigation. The Act also requires regulated entities to implement information security policies and procedures, similar to those required by HIPAA. This would entail, among other things, implementing administrative, physical and technical security safeguards and the appointment of a security officer. The Act would be enforceable by both federal authorities and state attorneys general.

Under HIPAA, covered entities and individual executives or employees face criminal liability for knowingly obtaining or disclosing protected health information. Under the new legislation, anyone who intentionally and willfully conceals a data breach can face up to five years in prison and fines (as long as the breach results in $1,000 of economic harm to any individual). The regulated entity may also be fined $1,000 per individual per day, up to $100,000 per day, for each day that the regulated entity is out of compliance.

HIPAA covered entities and business associates would be deemed compliant with the Act if they comply with HIPAA standards. However, covered entities and business associates out of compliance would be subject to enforcement for both HIPAA violations and for violations under the Act.

As large-scale data breaches continue to dominate the news cycle, we are likely to see congressional responses, such as the Act, that add compliance requirements for regulated entities and increase their exposure to penalties. Regulated entities should prioritize compliance with existing security standards in order to minimize the risk of a data breach in the first place. Failing that, prompt and compliant data breach reporting is critical to minimize the risk of harm to consumers and the risk of being on the wrong side of federal lawmakers, who have apparently determined that jail is appropriate for those who fail to report.

©1994-2018 Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C. All Rights Reserved.

About this Author

Dianne Borque, Of Counsel, Mintz Levin

Dianne advises a variety of health care clients on a broad range of issues, including licensure, regulatory, contractual, and risk management matters, and patient care. A large part of her practice involves counseling researchers and research sponsors in matters related to FDA and OHRP regulated clinical research, including patient consent, access to and use of tissue and associated patient information, and the Institutional Review Board process.

She also counsels health care clients and other business entities on the requirements of the HIPAA Privacy Rule and Security Standards,...

(617) 348-1614
Ryan Cuthbertson, Staff Attorney, Mintz Levin

Before joining the firm, Ryan was with the US Air Force for nearly 10 years. Most recently, he was with the Defense Contract Management Agency, where he oversaw the contract performance and compliance of military development programs. Previously, Ryan was with the Air Force’s Electronic Systems Center and led a high-profile software development program, for which he drafted contract documents and managed cost, schedule, and performance. Prior to this, he was in the Aircraft Sustainment Group at Robins Air Force Base and was responsible for technical orders for the entire US Air Force and Allied F-15 fleets. Before this, he served in the Combat Sustainment Group at Robins, and he managed the commander’s executive staff and negotiated and executed a foreign military sales contract to procure an electronic warfare system.

617.348.1796