Proposed Law Would Criminalize Failures to Report Data Breaches
A draft bill recently introduced in the U.S. Senate serves as a good reminder that compliance with data breach reporting requirements is critical. This bill follows significant, high-profile data breaches at Uber and Equifax, both of which involved millions of individuals (87 million and 145 million, respectively) and both of which went unreported for a significant period of time following discovery by the companies. Equifax took more than a month to notify the public, while Uber took more than a year.
The proposed “Data Security and Breach Notification Act” (the Act) would require an organization subject to Federal Trade Commission (FTC) jurisdiction—which includes health care organizations—to notify each individual whose personal information is implicated in a data breach and to also notify credit reporting agencies if more than 5,000 people are affected. Notice would be required within 30 days of the breach unless there is justification for delay, such as a law enforcement investigation. The Act also requires regulated entities to implement information security policies and procedures, similar to those required by HIPAA. This would entail, among other things, implementing administrative, physical and technical security safeguards and the appointment of a security officer. The Act would be enforceable by both federal authorities and state attorneys general.
Under HIPAA, covered entities and individual executives or employees face criminal liability for knowingly obtaining or disclosing protected health information. Under the new legislation, anyone who intentionally and willfully conceals a data breach can face up to five years in prison and fines (as long as the breach results in $1,000 of economic harm to any individual). The regulated entity may also be fined $1,000 per individual per day, up to $100,000 per day, for each day that the regulated entity is out of compliance.
HIPAA covered entities and business associates would be deemed compliant with the Act if they comply with HIPAA standards. However, covered entities and business associates out of compliance would be subject to enforcement for both HIPAA violations and for violations under the Act.
As large-scale data breaches continue to dominate the news cycle, we are likely to see congressional responses, such as the Act, adding compliance requirements for regulated entities and greater exposure to penalties. Regulated entities should prioritize compliance with existing security standards in order to minimize the risk of a data breach in the first place. Failing that, prompt and compliant data breach reporting is critical to minimize the risk of harm to consumers and the risk of being on the wrong side of federal lawmakers, who have apparently determined that jail is appropriate for those who fail to report.