Today, many transactions containing sensitive, personal information are completed electronically and companies sending and receiving this information are responsible for keeping it secure. Fulfilling this responsibility can be difficult as companies are constantly being targeted by cybercriminals who seek to gain access to personal information. When a cybercriminal is successful in accessing electronically stored information, the targeted company holding the information suffers from a data breach. Despite increased measures to protect personal information, data breaches are occurring with greater frequency. In 2014, approximately 400 data breaches were reported to the Indiana attorney general.[1] In 2017, the number of reported breaches jumped to approximately 800.[2] Moreover, according to a study performed by the Ponemon Institute, the odds of a company suffering a data breach over a 24-month period are approximately 1 in 4.[3] This type of loss has become so common that it is included in most insurance carriers’ cyber liability insurance policies.
Given the frequency of these unfortunate events, it is important that companies understand their legal responsibilities when responding to a data breach. The purpose of this article is to assist with this endeavor by providing general information regarding noteworthy Indiana and federal requirements to identify and report a data breach. Please note that each matter involving a data breach is unique and that this article does not include an exhaustive list of all potential data breach scenarios or address each and every corresponding State and/or federal legal requirement pertaining to data breaches. The reader is encouraged to use this general information (for educational purposes only) to stay vigilant, enact cyber risk protocols and if a data breach occurs, notify any carriers (if applicable) and obtain the assistance of legal counsel and a cyber security consultant to ensure all specific, applicable data breach response requirements are fulfilled.
Data Breach Response
Upon receiving notice of a data breach[4], it is important to obtain all information regarding the breach including, but not limited to, the type of breach, type of personal information compromised by the breach, the individuals impacted by the breach, when the data breach occurred and when it was discovered. Under Indiana law, ‘personal information’ includes the following:
(a) social security numbers; and
(b) first and last names plus
(i) a driver’s license number;
(ii) state identification card number;
(iii) credit card number;
(iv) financial account number or debit card number in combination with a security code, password, or access code that would permit access to the individual’s account.
Consideration should be given to retaining a cyber security forensics firm to investigate and provide necessary information regarding the data breach, to assist in stopping the breach, and to provide any other necessary guidance to internally remedy the issue.
After information regarding the data breach is gathered, all potentially affected individuals must be provided a Notice of Data Breach without unreasonable delay. Indiana statutes define a ‘reasonable delay’ as the time taken to restore the integrity of the computer system, to discover the scope of the breach or to respond to the attorney general because disclosure would impede a criminal or civil investigation or jeopardize national security. The Indiana Attorney General has stated that notice to affected individuals after more than 30 days after discovery of the breach may constitute unreasonable delay.
The Notice of Data Breach to affected individuals should include details regarding the breach, the company’s efforts to cure the breach and steps the affected individuals can take to protect their information. The Notice can be sent via mail, e-mail, facsimile, or by telephone, although, notice by telephone is not a recommended practice. Many companies also offer affected individuals free credit monitoring from providers such as Experian, Equifax, Lifelock, etc., which is a recommended practice. Additionally, a Data Breach Notification Form must be completed and submitted to the Indiana Office of Attorney General an Indiana. The Notice of Data Breach to affected individuals should be attached to the Data Breach Notification Form.
A targeted company may also have to comply with certain federal notice requirements. For example, financial institutions that have “nonpublic personal information” (i.e., name, address, income, Social Security number, account numbers, etc.) compromised must provide data breach notices to the Federal Trade Commission (“FTC”) in accordance with the Gramm-Leach Bliley Act. Companies that have health information (i.e., information collected from an individual regarding their physical or mental health, condition, etc.) compromised must report data breaches to the FTC under the Health Breach Notification Rule and the Department of Health and Human Services under the HIPAA Breach Notification Rule. The FTC and HHS have their own respective notice forms that must be completed and filed.
The size of the breach also impacts the reporting requirements. In Indiana, if more than 500,000 residents are affected or the cost of disclosure is greater than $250,000.00, the company must conspicuously post notice on its website and provide notice to major news reporting media in the geographic area where the affected individuals reside. Under certain federal regulations, notifications pertaining to breaches of health information affecting more than 500 individuals must be reported to HHS no later than 60 days from the discovery of the breach and must be reported to prominent media outlets serving the residents of the State or jurisdiction.
Data breaches can also be reported to the FBI and/or local law enforcement agencies and in turn, those agencies may provide assistance. The size of the breach and its impact on public security, health and/or safety are factors that will likely affect the decision as to whether to notify these agencies.
As evident herein, there are multiple reporting requirements unique to each company. The type of company, size of breach and type of information compromised, for example, will dictate the specific steps that must be taken to comply with applicable State and federal law. Please note that failure to comply with applicable legal requirements can result in severe penalties. For example, in Indiana, failure to make a required data breach disclosure constitutes a “deceptive act” that is actionable by the Indiana attorney general. A violator faces civil penalties – – up to $150,000.00 for each deceptive act – – and the attorney general’s costs to investigate and maintain its action. Consequently, as stated above, is highly recommended that a company that experiences a data breach consult with a cyber security forensics firm and obtain counsel who can provide assistance and help ensure that all applicable State and federal laws are followed.
Conclusion
Data breaches are common in today’s technologically-dependent society. It is important for companies to understand the ever-growing threat of data breaches and actions they must take in response thereto. By being proactive, companies reduce their risk of violating State and federal reporting requirements and mitigate any damage(s) incurred by affected individuals.
****Disclaimer: This article provides general information for educational purposes only and should not be used as a substitute for legal advice from a licensed attorney. If legal advice or other expert assistance is required, the services of a professional should be sought.****
[1] See Indiana attorney general’s 2014 List of Security Breaches in Indiana, available at https://www.in.gov/attorneygeneral/files/2014_Security_Breach_Information_November_2015_2014.pdf
[2] See Indiana attorney general’s 2017 List of Security Breaches in Indiana, available at https://www.in.gov/attorneygeneral/files/2017%20breaches%20for%20the%20year.xlsx
[3] See 2017 Cost of Data Breach Study, Global Overview, Ponemon Institute LLC, June 2017, available at http://info.resilientsystems.com/hubfs/IBM_Resilient_Branded_Content/White_Papers/2017_Global_CODB_Report_Final.pdf?t=1510933508399.
[4] Notices of a data breach come in many forms. Security software or security logs may provide notice. A company may experience changes to its files, slow or inoperable systems, unauthorized downloads, locked user accounts, unusual traffic, etc., which can also indicate data breaches.