Data Breach Notification

 

 

As we previewed last week, the Federal Communications Commission (FCC) has adopted new privacy rules that govern Internet service providers’ (ISPs) handling of broadband customer information.  Though the Wireline Competition Bureau stated that it expects it will be at least several days before the final Order is released to the public, the FCC released a fact sheet describing the rules as adopted.

These rules are the culmination of a process that began in 2015 with the reclassification of Broadband Internet Access Service (BIAS) as a common carrier telecommunications service regulated under Title II of the Communications Act.  As a consequence of reclassification, the obligations established under the privacy framework adopted by the Federal Trade Commission (FTC) no longer applied to ISPs due to the common carrier exception in Section 5 of the FTC Act.  Accordingly, the FCC determined that the privacy protections governing telephone customer proprietary network information (CPNI) set forth in Section 222 of the Communications Act would now apply to ISPs’ provision of BIAS.

On April 1, 2016, the Commission released a Notice of Proposed Rulemaking setting forth proposed privacy and data security rules that would govern ISPs’ provision of BIAS.  The rules originally proposed by the FCC would have subjected ISPs to significantly greater constraints on their ability to use customer data for advertising, marketing, and offering customized services and features than the FTC’s privacy framework, which continues to apply to websites, apps, and all other entities in the Internet ecosystem other than ISPs.  For example, while the FTC framework applies differing choice mechanisms (i.e., opt-in, opt-out, or implied consent) depending on the sensitivity of the data being collected and the context of its use, the FCC initially proposed to apply a default opt-in regime to virtually all data – rejecting any distinctions based on data sensitivity.

In response to comments from the FTC and others in the proceeding, the final rules adopted by the FCC align more closely with the FTC framework, though some important differences remain.  Continue reading for key elements of the proposed rules. Continue Reading What You Need to Know about the New Broadband Privacy Regulations

You may not realize how much personal information your insurance company has about you. Scarier still is that much of this data is sensitive and valuable to hackers – such as your Social Security number, financial information, medical history, even itemized schedules of your most expensive personal property.  As data breaches affecting insurers have piled up in the past couple of years (Anthem, Premera Blue Cross and Blue Shield, Excellus Health Plan, UCLA Health System just to name a few), so too have calls for stronger data security protections applicable to insurance data.  In response, the CyberSecurity Task Force of the National Association of Insurance Commissioners (“NAIC”), the standard-setting organization in the U.S. insurance industry created and governed by the chief insurance regulators from the 50 states, the District of Columbia, and five U.S. territories (“Task Force”) is racing to finish its Insurance Data Security Model Law (“Model Law” or “Law”) by the end of this year so that states can begin the adoption process as early as 2017.  Continue Reading Insurance Regulators Fine Tuning Cybersecurity Guidance

As has become typical in the data security space, there was quite a bit of activity in state legislatures over the previous year concerning data breach notification statutes.  Lawmakers are keenly aware of the high profile data breaches making headlines and the increasing concerns of constituents around identity theft and pervasive cybercrime.  In response, states are beefing up their data security statutes in order to provide greater protection for a broader range of data, to require notification to Attorneys General, and to speed up the timeline companies have to advise residents when their personal information has been compromised, to name a few steps. Please review our updated Mintz Matrix to make sure you understand the latest rules applicable to your business!

According to a recent summary published by the National Conference of State Legislatures, more than 25 states in 2016 have introduced or are currently considering security breach notification bills or resolutions.  While much legislation remains pending in statehouses across the country, statutory amendments passed in four states took effect over this past summer alone.  Here is a brief summary of significant amendments to data breach notification rules in Nebraska, Nevada, Rhode Island and Tennessee. Continue Reading Summer Round-Up: Four States Bolster Data Breach Notification Laws and More Changes on the Way

 

Two recent data breach incidents in the healthcare industry prove what readers of this blog have heard all too often:  KNOW THY VENDORS.

Last week, Phoenix-based Banner Health reported one of the year’s largest data breaches.  Banner reported that it had suffered a massive cyberattack potentially affecting the information of 3.7 million patients, health plan members and beneficiaries, providers.   This attack is notable for all companies and not just healthcare providers covered by HIPAA.   Reportedly, the attack occurred through the computer systems that process food and beverage purchases in the Banner system.  In the incident, according to reports, the hackers gained access to the larger systems through the point-of-sale computer system that processes food and beverage purchases.  The attack was discovered on July 13, and Banner believes hackers originally gained access on June 17. Continue Reading To Protect Data: Keep Your Network Access Close, and Your Vendors Closer

Sophisticated phishing scams and muscular hacking efforts continue to compromise personal and sensitive information held by insurers, hospital systems, and businesses large and small. In response, many states have strengthened their data breach notification and have enacted data security laws to enhance data protection obligations imposed on data collectors and to ensure that residents and state regulators receive prompt and adequate notice of security breaches when they do occur.  By mid-summer, a range of new measures will be going into effect in Nebraska, Nevada, Rhode Island and Tennessee. Be sure to review the latest edition of the Mintz Matrix for these new measures.  Continue Reading Illinois Joins the Fray: Strengthens its Laws Around Data Breach Notification and Data Security

If you have had to provide data breach notices across any number of states (and who hasn’t….), you would know that they vary widely in how those notices must be provided to state regulators.   In some states (for example, California, North Carolina, Indiana, and New York), the Attorney General’s office has established an online portal that must be used for breach notices.    In still other states, notice letters must be sent to one or multiple regulators.

Pursuant to the Massachusetts data breach notification statute, M.G.L. 93H, notices must be provided to the affected resident, the Attorney General’s office and to the Office of Consumer Affairs and Business Regulation (OCABR).    It is not enough that Massachusetts has a sui generis breach notice content statutory requirement (you must tell affected residents of the breach, but you can’t tell them about the breach), now the OCABR has created its own notice submission portal that is a separate form and not just a place to upload a copy of the AG notice.  A letter sent out earlier this month also says “It is important to note that this electronic submission form only satisfies the notification requirement for OCABR.  The submission does not relieve businesses of their legal obligation to separately notify the AGO and the affected Massachusetts residents.”

Make sure you update your incident response plan to account for this additional notice requirement.

As we reported last month, the FCC was preparing a proposed rulemaking (NPRM) to establish privacy and data security requirements for broadband internet access service (BIAS) providers.  The FCC has now released that proposal with comments and reply comments due May 27th and June 27th respectively.

The brief background to this proposal is that in 2015, the FCC adopted net neutrality rules in Open Internet Order, which reclassified BIAS as a common carrier telecommunications service subject to regulation under Title II of the Communications Act.  The Commission determined that, as a consequence of reclassification, Section 222 of the Communications Act, which is part of Title II, would now apply to BIAS providers. Section 222 regulates a telecommunications carrier’s use and disclosure of Customer Proprietary Network Information (“CPNI”) – which includes information related to the quantity, location, and amount of use of a telecommunications service.  The FCC concluded in its Open Internet Order that the rules implementing Section 222 were telephone-centric and ill-suited to BIAS, and so chose to forbear from applying those rules to ISPs.  With this latest release, the FCC is proposing a new set of rules implementing Section 222 that would apply to BIAS providers. Continue Reading FCC Broadband Privacy and Security Proposed Rulemaking Underway

In 2004, Mintz Levin created a compendium of state data breach notification laws and has been updating it on a regular basis ever since.imitated

Our latest update is available here, and it should be part of your incident response “toolbox” and part of your planning.

Some changes of note

Tennessee is our most recent state to amend its existing state data breach notification law.  Last week, the Governor signed an amendment into law that takes effect on July 1, 2016:

  • Joins several other states in tightening the notice period to “no later than 45 days from the discovery or notification of the breach…”
  • Eliminates the “encryption safe harbor,” i.e., notification obligations are triggered even where the accessed or acquired data elements are encrypted.
  • Specifically defines “unauthorized person” to include an employee “who is discovered … to have obtained personal information and intentionally used it for an unlawful purpose.”

California, Connecticut, Montana, Nevada, North Dakota, Oregon, Rhode Island, Washington and Wyoming all amended data breach laws in 2015.  Some amendments signed into law in 2015 do not take effect until later this year, so make sure to note the effective dates on  the Mintz Matrix when consulting various states.

What should you do now?

Spring cleaning.   Given the number of changes at the state level (and no prospect for federal legislation easing this pain….), spring is a good time to review your incident response plan and data privacy policies to bring everything in line.    In particular:

  • Note tightened response deadlines (Rhode Island, Tennessee)
  • Add identity theft prevention or identity theft mitigation services (Connecticut, California)
  • Review data classification to take into account expanded definitions of personal information (Montana, Wyoming)
  • Revise notice templates to comply with the new California format

As always, the Mintz Matrix is for informational purposes only and does not constitute legal advice or opinions regarding any specific facts relating to specific data breach incidents. You should seek the advice of experienced legal counsel (e.g., the Mintz Levin privacy team) when reviewing options and obligations in responding to a particular data security breach.

Hat tip to the newest member of the Mintz Levin Privacy team, Michael Katz, for great work on this update!

21st Century Oncology Holdings, a company that operates a chain of 181 cancer treatment centers in the US and Latin America, announced on Friday March 4 that it was latest victim of a cyber-attack affecting 2.2 million individuals. When did the attack occur? Months ago.   Read on for the gory details….. Continue Reading Not again …. yet another health care data breach

Yesterday, we reviewed the staggering numbers in California Attorney General Kamala Harris’ 2016 Data Breach Report.california-flag-graphic

In addition to providing a comprehensive analysis of four years of data breaches, the report provides what is an answer to the vexing question of what her office considers to be “reasonable security.”

Continue Reading California by the Numbers (Part 2): How to Stay out of the 2017 Report