Cyber Insurance: An Efficient Way to Manage Security and Privacy Risk in the Cloud?

As organizations of all stripes increasingly rely on cloud computing services to conduct their business (with many organizations entering into cloud computing arrangements with multiple cloud providers), the need to balance the benefits and risks of cloud computing is more important than ever. This is especially true when it comes to data security and privacy risks. Cloud providers are sitting on reams of data from thousands of customers, including sensitive information such as personal information, trade secrets, and confidential and proprietary information. To criminals, Cloud providers are prime targets. At the same time, based in large part on the amount of risk aggregated by Cloud providers, most Cloud customers are unable to secure favorable contract terms when it comes to data security and privacy. While customers may enjoy some short-term cost benefits by going into the Cloud, they may be retaining more risk than they want (especially where Cloud providers refuse to accept that risk contractually). In short, the players in this industry are at an impasse. Cyber insurance may be a solution to help solve the problem.

A Short History of Cyber Insurance Coverage*

*This section ended up longer than I anticipated. If you already have a base knowledge of cyber coverage or don’t want to bother with some historical background, please skip ahead to this section: "Where Privacy and Security Risk Breaks Down in Cloud Computing Contracts"

In the early 2000s, just around the “DotCom Bust”, some insurers began developing a product designed to address the financial loss that might arise out of a data breach. This was a time when most “brick and mortar” companies were just beginning to leverage the economic potential of the Internet. At that time insurers wanted to target the big “dotcom” companies like Amazon, Yahoo, eBay, Google, etc., and other companies pioneering e-commerce and online retailing. At some point, somebody dubbed this type of insurance “cyber insurance.”

The early cyber policies included liability and property components. The liability coverages addressed claim expenses and liability arising out of a security breach of the insured’s computer systems (some early policies only covered “technical” security breaches, as opposed to policy violation-based security breaches). The property-related components covered business interruption and data asset loss/damage arising out of a data breach (during the holiday season many online retailers suddenly developed a taste for business interruption coverage after realizing just how negatively their business would be impacted by a denial of service attack). Additional first party coverages included cyber-extortion coverage and crisis management/PR coverage.

Unfortunately for the carriers, it was not easy to get people to understand the need for this coverage (and that is still a challenge today, but certainly a lesser challenge with all of the security and privacy news constantly streaming). Early on there were very few lawsuits and regulators were just beginning to consider enforcement of relatively new statutes like GLB and HIPAA.

Two things changed that made cyber insurance much more relevant. One was a rather sudden event, and the other more gradual.

First, in 2003, California passed SB1386, the world’s first breach notification law. The reality then (as now) is that companies suffer security breaches each and every day. Prior to SB1386, however, breaches of personal information simply went unreported. With SB1386 and the subsequent passage of breach notice laws in 45 other states (and now coming internationally), the risk profile changed for data breaches. Instead of burying the breaches, companies were required to incur significant direct expenses to investigate security breaches and comply with applicable breach notice laws, including the offering of credit monitoring to affected individuals (which is not legally required by existing breach notice laws, but is optionally provided by many companies or "suggested" by state regulators). As a result, the plaintiffs’ bar now had notice of security breaches and began filing class action lawsuits after big breaches (usually involving high-profile brand name organizations). As such, cyber insurance coverage went from coverage addressing a hypothetical risk of future lawsuits to coverage addressing real-life risk (and now we have lawsuits getting deeper into litigation and public settlements of these types of cases). Moreover, shortly after the passage of SB 1386 many cyber insurance policies began covering the direct costs associated with complying with breach notification laws, including attorney fees, forensic investigation expenses, printing and mailing costs, credit monitoring expenses and call center expenses. Breach notification costs are direct and almost unavoidable after a personal information breach. Regardless of lawsuit activity, a direct financial rationale for cyber insurance coverage now existed.

The other change occurred more gradually over time, but it has had a significant impact on the frequency and magnitude of data breaches: organized crime. In the early 2000s hacking was more of an exercise in annoyance or was used for bragging purposes. Hackers at that time wanted their exploits talked about and known. They wanted credit for hacking into or bringing down a sophisticated company (or better yet a division of the Federal Government or military). As such, when an attack happened it was discovered and remediated, and that would be the end of it.

True criminals, of course, are less interested in such notoriety. In fact, when trying to steal thousands/millions of records to commit identity theft or credit card fraud it is much better to NOT be detected. Lingering on a company’s network taking information for months or years is a much more profitable endeavor. Recognizing that this type of crime is low risk (it can be performed from thousands of miles away in Eastern Europe with almost no chance of getting caught) and high reward, organized crime flooded into the space. And in this context the word “organized” is truly appropriate – these enterprises retain very smart IT-oriented people who use every tool possible to scale and automate their crimes. They leverage the communication tools on the Internet to fence their “goods,” creating, for example, wholesale and retail markets for credit cards, or “eBay”-like auction sites to hawk their illicit wares (e.g. valuable information). The change in orientation described above has essentially resulted in a 24/7/365 relentless crime machine constantly attacking and looking for new ways to attack, and always seeming to be one step ahead of those seeking to stop them. That is why we read about security and privacy breaches practically every day in the newspaper.

Fast-forward to the present. Cyber insurance is a much more established market with more carriers entering on a regular basis. There are primary and excess markets available for big risks, and companies of all sizes are looking at cyber more as a mandatory purchase rather than a discretionary one. As the world continues to change at seemingly light-speed and cyber risks increase (with the advent of hacktivism, social media and the consumerization of IT/BYOD), the need for cyber is also growing. With competition pushing cyber insurance prices down, and significant security and privacy risk being retained by organizations, risk transfer is becoming very attractive (and from an overall big-picture systemic point of view, spreading risk is also attractive). Another area where cyber may help smooth out security and privacy risk is cloud computing.

Where Privacy and Security Risk Breaks Down in Cloud Computing Contracts

As we have written extensively in the past, Cloud computing raises significant privacy and security risks that are often difficult to hammer out in a Cloud computing negotiation (to the extent a Cloud customer gets a chance to negotiate at all). The net result of these contract negotiation difficulties, and the unwillingness of Cloud providers in many cases to take on meaningful risk contractually, is that the risk is retained solely by the Cloud customer. The following examples outline the privacy and security-related Cloud issues that impact the Cloud customer's risk:

  • a Cloud provider failing to maintain reasonable security to prevent data breaches;
  • a Cloud provider failing to comply with privacy and security laws applicable to the Cloud customer;
  • a Cloud provider refusing to allow a Cloud customer to conduct its own independent forensic investigation of a data breach suffered by a Cloud provider;
  • potential conflicts of interest with respect to a Cloud provider’s handling of a data breach that may have been the fault of the Cloud provider, including failing to cooperate with its Cloud customers if that cooperation could adversely impact the Cloud provider;
  • the Cloud customer’s potential obligation to comply with breach notice laws, including absorbing expenses for legal fees, forensic investigators, printing and mailing, credit monitoring and maintaining a call center;
  • lawsuits and regulatory actions against the Cloud customer because of Cloud provider security and privacy breaches, and the legal fees, judgments, fines, penalties and settlement costs associated with them; and
  • Cloud providers seeking to leverage and data mine Cloud customer information being processed in the Cloud.

The justification used by Cloud providers to avoid responsibilities for these risks and the costs associated with them is essentially risk aggregation. Cloud providers maintain that, because they serve hundreds or thousands of customers on shared computing resources, a single attack could expose Cloud providers to liability from all of those customers at the same time. In fact, we already have one example involving a business interruption of a Cloud provider that demonstrates how multiple customers can be affected by a security breach. They also claim that independent forensic investigations by customers in the wake of a data breach are not possible because they cannot accommodate multiple customers at one time, and even if they could a forensic assessment would essentially expose each Cloud customer’s data to every Cloud customer conducting such an investigation.

Cyber Insurance: Addressing Retained Risk in the Cloud

So how does cyber insurance fit into this picture? As it currently stands, cyber insurance can be a very valuable tool for Cloud customers who are not able to get their providers to contractually take financial responsibility for security and privacy risk. Most cyber insurance policies cover data security and privacy breaches of not only the computer networks directly under the control of the insured, but also those computer networks operated by third parties for or on behalf of the insured. What this means in the Cloud context is that most cyber insurance policies may cover data breaches of the Cloud provider’s systems where the Cloud customer's/insured's data is stored and processed on those systems. This coverage will typically include most of the expenses listed above, including those direct expenses to comply with breach notice laws and costs to defend lawsuits and regulatory actions arising out of Cloud provider data breaches. As such, in the event a Cloud customer cannot get reasonable contract terms, assuming it has purchased the correct cyber coverage, it will have a fallback risk transfer and will not be retaining that risk solely on its own.

Is there a catch? Not really, currently, except of course the premium that must be paid and the fact that most cyber insurance policies have a self-insured retention that must be satisfied by the insured before the carrier is required to pay. However, there may be longer-term problems that arise for the carriers.

At this point, whether they like it or not, carriers whose cyber insurance policies cover security and privacy breaches of third party service providers are already beginning to aggregate their risk when it comes to Cloud providers. Imagine a world with a relatively small number of Cloud providers serving a much larger customer base (to some degree we may already live in such a world considering the dominance of Google, Amazon, Rackspace and other big cloud players). Many insureds/Cloud customers are going to be dealing with this relatively small number of Cloud providers. For example, I am sure that most cyber insurance companies, if they were to check their books, would find that many of their insureds already use the same Cloud providers and/or other third party service providers to store and process the insureds’ data. Further consolidation of Cloud providers, should that occur, will only increase the aggregation of risk.

However, if cyber insurance becomes more widely adopted, the aggregation risk may be manageable. The entire purpose of insurance is to spread the risk across a wide community of insureds, and by doing so hopefully individual insureds that experience a breach are not catastrophically impacted. At the same time carriers can build reserves and achieve reasonable profits. The long-term question is whether there are enough insureds purchasing cyber insurance to spread the risk and allow for the building of reserves to cover a breach of a major cloud provider that impacts a wide audience of insureds.

We probably are not there yet, and unless demand increases, we may not get there. One thing that may happen, perhaps, is a push from the Cloud provider/customer community to somehow make cyber insurance more of a mandatory condition of doing business in the Cloud. Time will tell as to whether the cyber insurers view this aggregation issue as serious, and whether they will take steps to mitigate it (hopefully those steps will not involve narrowing the coverage). In the meantime, companies that are going deep into the Cloud should quantify the risk they are retaining and seriously consider Cyber insurance coverage. The price may be right, and the peace of mind priceless.

"I'll Be Watching You"

David Navetta weaves some movie trivia into his conversation with COMPUTERWORLD reporter Karen Kroll in an attempt to explain the significance of the SEC's recent guidance document on cyber security incident reporting.

SEC Issues Guidance Concerning Cyber Security Incident Disclosure

(co-authored by Nicole Friess) Publicly traded businesses now have yet another set of guidelines to follow regarding security risks and incidents. On October 13, 2011 the Securities and Exchange Commission (SEC) Division of Corporation Finance released a guidance document that assists registrants in assessing what disclosures should be made in the face of cyber security risks and incidents. The guidance provides an overview of disclosure obligations under current securities laws – some of which, according to the guidance, may require a disclosure of cyber security risks and incidents in financial statements.

Drawing from certain SEC forms and regulations, the guidance emphasizes that registrants should disclose the risk of cyber incidents “if these issues are among the most significant factors that make an investment in the company speculative or risky.” Registrants are expected to evaluate security risks, and if a registrant determines that disclosure is required, the registrant is expected to “describe the nature of the material risks and specify how each risk affects the registrant,” avoiding generic disclosures.

The SEC indicated that in analyzing cyber security risks and whether those risks should be reported, registrants should take the following into account:

  • prior cyber incidents and the severity and frequency of those incidents;
  • the probability of cyber incidents occurring and the quantitative and qualitative magnitude of those risks, including the potential costs and other consequences resulting from misappropriation of assets or sensitive information, corruption of data or operational disruption; and
  • the adequacy of preventative actions taken to reduce cyber security risks in the context of the industry in which they operate and risks to that security, including threatened attacks of which they are aware.

Additionally, the guidance advises registrants to address risks and incidents in their MD&A “if the costs or other consequences associated with one or more known incidents or the risk of potential incidents represent a material event, trend, or uncertainty that is reasonably likely to have a material effect on the registrant’s results of operations, liquidity, or financial condition or would cause reported financial information not to be necessarily indicative of future operating results or financial condition.” Other situations requiring disclosure include if one or more incidents has materially affected a registrant’s “products, services, relationships with customers or suppliers, or competitive conditions” and if an incident is involved in a material pending legal proceeding to which a registrant or any of its subsidiaries is a party. Registrants are also expected to disclose certain security incidents on financial statements, as well as the effectiveness of disclosure controls and procedures on filings with the SEC.

While cyber security risk has always been a potential financial disclosure issue, and something that directors and officers need to take into account, the SEC guidance really highlights the issue and brings it to the fore. Even so, materiality is still going to be a big issue, and not every breach will need to be reported, as many/most will not likely involve the potential for a material impact to a company.

What the guidance document does stress, however, is process and risk assessment. One read of this guidance is that companies internally are going to have to more carefully forecast and estimate the impact of cyber incidents and the consequences of failing to implement adequate security. This analysis will go well beyond privacy-related security issues, where most companies have focused (due to various privacy laws and regulator activity), and implicate key operational issues impacted by security breaches. It will be interesting to see how this affects the internal corporate dynamics between CIOs and their business counterparts. This guidance may provide additional leverage for security risk managers to obtain bigger budgets, new technology and more personnel.

This guidance may impact the traditional breach notification process as well. Companies may now need to analyze not only whether notice to impacted individuals is necessary, but also whether shareholders should be getting a disclosure in financial statements. This new guidance also raises the specter of directors and officers lawsuits. We saw a D&O suit in the Heartland data breach that went nowhere; does this guidance provide more legs to plaintiffs? Only time will tell.

California Amends Its Data Breach Law - For Real, This Time! (As California Goes, So Goes the Nation? Part Three)

California's infamous SB 1386 (California Civil Code sections 1798.29 and 1798.82) was the very first security breach notification law in the nation in 2002, and nearly every state followed suit. Many states added their own new twists and variations on the theme - new triggers for notification requirements, regulator notice requirements, and content requirements for the notices themselves. Over the years, the California Assembly and Senate have passed numerous bills aimed at amending California's breach notification law to add a regulator notice provision and to require the inclusion of certain content. However, Governor Schwarzenegger vetoed the bills on multiple occasions, at least three times. Earlier this year, State Sen. Joe Simitian (D-Palo Alto) introduced Senate Bill 24, again attempting to enact such changes. Yesterday, August 31, 2011, Governor Brown signed SB 24 into law.

SB 24, which will take effect January 1, 2012, requires the inclusion of certain content in data breach notifications, including a general description of the incident, the type of information breached, the time of the breach, and toll-free telephone numbers and addresses of the major credit reporting agencies in California. In addition, importantly, SB 24 requires data holders to send an electronic copy of the notification to the California Attorney General if a single breach affects more than 500 Californians. This adds California to the list of states and other jurisdictions that require some type of regulator notice in the event of certain types of data security breaches (note that California already requires notice to the Department of Public Health for certain regulated entities in the event of a breach involving patient medical information, Health & Safety Code section 1280.15). Other states that require some form of regulator notice in some circumstances for certain kinds of entities (sometimes for a breach, and sometimes to explain why an entity has determined there was no breach) include Alaska, Arkansas, Connecticut, Hawaii, Indiana, Louisiana, Maine, Maryland, Massachusetts, Missouri, New Hampshire, New Jersey, New York, North Carolina, Puerto Rico, South Carolina, Vermont, and Virginia.

You can find the text of SB 24 here.

IL Appellate Court: No Duty Exists to Safeguard SSNs for Purposes of a Negligence Claim

In one of InfoLawGroup’s first blog posts to kick off 2011 we surveyed a handful of privacy lawsuits that are in the process of potentially altering the privacy and security legal risk landscape. ILG recently discovered another case (through an excellent service we use called Nymity), one of the first that we are aware of in the United States, that dives deep into the issue of whether a common law duty exists to safeguard personal information. In Cooney, et al. v. Chicago Public Schools, et al., an Illinois appellate court upheld a lower court’s dismissal of a lawsuit involving the unauthorized disclosure of sensitive personal information, including names, addresses, social security numbers, marital status, dates of birth, medical and dental insurers and health insurance plan information. While we have seen plenty of courts dismissing data breach cases on motion to dismiss, most of those have focused on the lack of alleged damages. In Cooney, however, the court actually rendered a decision on whether any common law duty exists to safeguard personal information for purposes of a negligence claim. The Cooney court's ultimate answer was that no such duty exists. In this blog post we take a closer look at the court’s rationale for dismissing the plaintiffs’ negligence claim, as well as the other interesting holdings of the court.

Background

In Cooney, the main defendants were the Chicago Public Schools and its Board (“CPS”), and a printing and mailing company known as All Printing & Graphics, Inc. (“All Printing”). All Printing was retained by CPS to print, package and mail a COBRA Open Enrollment List to approximately 1,750 former CPS employees. Unfortunately, each of the 1,750 employees was sent a list containing the personal information of all the other 1,749 former employees, including names, addresses, social security numbers, marital status, medical and dental insurers and health insurance plan information. CPS notified the employees of the breach and offered one year of free credit protection insurance. Several of the employees filed individual and class action lawsuits, which were consolidated at the trial court level. The complaints alleged several causes of action (including common law negligence), which were all dismissed by the lower court. The appellate court set out to determine whether the dismissal was in error, and ultimately held that it was proper. One of the appellate judges, however, dissented. The following is a summary of the court’s opinion for the main causes of action alleged.

Common Law Negligence

In addressing the plaintiffs’ common law negligence claim, the court laid out the traditional elements necessary to allege negligence, and first set out to determine whether CPS was under a duty to safeguard the plaintiffs’ personal information.

First, under Illinois law, a violation of a statute designed to protect human life and property may be used as prima facie evidence of negligence (i.e. it can be used to allege a “duty” for purposes of negligence, and a violation of that duty). In this case, the plaintiffs argued that HIPAA and Illinois' breach notice law (815 ILCS 530) created a duty for negligence purposes. The court, however, rejected both arguments.

On HIPAA, the court indicated that 45 CFR § 160.103 excluded “employment records held by a covered entity in its role as employer” from HIPAA coverage. According to the reasoning of the majority, since CPS "held" the plaintiffs’ health insurance elections in its role as employer, the disclosure of such records was not a HIPAA violation. Notably, however, the dissenting judge disagreed with this assessment. He indicated that the exception only applied to employment records actually “held” by the covered entity, as opposed to those disclosed (and therefore no longer held by CPS) to unauthorized third parties. In the dissent's view, then, the plaintiffs did properly plead a negligence claim based on allegations that HIPAA had been violated. If this is appealed to the Illinois Supreme Court, this will likely be a key issue in the case. One important item to note here is that it appears that both the majority and dissent agreed that a data security statute can be used to establish a duty for negligence purposes even if the underlying statute does not itself provide a private right of action.

The plaintiffs also claimed that Illinois' breach notice law was violated because a “breach of the security of the system data” had occurred as defined in that law. The court rejected this argument as well, noting that Illinois' breach notice law already provided a specific and exclusive remedy for a breach of security of the system data: notice to the data subjects (which was properly provided in this case).

Second, the court considered whether a "new" duty to safeguard personal information existed in general for negligence purposes (i.e. without having to rely on a specific statute). On this issue, the court rejected the plaintiffs’ argument that the sensitivity of personal information such as birth dates and social security numbers justified the recognition of a duty. Notably, the court did not consider any “foreseeability” arguments or analyze whether a duty should have existed based on something like Judge Learned Hand's risk formula. Based on the foregoing, the court found that the lack of an alleged duty justified dismissal of the common law negligence claim against both CPS and All Printing.

IL Consumer Fraud and Deceptive Business Practices Act

Section 2QQ of the Illinois Consumer Fraud and Deceptive Business Practices Act (815 ILCS 505/1, et seq.) prohibits a “person” from publicly posting or displaying an individual’s social security number. In this case the court held the CPS Board was a “body politic” and therefore not a “person” under the Act. In addition, while All Printing does qualify as a “person” covered under the Act, the plaintiffs failed to allege actual damages as required under the Act. Relying on the large body of case law on the damages issue, the Court specifically rejected plaintiffs’ contention that increased risk of identity theft, and costs to pay for credit monitoring, constitute actual damages.

Traditional Privacy Torts

The plaintiffs also alleged “intrusion upon seclusion” and “public disclosure of private facts.” In considering these theories the court indicated that both torts require disclosure of “private” matters or facts. The court held that the privacy element was not satisfied because no law existed in Illinois defining social security numbers as private information. In addition, names and dates of birth did not qualify as private facts because they are matters of public record. Finally, while Illinois law had defined social security numbers as “personal information,” the court held that personal information does not equate to “private” information. Private information, in the court’s view, means private facts that are facially embarrassing and highly offensive, if disclosed. As such, the court ruled that these claims were properly dismissed by the trial court.

Other Miscellaneous Causes of Action

The appellate court, sometimes in a very cursory fashion, affirmed the dismissal of other causes of action the plaintiffs attempted to allege, including:

  • Negligent infliction of emotional distress (dismissed because traditional negligence elements had not been alleged, as required)
  • Breach of fiduciary duty (dismissed because no authority found to indicate that a fiduciary duty exists based on the plaintiffs providing their personal information “in confidence” to the CPS)
  • HIPAA violations (dismissed because the plaintiffs did not allege that they had been deprived of a constitutionally protected right caused by a “municipal policy”; and because HIPAA does not provide a private right of action against non-state actors like All Printing)
  • 4th Amendment privacy violation (dismissed because the plaintiffs failed to properly raise the issue before the trial court)

Conclusion

This case is very interesting because it is one of the first (if not the first) to squarely rule on whether a common law duty exists to safeguard personal data. It will be very interesting to see if this case is appealed to the Illinois Supreme Court. Based on the strong dissent, it appears as if the majority opinion may be at risk of being overturned. What is somewhat disappointing, however, is the lack of deep analysis by the appellate court (especially on the issue of whether a common law negligence duty existed). It may be that key issues were not raised or briefed by the plaintiffs, but it would have been nice to see a full-throated analysis of "law school 101" issues like foreseeability, reasonableness and risk reduction. InfoLawGroup will try to get a hold of the appellate briefs and other underlying documents to see if they provide additional insight as to how the court reached its decisions (and we will post them here once we have them). We look forward to your thoughts, comments and questions on this case.

California Department of Public Health Breach Fines and Legally Defensible Security

The California Department of Public Health (“CDPH”) recently announced its imposition of $675,000 in fines on six hospitals that had reported security breaches involving medical records (since January 1, 2009, the CDPH has issued fines totaling $1.1 million). The story has been extensively reported on in the media. You can listen to the CDPH’s press conference here. The total number of records exposed was only 244, for an average fine of around $2,766 per record. To put that in perspective, if a California hospital suffered a breach involving 100,000 medical records, using the average stated here, its potential fines could be $276 million (assuming no cap for fines and penalties -- the relevant laws do have a cap of $250,000 per incident).

In this post we take a deeper look at the CDPH fines and the legal framework that gave rise to them, and explore the concept of legally defensible security in this context.

Legal Framework and Basis for these Fines and Penalties

It is best to start at the beginning and take a quick look at the legal framework for the fines and penalties imposed on the hospitals. In this case it was a potent combination of California laws involving:

(1) a breach notice law requiring hospitals to provide notice to the CDPH of unlawful or unauthorized access to, and use or disclosure of, medical information within 5 days after detection;

(2) a duty to prevent unlawful or unauthorized access to, and use or disclosure of medical information; and

(3) an obligation to establish and implement appropriate administrative, technical, and physical safeguards to protect the privacy of a patient’s medical information and reasonably safeguard confidential medical information from any unauthorized access or unlawful access, use, or disclosure; and

(4) potential fines of $25,000 per patient ($17,500 per subsequent breach per patient) capped at $250,000 per event.

These legal requirements are all contained in two bills that amended California law in 2008: AB 211 and SB 541 (you can find the final amendments incorporated into the actual statutes here and here).  Also referenced by the CDPH is Title 22, Section 70707(b)(8) of California's Code of Regulations, which lists the following as a mandatory "patient right" under the law:

Confidential treatment of all communications and records pertaining to the care and the stay in the hospital. Written permission shall be obtained before the medical records can be made available to anyone not directly concerned with the care.

Legal Defensibility

To refresh, the following summarizes a legally defensible security approach:

The focus of legal defensibility is understanding how a plaintiff’s attorney, judge, jury, or regulator will view an organization’s security posture in light of applicable legal requirements. Under a legal defensibility analysis, security choices become legal positions or arguments to be used to persuade legal decision-makers that an organization’s security was legally sound, and to increase the likelihood that a judge, jury, or regulator will find a company legally compliant. Ultimately, there may not be a clear “right” or “wrong” answer, but rather a more or less persuasive legal argument/position on security.

In the case of the California laws outlined in this post, hospitals should be asking themselves as they develop their security programs, how will the CDPH interpret the security obligations contained in those laws, and in the event (or the inevitability as the case may be) of a security breach, what legal arguments does the hospital have to persuade regulators to refrain from issuing a fine?

A full blown analysis of the key security-related legal issues is well beyond the scope of this blogpost. However, there are some key issues posed by these laws that would be addressed under a legal defensibility approach.

Relationship between AB 211 and SB 541.

The obligations set forth in AB 211 and SB 541 appear to overlap and impact the development of an information security program. The relevant amendment set forth in SB 541 reads as follows:

1280.15. (a) A clinic, health facility, home health agency, or hospice licensed pursuant to Section 1204, 1250, 1725, or 1745 shall prevent unlawful or unauthorized access to, and use or disclosure of, patients’ medical information, as defined in subdivision (g) of Section 56.05 of the Civil Code and consistent with Section 130203.

(emphasis supplied).  Section 130203 was actually added by AB 211, and provides in relevant part:

Every provider of health care shall establish and implement appropriate administrative, technical, and physical safeguards to protect the privacy of a patient’s medical information. Every provider of health care shall reasonably safeguard confidential medical information from any unauthorized access or unlawful access, use, or disclosure.

One reading of SB 541 is that no violation would exist due to a failure to prevent unauthorized access as long as the hospital could establish that it had “appropriate administrative, technical and physical safeguards” and reasonably safeguarded medical information (see AB 211). Another might read this part of SB 541 as creating regulatory liability if a hospital fails to prevent unauthorized access to medical records regardless of the hospital's security stance.  Listening to the press conference put on by the CDPH it is not clear whether (or to what extent) they took the hospitals' security into account (and the CDPH indicated that it had not issued any "best practices" in this regard).  

From a legal defensibility standpoint, legal analysis should be performed to determine arguments for and against each position. This analysis might look deeper into the legislative history behind these laws as well as prior decisions and documents issued by the CDPH (e.g. the survey findings reports issued by the CDPH). That legal analysis will help to inform the hospital’s security team as to what actions to take and where to focus its efforts.

Appropriate Controls

Assuming that establishing and implementing appropriate/reasonable safeguards would provide a hospital with the means to escape regulatory fines, a legal defensibility approach would require research and analysis as to the meaning of “appropriate” and “reasonable” in this context. This meaning might be derived from legislative history, case law, other statutes using analogous language or decisions or documents issued by the CDPH concerning security measures (or the lack thereof).

Hospitals' lawyers that perform this analysis while the security program is being built can help to guide their security teams to address crucial areas and reduce liability. Would compliance with particular standards improve their legal position? Would evidence of a comprehensive security risk assessment persuade regulators that the hospital had done the right thing despite the breach? What security measures has the CDPH stressed or scrutinized in prior investigations? Employing a legal defensibility strategy would allow the hospitals to have established legal positions concerning their security in order to persuade regulators not to impose fines and penalties.

Risk Factors to Mitigate Potential for Fines

Both SB 541 and AB 211 set forth specific factors that regulators may take into account when deciding whether a security breach involving medical information is worthy of a fine and how much the fine should be. For instance, SB 541 provides:

For purposes of the investigation, the department shall consider the clinic’s, health facility’s, agency’s, or hospice’s history of compliance with this section and other related state and federal statutes and regulations, the extent to which the facility detected violations and took preventative action to immediately correct and prevent past violations from recurring, and factors outside its control that restricted the facility’s ability to comply with this section. The department shall have full discretion to consider all factors when determining the amount of an administrative penalty pursuant to this section.

Again, the key issue here is, when developing the information security program in light of these factors, what security should be implemented to reduce legal risk. More to the point, based on these factors, what arguments exist for the hospital to claim that it should not be fined? For example, based on references to detection, prevention and “immediate correct[ion],” a hospital that established a security program with strong intrusion detection and prevention controls might persuade regulators to refrain from imposing fines. Moreover, if the security program’s incident response procedures stressed rapid correction of breaches, and such correction took place, this fact may mitigate against the imposition of fees.

There are many other legal issues presented by this language that could impact how a security program is implemented so that it is legally defensible. For example, which of these factors do the legislators or regulators weigh more heavily (or are they all treated the same)? Is there any evidence (perhaps past regulatory actions and documents related thereto) that indicates other factors regulators may take into account when deciding whether to impose fees (at the CDPH press conference the spokesperson indicated that it had taken the "rural" nature of two hospitals into account in assessing penalties)? Answering these questions requires careful legal analysis and coordination between a hospital's legal and security teams.

Preferably all of these legal defense considerations are proactively baked into a security program when it is built (instead of having to construct arguments reactively in the wake of a security breach). Preferably these legal positions are documented and preserved for use in case something goes wrong (instead of having to create them ad hoc in the heat of a breach situation).  Having established positions is even more important for these California laws since hospitals only have five days before they are required to provide notice to the CDPH.  Five days is likely not enough time to conduct a full investigation and analysis, and construct complex legal arguments.

Conclusion

It remains to be seen whether these fines are a one-time warning shot for deterrence purposes, or potentially the beginning of a significant series of fines for California healthcare entities that have reported more than 3,400 patient confidentiality breaches since January 1, 2009. Either way, these fines highlight the need for a legal defensibility approach when developing an information security program.

This is the reality in California for hospitals: you will need to report breaches to the CDPH within five days of detection, the CDPH has the potential to impose stiff fines if it believes you have violated various laws, and the hospital will have to establish that despite the breach it was doing the right thing and should not be fined. Hospitals that have not considered how to build security programs that provide solid legal arguments in favor of compliance with these laws may find themselves unable to dissuade regulators from imposing fines. They will be in a defensive and reactive posture under extreme time pressure instead of a proactive and prepared posture. Considering security and patient confidentiality from a legal defensibility standpoint may help to mitigate some of this risk.

Insurers Deny Coverage for Breach Notice Costs (and why companies should consider cyber insurance coverage and why brokers should offer it)

It was recently reported that an insurance carrier (Colorado Casualty Insurance Co.) denied coverage (and filed a lawsuit) for the $3.3 million in costs the University of Utah incurred to provide notice of a security breach involving the records of 1.7 million patients from the University’s hospitals. You can find a copy of Colorado Casualty's declaratory judgment action complaint here. The University also filed its own counter claim, cross-claim and third party claim. As discussed further below, the University's cross-claim is against Perpetual Storage (the service provider that allegedly lost the data) and its third party claim is against Perpetual Storage’s insurance broker (the broker that placed the insurance coverage with Colorado Casualty).

The parenthetical in the title of this blogpost may seem counter-intuitive perhaps, but it appears that this controversy and the pleadings that have been filed paint a picture of what can potentially go wrong when proper cyber or technology errors and omissions coverage is not in place. It will be interesting to see how this case shakes out (and I make no predictions on what will happen because I lack too much information to analyze the issue), but I guarantee that the players involved are probably wishing they purchased explicit cyber or technology errors and omissions coverage (again, it appears that they may not have, but I don’t have all the information to state that definitively). Instead, they will have to litigate with no guarantees of success (and large hurdles for the University). Ironically, the University may ultimately recover from insurance proceeds, but those proceeds may come from the insurer that provides errors and omissions coverage to Perpetual Storage's insurance broker.**

Background

The following background allegations were taken from the original complaint and the University’s complaint.

It appears that Perpetual Storage contracted with the University to provide data storage services. In June 2008, back-up tapes containing personal information of 1.7 million patients were stolen from a Perpetual Storage employee’s car. 1.1 million of the records included social security numbers. This employee allegedly parked his car while working at a second job, and later in his driveway at home overnight. The tapes were allegedly taken in the middle of the night approximately 8 to 12 hours after they had been picked up.

In response to this incident, as of May 25, 2010 the University had incurred about $3.35 million in costs broken down as follows: $2,483,057 related to credit monitoring expenses (one year for each impacted individual whose social security number had been exposed); $646,149 related to printing and mailing costs for notice to each of the 1.7 million impacted individuals; $81,389 related to phone bank costs (to field more than 11,000 phone calls); and an additional $144,158 in miscellaneous costs. In addition, the University allegedly expended 6,232 personnel hours responding to and mitigating the security breach (and it seeks compensation for that lost time as well).

Colorado Casualty appears to have issued two insurance policies to Perpetual Storage, one described as a “commercial package policy” and the other a “commercial liability umbrella policy.” None of the pleadings mention Perpetual Storage or the University having purchased cyber coverage (i.e. data security or privacy coverage) or errors or omissions coverage.

Procedurally, there is a fair amount going on with this case, including a motion to dismiss by Perpetual Storage. Most relevant, however, is the University’s activity. It filed an answer and several claims against various players. First, it filed against Colorado Casualty and attempts to assert that coverage is available. It also filed against Perpetual Storage directly for its acts and errors, including allegations that Perpetual breached its contract with the University. Finally, it filed a claim against Perpetual Storage’s insurance broker, United Insurance Services, alleging that United failed to procure the insurance coverage needed by Perpetual.

Observations

This case is interesting for many reasons, some of them outlined below.

Do not rely on a commercial general liability policy or traditional property policy to get coverage for security or privacy breaches.

From experience, unless an endorsement was purchased, it would be unusual for a general commercial liability policy to provide first party coverage for breach notice costs (mailings, call center, credit monitoring) or professional liability coverage (coverage for liability due to an act, error or omission of a professional service provider like Perpetual). In fact, there are several cases that have found that commercial general liability policies and property policies do not cover certain data security and privacy risks. Of course, there may be arguments in favor of coverage under certain general commercial policies or property policies, but it may not be clear cut and it may require expensive litigation to obtain that coverage. It is also possible that these policies had endorsements providing more than the traditional coverage (and ultimately the specific wording is what will matter; for purposes of this blogpost I am assuming that the language is fairly similar to traditional policies I have worked with).

The moral of this story is that there is insurance out there, provided by many carriers (and more and more are providing it), that is specifically intended to provide coverage for information security and privacy breaches and technology professional liability. This insurance is specifically designed to provide coverage for damages and defense costs arising out of a data security breach or an act, error or omission in the rendering of professional technology services (like data storage services). Moreover, coverage now exists for direct costs incurred by an insured to provide notice to individuals in the event of a security breach, as well as expenses to set up a call center and provide credit monitoring. Having purchased coverage for this specific purpose, companies can have a much higher level of certainty that the type of data breach described in this case will be covered.

Insure your own company directly.

The University in this case does not appear to have its own cyber insurance coverage (if they did, I am assuming they would have tendered their expenses to their own carrier and this controversy would most likely not exist). Instead they are making the difficult argument that they should be the beneficiaries of insurance purchased by their service provider. All of this could have been avoided if the University had purchased a cyber policy directly insuring the University.

Most cyber insurance companies provide coverage for “breach notice costs,” including mailing costs, credit monitoring and call center expenses. In addition, most cyber policies provide coverage if the security breach happens to one of the insured’s service providers. That coverage would have addressed the vast majority of the expenses incurred by the University (most cyber policies, however, probably would not provide any coverage for the personnel hours expended internally to address the breach). The moral of this story is if you are an organization that handles a lot of personal information (or other sensitive information), regardless of how secure you think you are (and by now everybody knows that there is no such thing as perfect security; breaches are a matter of when and how bad at this point), you should seriously consider cyber insurance in your risk management mix.

Brokers beware.

It looks as if the University is exercising all its options to try to get reimbursed for the expenses it incurred to address this security breach – it even sued Perpetual Storage’s insurance broker. However, considering there is no direct contract between the University and that broker it may be difficult to recover. Rather, Perpetual Storage is likely in a better position to sue its own broker for breach of contract and/or negligence.

Nonetheless, there is also a moral here for brokers. Here is the reality in 2010: most companies of all shapes, sizes and wealth profiles use information technology and handle sensitive information including personal information and credit card numbers. That means they face potential direct losses due to a data breach (the biggest risk being having to provide notice under breach notice laws and provide credit monitoring/call centers). It also means that most organizations face potential lawsuits and liability arising out of data security and privacy breaches (e.g. consumer lawsuits, employee lawsuits, lawsuits by banks if credit cards are lost, and regulatory actions). 

As such, brokers should be aware of the data security and privacy risk their clients face, understand where and how that risk might be covered.  Where appropriate brokers should approach the market to obtain cyber insurance for their customers.  Unfortunately, cyber policies (due to their technological nature) are often very complex and brokers dealing with general liability insurance may not have the training or expertise to understand where cyber insurance fits in and how it provides coverage.  This problem needs to be overcome or we will see a lot more lawsuits against brokers after security breaches.

Last point to make, assuming the University does not have its own policy, I am wondering whether (or when) the University decides to name its own insurance broker as a defendant.  I suppose it will depend on whether that broker raised the issue of cyber insurance, and whether the University turned it down or was unable to obtain coverage.

Conclusion

The bottom line is that practically every company in our modern economy has information security and privacy risk. There is no way to completely eliminate it (and it is not cost-effective in most cases to even try). That leaves residual risk that can either be internalized (like the University did) or transferred. Companies that want to transfer that risk would be well-served to get peace of mind and relative predictability by purchasing a cyber policy actually designed to address the risk. Relying on a general liability or property policy to provide the coverage is no longer a wise choice (if it ever was). Of course, this does not mean that cyber insurance is the proper decision for every company; cost is always a factor. Nonetheless, with dozens of carriers now offering the coverage on some level, competition is fierce both on price and coverage scope, so now is the right time to explore the market.

Final note, many of my observations and much of my analysis above is based on assumptions I am making concerning the nature of the policy and the facts of this case.  Depending on what is in that policy, and what really happened in this matter, some of my predictions could be off or not applicable.  If the policies are filed in court, we will revisit this matter and dig a little deeper.

**DISCLOSURE: I have several cyber insurance company clients and have assisted with drafting some of the top-selling forms in the marketplace; independent of those relationships, however, I am a huge proponent of risk transfer when it comes to security, privacy and technology risk, and believe that no data security and privacy risk management process is complete without considering cyber insurance.


FAQ on Alberta's New Breach Notice Law

Earlier this month (May 1, 2010), Alberta became the first Canadian province to pass a broad breach notice law (“Bill 54”) as part of their comprehensive data privacy statute, the Personal Information Protection Act (“the Act”; technically, Alberta is the second province to pass a breach notice law in Canada, Ontario previously passed a breach notice law that focuses on health information custodians). 

It will be interesting to see whether the Alberta law ushers in the passage of additional provincial laws, similar to the way California's SB 1386 led to breach notice laws in over forty U.S. states. There appear to be several breach notice initiatives at the provincial and federal level in Canada, some of which may be on the verge of passing. If a wave of breach notice laws does pass throughout Canada, it will be interesting to see if it will have the same impact as in the United States (e.g. frequent reporting of breaches, lawsuits, etc.). It will also be interesting to see whether the Canadian approach differs from the U.S. approach.

This blog post breaks down Alberta’s breach notice provisions in a “Frequently Asked Questions” format, and includes commentary and comparisons to existing U.S. law.  Note that the Act also now includes obligations concerning collecting and transferring of personal information outside of Canada.  That is also discussed briefly in this blog post.

Obligations Concerning Personal Information Collection and Transfer Outside of Canada

First, before diving into the FAQ on the breach notice provisions of Bill 54, let’s take a quick look at an amendment in Bill 54 that addresses the use of service providers outside of Canada for purposes of collecting or transferring personal information. Bill 54 added the following provision to the Act:

13.1(1) Subject to the regulations, an organization that uses a service provider outside Canada to collect personal information about an individual for or on behalf of the organization with the consent of the individual must notify the individual in accordance with subsection (3).

(2) Subject to the regulations, an organization that, directly or indirectly, transfers to a service provider outside Canada personal information about an individual that was collected with the individual’s consent must notify the individual in accordance with subsection (3).

(3) An organization referred to in subsection (1) or (2) must, before or at the time of collecting or transferring the information, notify the individual in writing or orally of (a) the way in which the individual may obtain access to written information about the organization’s policies and practices with respect to service providers outside Canada, and (b) the name or position name or title of a person who is able to answer on behalf of the organization the individual’s questions about the collection, use, disclosure or storage of personal information by service providers outside Canada for or on behalf of the organization.

While this provision does not require an individual’s consent to use a service provider outside of Canada, it does require notice of certain information to the individual prior to collecting or transferring personal information to such service providers. The specific information referenced in the Act can probably be put into an organization’s privacy policy. However, for organizations that have existing non-Canadian service provider relationships, a process must be put in place to provide notice to individuals. This provision may also have implications with respect to Cloud computing. Some organizations in Canada using the Cloud may not know whether personal information is being transferred outside of the United States. As such, these organizations may have to examine their existing service provider relationships, including identifying subcontractors outside of Canada that service providers may be using.


FAQ on the Personal Information Protection Act’s Breach Notice Obligations

What breach notification obligations are set forth in Alberta’s breach notice law?

There are actually two potential notification obligations in Alberta’s breach notice law. The primary obligation requires organizations to provide notice to Alberta’s Information and Privacy Commissioner (the “Commissioner”):

34.1(1) An organization having personal information under its control must, without unreasonable delay, provide notice to the Commissioner of any incident involving the loss of or unauthorized access to or disclosure of the personal information where a reasonable person would consider that there exists a real risk of significant harm to an individual as a result of the loss or unauthorized access or disclosure.

(emphasis supplied). In addition, organizations that suffer a breach may also have to provide notice to the impacted individuals:

37.1(1) Where an organization suffers a loss of or unauthorized access to or disclosure of personal information that the organization is required to provide notice of under section 34.1, the Commissioner may require the organization to notify individuals to whom there is a real risk of significant harm as a result of the loss or unauthorized access or disclosure (a) in a form and manner prescribed by the regulations, and (b) within a time period determined by the Commissioner.

(emphasis supplied). Two points jump out based on these duties. First, it appears that any notice obligation for individuals applies only to those individuals as to whom there is a “real risk of significant harm.” So with respect to a particular breach, this may involve only a subset of those individuals whose personal information was subject to loss or unauthorized access. Second, even if a real risk of significant harm does exist, there is no automatic mandatory reporting obligation to the impacted individuals. Rather, there is only a reporting obligation if the Commissioner requires reporting. At the end of the day however, depending on the regulations and procedures created by the Commissioner, this notification obligation may effectively become “mandatory.” In fact, subsection 37.1(3) requires the Commissioner to establish an “expedited process” for determining whether to require notification where the harm to the individual is “obvious and immediate.”

Differences against U.S. State breach notice laws:

  • Regulator Involvement. The obvious difference between Alberta and most U.S. breach notice laws is that the primary notification obligation is to the regulators. In the U.S. the breach notice laws require notification to the impacted individuals, and some also require concurrent notification to the state regulators (e.g. state attorneys general). In addition, the U.S. breach notice laws typically do not give the regulators discretion as to whether to require notice to individuals.
  • Harm Threshold. Like some state breach notice laws, Alberta’s law has a “harm” threshold built into it. While no U.S. breach notice law uses the “real risk of significant harm” terminology, some states do require a material risk of harm,  a material compromise, a material risk of identity theft, or similar. While it is difficult to compare harm standards, and more research would be necessary to get a clearer picture, it appears that the real risk of significant harm threshold is relatively high. The term does not appear to be defined in the Act itself, but perhaps the Commissioner will get an opportunity to clarify its meaning as it develops regulations and processes for managing the notifications it receives.

What kind of information does the Alberta breach notice law apply to?

It applies to “personal information”, which is defined as follows:

“personal information” means information about an identifiable individual.

Differences against U.S. State breach notice laws:

  • No residency requirement.  Unlike U.S. state laws, the residency of the individual does not matter. Personal information could relate to any individual whether a resident of Alberta or not. This could serve to limit the Commissioner’s jurisdiction to some degree. In the U.S. states, a state breach notice law could apply to a company with little to no “presence” in that state simply if they held personal information of a resident. Under Alberta’s law, there may need to be more traditional “doing business” jurisdiction for this law to apply. However, this jurisdictional issue is outside of the scope of this article (Michael Power, please weigh in if you would like/have the time).
  • Less precise definition than U.S. breach notice laws.  In U.S. breach notice laws the definition of “personal information” or “personally identifiable information” is more precise: typically requiring first name/first initial and last name, in combination with some kind of an account number. The concept of “identifiable individual” is arguably a broader concept than PI or PII in the United States, and therefore there may be instances of reporting required under Alberta’s law that may not be required under U.S. law (on the argument that PI or PII was not at issue as defined under the U.S. breach notice law[s]).

How is a “security breach” defined that would trigger Alberta's breach notice law?

There is no formal definition for “security breach” or “breach of the security of the system.” Nonetheless, a security breach trigger is described in Alberta law as follows: “any incident involving the loss of or unauthorized access to or disclosure of the personal information.” However, a breach by itself does not trigger a reporting obligation unless “there [also] exists a real risk of significant harm to an individual.”

Differences against U.S. State breach notice laws:

  • Actual Loss/Unauthorized Access/Disclosure. Under Alberta's law it appears that there must be an actual loss or unauthorized access to or disclosure of the personal information to activate the trigger. Many U.S. breach notice laws are triggered if there is a reasonable belief or suspicion of unauthorized access or acquisition. As anybody knows who has handled a breach, it is not entirely clear in some cases whether actual unauthorized access occurred (often there is circumstantial or tangential evidence of unauthorized access). If construed in this manner, the Alberta law may result in some breaches not being reported.
  • Alberta's Loss Trigger.  Second, the Alberta law includes “loss” as a trigger. The classic example is a lost laptop. Under many/most U.S. statutes, loss of personal information is not an explicit trigger. Depending on the circumstances, under U.S. state breach notice laws, some organizations may argue that a lost laptop with personal information does not amount to a reasonable belief of unauthorized access. Alberta’s law takes that argument away (however, the harm threshold must still be met).

What is the risk of harm threshold under Alberta’s breach notice law, and how does it operate in terms of the individuals who must be notified?

As discussed above, the risk of harm threshold for notification is a “real risk of significant harm.” This threshold appears to operate in two different ways under the Alberta law. Under section 34.1, if there is a security breach where a reasonable person would consider that there exists a real risk of significant harm to an individual, the organization must report to the Commissioner. Notice of the entire security incident to the Commissioner is required if a real risk of significant harm exists for even a single individual impacted by the incident.

Under section 37.1, however, notification is required only to those individuals to whom there is a real risk of significant harm as a result of the loss or unauthorized access or disclosure. This standard drops the “reasonable person” test and appears to require an actual risk of harm. Moreover, notice is only required to those individuals as to whom a real risk of harm exists. So, if an organization suffers a breach involving 1 million people and one of them faces a real risk of significant harm, it must report the entire breach to the Commissioner. However, it appears that the only individual the organization must notify is the one as to whom an actual real risk of significant harm exists.

What notification obligations does an organization have if its service provider suffers a breach involving personal information?

The Alberta law applies to an organization that has personal information “under its control.” On its face, this control standard is ambiguous when a service provider breach has occurred. If personal information is stored offsite on a service provider’s computer, but is accessible to an organization, is it under the “control” of the organization or the service provider (or both)? Unlike U.S. breach notice laws, Alberta’s law does not distinguish between the “owner” or “licensee” of personal information and the “service provider” (whose typical breach notice obligation under U.S. laws is to report the breach to the owner/licensee). This of course raises the next question.

What notification obligations does a service provider have if it suffers a breach involving personal information of its customers?

This is the flip side of the question posed above. Service providers may be hard pressed to argue that they were not in “control” of personal information provided by their customers, and therefore may have an independent duty to notify the Commissioner and possibly the impacted data subjects. Again, this is less clear than U.S. laws, which only require service providers to report breaches to their customers (a.k.a. data owners/licensees; although some have argued that ambiguity exists as to the meaning of data “licensee” under U.S. laws).

Under Alberta’s breach notice law, do the notification obligations apply to personal information that is encrypted?

Unlike most U.S. laws, there is no specific reference to encryption in Alberta’s breach notice law, and therefore no explicit encryption safe harbor. However, practically speaking, the definitions and triggers in Alberta’s law may preclude notice obligations with respect to encrypted personal information. For example, organizations may argue that, where the personal information was encrypted, a reasonable person would NOT consider that there exists a real risk of significant harm to an individual whose personal information was lost or subject to unauthorized access. Whether that argument holds should depend on the strength of the encryption and on whether the key was also exposed, since encrypted data with a compromised key offers no practical protection.

Conclusion

Alberta's breach notice provisions are very interesting, especially when compared and contrasted against the approach of U.S. states.  It will be even more interesting to see if Alberta's law becomes the model for other provinces, and whether breach notice legislation will have a similar impact on Canadian organizations as it has had on organizations in the United States.

Virginia Adds Medical Information Breach Notice Law

The state of Virginia has passed a breach notice law requiring notice of security breaches involving medical information

UPDATE:  Note, this law only applies to governmental entities, or other organizations "supported wholly or principally by public funds."   The version we previously linked to was an older version of the Virginia House's bill and had a broader definition of "entity."

"Entity" means any authority, board, bureau, commission, district or agency of the Commonwealth or of any political subdivision of the Commonwealth, including cities, towns and counties, municipal councils, governing bodies of counties, school boards and planning commissions; boards of visitors of public institutions of higher education; and other organizations, corporations, or agencies in the Commonwealth supported wholly or principally by public funds.

Medical information is defined  in the Virginia law as follows:

"Medical information" means the first name or first initial and last name in combination with and linked to any one or more of the following data elements that relate to a resident of the Commonwealth, when the data elements are neither encrypted nor redacted:

1. Any information regarding an individual's medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional; or

2. An individual's health insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify the individual, or any information in an individual's application and claims history, including any appeals records.

The term does not include information that is lawfully obtained from publicly available information, or from federal, state, or local government records lawfully made available to the general public."

Breaches that trigger the notice obligations are defined as follows:

"Breach of the security of the system" means unauthorized access and acquisition of unencrypted and unredacted computerized data that compromises the security, confidentiality, or integrity of medical information maintained by an individual or entity. Good faith acquisition of medical information by an employee or agent of an individual or entity for the purposes of the individual or entity is not a breach of the security of the system, provided that the medical information is not used for a purpose other than a lawful purpose of the individual or entity or subject to further unauthorized disclosure.

Even if the data is encrypted, the law requires notice if the breach involved a person with access to the encryption key.  The law requires notice to affected individuals (residents of Virginia) as well as Virginia's Office of the Attorney General.  The Attorney General can bring an action for violations of the law and impose civil penalties of up to $150,000 per breach (or a series of similar breaches of a similar nature that are discovered in a single investigation).  The law does not apply to persons or entities that must report the breach under the HITECH Act.

FAQ on Washington State's PCI Law

On March 22, 2010, Washington state became the third state to incorporate the Payment Card Industry Data Security Standard ("PCI") into law (the other two are Nevada and Minnesota). The Washington House and Senate have passed HB 1149 by substantial margins, and it has now been signed into law by the governor. HB 1149 amends Washington’s breach notice law (and borrows some of its definitions). Similar to Minnesota’s Plastic Card Security Act, HB 1149 provides issuing banks a legal mechanism to collect the costs to reissue payment cards after a payment card security breach. This blogpost summarizes HB 1149 in "FAQ" format and looks at its potential impact.

What is the overall stated purpose of HB 1149?

The introductory paragraph frames the purpose of the law in terms of protecting consumers from identity theft and fraud due to data breaches of credit card data. To achieve this lofty goal, the law provides issuing banks the ability to seek reimbursement of reissuance costs in the wake of a payment card data security breach. By providing this remedy, the drafters of the bill hope to encourage issuing banks to reissue cards, thereby reducing the incidence of identity theft and the associated costs to consumers.

What organizations does HB 1149 apply to?

Moving past the introduction, the law provides a series of definitions related to payment card processing and data breaches. The law applies to “business(es),” “processors” and “vendors” (herein referred to as “Regulated Entities”). Businesses essentially refer to merchants that process more than six million payment cards annually, and who provide, offer or sell goods or services to residents of Washington. Processors are companies that process or transmit “account information” on behalf of another. Vendors are entities that manufacture and sell software or equipment designed to process, transmit or store account information that the vendor does not own.

Analysis: For each of these categories it is not necessary for the organization to physically reside in Washington state. To qualify as a “business” the organization must merely offer or sell goods or services to Washington residents. Companies with an Internet website would arguably fall into that category. The definitions of “processor” and “vendor” do not even mention Washington residency as a limitation. As such, HB 1149 is likely to have reach beyond the borders of Washington State.

What kind of information does HB 1149 regulate?

HB 1149 imposes certain obligations with respect to “account information,” which is defined as follows:

"Account information" means: (i) The full, unencrypted magnetic stripe of a credit card or debit card; (ii) the full, unencrypted account information contained on an identification device as defined under RCW 19.300.010; or (iii) the unencrypted primary account number on a credit card or debit card or identification device, plus any of the following if not encrypted: Cardholder name, expiration date, or service code.

Analysis: Subsections (i) and (iii) mainly deal with various forms of unencrypted cardholder data. Subsection (ii), however, refers to unencrypted account information on “identification devices,” defined as "an item that uses radio frequency identification technology or facial recognition technology." An example might be an RFID tag. Identification devices are not obviously related to PCI and do not quite seem to fit into the overall theme of the law.

What data security obligations does HB 1149 impose on Regulated Entities?

Technically HB 1149 does not impose any obligations on Regulated Entities. Rather, the law works as a mechanism to transfer the risk of loss between Regulated Entities and issuing banks in the event of a payment card breach involving Washington residents.  Think of it as a "sword and shield" law:  it gives issuing banks a sword to collect reissuance costs they otherwise might not be able to collect, and provides companies a shield to avoid liability for such costs.

Section 2., paragraph (3)(a) indicates that if a processor or business fails to take reasonable care to guard against unauthorized access to account information, and that failure is the proximate cause of a breach, then the processor or business can be liable to issuing banks for the costs of reissuing impacted payment cards. Section 2., paragraph (b) indicates that vendors can be liable for damages caused by their negligence, but only if the claim is not limited or foreclosed by another provision of law or by a contract to which the financial institution is a party. However, as discussed further below, organizations that fall into HB 1149’s “safe harbor” will not be liable for reissuance costs (even if they did fail to take reasonable care or acted negligently).

Analysis: While there is no explicit/positive requirement for organizations to take reasonable care, companies that fail to do so may be liable to pay for reissuance costs after a breach. Contrast this against Nevada’s PCI law, which imposes an affirmative obligation on companies that accept payment cards to be PCI compliant.

What constitutes a “breach” under HB 1149?

HB 1149 borrows the definition for breach from Washington state’s breach notice law. As such breach has the same definition as “breach of the security of the system,” which is defined as follows:

unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the person or business. Good faith acquisition of personal information by an employee or agent of the person or business for the purposes of the person or business is not a breach of the security of the system when the personal information is not used or subject to further unauthorized disclosure.

As you can see this definition references the term “personal information,” which is also a defined term under Washington’s breach notice law. Without repeating the entire definition, for information to be considered “personal information” it must include the first name/first initial and last name in combination with other data such as social security number or Washington driver’s license number. In addition, personal information includes first name/first initial and last name in combination with “account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account.”

Analysis: There may be a lack of consistency between the definitions of “account information” and “personal information,” such that it may be possible to have a compromise of “account information” without any "personal information" being compromised. If that were the case then there would be no “breach” under HB 1149 and its provisions would not appear to apply. For example, the unencrypted PAN of a payment card plus an expiration date would constitute “account information” under HB 1149, but is not “personal information” as defined under Washington's breach notice law (no name, and no security code, access code or password). As such, if there was unauthorized access to such account information it would not constitute a “breach” since no personal information was implicated, and therefore HB 1149 would not apply (even if card reissuance was necessary).

How does PCI come into play under HB 1149?

Under HB 1149 the certification of PCI compliance is part of HB 1149’s “safe harbor.” In other words, under certain circumstances, even if a company failed to take reasonable care or acted negligently in protecting “account information” (as referenced in Section 3. of HB 1149) issuing banks will not be able to recover their reissuance costs.

How does the HB 1149 “Safe Harbor” work?

It appears that if a Regulated Entity satisfies the requirements of Section 2.(2) it will not be liable if it runs afoul of the reasonable care/negligence aspects of Section 2.(3). There are two ways to achieve safe harbor. First, Regulated Entities shall not be liable under HB 1149 if the account information at issue was encrypted at the time of the breach. Second, a Regulated Entity shall not be liable if it was certified as PCI compliant at the time of the breach. Under HB 1149, a Regulated Entity is considered compliant if it was validated by an annual security assessment, as long as that assessment took place no more than one year prior to the time of the breach.

Analysis of Encryption Safe Harbor: The encryption safe harbor option seems odd in light of the definition of “account information.” Account information as defined under HB 1149 is by definition “unencrypted.” Thus, if the information described in the definition of account information was encrypted at the time of the breach, it would not constitute “account information” as defined. In other words, this safe harbor is completely circular and redundant.

Analysis of the PCI Safe Harbor: The PCI Safe Harbor is very interesting because it plays into and recognizes the difference between “PCI compliance” and PCI validation/certification. To make a long story short, a company can certify or validate that it is PCI compliant simply by filling out some paperwork. However, that company could be completely wrong and not actually compliant with the PCI standard. The PCI Safe Harbor in HB 1149 does not appear to care whether a Regulated Entity is actually PCI compliant. It appears that the paperwork will do. In fact, Section 2.(2) specifically indicates the following:

For the purposes of this subsection (2), a processor, business, or vendor's security assessment of compliance is nonrevocable. The nonrevocability of a processor, business, or vendor's security assessment of compliance is only for the purpose of determining a processor, business, or vendor's liability under this subsection (2).

What this appears to state is that, as long as the Regulated Entity has done a security assessment and certified/validated it (e.g. filled out and turned in required PCI paperwork in the form of a self-assessment questionnaire or report on compliance), its assessment is “nonrevocable” even if it was incorrect. At least this is one reading of this language (and I would love to hear other theories on this reference).

What kind of encryption is required for the encryption safe harbor?

HB 1149 defines “encrypted” as follows:

(f) "Encrypted" means enciphered or encoded using standards reasonable for the breached business or processor taking into account the business or processor's size and the number of transactions processed annually.

Analysis: The “taking into account” language is extremely odd in the context of describing encryption. It is unclear how a processor’s size or transaction volume would impact its encryption requirements. Typically the key factors for encryption are the algorithm, the key length (e.g. number of bits) and key management; none of these scale with the size of the organization.  What is unclear is whether companies of smaller size and lower transaction volume are allowed to use “weak encryption,” and if so, that would seem to undermine the purpose of the statute (again, I would love to hear from readers on what they think the “taking into account” qualification might mean to them).

When would this law come into effect?

HB 1149 takes effect on July 1, 2010. It would only apply to breaches taking place on or after July 1, 2010.

What happens if more than one entity was at fault for a breach?

According to Section 2.(6), the trier of fact (a judge or a jury) is responsible for determining the percentage of total fault that is attributable to every entity that was the proximate cause of a claimant’s damages.

Analysis: Again a strange provision. One wonders what percentage of fault would be applied to the person/entity that actually stole the payment card data (or whether that would even be part of the analysis).

SearchSecurity.com Interview on the Data Accountability and Trust Act

For those interested, I was recently interviewed by SearchSecurity.com concerning the Data Accountability and Trust Act ("DATA") passed in the House in December 2009.  While I might not be cut out for a career in broadcasting, hopefully the information I provided is useful.  If you would like more information, the Information Law Group has written several times on DATA and similar legislation pending in the Senate.

The Breach Notification Obligations in the Data Accountability and Trust Act

The Information Law Group has been following various Federal data security bills as they wind their way through the House and Senate.  In December 2009, the Information Law Group commented on the passage of the Data Accountability and Trust Act ("DATA") by the House.  I was recently asked by Data Protection Law and Policy (an excellent publication out of the UK focusing on data security and privacy issues) to take a closer look at the data breach obligations of the current version of DATA.  The end result was my article entitled:  "Potential changes to the US breach notice risk landscape".

In summary, my article discusses some of the similarities and differences between the current state-created breach notice regime and the system set forth under the proposed DATA law.  DATA is interesting because it appears to create opposing breach notice incentives.  On the one hand, there are mechanisms that could lead to less breach reporting, including:

  • a "risk of harm" standard that is likely higher than many existing State laws;
  • preemption of existing state law, which eliminates the "least common denominator" approach taken with respect to existing state law; and
  • mandating call center and credit monitoring costs (these costs may be significant, and therefore encourage non-compliance, especially if enforcement is lax).

On the other hand, DATA allows for the imposition of civil penalties of up to $11,000 per violation (capped at $5 million). Each failure to send the required notification to an affected individual is treated as a separate violation.  Depending on how vigorously the law is enforced, the risk of significant civil penalties is likely to encourage compliance.

How these factors would play out is unclear and up for debate.  However, what is even more unclear is whether DATA will ever be made into a law.  The Senate is working on a similar bill, and assuming it passes the Senate it would still have to be reconciled with the House version.  Consumer advocates will likely have concerns about the higher risk of harm threshold in the law.  On the business side, I anticipate great resistance to call center and credit monitoring as mandatory costs.  Moreover, the penalties for non-compliance may be problematic, especially for smaller and medium organizations.  As such, should DATA become a law, it is likely to differ from this version.