SEC Issues Guidance Concerning Cyber Security Incident Disclosure

(co-authored by Nicole Friess) Publicly traded businesses now have yet another set of guidelines to follow regarding security risks and incidents. On October 13, 2011 the Securities and Exchange Commission (SEC) Division of Corporation Finance released a guidance document that assists registrants in assessing what disclosures should be made in the face of cyber security risks and incidents. The guidance provides an overview of disclosure obligations under current securities laws – some of which, according to the guidance, may require a disclosure of cyber security risks and incidents in financial statements.

Drawing from certain SEC forms and regulations, the guidance emphasizes that registrants should disclose the risk of cyber incidents “if these issues are among the most significant factors that make an investment in the company speculative or risky.” Registrants are expected to evaluate security risks, and if a registrant determines that disclosure is required, the registrant is expected to “describe the nature of the material risks and specify how each risk affects the registrant,” avoiding generic disclosures.

The SEC indicated that in analyzing cyber security risks and whether those risks should be reported, registrants should take the following into account:

  • prior cyber incidents and the severity and frequency of those incidents;
  • the probability of cyber incidents occurring and the quantitative and qualitative magnitude of those risks, including the potential costs and other consequences resulting from misappropriation of assets or sensitive information, corruption of data or operational disruption; and
  • the adequacy of preventative actions taken to reduce cyber security risks in the context of the industry in which they operate and risks to that security, including threatened attacks of which they are aware.

Additionally, the guidance advises registrants to address risks and incidents in their MD&A “if the costs or other consequences associated with one or more known incidents or the risk of potential incidents represent a material event, trend, or uncertainty that is reasonably likely to have a material effect on the registrant’s results of operations, liquidity, or financial condition or would cause reported financial information not to be necessarily indicative of future operating results or financial condition.” Other situations requiring disclosure include if one or more incidents has materially affected a registrant’s “products, services, relationships with customers or suppliers, or competitive conditions” and if an incident is involved in a material pending legal proceeding to which a registrant or any of its subsidiaries is a party.  Registrants are also expected to disclose certain security incidents on financial statements, as well as the effectiveness of disclosure controls and procedures on filings with the SEC.

While cyber security risk has always been a potential financial disclosure issue, and something that directors and officers need to take into account, the SEC guidance really highlights the issue and brings it to the fore. Even so, materiality is still going to be a big issue, and not every breach will need to be reported, as many (if not most) will not likely involve the potential for a material impact to a company.

What the guidance document does stress, however, is process and risk assessment. One read of this guidance is that companies internally are going to have to more carefully forecast and estimate the impact of cyber incidents and the consequences of failing to implement adequate security. This analysis will go well beyond privacy-related security issues where most companies have focused (due to various privacy laws and regulator activity), and implicate key operational issues impacted by security breaches. It will be interesting to see how this affects the internal corporate dynamics between CIOs and their business counterparts. This guidance may provide additional leverage for security risk managers to obtain bigger budgets, new technology and more personnel.

This guidance may impact the traditional breach notification process as well. Companies may now need to analyze not only whether notice to impacted individuals is necessary, but also whether shareholders should be getting a disclosure in financial statements. This new guidance also raises the specter of directors and officers (D&O) lawsuits. We saw a D&O suit in the Heartland data breach that went nowhere; does this guidance provide more legs to plaintiffs? Only time will tell.

FTC Takes a Big Step in Privacy Enforcement with Google Buzz Settlement

The Google Buzz settlement that the Federal Trade Commission announced on March 30, 2011 is the latest in the line of the Commission’s numerous Section 5 actions related to privacy and data security violations. The Google Buzz settlement, however, is unique in several important ways. The settlement represents:

  • The first FTC settlement order that requires a company to implement a comprehensive privacy program to protect the privacy of consumers’ information; and

Let’s dive in (make sure to read the "Action Item" at the conclusion of the post!):

Factual Allegations

The FTC alleged in its complaint that Google violated Section 5 of the FTC Act by engaging in deceptive tactics and violating its own privacy promises to consumers in connection with the launch of the company’s social network, Google Buzz, in 2010. The FTC also alleged that with respect to the data of its European users, Google violated the Notice and Choice principles of the U.S.-EU Safe Harbor self-regulatory framework for cross-border data transfer, in violation of the company’s certification of adherence to the framework.

The FTC alleged that when Google launched Buzz, the company used its customers’ email contact lists to populate the social network. As a result, by default, when Buzz launched, Gmail users became social network “followers” of other users – including those in their email contact lists – and were “followed” by their contacts. While Google's set-up process appeared to provide users with choices not to enroll in Buzz (such as “Nah, go to my inbox” and “Turn off Buzz”), the FTC alleged that selecting those options did not actually opt the users out of Buzz. Instead, users continued to be followers of and followed by other Gmail users. Gmail users complained that the automatic generation of follower lists resulted, in some cases, in users following and being followed by individuals against whom they had obtained restraining orders, abusive ex-spouses, clients of mental health professionals and attorneys, and job recruiters.

The FTC also alleged that Google did not adequately inform users that their previously private information, such as their contact lists and profiles, would become public by default when they used Buzz. According to the FTC, Google did not provide clear means for users to change privacy settings to prevent the public disclosure of this information.

The FTC further alleged that the launch of Buzz resulted in the disclosure of personal information that was contrary to the users’ specific choices. For example, if a Gmail user blocked another individual from Google Chat, that individual could still be a follower of the user on Buzz. Further, Buzz users did not have the ability to block followers who did not have a public Google profile. Finally, a flawed design of the Buzz comment reply mechanism resulted in broad disclosure of users’ private email addresses.

Violations of the FTC Act

The FTC alleged that Google’s handling of privacy settings in connection with the launch of Buzz (as described above) violated the company’s own privacy notices and Section 5 of the FTC Act’s prohibition against unfair or deceptive acts or practices. Specifically, according to the FTC, Google:

  • By using Gmail information to populate Buzz -- failed to abide by the pledge in the company’s privacy policy to use information from consumers signing up for Gmail only for the purpose of providing them with a web-based email service;
  • By using Gmail information in connection with Buzz -- failed to abide by the pledge in the company’s privacy policy to seek users’ consent to use their information for a purpose other than that for which the data was collected; and
  • By not respecting users’ privacy choices (such as “Nah, go to my inbox” and “Turn off Buzz”), and misleading users about what information in their profiles would become public and which of their contact lists would become public in connection with Buzz -- engaged in deceptive acts or practices.

U.S.-EU Safe Harbor Framework Violations

The Google Buzz settlement is the FTC’s first substantive U.S.-EU Safe Harbor framework enforcement action in which the Commission alleged specific violations of the Safe Harbor privacy principles. On several previous occasions, the FTC took enforcement action against companies that claimed to be Safe Harbor certified but were not in fact members of the program. Google maintained an up-to-date Safe Harbor self-certification on the U.S. Department of Commerce Safe Harbor list and stated in its privacy policy that it adhered to the Safe Harbor privacy principles.

The Safe Harbor framework consists of a set of privacy principles developed by the U.S. Department of Commerce in collaboration with the European Commission. The framework is intended to provide U.S. companies with a mechanism for receiving personal information from the European Union, European Economic Area or Switzerland in compliance with the European Commission’s Data Protection Directive 95/46/EC and the Swiss Federal Act on Data Protection. U.S. companies that participate in the Safe Harbor framework are deemed by the European Commission and the Information Commission of Switzerland to provide an “adequate” level of privacy protection, enabling the certified U.S. companies to receive and process European data in the U.S.

Among other provisions, the Safe Harbor privacy principles require companies that receive European personal data in the U.S. to give the individuals to whom the information pertains:

  • Notice of how the company uses their personal information (the Notice principle);
  • Choice to direct the company to refrain from sharing the information with certain third parties (the Choice principle); and
  • The opportunity to opt out of having their information used for purposes incompatible with those for which the information was collected or to which they have consented (also the Choice principle).

In practice, a Safe Harbor-certified company in the U.S. that wishes to use or disclose personal data of European residents for purposes incompatible with the purposes for which the information was collected or to which the users have consented, must (i) provide users with a notice of the proposed new use or disclosure, and (ii) give users an opportunity to direct the company not to use or disclose the information in the proposed manner.

The FTC alleged that Google relied on its Safe Harbor certification to transfer data collected from Gmail users from Europe to the United States for processing. According to the FTC, the company also processed this information in connection with the launch of Buzz. The complaint alleged that Google violated the Notice and Choice principles by not giving European users notice before using their Gmail information in connection with Buzz. Google’s alleged non-compliance with the Safe Harbor Notice and Choice principles constituted a deceptive act or practice in violation of Section 5 of the FTC Act.  

Settlement

The FTC has billed this enforcement action as a “tough settlement that ensures that Google will honor its commitments to consumers and build strong privacy protections into all of its operations.” The settlement includes several major requirements.

Prohibition Against Misrepresentations

The settlement prohibits Google from misrepresenting the company's privacy practices with respect to “covered information” or the company’s compliance with any privacy, security or other compliance program, including the U.S.-EU Safe Harbor framework. Importantly, the term “covered information” is broader than the term “personal information” that the FTC has used in its previous privacy enforcement consent orders. “Covered information” includes not only the traditional personal information elements (e.g., name, postal or email address, and telephone number), but also an IP address or an individual’s physical location or list of contacts. The broader definition of “covered information” is consistent with the FTC’s increasingly expansive view of the information associated with an individual that warrants protection. For example, in its report on Self-Regulatory Principles For Online Behavioral Advertising: Tracking, Targeting, and Technology, the FTC refused to provide a bright-line rule for delineating personal and non-personal information. Instead, the FTC took the position that behavioral advertising principles "should apply to data that could reasonably be associated with a particular consumer or computer or other device, regardless of whether the data is 'personally identifiable' in the traditional sense." Similarly, the FTC’s report “Protecting Consumer Privacy in an Era of Rapid Change, A Proposed Framework for Businesses and Policymakers” (the "Privacy Report") argued for protecting consumer data that can reasonably be linked to a specific consumer, computer or device.

Notice and Consent

The settlement requires Google to provide its users with notice and choice prior to sharing users’ information with third parties in certain circumstances. Specifically, if the proposed disclosure is contrary to the data sharing practices Google represented to be in effect at the time the information was collected, the settlement requires Google to give users a clear and prominent notice of the proposed disclosure and to obtain their “express affirmative consent.” While the settlement does not define “express affirmative consent,” at a minimum, this provision will require Google to offer users a prominent, transparent means for exercising their privacy choices. 

Comprehensive Privacy Program

The FTC stated that the Buzz settlement is the first to require a company to implement a comprehensive privacy program to protect the privacy of consumers’ information. The inclusion of this requirement in the settlement appears to be the first application of the “privacy by design” philosophy that the Commission articulated in its Privacy Report. The FTC’s “privacy by design” approach calls on companies to build privacy protections into their business practices. Such protections should include sound mechanisms for allowing consumers to exercise their privacy choices, reasonable security for consumer data, limited collection and retention of consumer data, secure disposal of the data, and reasonable procedures to promote data accuracy. The report also called for companies to implement and enforce procedurally sound privacy practices throughout their organizations, including by assigning personnel to oversee privacy issues, training employees and conducting privacy reviews for new products and services.

The settlement requires Google to maintain a written, comprehensive privacy program that is reasonably designed to (i) address privacy risks related to the development and management of new and existing products and services, and (ii) protect the privacy and confidentiality of covered information (as defined above). Google must include in its privacy program the privacy controls and procedures appropriate to the company's size and complexity, the nature and scope of its activities, and the nature of covered information.

Specifically, the settlement requires Google to:

  • Designate staff responsible for the privacy program;
  • Conduct a risk assessment to identify reasonably-foreseeable risks that could result in the unauthorized collection, use, or disclosure of covered information and assess the sufficiency of any safeguards in place to control these risks;
  • Design and implement reasonable privacy procedures to control the risks identified through the privacy risk assessment;
  • Regularly test or monitor the effectiveness of the program’s key privacy controls and procedures;
  • Develop and use reasonable steps to select and retain service providers capable of appropriately protecting the privacy of covered information they receive from Google;
  • Require relevant service providers by contract to implement and maintain appropriate privacy protections; and
  • Evaluate and adjust the company's privacy program in light of the results of the testing and monitoring, any material changes to the company's operations or business arrangements, or any other circumstances that may have a material impact on the effectiveness of the company’s privacy program.

Compliance Requirements

In addition to the specific requirements regarding the company’s privacy practices, the settlement mandates a compliance and reporting program, including biennial assessments and reports from a qualified, objective and independent third-party professional. The reports must certify, among other things, that:

  • Google has in place a privacy program that provides protections that meet or exceed the protections required by the settlement order; and
  • Google’s privacy controls are operating with sufficient effectiveness to provide reasonable assurance that the privacy of covered information is protected.

Google must retain the materials relied upon to prepare the third-party assessments for a period of three years from the date of the assessment. 

The settlement also requires Google to:

  • Retain all “widely disseminated statements” that describe the extent to which the company maintains and protects the privacy and confidentiality of any covered information, along with all materials relied upon in making or disseminating such statements, for a period of three years;
  • Retain for a period of six months (i) all consumer complaints directed at Google, or forwarded to Google by a third party, that allege unauthorized collection, use or disclosure of covered information and (ii) any responses to such complaints;
  • Retain for a period of five years documents that contradict, qualify or call into question the company’s compliance with the terms of the settlement;
  • Disseminate the consent order to the company’s current and future principals, officers, directors and managers, and to all current and future employees, agents and representatives who have supervisory responsibilities relating to covered information; and
  • Notify the FTC of changes in the company’s corporate status.

Action Item

As we often note on this blog, privacy enforcement activity is rising exponentially, whether in the format of state and federal regulatory actions, class action suits, media exposés or public admonitions by regulators. This enforcement activity presents a significant risk to companies whose business models rely heavily on the collection, use or disclosure of information associated with individuals. If your company has not already done so, now is the perfect time to review the company’s privacy and information security practices, conduct a privacy and information security assessment, and take steps to ensure that the company’s practices comply with the various privacy and information security requirements, including FTC guidance.

Do Your Due Diligence - Is the Forecast Cloudy or Clear?

Dave and I recently spoke with BNA's Daily Report for Executives about the importance of due diligence and planning for organizations entering into (or considering) enterprise cloud computing arrangements. The article is reproduced here with permission from Daily Report for Executives, 168 DER C-1 (Sept. 1, 2010). Copyright 2010 by The Bureau of National Affairs, Inc. (800-372-1033) http://www.bna.com. You can find the article, ‘Cloud’ Customers Facing Contracts With Huge Liability Risks, Attorneys Say, here.

As you can probably tell, the attorneys of InfoLawGroup have been quite busy of late.  We promise to bring you new posts very soon on recent developments in breach notification, cloud, and even ethics.  Stay tuned.


The Legal Defensibility Era is Upon Us

The ISSA Journal was recently kind enough to provide me with the opportunity to publish an article entitled "The Legal Defensibility Era" (the cover article for its May 2010 publication, which focuses on legal issues impacting information security).  Here is the abstract for the article:

The era of legal defensibility is upon us. The legal risk associated with information security is significant and will only increase over time. Security professionals will have to defend their security decisions in a foreign realm: the legal world. This article discusses implementing security that is both secure and legally defensible, which is key for managing information security legal risk.

So, what does "legal defensibility" mean in the security context? 

While some security professionals have begun to address the concept from the security side, my article comes at it from an attorney's perspective. In a nutshell, legal defensibility is an integrated and holistic strategy for reducing legal risk with respect to an organization's information security program. The goals are not only "good security" (which is paramount both for preventing a breach and for defending it in court), but also security that can be adequately defended in a legal context, with the goal of reducing legal and liability risk:

The focus of legal defensibility is understanding how a plaintiff’s attorney, judge, jury, or regulator will view an organization’s security posture in light of applicable legal requirements. Under a legal defensibility analysis, security choices become legal positions or arguments to be used to persuade legal decision-makers that an organization’s security was legally sound, and increase the likelihood that a judge, jury, or regulator will find a company legally compliant. Ultimately, there may not be a clear “right” or “wrong” answer, but rather a more or less persuasive legal argument/position on security.

Employing a legal defensibility strategy goes beyond superficial "checklist-oriented" compliance and recognizes that ambiguities exist in the law that, if not properly addressed, could adversely impact a company. It recognizes the need for a close working relationship between legal and security that allows both roles to understand how the other operates. It requires changing the security team's frame of reference slightly to enable them to understand how their decisions will be scrutinized in a legal realm. Under a legal defensibility model, security decisions become legal positions to address issues like "reasonable security," risk and compliance with specific regulatory mandates.

Even the communication mode is altered -- best practice is to establish attorney-client privilege to attempt to shield the "sausage making" (and related paper trail) that sometimes goes into developing a security program. Documentation of decisions, and of the rationales for those decisions, becomes important to create a historical artifact to be unearthed in the event of legal action. This documentation will allow the organization to justify its processes and put itself in the best light in front of a legal decision maker.

For legally defensible security, a key consideration is the process for making security decisions. An established decision-making process that takes into account accepted and relevant security standards, risk management and legal requirements is better than an ad hoc approach. It provides for consistency across an organization and over time, provides a basis for courts to analyze the adequacy of a company's security program, and is easier to defend if reasonable and followed. Coupled with documentation, having a well-conceived and consistent process can assist an organization's position in a legal context and reduce risk.

Final thoughts. As legal risk increases, a legal defensibility approach will become more important and eventually commonplace. Our data-driven society, and the legal risks arising out of it, dictate that we work together. Now is the time for legal, privacy and security professionals to break down the arbitrary and antiquated walls that separate their professions. The distinctions between security, privacy and compliance are becoming so blurred as to ultimately be meaningless. Like it or not, it all must be dealt with holistically, at the same time, and with expertise from multiple fronts. In this regard we must all develop thick skins and not be afraid to stop zealously guarding turf. The reality is, the legal and security worlds have collided, and most lawyers don't know enough about security, and most security professionals don't know enough about the law. Let's change that. With the era of legal defensibility upon us, it is past time that this conversation went to the next level. So please take a look at my article. I sincerely look forward to your comments and constructive criticism on my thoughts.

The New Health Care Breach Notification Landscape -- HHS Rules

On February 17, 2009, Congress signed into law the Health Information Technology for Economic and Clinical Health or “HITECH” Act (“HITECH” or the “Act”) as part of the American Recovery and Reinvestment Act. The HITECH Act requires entities covered by the Health Insurance Portability and Accountability Act (“HIPAA”) to provide notification to affected individuals and to the Secretary of Health and Human Services (“HHS”) following the discovery of a breach of unsecured protected health information. HITECH also requires business associates of HIPAA-covered entities to notify the covered entity in the event of the breach.  The Act required HHS to issue interim final regulations with respect to the new breach notification requirements. On August 24, 2009, the HHS interim final regulations were published in the Federal Register.  This post addresses some of the requirements of the HHS rules -- it does not address the FTC's rules for personal health records.

The HHS Rule was effective, and compliance was required, for breaches occurring on or after September 23, 2009. However, HHS will not impose sanctions for failure to provide the required notification for breaches discovered before 180 calendar days from August 24, 2009 (publication in the Federal Register).

When Is Notification Required?

Organizations subject to the HHS Rule can follow three steps to determine whether there has been a breach requiring notification:

1. Has there been an impermissible use or disclosure of unsecured PHI under the Privacy Rule?

2. Has the impermissible use or disclosure compromised the security or privacy of the PHI? That is to say, is there a significant risk of financial, reputational, or other harm to the individual?

3. Does the incident fall under one of three exceptions?

Is There a Breach?

The Rule defines a breach as the acquisition, access, use, or disclosure of PHI in a manner not permitted under the Privacy Rule which compromises the security or privacy of such information.

Is There a Significant Risk of Financial, Reputational, or Other Harm to the Individual?

Importantly, the HHS Rule incorporates a harm threshold into the definition of breach by requiring that the incident “[c]ompromise[] the security or privacy of” PHI. HHS interprets that language to mean that the incident “poses a significant risk of financial, reputational, or other harm to the individual.” Thus, covered entities and business associates facing a potential breach incident must perform a risk assessment to determine whether the breach triggers a notification obligation.

Risk assessments must be fact-specific inquiries. A risk assessment performed pursuant to the Rule should determine who impermissibly used the information and/or to whom the information was impermissibly disclosed, and should address the type and amount of PHI involved in the impermissible use or disclosure.

Covered entities and business associates bear the burden of proof of demonstrating that no breach occurred because the impermissible use or disclosure did not pose a significant risk of harm to the individual.

What Are the Three Exceptions?

There are three exceptions to the HHS Breach Rule. They are:

1. Certain unintentional acquisition, access, or use by workforce members or persons acting under the authority [i.e., on behalf] of a covered entity or business associate, if made in good faith, within the course and scope of employment or other professional relationship, and that does not result in further use or disclosure in violation of the Privacy Rule;

2. Certain inadvertent disclosures among similarly situated persons authorized to access PHI at the same covered entity, business associate, or organized health care arrangement, if the information is not further used or disclosed without authorization; or

3. Where the covered entity or business associate has a good faith belief that the unauthorized person to whom the disclosure of PHI was made would not reasonably have been able to retain the information.

Notice to Individuals

If notice is required, covered entities must provide notice to affected individuals in written form by first-class mail at the last known address of the individual without unreasonable delay and in no case later than 60 days following the discovery of a breach. Notice may be in the form of electronic mail, provided the individual agrees to receive electronic notice and such agreement has not been withdrawn.

If the covered entity lacks sufficient contact information for some or all of the individuals, or if some notices are returned as undeliverable, the covered entity must provide substitute notice as soon as reasonably possible after it becomes aware that it has insufficient or out-of-date contact information for one or more affected individuals.  Substitute notice must be reasonably calculated to reach the affected individuals. If there are fewer than 10 affected individuals, the covered entity can provide substitute notice through an alternative form of written notice, by telephone, or other means. If 10 or more individuals are affected, the covered entity must provide substitute notice by either (a) conspicuous posting for a period of 90 days on the home page of its website; or (b) conspicuous notice in major print or broadcast media in the geographic areas where the individuals affected by the breach likely reside. This notice must include a toll-free phone number active for 90 days where the individual can learn whether unsecured PHI may be included in the breach.

Content of the Notice

Notices must be in plain language. The notice must include the following:

1. a brief description of what happened, including the date of breach and date of discovery of the breach, if known;

2. a description of the types of unsecured PHI that were involved in the breach;

3. any steps the individuals should take to protect themselves from potential harm resulting from the breach;

4. a brief description of what the entity involved is doing to investigate the breach, to mitigate harm to individuals, and to protect against any further breaches; and

5. contact procedures for individuals to ask questions or learn additional information, including a toll-free telephone number, an e-mail address, web site, or postal address.

Notices must comply with any other applicable laws.

Notice to the Secretary of HHS

Covered entities must notify the Secretary of HHS immediately following the discovery of a breach of unsecured PHI involving 500 or more individuals. HHS must post a list identifying each such covered entity on its website. For breaches involving fewer than 500 individuals, the covered entity must maintain a log and annually submit the log to the Secretary documenting the breaches occurring during the year involved. The log must be provided to HHS no later than 60 days after the end of each calendar year. These logs must be kept for six years (like other records subject to HIPAA records retention requirements). Covered entities must make the records available to the Secretary upon request.

Notification of the Media

Covered entities must notify prominent media outlets serving a State or jurisdiction without unreasonable delay and in no case later than 60 calendar days after discovery of the breach, if unsecured PHI of more than 500 residents of such State or jurisdiction is the subject of a breach. This notice should include the same information provided in notices to individuals. This can be done by a press release. “Jurisdiction” is defined as a geographic area smaller than a state, such as a county, city, or town.

Business Associate Notice Obligations

Following discovery of a breach of unsecured PHI, a business associate must notify the covered entity of the breach without unreasonable delay and in no case later than 60 days following the discovery of a breach. As with covered entities, the breach is discovered as of the first day on which it is known or, by exercising reasonable diligence, would have been known. The business associate is deemed to have knowledge if the breach is known, or by exercising reasonable diligence would have been known, to any person, other than the person committing the breach, who is an employee, officer or other agent of the business associate, determined in accordance with the federal common law of agency. If the business associate is an agent, then the business associate’s discovery of the breach is imputed to the covered entity, and the covered entity must provide notifications based on the time of the business associate’s discovery of the breach. However, if the business associate is an independent contractor, then the covered entity must provide notification based on the time the business associate notifies the covered entity. For this reason, it is important that covered entities and business associates address timing of notification in their contracts.

To the extent possible, the business associate must provide the identity of each individual whose unsecured PHI has been or is reasonably believed to have been breached. In addition, the business associate must provide the covered entity with any other available information that the covered entity is required to include in notification to the individual, either at the time it provides notice to the covered entity of the breach, or promptly thereafter as information becomes available.

Of course, covered entities and business associates can still set forth specific obligations in contracts, provided that all required notifications under the Rule are provided and that the other requirements of the interim final rule are met. Indeed, HHS encourages the parties to ensure that individuals do not receive notifications from both the covered entity and the business associate.

Law Enforcement Delay

Like some state breach notification laws, the HHS Rule requires covered entities to temporarily delay notification if instructed to do so by a law enforcement official. Such a request tolls the time within which notification is required.