When there is a data security breach, state and federal data breach notification laws place time limits on when those who are affected must be notified. Failing to give timely notice of a data breach can be quite costly. Several state data breach notification laws and some federal laws, such as the Health Insurance Portability and Accountability Act (HIPAA), impose civil fines for untimely notification.
It is important for data breaches to be reported promptly to those who may have been affected, so that people whose personal data was exposed can take steps to protect themselves from further harm. The sooner a person with compromised data learns about the breach, the sooner he or she can mitigate the possible repercussions, for example by checking credit reports and obtaining credit or identity theft monitoring services.
According to a recent article on Bloomberg BNA, an Illinois health system was recently saddled with a hefty settlement after taking too long to report a data breach to the proper parties under HIPAA's breach notification requirements. Presence Health learned in October 2013 that it had suffered a data breach involving paper records, but waited until early February 2014 before notifying those who were affected. This delay of nearly four months well exceeded the 60-day window for notification under HIPAA's Breach Notification Rule.
Data breaches are not to be taken lightly in Illinois, particularly when the breach involves confidential patient information. Presence Health attributed the notification delay to a miscommunication and made no admission of liability when it agreed to pay $475,000 in its recent HIPAA settlement. In addition to the payment, Presence Health also agreed to a two-year corrective action plan.
The HIPAA Breach Notification Rule, codified at 45 CFR §§ 164.400–414, requires HIPAA covered entities and their business associates to notify individuals affected by a breach of unsecured protected health information without unreasonable delay, and in no case later than 60 calendar days after the breach is discovered. The notification must further include:
There is no time to lose once a data security breach has been identified. All 50 states have data breach notification laws, and many of them set specific timeframes within which notifications must be made. The consequences for entities that do not take breach notification seriously are costly.
All 50 states have enacted data breach notification laws, but the deadlines and requirements vary significantly. Understanding which states' laws apply, and which of them imposes the shortest deadline, is the first task for any business responding to a breach that affected residents of multiple states.
When a breach affects residents of multiple states, the business must comply with each affected state's law at the same time. In practice, this means identifying the state with the shortest notification deadline and treating it as the controlling deadline for all notifications: no state's deadline can be missed, and the only way to satisfy all of them is to meet the fastest one.
The notification clock starts at "discovery", but discovery is often not a single moment. Regulators generally treat a breach as discovered once the business has enough information to reasonably determine that a breach has occurred, even if its full scope is not yet known. Under HIPAA, for example, a breach is treated as discovered on the first day it is known to the entity, or would have been known had the entity exercised reasonable diligence, and the rule's only recognized basis for delay is a law enforcement request under 45 CFR § 164.412. A business cannot toll the notification deadline by conducting an extended forensic investigation before formally declaring that a breach has been discovered.
This means that businesses must often begin the notification process while the forensic investigation is still underway, supplementing initial notifications with follow-on communications as additional facts become known. Some state statutes expressly permit phased notification: an initial notice within the deadline followed by a supplemental notice once more information is available. Others require a single notice containing all required elements, which makes it essential to move the forensic investigation quickly.
Civil fines for untimely or non-compliant breach notification are real and have been growing. HIPAA fines are tiered by culpability, ranging from $100 per violation (where the entity did not know, and could not reasonably have known, of the violation) to $50,000 per violation (for willful neglect not corrected within 30 days), with an annual cap of $1.5 million for all violations of an identical provision; these are the figures as originally set, and they are adjusted for inflation. The Presence Health settlement of $475,000 for a delay of roughly 120 days is one of dozens of HIPAA enforcement actions HHS OCR has resolved through settlement or civil money penalty.
State attorneys general are also active enforcement authorities. In California, the Attorney General can seek civil penalties of up to $2,500 per CCPA violation (up to $7,500 per intentional violation), and the CCPA separately gives consumers a private right of action with statutory damages of $100 to $750 per consumer per incident for breaches caused by a failure to maintain reasonable security. Florida requires notice within 30 days of determining that a breach occurred, and its Attorney General can seek civil penalties of $1,000 per day for the first 30 days of a violation and $50,000 for each 30-day period thereafter, up to a maximum of $500,000 per breach. Beyond regulatory penalties, untimely notification strengthens the plaintiff class's damages claim in breach class action litigation, because delayed notice extends the period during which consumers were exposed without the ability to protect themselves.
The attorneys at Revision Legal have extensive experience helping businesses of all sizes manage data breach notification obligations across all 50 states and under federal law. If your business has experienced a breach, or if you want to build a notification compliance program before one occurs, contact us using the form on this page or call us at 855-473-8474.
When a breach affects residents across multiple states, the operational challenge of simultaneous multi-state notification is substantial. A business must identify the residential location of every affected individual, map each state’s specific notification requirements and deadlines, draft notification letters that satisfy the most demanding requirements of every applicable state simultaneously, engage notification vendors capable of meeting print and mail deadlines, and prepare regulatory notifications to state attorneys general in the required format and timeframe.
Businesses that attempt to manage multi-state breach notification without specialized legal counsel frequently make costly errors: sending notifications that omit required content elements, missing notification deadlines for individual states, or failing to notify state regulators in states that require government notification alongside individual notice. Each such error can independently give rise to regulatory enforcement action and can support class action plaintiffs' claims that the notification program was inadequate.
The experienced data breach notification attorneys at Revision Legal have guided businesses through multi-state notifications involving residents of all 50 states simultaneously, and have developed streamlined protocols for meeting even the most compressed notification deadlines. If your business has experienced a breach, do not attempt to navigate multi-state notification without counsel. Contact us using the form on this page or call us at 855-473-8474.