Businesses that experience data breaches affecting customer banking, credit card, tax, social security or certain other personal financial or other sensitive information, like those reported by Chipotle, Target, Home Depot and a growing multitude of other businesses, generally bear a legal duty to quickly notify affected individuals under state, if not federal, law. Failing to promptly notify affected persons generally creates or enhances the potential exposure of the business to regulatory penalties for failing to comply with data security and breach notification rules. It also increases the practical likelihood that the business will face damages arising from financial or other injuries suffered by the subjects of the data as a result of misuse of the misappropriated data by identity thieves before the subject learns of, or has an opportunity to mitigate, their exposure.
Depending on the nature of the business and the data it collects, a business generally bears a duty to safeguard the confidentiality and security of a wide range of electronic or other personal financial, tax and other data under various federal and state laws such as the Fair and Accurate Credit Transactions Act (FACTA), the Internal Revenue Code, the Health Insurance Portability & Accountability Act (HIPAA), state identity theft laws, and a host of other statutes and regulations, contractual agreements, or both.
While the particulars vary somewhat depending on the jurisdiction, nature of the business or other factors, the applicable state electronic confidentiality and data security requirements in most states and under some federal laws include express duties to notify subjects of the breached data and in some cases, regulators, or others when a breach happens as quickly as possible or otherwise within a narrow window of time following the breach or its discovery.
For instance, in addition to requiring businesses to secure and protect “sensitive personal information,” the Identity Theft Enforcement and Protection Act generally requires businesses operating in Texas that experience an “unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of sensitive personal information” (a “breach of system security”) to disclose any breach of system security, after discovering or receiving notification of the breach, to any individual whose sensitive personal information was, or is reasonably believed to have been, acquired by an unauthorized person as “quickly as possible.”
Where the breach impacts computerized data that includes sensitive personal information not owned by the business experiencing the breach, Texas law also generally requires the breached business “to notify the owner or license holder of the information of any breach of system security immediately after discovering the breach, if the sensitive personal information was, or is reasonably believed to have been, acquired by an unauthorized person” in the time and manner required by the statute. While the law permits delayed notice under certain narrow circumstances to avoid impeding law enforcement efforts, these breach notifications generally apply in addition to any notice or disclosure obligations otherwise applicable to the business contractually or under federal law.
Failing to fulfill these duties can be an expensive mistake. In addition to any other contractual or civil liability for damages sustained by the subjects or owners of the breached data and penalties applicable under federal law, the Texas law specifies that violation of its requirements:
- Is a deceptive trade practice that can render the business liable to injured subjects for civil judgements awarding actual and exemplary damages plus attorneys’ fees and other costs of enforcement;
- Subjects the business to liability for a civil penalty to the State of Texas:
  - Generally of at least $2,000 but not more than $50,000 for each violation;
  - If the business fails to take reasonable action to comply with the notice requirements of the statute, liability for a civil penalty of up to $100 per day (not to exceed $250,000 for all individuals to whom notification is due after a single breach) for each individual to whom notification is due for each consecutive day that the person fails to take reasonable action to comply with the notice requirement;
- In some cases, equitable relief to (1) prevent any additional harm to a victim of identity theft or a further violation of this chapter; or (2) satisfy any judgment entered against the defendant, including issuing an order to appoint a receiver, sequester assets, correct a public or private record, or prevent the dissipation of a victim’s assets; plus attorneys’ fees and other costs of enforcement.
Where a business operates in multiple states, the business typically faces exposure under the laws of each jurisdiction where it operates with data impacted by the breach.
Given the potential magnitude of the liability, businesses generally need not only to take well-documented steps to properly safeguard sensitive electronic personal information and the systems holding or using it, but also to be prepared to promptly provide notice in the event of any breach within the short time contemplated by law. When considering when to provide notice of a breach, business leaders should anticipate that the short deadline for providing notice to impacted subjects and owners of the compromised data typically will require notification before a full investigation of the breach can be completed. Given the potential sanctions for failing to provide timely notice, however, a business generally will want to consult with legal counsel knowledgeable about and experienced in counseling and assisting businesses to identify and provide the required notifications within the scope of attorney-client privilege. In deciding when and what legal counsel to seek, business leaders should be cautious about discussing sensitive information involving risk management with consulting vendors or services not engaged within the scope of attorney-client privilege, in order to help safeguard sensitive discussions and analysis from otherwise avoidable evidentiary discovery. Likewise, given the short time allowed for breach mitigation and notification, businesses should weigh carefully whether to engage regulatory counsel to assist with the initial breach notification and mitigation, separate and apart from any cyber litigation defense counsel that might be available under applicable cyber insurance policies, unless the proposed litigation defense counsel has proven regulatory knowledge, experience and qualifications in handling breach mitigation and notification events.
About The Author
Cynthia Marcotte Stamer is a Martindale-Hubbell “AV-Preeminent” (Top 1%) rated practicing attorney and management consultant, health industry public policy advocate, widely published author and lecturer, recognized for her nearly 30 years of work on health, insurance, financial, retail, hospitality industry, manufacturing, service, energy, government and other privacy and data security and other legal and operational concerns as a LexisNexis® Martindale-Hubbell® “LEGAL LEADER™” and “Top Rated Lawyer” in Health Care Law and Labor and Employment Law; a D Magazine “Best Lawyers In Dallas” in the fields of “Health Care,” “Labor & Employment,” “Tax: Erisa & Employee Benefits” and “Business and Commercial Law”; and a Fellow in the American Bar Foundation, the Texas Bar Foundation and the American College of Employee Benefit Counsel.
Scribe for the ABA JCEB annual agency meeting with OCR for many years, Ms. Stamer is well-known for her extensive work and leadership throughout her career on HIPAA, FACTA, PCI, IRC and other tax, Social Security, GLB, trade secret, physician and other medical confidentiality and privacy, federal and state data security and data breach, and other information privacy and data security rules and concerns. Ms. Stamer has worked extensively throughout her career with health care providers, health plans, health care clearinghouses, their business associates, employers and other plan sponsors, banks, insurers and other financial institutions, and others on trade secret confidentiality, privacy, data security and other risk management and compliance, including design, establishment, documentation, implementation, audit and enforcement of policies, procedures, systems and safeguards; drafting and negotiation of business associate, chain of custody, confidentiality, and other contracting; risk assessments, audits and other risk prevention and mitigation; investigation, reporting, mitigation and resolution of known or suspected breaches, violations or other incidents; defending investigations or other actions by plaintiffs, OCR, FTC, state attorneys general and other federal or state agencies, other business partners, patients and others; reporting known or suspected violations; commenting on or obtaining other clarification of guidance and other regulatory affairs, training and enforcement; and a host of other related concerns.
Her clients include public and private health care providers, health insurers, health plans, employers, payroll, staffing, recruitment, insurance and financial services, health and other technology and other vendors, and others.
Ms. Stamer is the author of a multitude of highly-regarded works and training programs on HIPAA and other data security, privacy and use published by BNA, the ABA and other premier legal industry publishers. In addition to representing and advising these organizations, she also speaks extensively and conducts training on health care and other privacy and data security and many other matters, including Privacy & The Pandemic for the Association of State & Territorial Health Plans, as well as HIPAA, FACTA, PCI, medical confidentiality, insurance confidentiality and other privacy and data security compliance and risk management for the Los Angeles County Health Department, ISSA, HIMSS, the ABA, SHRM, schools, medical societies, government and private health care and health plan organizations, their business associates, trade associations and others. For instance, Ms. Stamer has been a featured faculty member at the ISSA-LA Information Security Summit for each of the past 9 years and has served as steering committee chair, faculty member and moderator of its Medical Privacy Summit for the past 5 years.
Beyond these involvements, Ms. Stamer also is active in the leadership of a broad range of other professional and civic organizations. Through these and other involvements, she helps develop and build solutions, build consensus, garner funding and other resources, manage compliance and other operations, and take other actions to identify and promote tangible improvements in health care and other policy and operational areas.
For additional information about Ms. Stamer, see here or contact Ms. Stamer directly by e-mail here or by telephone at (469) 767-8872. ©2017 Cynthia Marcotte Stamer. Limited, non-exclusive right to republish granted to Solutions Law Press, Inc. All other rights reserved.