Better planning and management can head off most, but not all, problems. Sometimes things go wrong even when you do everything right. Either way, better management usually minimizes the damage and makes it easier to clean up the mess. It is never too late to start planning, preparing and doing better.
Businesses that experience data breaches affecting customer banking, credit card, tax, Social Security or other personal financial or sensitive information, like those reported by Chipotle, Target, Home Depot and a growing multitude of other businesses, generally bear a legal duty to quickly notify affected individuals under state, if not federal, law. Failing to promptly notify affected persons generally creates or enhances the business’s exposure to regulatory penalties for failing to comply with data security and breach notification rules. It also increases the practical likelihood that the business will face damages arising from financial or other injuries suffered by the subjects of the data when identity thieves misuse the misappropriated data before the subject learns of the breach or has an opportunity to mitigate the exposure.
Depending on the nature of the business and the data it collects, a business generally bears a duty to safeguard the confidentiality and security of a wide range of electronic or other personal financial, tax and other data under various federal and state laws such as the Fair and Accurate Credit Transactions Act (FACTA), the Internal Revenue Code, the Health Insurance Portability & Accountability Act (HIPAA), state identity theft statutes, and a host of other statutes and regulations, contractual agreements, or both.
While the particulars vary somewhat depending on the jurisdiction, the nature of the business and other factors, the electronic confidentiality and data security requirements in most states, and under some federal laws, include express duties to notify the subjects of the breached data and, in some cases, regulators or others when a breach occurs, either as quickly as possible or within a narrow window of time following the breach or its discovery.
For instance, in addition to requiring businesses to secure and protect “sensitive personal information,” the Identity Theft Enforcement and Protection Act generally requires businesses operating in Texas that experience an “unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of sensitive personal information” (a “breach of system security”) to disclose the breach, after discovering or receiving notification of it, to any individual whose sensitive personal information was, or is reasonably believed to have been, acquired by an unauthorized person “as quickly as possible.”
Where the breach affects computerized data that includes sensitive personal information not owned by the business experiencing the breach, Texas law also generally requires the breached business “to notify the owner or license holder of the information of any breach of system security immediately after discovering the breach, if the sensitive personal information was, or is reasonably believed to have been, acquired by an unauthorized person,” in the time and manner required by the statute. While the law permits delayed notice in certain narrow circumstances to avoid impeding law enforcement efforts, these breach notification duties generally apply in addition to any notice or disclosure obligations that otherwise apply to the business by contract or under federal law.
Failing to fulfill these duties can be an expensive mistake. In addition to any contractual or civil liability for damages sustained by the subjects or owners of the breached data, and any penalties applicable under federal law, the Texas law specifies that a violation of its requirements:
Is a deceptive trade practice that can render the business liable to injured subjects for civil judgements awarding actual and exemplary damages plus attorneys’ fees and other costs of enforcement;
Subjects the business to liability for a civil penalty to the State of Texas:
Generally of at least $2,000 but not more than $50,000 for each violation;
If the business fails to take reasonable action to comply with the notice requirements of the statute, a civil penalty of up to $100 per day for each individual to whom notification is due, for each consecutive day that the business fails to take reasonable action to comply with the notice requirement, not to exceed $250,000 for all individuals to whom notification is due after a single breach;
In some cases, equitable relief to (1) prevent any additional harm to a victim of identity theft or a further violation of the statute, or (2) satisfy any judgment entered against the defendant, including an order appointing a receiver, sequestering assets, correcting a public or private record, or preventing the dissipation of a victim’s assets; plus attorneys’ fees and other costs of enforcement.
Where a business operates in multiple states, it typically faces exposure under the laws of each jurisdiction where it operates or holds data affected by the breach.
Given the potential magnitude of the liability, businesses generally need not only to take well-documented steps to properly safeguard electronic sensitive personal information and the systems that hold or use it, but also to be prepared to promptly provide notice of any breach within the short time contemplated by law. When considering when to provide notice of a breach, business leaders should anticipate that the short deadline for notifying affected subjects and the owners of the compromised data typically will require notification before a full investigation of the breach can be completed. Given the potential sanctions for failing to provide timely notice, a business generally will want to consult with legal counsel knowledgeable about and experienced in helping businesses identify and provide the required notifications within the scope of attorney-client privilege. In deciding when and which legal counsel to seek, business leaders should be cautious about discussing sensitive information about the breach with risk management or other consulting vendors or services not engaged within the scope of attorney-client privilege, so as to safeguard sensitive discussions and analysis from otherwise avoidable evidentiary discovery. Likewise, given the short time allowed for breach mitigation and notification, businesses should weigh carefully whether to engage regulatory counsel to assist with the initial breach notification and mitigation, separate from any cyber litigation defense counsel that might be available under applicable cyber insurance policies, unless the proposed litigation defense counsel has proven regulatory knowledge, experience and qualifications in handling breach mitigation and notification events.
About The Author
Cynthia Marcotte Stamer is a Martindale-Hubbell “AV-Preeminent (Top 1%)” rated practicing attorney and management consultant, health industry public policy advocate, and widely published author and lecturer, recognized for her nearly 30 years of work with business and government clients and their leaders as a LexisNexis® Martindale-Hubbell® “LEGAL LEADER™” and “Top Rated Lawyer” in Health Care Law and Labor and Employment Law; a D Magazine “Best Lawyers In Dallas” in the fields of “Health Care,” “Labor & Employment,” “Tax: Erisa & Employee Benefits” and “Business and Commercial Law”; and a Fellow in the American Bar Foundation, the Texas Bar Foundation and the American College of Employee Benefit Counsel.
Board Certified in Labor and Employment Law by the Texas Board of Legal Specialization, Ms. Stamer provides outside general counsel and special counsel advice, representation and other legal and operations services on a real-time “on demand,” special project and ongoing basis tailored to the needs of the client. Throughout her career she has worked with health care providers, health plans, health care clearinghouses, their business associates, employers and other plan sponsors, banks, insurers and other financial institutions, and others on trade secret confidentiality, privacy, data security and other risk management and compliance matters, including the design, establishment, documentation, implementation, audit and enforcement of policies, procedures, systems and safeguards; the drafting and negotiation of business associate, chain of custody, confidentiality and other contracts; risk assessments, audits and other risk prevention and mitigation; the investigation, reporting, mitigation and resolution of known or suspected breaches, violations or other incidents; defending investigations or other actions by plaintiffs, OCR, FTC, state attorneys general and other federal or state agencies, business partners, patients and others; reporting known or suspected violations; commenting on or obtaining clarification of guidance and other regulatory affairs; training and enforcement; and a host of other related concerns.
Best recognized for her work on labor and employment, employee benefits and compensation, healthcare, insurance and risk management, technology, and privacy and data security concerns, her experience encompasses work with management of a diverse array of clients and matters, including domestic and multinational employers across many industries; health and other employee benefit plans; payroll, staffing, recruitment, technology, audit, training and coaching, consulting, and other outsourcing service providers; public and private health care providers; health and other insurers; banking and financial services; manufacturing, retail and other sales; hospitality; consulting; engineering; bankruptcy, turnaround management, restructuring and reengineering, and other change management; technology and other vendors; nonprofit, government and others, domestically and internationally.
Author of a multitude of highly regarded works and training programs published by BNA, the ABA and other premier legal and industry publishers, she also consults to and trains business and government organizations and their leaders and speaks extensively about a wide range of general and special legal, business process, operations and other concerns.
Beyond these involvements, Ms. Stamer is also active in the leadership of a broad range of other professional, charitable and civic organizations. Through these and other involvements, she provides hands-on leadership, consulting and other support to develop and build solutions, build consensus, garner funding and other resources, manage compliance and other operations, and take other actions to identify and promote tangible improvements in health care and other operations and policies.
For additional information about Ms. Stamer, see here or contact Ms. Stamer directly by e-mail here or by telephone at (469) 767-8872. ©2017 Cynthia Marcotte Stamer. Limited, non-exclusive right to republish granted to Solutions Law Press, Inc. All other rights reserved.