2017 saw its fair share of data breaches (Equifax, UBER, Chipotle, Gmail), but the most notable cyber activity over the past year was a rise in regulatory action taken at both the state and federal level against organizations that fell victim to data breaches. It has become clear that regulatory bodies will investigate (and often fine) affected organizations. Data breach regulatory actions brought by state attorneys general as well as by government agencies are trending. This blog post focuses on those activities and what you can do to prepare your organization.
Action by State Attorneys General
May of 2017 brought the relatively groundbreaking $18.5M Target settlement. The attorneys general of 47 states brought a legal investigation against Target as a result of its 2013 data breach. This sets a precedent that every business organization should note. Up until this settlement, and despite larger public data breaches, state actions against organizations that suffered data breaches had been few and far between, with much smaller monetary penalties.
It is important to note that there is no federal regulation or oversight regarding data breach law; instead there are 48 individual state laws, and each state can vary in the level of scrutiny it applies to organizations that suffer data breaches and in its willingness to investigate, fine or penalize. The Target settlement is one of the first times that individual states banded together and jointly settled with an individual organization, and it sets the stage for future regulatory intervention in this area. At the date of this post, two notable 2017 data breaches, Equifax and UBER, both have open investigations by groups of state attorneys general.
Office of Civil Rights (OCR) Response to HIPAA Breaches
The OCR’s regulatory authority, as it relates to data breaches, comes from the HIPAA Breach Notification Rule and the HITECH Act. Similar to the increase in actions taken by state attorneys general, there has been a steady rise in investigations and penalties associated with HIPAA-related breaches.
The OCR categorizes health information breaches into two class codes according to how many individual records are compromised: more than 500, or fewer than 500. Breaches impacting more than 500 records are more closely tracked, as they will often result in investigations and potential penalties.
Fines and penalties issued in 2016 totaled $45,889,200, while fines and penalties issued in 2017 had already reached $72,929,182 by October 31. This dramatic rise in fines and penalties is part of the increased regulatory scrutiny surrounding companies that have been involved in data breaches.
Contact your M3 Account Executive for assistance in understanding your data breach reporting requirements.