Reporting Cyber Security Breaches
If your company is the victim of a cybersecurity data breach, it is essential that you know the proper way to respond: not only internally, to contain and mitigate the damage, but also in terms of your reporting responsibilities. There are both federal and state requirements for reporting data breaches and cyber-crime, not only to the authorities but also to the clients and customers who may be affected by a breach.
There are few federal guidelines legislating what reporting is necessary in the event of a data breach, but two main industries are covered by federal legislation: health care, and banking and financial services.
Health Insurance Portability and Accountability Act (HIPAA): HIPAA applies to the storage and maintenance of personally identifiable medical information. Entities that transmit any personal health information in electronic form are required to abide by HIPAA rules and regulations. Under HIPAA there is a Security Rule which requires organizations to maintain “reasonable and appropriate administrative, technical, and physical safeguards for protecting e-PHI”. In addition, notification must be made to the following:
Individuals: Individuals must be notified without unreasonable delay, and no later than 60 days following the breach event. The notification should be by phone and/or email (if the individual has granted permission). If contact information is out of date, a notice must be placed on the company website for at least 90 days, and a toll-free number should also be provided.
Secretary of Health and Human Services: If a breach affects more than 500 individuals, the Secretary of HHS must be notified without unreasonable delay, and no later than 60 days after the breach. If fewer than 500 individuals are affected, the report can be made annually.
Media: If a breach affects more than 500 individuals, the local media should be notified in the form of a press release, again without unreasonable delay, and no later than 60 days after the event.
The Gramm-Leach-Bliley Act: This act requires all financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data. Institutions must tell customers with whom they share their information and must protect that information. The act suggests notifying customers of any breaches, but it defers to state law and does not impose specific reporting requirements of its own.
State laws vary, so it is important to know the laws of the states where you conduct business.
Pennsylvania: Some key points from the Pennsylvania statute regarding cyber breach notifications (73 Pa. Stat. § 2301 et seq.):
Applies to any entity storing or managing personally identifiable information of PA residents.
In the event of a breach, the affected individuals must be notified without unreasonable delay by mail, email, or telephone.
When that notice is provided to more than 1,000 persons at a time, all consumer reporting agencies must also be notified without unreasonable delay.
New Jersey: Some key points from the New Jersey statute regarding cyber breach notifications (N.J. Stat. § 56:8-163):
Applies to any entity storing or maintaining records that include personally identifiable information.
Prior to disclosure to customers/affected parties, the entity must report the breach to the Division of State Police in the Department of Law and Public Safety.
Customer notifications should be made without unreasonable delay and can be provided by written notice or electronic notice.
New York: Some key points from the New York statute regarding cyber breach notifications (N.Y. Gen. Bus. Law § 899-aa):
Applies to any entity conducting business in NY state that stores and maintains private information.
The entity is required to disclose the breach to any resident of NY whose private information was compromised, by written notice, telephone, or electronic notice.
The state Attorney General, the consumer protection board, the division of state police, and the state Office of Information Technology Services are all to be notified as to the timing, content, and distribution of the notices and the approximate number of affected people.
Here at Zinman & Company we take the utmost care to protect our clients’ private information. Please contact us if you have any questions.