Previous article in series – Data Privacy: Difference Between Data Owner/Controller and Data Custodian/Processor
Various regulatory requirements govern data transparency and what an organization must do after a data breach. The definition of what constitutes a breach varies as widely as the regulations themselves and includes, but is not limited to, impermissible use or disclosure, a probability that data has been compromised, unauthorized access or use, and risk to an individual's rights and freedoms. It is paramount to understand the regulatory requirements that apply to your business practice, because the trigger, the notification clock, and the required recipients differ under each regime.
Health Insurance Portability and Accountability Act
The HIPAA Breach Notification Rule, 45 CFR §§ 164.400-414, requires HIPAA-covered entities and their business associates to provide notification following a breach of unsecured protected health information. Similar breach notification provisions implemented and enforced by the Federal Trade Commission (FTC) apply to vendors of personal health records and their third-party service providers, pursuant to section 13407 of the HITECH Act.
Individual Notice
Individual notifications must be provided without unreasonable delay and in no case later than 60 calendar days after the breach is discovered. The 60 days is an outer limit, not a safe harbor, and a breach is treated as discovered on the first day it is known to the covered entity, or would have been known had reasonable diligence been exercised, so the clock does not wait for the investigation to conclude. To the extent possible, the notice must include a brief description of the breach, the types of unsecured protected health information involved, the steps affected individuals should take to protect themselves from potential harm, a brief description of what the covered entity is doing to investigate the breach, mitigate the harm, and prevent further breaches, and contact information for the covered entity (or business associate, as applicable).
Media Notice
Covered entities that experience a breach affecting more than 500 residents of a state or jurisdiction must, in addition to notifying the affected individuals, notify prominent media outlets serving that state or jurisdiction, typically by press release. Like individual notice, media notice must be provided without unreasonable delay and in no case later than 60 calendar days after discovery, and it must include the same information required in the individual notice.
Resource: https://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html
Breaches of unsecured protected health information affecting 500 or more individuals must also be reported to the Secretary of HHS within the same 60-day window; smaller breaches are logged and reported to the Secretary annually, within 60 days after the end of the calendar year in which they were discovered. The Secretary publishes the 500-or-more reports, so examples of HIPAA-related breaches can currently be viewed at: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf
Sarbanes–Oxley Act (SOX)
The Sarbanes–Oxley Act of 2002 (often shortened to SOX) is United States legislation enacted to protect shareholders and the general public from accounting errors and fraudulent practices in the enterprise. The act is administered by the Securities and Exchange Commission (SEC), which sets deadlines for compliance and publishes rules on requirements. Sarbanes–Oxley is not a set of business practices and does not specify how a business should store records; rather, it defines which records are to be stored and for how long. The act itself contains no breach notification requirement. What matters for security teams is its broad requirement that executives establish, assess, and certify "internal controls" over financial reporting (sections 302 and 404): a security breach that compromises the integrity of financial data, or of the systems that produce it, can be treated as a failure of those controls and pursued on that basis.
The General Data Protection Regulation (GDPR)
If your company/organization becomes aware of a personal data breach, it must notify the supervisory authority without undue delay and, where feasible, no later than 72 hours after becoming aware of it (GDPR Article 33); a notification made after 72 hours must be accompanied by the reasons for the delay. The only exception is a breach that is unlikely to result in a risk to the rights and freedoms of individuals, and every breach, reported or not, must be documented along with the facts, its effects, and the remedial action taken. If your company/organization is a data processor, it must notify the data controller of every personal data breach without undue delay; the controller, not the processor, reports to the supervisory authority.
If the breach is likely to result in a high risk to the affected individuals, they must also be informed without undue delay (Article 34). This is not required where the controller had already applied appropriate technical and organizational protection measures to the affected data, in particular measures such as encryption that render the data unintelligible to anyone not authorized to access it, or where subsequent measures ensure that the high risk is no longer likely to materialize. Where contacting each individual would involve disproportionate effort, a public communication that informs them in an equally effective manner may be used instead.
Because the exception for informing individuals depends on protection measures already being in place when the breach happens, it is vital for an organization to implement appropriate technical and organizational measures (GDPR Article 32) ahead of time, both to prevent breaches and to limit the notification obligations when one occurs.