Facebook CEO Mark Zuckerberg testified before Congress in April about how a political consultancy had improperly obtained the personal data of nearly 90 million Facebook users. The Congressional hearings prompted by Cambridge Analytica’s misappropriation of personal data were not the social media company’s first brush with the federal government over the protection of user data. In 2011, the Federal Trade Commission (“FTC”) accused Facebook of breaking its promise to users that third-party applications had access only to the user data required for the application to function. Facebook entered into a consent decree (an agreement resolving a legal dispute with the government without an admission of guilt or liability) that required Facebook to obtain user consent before sharing personal data with third parties. The FTC is now investigating whether the Cambridge Analytica incident violated the 2011 consent decree, a finding that could carry heavy fines.
Mr. Zuckerberg’s testimony and Facebook’s past and present travails highlight how even one of the largest, richest, and most technologically sophisticated companies in the world can run afoul of consumer data privacy laws, and in particular of the obligation to notify both the government and its users of data breaches in a timely manner. Facebook is certainly not the first technology company to face criticism over its failure to give timely notice of a breach. In November 2017, Uber disclosed a major data breach that had occurred in 2016, during which hackers stole data on 57 million Uber riders and drivers. Uber paid the hackers $100,000 to destroy the data, but did not disclose the breach until roughly a year later. A week after Uber disclosed the hack, three U.S. Senators introduced the Data Security and Breach Notification Act, which would require companies to report data breaches within 30 days and would subject any employee or executive who knowingly conceals a breach to imprisonment for up to five years.
While the proposed legislation is not likely to become law during the 115th Congress, its introduction signals not only the seriousness with which lawmakers view data breach reporting but also the fact that there is currently no single federal law governing how and when companies must report data breaches. That is not to say there are no laws or regulations governing breach reporting. Quite the opposite, in fact.
Currently, 48 states plus the District of Columbia, Guam, Puerto Rico and the Virgin Islands have breach notification laws that require notification of a breach to affected individuals. Twenty-seven states plus Puerto Rico also require notification of a breach to a state attorney general or regulator. Beyond individual state laws, certain industries, such as healthcare providers and defense contractors, are governed simultaneously by sector-specific federal laws and regulations that direct when and how a company’s customers and regulators must be notified. Certain states have also passed sector-specific rules governing, among other things, data breach reporting; for example, the New York Department of Financial Services (“DFS”) Cybersecurity Regulation requires regulated entities to notify DFS within 72 hours of determining that a reportable cybersecurity event has occurred. Moreover, the FTC, which enjoys broad jurisdiction under its consumer protection mandate, has promulgated “guidance” against which it may assess the adequacy of a company’s data breach response. Last, but not least, as of its May 25, 2018 effective date, the EU General Data Protection Regulation (“GDPR”) applies even to U.S. companies that collect, process, or retain personal data of individuals in the EU. Under the GDPR, a personal data breach must be reported to the relevant supervisory authority within 72 hours of the company becoming aware of it, where feasible, and the affected individuals must be notified without undue delay when the breach is likely to result in a high risk to their rights and freedoms.
With so many overlapping laws and regulations regarding data breach and cybersecurity incident notification, it is no surprise that companies like Facebook and Uber are coming under scrutiny; small and medium-sized enterprises in less technologically focused sectors face the same obligations with far fewer resources. The laws are not trivial. Federal regulators and states impose substantial costs and liabilities on companies that impermissibly delay notification. In January 2017, the U.S. Department of Health and Human Services (“HHS”) entered into a settlement with Presence Health for untimely reporting of a breach of unsecured protected health information. Under HIPAA’s Breach Notification Rule, a breach affecting more than 500 individuals requires the covered entity to notify the affected individuals, HHS, and (where more than 500 residents of a single state or jurisdiction are affected) prominent media outlets without “unreasonable delay,” and in any event no later than 60 days after discovery of the breach. Presence Health paid $475,000 in penalties for delaying notification approximately 100 days beyond that deadline.
Setting aside all the other business challenges and liabilities associated with a cybersecurity event, some might ask: how hard is it to notify customers of a breach on time? Well, it is hard. Imagine your systems are hit by a ransomware attack and, in the course of the intrusion, the attacker also accesses your customers’ personal data. Your company may be based in New York, but you have customers across 15 states. Because state breach notification laws are generally triggered by the residency of the affected individuals rather than the location of the company, you must comply not only with New York’s data breach notification law but also with the laws of those 15 states, each with its own definition of covered personal information, its own deadline, and its own rules on who must be notified. Your company’s ability to respond therefore depends, in part, on knowing the geographic location of all your customers, where all your customers’ data resides on your systems (to determine whether the data itself was accessed or acquired, as opposed to merely encrypted), and the substantive legal nuances of what must be contained in each notification letter. Let’s say that your company is also a defense industry supplier, so you must also meet a 72-hour deadline for reporting the cyber incident to the Department of Defense pursuant to the Defense Federal Acquisition Regulation Supplement (“DFARS”). Meanwhile, you are simultaneously containing the attacker, attempting to preserve evidence and restore data from backups, restoring your security posture, and then working to ensure such an attack never happens again.
Companies across sectors are rightly focused on investments in cybersecurity defense, insurance, internal policies, and employee training; however, they must also have in place an incident response plan that outlines how the company will meet its data breach notification requirements, including who decides that a reportable incident has occurred, which deadlines start running at that moment, and who is responsible for each notification. Advance planning and cybersecurity “fire drills” designed to simulate and test how a company will respond to a cyberattack, with the legal and notification workstream exercised alongside the technical response, go a long way toward reducing cost, stress, reputational harm, and legal liability.