As the world becomes more interconnected, data breaches and cyber-attacks are increasingly becoming an unfortunate reality for many organizations. The stakes are high: a data security breach can disrupt a company’s operations, damage the business’s reputation, cause its stock price to fall, lead to the loss of business, and attract government investigations, agency action, and class action lawsuits. Complicating matters is the fact that a patchwork of state and federal laws can apply to the same data security breach incident.
Many states have enacted data security laws that differ depending on the type of protected data. For example, California has enacted the Confidentiality of Medical Information Act, governing the dissemination of personal medical information from a healthcare provider or contractor, while Massachusetts has enacted a general data privacy statute and accompanying regulation. On the federal level, laws address the privacy of healthcare data (HIPAA and HITECH), financial data (Gramm-Leach-Bliley Act), and credit information (Fair Credit Reporting Act), among others. Many states have also implemented data breach notification laws requiring companies affected by a breach to notify consumers and (in some states) applicable state authorities of the breach. Similarly, the U.S. Department of Health and Human Services (“HHS”) requires that a breach of protected health information (“PHI”) be reported to the affected individuals, HHS, and even the media, depending on the scope of the breach.
Consequences can be dire for those companies affected by a data breach, who face legal action from consumers, state attorneys general, and federal agencies. One illustrative example is Health Net of Connecticut. In May 2009, Health Net discovered that it had lost a computer hard drive containing the PHI of 500,000 Connecticut residents. Health Net was sued in January 2010 by the Connecticut Attorney General for violations of HIPAA, the Connecticut data breach law, and the Connecticut Unfair Trade Practices Act. This suit was settled after Health Net agreed to pay $250,000 in penalties and implement a corrective action plan. However, this was not the end of Health Net’s legal exposure. The Connecticut Insurance Department and Health Net settled a separate enforcement action commenced against Health Net arising out of the same data security breach incident. Under the terms of this settlement, Health Net agreed to pay $350,000 in penalties and to supply two years of credit monitoring protection to those affected by the data breach. Shortly afterward, in January 2011, Health Net settled a suit brought by the Vermont Attorney General arising out of the same incident, which had also affected 525 Vermont residents. That litigation alleged violations of HIPAA, Vermont’s Security Breach Notice Act, and Vermont’s Consumer Fraud Act. Under the terms of this settlement, Health Net paid $55,000 in penalties and agreed to submit to a data security audit and to file reports with the State of Vermont for two years.