Standard: Data Security Breach Notice

Department of Health and Human Services has issued the most significant advancement in data breach notification law since California adopted the original Senate Bill 1386 in 2002.

First Standard Was Vague

SB 1386 said the data holder must give notice if it had reason to believe the security of sensitive data had been compromised.

Technologically speaking, SB 1386's standard was vague.  It caused many organizations to issue confusing, unnecessary notices that are of no value to the recipients (data subjects).

New Standard Calls for Intelligent Risk Assessment

HHS’s new Omnibus HIPAA Rule states a more realistic and sophisticated standard for whether a healthcare data holder must give notice of a breach.

To paraphrase revised 45 CFR § 164.402, the data holder must:

1.  presume that a security incident requires delivery of notice . . .

2.  unless a risk assessment shows low probability of data compromise considering the following four factors (in addition to any other relevant factors):

(A) Nature of the data and likelihood it can be used to identify the data subject;

information assurance
Data Risk
(B) Who accessed the data;

(C) Whether data was "actually acquired or viewed”;

(D) Whether risk to the data has been mitigated.

§ 164.402 motivates the data holder – before giving notice – rigorously to gather all the facts about an incident and then to analyze and evaluate those facts.  That process of gathering, analyzing and evaluating is a “risk assessment.”  For that risk assessment, § 164.402 gives the data holder four useful factors to consider.

But, rationally, § 164.402 reminds the data holder that there can be other factors to consider.

Does Prior Warning of Risk Reduce the Need to Give Notice?

I argue that another relevant factor is whether the data subject had been warned in advance of the risk of compromise and therefore accepted the risk. If the data subject knew of the risk before-hand, then either

  • the subject has determined that the harm from compromise would be insignificant (Example: patient thinks, "I don't care if other people know I broke my arm, and I don't care if they see the x-ray of my broken arm."), or 
  • the subject has determined that the harm is acceptable in the light of the circumstances (Example: patient thinks, "I know that when I go to the free clinic the security procedures are probably lower than the procedures at the hospital. But I'd rather get free care and potentially compromise my privacy than to pay the high cost of the hospital.").

Sony Case Teaches the Value of Advance Warning to Customers.

A recent lawsuit shows that when a corporation warns customers in advance about the risk of computer security, the corporation reduces its legal risk. In 2011 attackers had compromised the Sony Play Station Network. A class action lawsuit was filed against Sony, seeking compensation to customers for the compromise of security.

However, in the lawsuit Sony persuaded the court to dismiss many of the charges against Sony and to substantially reduce the true cash value of the remaining charges. Sony successfully argued to the court that Sony had published an effective advance warning in the privacy policy associated with the Play Station Network. The policy told customers the truth. The policy said that computer security can never to absolutely assured.

In effect the advance warning in the policy showed that customers had accepted the risk a breach of security.

No Knee-Jerk Reaction

Historically, many organizations have treated breach notification as a knee-jerk reaction to security incidents and vulnerabilities.

HHS is now teaching that before sending breach notices, the data holder should engage an intelligent investigation and assessment.

In effect, HHS is -- commendably -- refining the definition of data security breach.

By: 

Mr. Wright teaches the law of data security and investigations at the SANS Institute.