Standard: Data Security Breach Notice

The Department of Health and Human Services (HHS) has issued the most significant advancement in data breach notification law since California adopted the original Senate Bill 1386 in 2002.

First Standard Was Vague

SB 1386 said the data holder must give notice if it had reason to believe the security of sensitive data had been compromised.

Technologically speaking, SB 1386's standard was vague. It caused many organizations to issue confusing, unnecessary notices that were of no value to the recipients (the data subjects).

New Standard Calls for Intelligent Risk Assessment

HHS’s new Omnibus HIPAA Rule states a more realistic and sophisticated standard for whether a healthcare data holder must give notice of a breach.

To paraphrase revised 45 CFR § 164.402, the data holder must:

1.  presume that a security incident requires delivery of notice . . .

2.  unless a risk assessment shows low probability of data compromise considering the following four factors (in addition to any other relevant factors):

(A) Nature of the data and likelihood it can be used to identify the data subject;

(B) Who accessed the data;

(C) Whether data was "actually acquired or viewed";

(D) Whether risk to the data has been mitigated.

§ 164.402 motivates the data holder, before giving notice, to gather rigorously all the facts about an incident and then to analyze and evaluate those facts. That process of gathering, analyzing and evaluating is a "risk assessment." For that risk assessment, § 164.402 gives the data holder four useful factors to consider.

But, rationally, § 164.402 reminds the data holder that there can be other factors to consider.

Does Prior Warning of Risk Reduce the Need to Give Notice?

I argue that another relevant factor is whether the data subject had been warned of the risk of compromise and therefore accepted the risk.

No Knee-Jerk Reaction

Historically, many organizations have treated breach notification as a knee-jerk reaction to security incidents and vulnerabilities.

HHS is now teaching that, before sending breach notices, the data holder should engage in an intelligent investigation and assessment.

In effect, HHS is, commendably, refining the definition of data security breach.

Mr. Wright teaches the law of data security and investigations at the SANS Institute.