Cyber Security: Penalties Loom as Solutions Fall Behind
Cyber breach incidents are increasing at an alarming rate, affecting our personal privacy and national security. With denial of service, click fraud and cast phishing, among scores of other types of cyber attacks, the “cyber security problem is growing faster than the solution,” according to testimony this month presented by Melissa Hathaway, President, Hathaway Global Strategies, LLC, to the House Homeland Security Subcommittee on Cyber Security.
In the past several months alone there have been many high profile incidents. Sony® PlayStation® was breached with 100 million records exposed. Epsilon®, which processes 40 billion emails for 2,500 customers, was hacked. The Stuxnet worm invaded Iran’s nuclear facilities, shutting them down while sending shudders throughout the world. And, most recently, in June, 2010, Citigroup was compromised with the largest breach of a financial institution to date.
Although many think cyber criminals largely target financial institutions and healthcare organizations, most breaches occur in businesses. In the April 2010 issue of American Agent and Broker, it was reported by the Identity Theft Resource Center (ITRC), a nonprofit created to help prevent data breaches, that out of 222 million records collected in 2009, 58.9 percent of the breaches occurred in businesses, while the financial industry recorded less than one percent, and healthcare reported five percent. As a result, regulatory efforts to protect data are increasing. Legal and IT staffs are scrambling to comply with the new regulations while building technology platforms to protect against breaches, which are costly. Sony, as an example, spent $171 million in notification fees to customers whose data was breached, in addition to the cost of system changes to prevent future exposures.
The financial impact these breach occurrences are having on companies and their respective states has resulted in increased legislation.
In 2010, cyber security legislation was enacted in Massachusetts and Nevada, creating responsibilities and potential liability for companies that do business with or hold data on residents of those states, according to BNA, Inc.’s Privacy & Security Law Report, 9PVLR1, January 4, 2010.
Many predict that the Massachusetts and Nevada legislation could have far-reaching effects on future state regulations governing cyber breaches. Other states have enacted broad cyber legislation to maintain data security in step with Gramm-Leach-Bliley, which regulates the safeguarding of consumer personal financial information. The Massachusetts and Nevada regulations, however, have requirements that will increase the pressure to encrypt data—a process that alters data and makes it unreadable to outside intruders—and require businesses to adhere to guidelines to protect data as mandated by the statute.
Other regulations, such as the Health Insurance Portability and Accountability Act (HIPAA), through the Department of Health and Human Services (HHS), will now provide even more scrutiny over the health care industry, according to an article by Ellyn L. Sternfield and Stephanie D. Willis of Mintz Levin, in a recent post on the firm’s website. In March of 2011, HHS announced mandatory HIPAA training for state attorneys general and their staff, which will bolster support for HIPAA, specifically the newer provision, the Health Information Technology for Economic and Clinical Health Act (HITECH), which adds teeth to HIPAA regulations. In addition, the Office of Inspector General (OIG) has been granted the authority to screen Medicare claims data for fraud, providing additional support to state law enforcement agencies when prosecuting data privacy breaches.
As background, HIPAA’s Privacy Rule currently entitles an individual to receive a breach report if their PHI (Protected Health Information) is exposed, according to the Newstex web post of June 2011, by Ropes and Gray, LLP. Although this right has been broadly defined, there are also many exceptions that impede adequate reporting. In 2009, HITECH mandated broader reporting rights for individuals, including accounting through newer electronic health records.
In February 2011, Cignet Health of Maryland was fined $4.3 million for violation of the HITECH Privacy and Security Rules, the first fine imposed under HITECH.
As part of the newer proposed rules by HHS, an individual’s breach notification rights will be expanded to include written notification outlining the details of the breach event as well as three years of data prior to their request. In addition, companies that do business internationally will need to understand data protection laws in Europe, which protect consumer rights by requiring detailed notification. Minimally, these laws let consumers know how data is collected, used, and secured. Europe has also established statutory requirements that outline stringent security measures.
Keeping compliant with state, federal and international rules for data protection may seem daunting; however, common areas of concern include breach notification, data protection to restrict access and legally binding contracts that protect subscribers. With the increase in data breach events and the corresponding increase in regulations, companies will no longer have the luxury of claiming ignorance.
"This is only the beginning, folks," said Chris Apgar, president and CEO of Oregon-based Apgar & Associates, LLC, a health data security firm. It is the expectation, according to Apgar, that the Office for Civil Rights (OCR) will move on breach events quickly and forcefully, especially when it comes to penalties imposed.