Breach Notification

Whenever a business collects data from its customers, that data is protected by the laws and regulations of whatever jurisdiction the customer is subject to. All 50 states have their own privacy laws. Most of these laws contain sections pertaining to what businesses need to inform their customers of in the event of a security breach where customers' personally identifiable information may have been exposed.

This post will analyze and compare two jurisdictions' breach notification laws: Illinois's Personal Information Protection Act (PIPA), and Articles 33 and 34 of Europe's General Data Protection Regulation (GDPR). PIPA is one of the United States' strictest laws in terms of the protections offered to residents, and is thus a good proxy for similar state laws throughout the nation.

Illinois’s Personal Information Protection Act

PIPA Outline

Signed into law in 2005, PIPA applies to any public or private organization, or individual person, within Illinois that collects and stores nonpublic personal information. It also applies to any entity that collects such information from an Illinois resident. Covered information includes common forms of identification such as a social security number or driver's license number. Financial information is also covered, including account numbers, card numbers, or usernames and passwords that could be used to access these accounts. Email accounts are covered, as access to an email account can allow access to almost any other account the user owns. Medical information is also covered, which includes health insurance information and biometric data. Covering biometric data such as fingerprints, iris scans, and facial recognition data is one area where PIPA is more thorough than other jurisdictions within the United States. The law includes a financial penalty for non-compliance of $100 per individual affected in a breach, up to $50,000.

To be considered a breach, these data points must be coupled with the full name, or first initial and last name, of the individual they belong to. If a malicious actor were to obtain a list of social security numbers or driver's license numbers stored by the company and nothing else, this would not be considered a breach, as there is no way to effectively use this information. Another instance where a breach does not require notification is when the protected data is encrypted. If a name and an encrypted social security number were accessed, and there is no reason to believe the malicious actor had access to the cryptographic keys for that encryption, notifications are not necessary.

PIPA Breach Notification Requirements

After a breach has occurred, the collector of that data must provide notice to impacted Illinois residents. There is no absolute timeline within which this must occur, only that it be done expeditiously. This timeline may be affected by law enforcement, which can delay the notifications while it carries out its investigation. The notifications must include a telephone number and address for consumer reporting agencies and the Federal Trade Commission, as well as information about the identity theft protections that individuals can receive from these agencies. If the breach involves data related to online accounts, the notice must also encourage affected individuals to change their usernames, passwords, and security questions.

Breach notifications must be provided either as written or electronic notice. If the cost of providing the notice would be greater than $250,000, or over 500,000 individuals were affected, alternative forms of notification must be deployed. These include emailing affected individuals (if an email address is known), posting the breach notification on the home page of the breached entity's website, and notifying local media outlets that are likely to reach all affected individuals.

Under an amendment to PIPA that took effect on January 1st, 2020, if more than 500 residents of Illinois are affected by a breach, the data collector must inform the Attorney General of Illinois. They must provide a description of the breach, the number of Illinois residents affected, and any steps taken to mitigate the risk of future breaches. It is interesting to note that the Attorney General must be informed of the number of people affected by the breach, yet it is explicitly stated that this information does not need to be provided to Illinois residents in their breach notifications.

Public institutions are subject to almost all the same requirements as private institutions, with a few additions. The content and timelines of the notifications are the same. In addition to notifying the public, the issue must be escalated within the state government as well. The threshold for notifying the Attorney General is lowered to 250 affected residents, and reaching this level also triggers notifications to the Chief Information Security Officers of both the Attorney General and the Illinois Department of Innovation and Technology.

PIPA Breach Notification Example

In January of 2020, Hospital Sisters Health System, a health care provider in Illinois, released a notice of a data breach. They discovered that employee email accounts had been compromised in December of 2019. These email accounts contained information on patient names, dates of birth, clinical information, health insurance information, social security numbers, and driver's license numbers.

Written notice was provided to impacted individuals. This notification informed them that their data had been compromised, and encouraged them to take preventive measures against identity theft such as monitoring their credit accounts. Free identity theft protection services were offered to affected individuals. Contact information was included for a toll-free number that could provide additional information on the nature of the breach, as well as contact information for the FTC.

Europe’s General Data Protection Regulation

GDPR Outline

Implemented in May of 2018, the GDPR consolidated data privacy legislation across all countries within the European Union. Protected classes of data are less explicitly laid out and are much broader than in PIPA, and include names, identification numbers, location data, online account information, or anything involving the physical, physiological, genetic, mental, economic, cultural or social identity of a person. All breaches that expose this protected information to unauthorized entities must trigger breach notifications. Interestingly, unauthorized destruction of protected data is also considered a breach. Penalties for serious instances of non-compliance can be up to twenty million euros or 4% of total global turnover of the preceding fiscal year, whichever is higher.

GDPR Breach Notification Requirements

Each member state of the EU has its own supervisory authority, which oversees its own nation and reports back to the General Assembly. In the event of a breach, impacted organizations must notify their supervisory authority within 72 hours of the breach. If the notification happens after 72 hours, an explanation of the delay must also be provided. Not all of the required information has to be sent at the same time; it can be submitted in phases to prevent any delay. This notification must include a description of the breach, what kinds of data were affected, the number of affected individuals, the amount of data that was compromised, and the likely consequences of the breach. It must also include contact information for the breached organization's Data Protection Officer, and the measures the organization is taking to mitigate the risks associated with the breach.

Breached organizations must also inform individuals whose data was compromised when the breach is “likely to result in a high risk to the rights and freedoms” of those individuals. The same information that was provided to the supervisory authority on the nature of the breach must be provided to affected persons. Similarly to PIPA, if the breached data was protected via encryption, a breach notification is not necessary. Notification is also not necessary if steps are taken that would significantly reduce the risk of adverse effects on victims' lives. Supervisory authorities are the regulating entities that ensure compliance with these notification requirements.

GDPR Breach Notification Example

In 2018, British Airways was the victim of a data breach in which customers' personal and financial data were compromised. In response, they created a webpage for customers containing the information required to be disclosed under GDPR, as well as answers to questions commonly asked after data breaches, and assurances of business continuity.

The first section of the website details which customers were affected: only those who booked a ticket via the website or app during the few days the hack was in progress and paid by credit card. It also details what data was stolen: names, billing addresses, email addresses, and bank card information.

The second section gives advice to affected individuals on what they should do to protect themselves. It suggests they contact their credit card provider and follow its recommendations. It also warns affected users about phishing attacks, explicitly saying that British Airways will not be contacting them to confirm financial information, which is a common phishing tactic used against individuals affected by a data breach.