Know Your Liabilities in the Case of a Data Breach

July 14, 2015 - Christine Gantt-Sorenson
In this age of cyberattacks and security breaches, some employers might be surprised to discover what identity theft laws apply to them.

Most of the applicable laws apply to businesses or individuals who maintain or otherwise possess consumer information for a business purpose – that’s a pretty broad definition. Entities subject to these laws are usually well-informed at the top, but they should ensure that an understanding of the applicable law is communicated to the employees charged with carrying out the enterprise’s day-to-day business. Entities should also understand what disclosure requirements they are subject to, and have procedures and template notices for unauthorized disclosures in place so they can respond quickly in the event of a data breach. A quick and compliant response shows good faith that may be useful in any investigation or ensuing litigation.

The Gramm-Leach-Bliley Act (GLBA) Safeguards Rule is enforced by eight federal agencies and applies to any organization that maintains personal financial information regarding clients or customers. Under this rule, all financial institutions are required to set up and maintain safeguards to protect customers’ personal financial information. GLBA violations can result in fines of up to $100,000 per violation; officers and directors of the financial institution can be fined up to $10,000 for each violation; and criminal penalties include imprisonment for up to 5 years, a fine, or both.

Examples of businesses or entities affected include financial institutions, credit card companies, insurance companies, lenders, brokers, automobile dealers, accountants, financial planners, real estate agents or schools.

The Fair and Accurate Credit Transactions Act (FACTA) applies to consumer information maintained by a company. Violations can result in fines of up to $2,500 per occurrence, statutory damages of up to $1,000 for each consumer affected by a violation of this rule, and class actions with no statutory limitation that could expose the company to liability for actual damages sustained by individuals as well as possible punitive damages.

The Health Information Portability and Accountability Act (HIPAA) applies to any entity that retains or collects health information. HIPAA has both criminal and civil penalties. The criminal penalties are:

  1. Covered entities and specified individuals who “knowingly” obtain or disclose individually identifiable health information face a fine of up to $50,000 as well as imprisonment of up to one year;
  2. Offenses committed under false pretenses face a fine of up to $50,000, with up to five years in prison;
  3. Offenses committed with the intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain or malicious harm face fines of $250,000 and imprisonment of up to ten years.

The civil penalties are:

  1. The individual did not know (and by exercising reasonable diligence would not have known) that he/she violated HIPAA – Minimum penalty: $100 per violation, with an annual maximum of $25,000 for repeat violations; Maximum penalty: $50,000 per violation, with an annual maximum of $1.5 million;
  2. The HIPAA violation was due to reasonable cause and not to willful neglect – Minimum penalty: $1,000 per violation, with an annual maximum of $100,000 for repeat violations; Maximum penalty: $50,000 per violation, with an annual maximum of $1.5 million;
  3. The HIPAA violation was due to willful neglect but was corrected within the required time period – Minimum penalty: $10,000 per violation, with an annual maximum of $250,000 for repeat violations; Maximum penalty: $50,000 per violation, with an annual maximum of $1.5 million;
  4. The HIPAA violation was due to willful neglect and was not corrected – Minimum and maximum penalties are the same: $50,000 per violation, with an annual maximum of $1.5 million.

Besides being subject to a federal or state agency investigation and hefty fines, the ill will in the eyes of the public brought about by a violation is so great that it cannot be quantified. Suffice it to say, it reminds me of sound advice my green roommate and I received from an older brother figure before entering college: “It takes two weeks to get a bad reputation and two years to overcome one.” (He had no cause to worry about either of us, but was sagely reporting on what he had observed as part of the vast experience that comes from being a 20-year-old.)

Employers subject to these laws should audit their practices regularly to ensure compliance and implement mitigating efforts, such as performing the mandatory training for employees on their responsibilities with regard to protected information and having them sign confidentiality agreements that outline those requirements. Document the training and keep a file with the signed agreements in case of a breach and/or an audit by any of the federal agencies charged with enforcement. These measures could also provide the entity with an affirmative defense to litigation instituted by individuals when an unfortunate breach occurs.

Effective human resource professionals are, by their nature, good organizers and are used to implementing training and documentation with an eye toward federal compliance. An easy way to ensure this training and documentation occurs as it should is to include it with the other annual personnel training on safety, harassment and discrimination, and other applicable laws and personnel policies. Annual personnel audits are something I recommend to human resource professionals, and these audits could include an analysis of the efforts made to ensure employee compliance with the identity theft laws.
