American companies have been slow to realize that they are a potential target of a cyber-attack. Last year, FBI Director James Comey remarked that “there are two kinds of big companies in the United States. There are those who’ve been hacked … and those who don’t know they’ve been hacked …”
But the risk of cyber-attack is not exclusive to large retailers like Target or media giants such as Sony. There is a growing trend of cyber-attacks on insurance companies, third-party administrators and healthcare providers. The bottom line is that companies of all sizes that possess personal information are at risk of a cyber-attack.
Disclosing Cyber-Attacks
Just ten years ago, when cyber-attacks first occurred, companies could dictate the timing of disclosure of the attack to those affected or the general public. Over the last decade, however, state legislatures have passed notification laws that mandate both the content and timing of disclosure. To complicate matters, almost every state and U.S. territory has developed its own notification law. At present, there are at least 51 distinct statutes.
Significantly, many of these statutes hold companies accountable by subjecting them to consumer fraud or deceptive business practices claims for the failure to timely disclose a data breach. In California, for example, the attorney general’s office sued a healthcare provider for allegedly failing to notify more than 20,000 current and former employees that their personal information had been compromised in a 2011 security breach. The case eventually settled with the healthcare provider agreeing to an injunction preventing it from subsequent delays in providing notification and paying $150,000 in damages and attorney fees.¹
“Data Collectors” Cast a Large Net
Illinois companies faced with a data breach should act quickly and consult with counsel to ensure that the company does not run afoul of the Illinois Personal Information Protection Act. The act applies to any data collector, including privately or publicly held corporations that possess personal information. 815 ILCS 530/5. The definition of data collector under the statute is broad enough to apply to almost any company operating in the state, including law firms. The statute defines “data breach” as any unauthorized acquisition of computerized data that compromises the security, confidentiality or integrity of personal information maintained by the data collector. 815 ILCS 530/5. Here, personal information means the first name or first initial and the last name of any individual in combination with either their Social Security number, driver’s license number, state I.D. number or credit card information.
Under the statute, the data collector is obligated to notify any person affected by the breach at no charge. The notice may be provided by either written notice or, under certain circumstances, electronic notice. The notice is also required to include the toll-free numbers and addresses for consumer reporting agencies; the toll-free number, address and website address for the Federal Trade Commission; and a statement that the affected individual can obtain information from these sources about fraud alerts and security freezes.
Rapid Notification is Critical, but Complicated
The most important aspect of the statute, however, is the timing of the notification. The Illinois Personal Information Protection Act requires that notification be made in the “most expedient time possible and without unreasonable delay, consistent with any measures to determine the scope of the breach and restore the reasonable integrity, security and confidentiality of the data system.” 815 ILCS 530/10. Though the statute itself offers little guidance as to what “the most expedient time possible” means, it is imperative that any company affected by such a breach begin planning for its notification process before the breach even occurs. Assuming the company does not have a notification plan in place prior to the breach, then the company must begin its notification process as soon as it determines whose data has been compromised. As a guide, the settlement agreement in the Kaiser Foundation case required the defendant to begin its notification to customers on a rolling basis even before it knew the full extent of which customers were affected. In other words, as soon as the Kaiser Foundation could determine a discernible list of customers affected by the breach, it was required to begin the notification process. Early response, therefore, is key to avoiding liability.
The process for notification is further complicated by the fact that very often the data breach affects individuals residing in several states. Under such circumstances, counsel for the company will have to ensure that the notification follows the law of each applicable state. The failure to rapidly control the data breach information and determine the extent of required notification to affected individuals can result in significant liability to clients and law firms alike.
¹ See The People of the State of California v. Kaiser Foundation Healthplan, Inc., Case No. RG14711370 (Superior Court of the State of California, County of Alameda).