How long should it take to issue a breach notification?
Notice of a new data breach is posted at least once a day. A frequent feature of many notices is the disclosure that the conduct giving rise to the breach happened months earlier, with the delay sometimes going into years in some instances.
The notices typically do not provide much insight into the reasoning for the delays, which gives rise to the question; when should notice of a data breach be provided?
The answer is seemingly straightforward. The HIPAA data breach notification rule states that, absent certain narrow exceptions, a covered entity needs to provide notice without unreasonable delay, which should be no more than 60 days following discovery of the breach.
The language “without unreasonable delay” is key. While the rule gives up to 60 days, that full 60-day period should not be used to avoid providing the notice. Instead, notice is supposed to go out as soon as possible. The breach notification rule goes on to set out the required contents of a breach notification, with detail being included as possible. The qualifying language suggests that notice could go out before all relevant details are finalized.
While notification should be provided without unreasonable delay, the timing runs from when the breach is “discovered.” As with any good regulation, the word discovered is specifically defined. For purposes of breach notification, a breach is treated as discovered on the first day that the breach is known or would have been known if reasonable diligence was exercised.
The breach is also discovered if any person, other than the person causing the breach, in an organization knows or using reasonable diligence would have known of the breach. The full scope of the definition of discovered underscores that it is very easy for a breach to be known and for the clock to start running to notification.
When implementing the definition of discovered, comments in the regulations emphasized that a broad range of people should be able to discover a breach and bind an entity to that discovery. The commentary offered slight clarity that reasonable care means the exercise of the business care and prudence expected of a person seeking to satisfy a legal requirement.
Arguably that statement raises more questions since the level of attention and care can vary greatly depending upon the legal requirement under consideration. At times, it can feel as though certain legal requirements do not receive the full scope of attention and energy deserved, which claim has been applied to HIPAA related compliance efforts.
The plain language of the breach notification rule and the commentary demonstrate the discovery is not intended to be a matter open to discretion or broad interpretation. The goal is to shorten the timeframe in which a breach should be detected, investigated and then revealed. The goal is not to hide the ball, but to get information out to impacted individuals.
While notification is the broad goal, the rule does include one limited exception for when notification must be delayed. The one exception arises when a law enforcement official requests delay in notification. The request should only be made when the law enforcement official states that notification would impede or investigation or cause damage to national security. Both elements are interesting in that either could be a vague standard and could potentially be invoked for a variety of reasons.
The first exception for not impeding an investigation is the one that could most likely be invoked. For example, many breaches arise from phishing, ransomware, malware or some other form of external attack on a system. If law enforcement want to pursue a breach in an attempt to track down the attacker, then it would reason that delay in notification would be requested.
Since most breach notifications result in some level of attention during a news cycle, any disclosure would draw attention and then reveal that the infiltration is known. Conversely, if a victimized healthcare entity notifies law enforcement and is instructed to keep the attack quiet, then it could be possible to track down the responsible party.
While the description and reasoning for a delay is plausible, the whole concept relies upon the impacted organization actually notifying law enforcement. It may not be possible to know exactly how many organizations tell law enforcement when a breach occurs, but a cursory review of notices does not reveal many instances when a delay is stated, much less than law enforcement has been contacted or involved.
While it is tempting to suggest that law enforcement requests are the reason so many notices do not come out quickly, the truth likely lies elsewhere. Another aspect of the common notice could provide a clue. So many times the notice states that a breach or intrusion happened months before and either was not found until recently or the organization needed to take months to determine who and how many individuals were impacted.
The first statement raises the question of whether the attack was so hard to find that it could not be discovered or if the organization was just not being diligent enough in reviewing activity. Either scenario is not comforting and arguably at odds with the definition of “discovered.”
The second statement is more troubling. As noted, the breach notification rule does require a fairly detailed notice to be issued, but at the same time only requires information to be included to the extent known. If not all of the details are known in the first 60 days or less, then should an organization send an initial notice with more detail to follow? While not preferable from the perspective of allaying worries, that approach could avoid allegations of delay and wanting to prevent notification.
Ultimately, the key is to get notice of a data breach out in a timely manner that aligns with the requirements of the breach notification rule. That means it should be within 60 days of discovering the breach without playing around with what it means to discover the breach. Such an interpretation would likely result in notices coming more quickly and requiring follow up as more detail and impact are determined, but then again conducting an investigation is not really necessary to actually discover the breach. While breaches are inevitable, the real attention should be on enhancing efforts to strengthen defenses and make it harder for the breach to occur in the first place.