At the time of the writing of this article, Alabama is one step closer to having a law on the books related to cybersecurity. As one of only two states without a state data breach law, Alabama is considering legislation that requires certain entities, “covered entities,” to report to state agencies and affected individuals when there has been an unauthorized acquisition of “electronic, sensitive personally identifying information.”
On March 1, 2018, the Alabama Senate passed SB318, and if passed by the House and signed by the Governor, it would require “covered entities” to notify Alabama’s Attorney General, Alabama residents whose information has been compromised, and consumer credit-reporting agencies of a data breach. For health care providers covered by the Health Insurance Portability and Accountability Act (“HIPAA”), federal law already requires notification when they experience unauthorized disclosures of protected health information. In addition to HIPAA’s breach notification requirements, the new Alabama law would require reporting at the state level for healthcare providers who experience a data breach. It is important to note that the term “covered entities” in the proposed legislation is much broader and applies to persons or business entities that acquire or use personally identifiable information.
Investigation and Reporting
Under SB318, a covered entity is required to investigate any data breach and in some instances report the breach. The investigation must include:
- an assessment of the nature and scope of the breach,
- identification of any sensitive personally identifying information involved and the individuals involved,
- a determination as to whether the information was acquired by an unauthorized individual and could result in substantial harm, and
- identification and implementation of measures to restore the security and confidentiality of the system involved in the breach.
It is the second factor that determines whether the breach is reportable: Is the sensitive information reasonably believed to have been acquired by an unauthorized person? And is the unauthorized acquisition reasonably likely to cause substantial harm to the individuals?
The law sets forth four factors to consider when evaluating whether the information is “reasonably believed” to have been acquired by an unauthorized individual. In making this determination, the covered entity must evaluate “indications that the information is in the physical possession and control of a person without valid authorization, such as a lost or stolen computer or other device containing information; indications that the information has been downloaded or copied; indications that the information was used by an unauthorized person, such as fraudulent accounts opened or instances of identity theft reported; and whether the information has been made public.” Unfortunately, the law does not provide guidance on whether the breach is reasonably likely to cause substantial harm to the affected individual.
Even if a breach is not a reportable event, the covered entity must maintain relevant records for at least five years. For instance, if the covered entity determines that the breach is not reasonably likely to cause substantial harm, then no notification is required, but the entity should keep all records related to the breach, and its determination that notification was not necessary, for five years following the incident.
Required Security Measures
The proposed legislation also requires covered entities to implement “reasonable security measures” to protect an individual’s data. Similar to HIPAA, the bill requires the covered entity to designate an employee to coordinate security measures (i.e., the equivalent of a HIPAA Security Officer) and to identify risks of data breaches. Recognizing that not all covered entities face the same risks or have the same resources, the required “reasonable” security measures should take into account the size of the covered entity, the amount of data maintained and stored by the covered entity, and the cost of implementing security measures. This is good news for healthcare providers: if a healthcare provider has already performed the security and risk assessments required under HIPAA, it should easily meet the standards required in SB318.
Information that Triggers Notification
Not all information qualifies as “sensitive personally identifying information.” To meet this definition, the accessed information must consist of the individual’s first name or initial and last name in combination with any one of these data elements:
- A non-truncated (i.e., not shortened) Social Security or tax identification number;
- Non-truncated driver’s license, state-issued identification card number, passport number, military identification number or any unique, government-issued number used to verify identity;
- A financial account, credit or debit card number along with a required security code, expiration date, PIN, access code or password necessary to access a financial account or conduct a transaction;
- Individual medical or mental history or treatment information;
- A health insurance policy or identification number; and
- A username or email address along with a password or security question and answer that gives access to an online account that is likely to contain sensitive personal information.
Elements and Method of Notification
If the investigation concludes that notification must be made, the covered entity must provide notification as “expeditiously as possible but no more than 45 days after the determination of the breach.” The notification may be made by mail or email and must include the following elements:
- The date, estimated date, or estimated date range of the breach;
- A description of the sensitive personally identifying information that was acquired by an unauthorized person as part of the breach;
- A general description of the actions taken by a covered entity to restore the security and confidentiality of the personal information involved in the breach;
- A general description of steps a consumer can take to protect himself or herself from identity theft; and
- Information that the individual can use to contact the covered entity to inquire about the breach.
Penalties
The legislation also includes penalties for failing to provide the required notifications, including a potential violation of the Alabama Deceptive Trade Practices Act (“ADTPA”). The ADTPA penalties would apply to willful or reckless disregard of the notification requirements. Civil money penalties are capped at $5,000 per day for each consecutive day the covered entity fails to comply with the notice provisions, and there is a $500,000 cap for violations under the ADTPA. A violation does not constitute a criminal offense and does not provide for a private right of action. In other words, a patient or consumer cannot sue the covered entity for the breach.
The bill is currently pending before the Alabama House of Representatives as bill number HB410.
Article contributed by Burr & Forman, LLP. Burr & Forman, LLP, is a partner with the Medical Association.