Data Breach Response Requirements
I. PURPOSE
Various laws establish information security standards and mandate certain responses (e.g., notification) in the event of a breach of personally identifiable information (PII) or other sensitive information. This memo outlines the current requirements and standards applicable to BYU–Hawaii's response to data breaches.
II. HISTORY
In 2016 alone, hundreds of millions of records were stolen from institutions as prominent as the U.S. Department of Justice, Yahoo, and Verizon.[1] The growth of electronic recordkeeping and the frequency of data breaches have led lawmakers to legislate data security standards for PII and other sensitive information. Numerous federal statutes and regulations address the privacy rights of individuals, security standards, and breach notification requirements. In addition, the laws of various states require entities that store or process PII to notify the owners of the information in the event of a security breach.
III. APPLICABILITY TO BYU–Hawaii
Like most universities, BYU–Hawaii maintains a large volume of PII and other sensitive information regarding students, faculty, staff, alumni, applicants, customers, and others. Inadvertent disclosure of this information or failure to respond properly to a data breach may violate state law, federal law, and/or industry standards, and may subject the university to adverse publicity, fines, and/or lawsuits.
Generally, BYU–Hawaii is subject in part to Hawaii Revised Statutes (HRS) chapter 487N, Security Breach of Personal Information, and to various federal laws, including the Health Insurance Portability and Accountability Act (HIPAA), the Family Educational Rights and Privacy Act (FERPA), the Red Flags Rule under the Fair and Accurate Credit Transactions Act (FACTA), and the Gramm-Leach-Bliley Act (GLBA). BYU–Hawaii also has agreed to comply with certain standards, including the Payment Card Industry (PCI) Data Security Standard, and may be required in certain instances to comply with security standards established by the National Institute of Standards and Technology (NIST). As outlined below, each of these laws and standards includes requirements and/or guidelines relevant to BYU–Hawaii's response to data breaches.
IV. REQUIREMENTS
A. Security Breach of Personal Information – HRS
HRS chapter 487N, Security Breach of Personal Information, sets specific requirements for safeguarding personal information of Hawaii residents and for responding to data breaches involving it. It applies to any business or government agency that owns, licenses, or maintains "personal information": an individual's name in combination with a data element such as a Social Security number, a driver's license or state identification card number, or a financial account or payment card number together with any required access code or password, where either the name or the data element is unencrypted or not otherwise rendered unreadable.
Under HRS §487N-2, "[a]ny business that owns or licenses personal information of residents of Hawaii, any business that conducts business in Hawaii that owns or licenses personal information in any form . . . or any government agency that collects personal information for specific government purposes shall provide notice to the affected person that there has been a security breach following discovery or notification of the breach." A security breach is defined as "an incident of unauthorized access to and acquisition of unencrypted or unredacted records or data containing personal information where illegal use of the personal information has occurred, or is reasonably likely to occur and that creates a risk of harm to a person." This definition matters when scoping a response: encrypted or properly redacted data falls outside it, but the practical test is whether the intruder could read the data, so do not rely on the encryption exclusion if the decryption key or process was exposed along with the records.
The notice shall include a description of the following:
1. The incident in general terms;
2. The type of personal information that was subject to the unauthorized access and acquisition;
3. The general acts of the business or government agency to protect the personal information from further unauthorized access;
4. A telephone number that the person may call for further information and assistance, if one exists; and
5. Advice that directs the person to remain vigilant by reviewing account statements and monitoring free credit reports.
Notice may be provided in any of the following ways:
a) Written notice to the last available address;
b) Electronic mail notice;
c) Telephone notice;
d) Substitute notice, available only where the statute's conditions are met (the cost or number of persons to be notified exceeds the statutory thresholds, or the entity lacks sufficient contact information), consisting of all of the following: electronic mail notice where the entity has an email address for the person, conspicuous posting of the notice on the entity's website, and notification to major statewide media.
B. Health Insurance Portability and Accountability Act (HIPAA)
HIPAA regulates the use and disclosure of Protected Health Information (PHI) held by covered entities. Health information includes any information created or received by a health care provider, health plan, employer, school or university, or similar entity that relates to the past, present, or future physical or mental health of an individual, the provision of health care to the individual, or payment for that care. A university is a covered entity only to the extent it acts as a health care provider (or health plan) that conducts standard electronic health care transactions, and student records held by a campus health service that qualify as FERPA education or treatment records are excluded from the definition of PHI. Covered entities are required to ensure PHI remains confidential and is protected against reasonably anticipated threats and impermissible disclosures. The Security Rule lets the university use any security measures that reasonably and appropriately implement its standards, which comprise administrative, physical, and technical safeguards as well as organizational and documentation requirements.
HIPAA requires covered entities to provide notice of breaches of unsecured PHI to affected individuals, to the Department of Health and Human Services (HHS), and in some cases to the media, without unreasonable delay and in no case later than 60 calendar days after discovery. A breach is treated as "discovered" on the first day it is known, or by exercising reasonable diligence would have been known, to any workforce member or agent of the entity other than the person who committed the breach. In practice the clock can therefore start with a help-desk ticket or a system administrator's observation, not with the formal incident declaration.
1. Notification of Individuals
Separately from the notice of privacy practices that tells individuals how their PHI may be used and disclosed, a covered entity that discovers a breach of unsecured PHI must notify each individual whose PHI has been, or is reasonably believed to have been, accessed, acquired, used, or disclosed, without unreasonable delay and in no case later than 60 calendar days after the breach is discovered. ("Unsecured" PHI is PHI that has not been rendered unusable, unreadable, or indecipherable through encryption or destruction consistent with HHS guidance; PHI properly encrypted under that guidance is outside the notification rule, which is the main reason to encrypt PHI at rest and in transit.) The notification must include, to the extent possible, the following:
1. a brief description of what happened, including the date of the breach and its discovery;
2. a description of the types of unsecured PHI that were involved in the breach;
3. any steps individuals should take to protect themselves from potential harm from the breach;
4. a brief description of what the covered entity involved is doing to investigate the breach, mitigate harm, and protect against further breaches; and
5. contact procedures for individuals to ask questions or learn additional information including a tollfree telephone number, an email address, web site, or postal address.
A written notification must be delivered in plain language to each individual whose PHI has been breached. This written notification must be delivered by first-class mail to the individual’s last known address, or by email if the individual has consented to receiving notifications electronically. If the covered entity knows that the individual whose PHI has been breached is deceased, the entity must send written notification via first-class mail to the next of kin or to a personal representative.
If the contact information for the individual is out-of-date or insufficient, the covered entity may deliver a substitute notice. If there is insufficient or out-of-date information for fewer than ten individuals, the substitute notice may be provided by an alternative form of written notice, by telephone, or by other means. If information is insufficient for ten or more individuals, the substitute notice must be posted conspicuously on the home page of the entity's website for ninety days, or published in major print or broadcast media in the areas where the affected individuals likely reside. This notice must include a toll-free phone number, active for at least ninety days, that allows individuals to learn whether their PHI was involved in the breach. A substitute notice does not need to be delivered to a next of kin or personal representative if the covered entity has insufficient contact information for a deceased individual.
If a covered entity determines that a breach requires urgent notification because of possible imminent misuse of unsecured PHI, the entity may contact individuals by telephone or other appropriate means in addition to the written notification that is required.
2. Notification to the Secretary of Health and Human Services
If a covered entity discovers a breach of unsecured PHI, the entity must notify the Secretary of the U.S. Department of Health and Human Services (HHS). If the breach involves 500 or more individuals, the covered entity must notify the Secretary contemporaneously with the notices to the affected individuals, that is, without unreasonable delay and no later than sixty calendar days from discovery of the breach, unless delayed at the request of law enforcement. The notice must be submitted electronically via the form provided on the HHS website.
If the breach involves fewer than 500 individuals, the covered entity must log the breach and notify the Secretary of HHS no later than sixty days after the end of the calendar year in which the breach was discovered. Information about the breach must be reported online using the form described above.
3. Notification to the Media
If a breach of unsecured PHI involves more than 500 residents of a State or jurisdiction, a covered entity must notify prominent media outlets serving the geographic area within sixty calendar days of the breach’s discovery, unless the notification is delayed due to needs of law enforcement officials. This notification must include all information necessary to notify the individual described above.
C. Family Educational Rights and Privacy Act of 1974 (FERPA)
The purpose of FERPA is to protect parent and student privacy and to limit disclosures of personal information without consent. FERPA applies to educational agencies and institutions that receive funds under any program administered by the U.S. Department of Education, which includes every university that participates in Title IV federal student aid under the Higher Education Act of 1965 (e.g., Pell Grants and federal student loans). Under FERPA, the university must allow students to inspect and review their education records, have an opportunity to seek amendment of their education records, and control disclosures of their education records.
FERPA itself does not specifically mandate that institutions notify individuals whose education records have been breached, although an unauthorized disclosure can itself be a FERPA violation that the Department may investigate. The U.S. Department of Education (ED) strongly encourages institutions to safeguard student information and has published several best practices for safeguarding student privacy, including guidance on responding to data breaches. For example, ED's Privacy Technical Assistance Center has prepared a Data Breach Response Training Kit, which provides an interactive exercise aimed at improving institutions' data breach response procedures.
D. Fair and Accurate Credit Transactions Act of 2003 (FACTA) – the Red Flags Rule
The Fair and Accurate Credit Transactions Act of 2003 (FACTA) is intended to ensure the confidentiality, accuracy, relevancy, and proper use of credit information by consumer reporting agencies as well as to ensure the detection, prevention, and mitigation of identity theft. FACTA's Red Flags Rule requires creditors and financial institutions that hold covered accounts to establish and maintain a written identity theft prevention program that identifies, detects, and responds to red flags. (Universities commonly qualify as creditors because they defer payment for tuition or administer institutional loans.) Red flags are patterns, practices, or specific activities that indicate the possibility of identity theft. Among other things, an institution's identity theft program must "respond appropriately to any red flags that are detected … to prevent and mitigate identity theft."
The regulations implementing FACTA include a set of interagency "guidelines" that an institution "must consider" and, where "appropriate", must incorporate into its identity theft program. According to these guidelines, in identifying red flags an institution should consider the types of covered accounts it offers or maintains, the methods it provides to open and access those accounts, and its previous experiences with identity theft. Institutions also should incorporate relevant red flags from the following sources:
1. incidents of identity theft the institution has experienced;
2. possible methods of identity theft that the institution has identified as an identity theft risk;
3. applicable supervisory guidance;
4. alerts and other warnings from consumer reporting agencies and other service providers;
5. the presentation of suspicious documents or personally identifying information; and,
6. notifications from customers, victims of identity theft, and law enforcement agencies.
Under the same guidelines, an institution’s “policies and procedures should provide for appropriate responses to the Red Flags,” which “are commensurate with the degree of risk posed.” “In determining an appropriate response to [red flags, an institution] should consider aggravating factors that may heighten the risk of identity theft, such as a data security incident that results in unauthorized access to a customer’s account records.” Appropriate responses to red flags may include, among other possible steps, monitoring covered accounts; contacting consumers; notifying law enforcement agencies; changing passwords, security codes, or other security devices; not opening a new covered account; or closing existing covered accounts. Institutions also may determine that “no response is warranted under the particular circumstances.”
E. Gramm-Leach-Bliley Act (GLBA)
Universities that offer financial products or services (e.g., institutional student loans and other financial aid programs) are considered financial institutions regulated by the GLBA. Under GLBA regulations implemented by the Federal Trade Commission (FTC), financial institutions must safeguard and respect the privacy of consumer financial information. The FTC's Privacy Rule provides that institutions of higher education that comply with FERPA are deemed to comply with the GLBA Privacy Rule, but they still must meet the separate GLBA Safeguards Rule.
At the time of this memo the GLBA and its regulations contain no specific security breach notification requirement, but the law does require covered entities to develop, implement, and maintain reasonable administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of customer information. (The FTC has since amended the Safeguards Rule: the 2021 amendments require, among other controls, a written incident response plan, and an amendment effective in May 2024 requires notifying the FTC within 30 days of discovering a breach involving unencrypted customer information of at least 500 consumers.) In developing these safeguards, the FTC has indicated that institutions "should consider" a number of best practices, including taking the following specific steps to diagnose and respond to security incidents:
1. “take immediate action to secure any information that has or may have been compromised”;
2. “preserve and review files or programs that may reveal how the breach occurred”;
3. “if feasible and appropriate, bring in security professionals to help assess the breach”;
4. “notify consumers if their personal information is subject to a breach that poses a significant risk of identity theft or related harm”;
5. “notify law enforcement if the breach may involve criminal activity or there is evidence that the breach has resulted in identity theft or related harm”; and
6. “notify the credit bureaus and other businesses that may be affected by the breach”
The FTC also has published a Data Breach Response Guide for Business, which contains additional recommendations on how to respond to a data breach.
F. Additional Security Standards Relevant to Data Breaches
1. Payment Card Industry Data Security Standard
The Payment Card Industry Data Security Standard (PCI DSS) was created by the major card brands to establish a single set of data security requirements that could be implemented globally to protect payment cardholder data. The PCI DSS sets minimum requirements for protecting account data. Compliance is not mandated by statute, but it is required contractually through a merchant's agreement with its acquiring bank and the card brands; noncompliance or a compromise can result in card brand fines passed on to the merchant by the acquirer, increased transaction fees, or loss of the ability to accept cards.
To comply with the PCI DSS, a merchant must "establish, publish, maintain, and disseminate a security policy." In doing so, the merchant must maintain a risk-assessment process that identifies critical assets, threats, and vulnerabilities and documents the results. Among other requirements, merchants must review logs and security events daily, and must retain audit log history for at least one year, with the most recent three months immediately available for analysis in the event of a security breach.
A merchant also must have and implement an incident response plan and be prepared to respond immediately to a system breach. The incident response plan must address the following, at a minimum:
1. roles, responsibilities, and communication and contact strategies in the event of a compromise including notification of the payment brands, at a minimum;
2. specific incident response procedures;
3. business recovery and continuity procedures;
4. data backup processes;
5. analysis of legal requirements for reporting compromises;
6. coverage and responses of all critical system components; and
7. reference or inclusion of incident response procedures from the payment brands.
Merchants also must review and test each of these elements of the incident response plan at least annually.
2. National Institute of Standards and Technology (NIST) Standard
The National Institute of Standards and Technology (NIST), part of the U.S. Department of Commerce, publishes the security requirements in NIST Special Publication 800-171 (the NIST Standard) for protecting "controlled unclassified information" (CUI) in nonfederal systems and organizations. CUI is not simply any non-public information; it is unclassified information that a law, regulation, or government-wide policy requires to be safeguarded or subject to dissemination controls (for example, certain student financial aid and research data received from a federal agency). The U.S. Department of Education "strongly encourages" institutions of higher education to comply with the NIST Standard. Also, contractors that handle covered defense information under agreements with the U.S. Department of Defense were required to comply with the NIST Standard by no later than December 31, 2017.
The NIST standard includes specific requirements that fall within various data security categories, one of which is incident response. To comply with the incident response requirements of the NIST standard, organizations must do the following:
1. Establish an operational incident-handling capability for information systems, which includes adequate preparation, detection, analysis, containment, recovery, and user response activities;
2. Track, document, and report incidents to appropriate officials and/or authorities both internal and external to the organization; and
3. Test the organizational incident response capability.
V. COMPLIANCE CALENDAR
Under Hawaii law, upon becoming aware of a security breach the university must determine the scope of the breach, restore the integrity, security, and confidentiality of the affected system, and notify affected Hawaii residents without unreasonable delay, consistent with the legitimate needs of law enforcement. If more than 1,000 persons are notified at one time, the university also must notify in writing the State of Hawaii Office of Consumer Protection and the consumer reporting agencies.
Under HIPAA, without unreasonable delay and no later than 60 calendar days after a breach of unsecured PHI is discovered, the university must provide notification to each individual whose information has been compromised and, if the breach involves 500 or more individuals, to the Secretary of HHS; if the breach involves more than 500 residents of any one state or jurisdiction, the university must also notify prominent media serving that area within the same period. If the breach involves fewer than 500 individuals, the university must log it and notify the Secretary of HHS within 60 days after the end of the calendar year in which the breach was discovered.
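The thresholds and deadlines summarized above are easy to get wrong under pressure (the HHS threshold is "500 or more" while the media threshold is "more than 500" in a single state, and the small-breach report is keyed to the year of discovery). The following Python script is an added example, not part of this memo or of any agency tooling, that encodes those rules from 45 CFR 164.404, 164.406, 164.408 and 164.412 and from HRS §487N-2 as a deadline calculator. The class and function names are the example's own, the law-enforcement hold is modeled simply as a written request that pushes the outer limit out, and the breach scenario in the main block is constructed.

```python
"""Breach-notification obligation calculator.

Added example, not part of the memo. Encodes the HIPAA Breach Notification
Rule thresholds (45 CFR 164.404, 164.406, 164.408, 164.412) and the HRS
chapter 487N notice rules summarized in the compliance calendar. Class and
function names are the example's own; the scenarios in __main__ are constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Union

HIPAA_OUTER_LIMIT = timedelta(days=60)  # no later than 60 calendar days after discovery
HIPAA_HHS_NOW_THRESHOLD = 500            # 500 or more individuals: HHS notice with the individual notices
HIPAA_MEDIA_THRESHOLD = 500              # more than 500 residents of one state: media notice
HRS_AGENCY_THRESHOLD = 1000              # HRS 487N-2(f): more than 1,000 notices -> OCP and credit bureaus


def _to_date(d: Union[str, date, None]) -> Optional[date]:
    return date.fromisoformat(d) if isinstance(d, str) else d


@dataclass
class Breach:
    discovered: Union[str, date]        # first day the breach was known, or should have been known
    unsecured_phi: bool                 # False if the PHI was encrypted/destroyed per HHS guidance
    phi_by_state: Dict[str, int]        # state code -> individuals whose PHI was involved
    hawaii_pii_residents: int           # Hawaii residents whose HRS 487N personal information was involved
    law_enforcement_hold_until: Union[str, date, None] = None  # written request to delay notice

    def __post_init__(self):
        self.discovered = _to_date(self.discovered)
        self.law_enforcement_hold_until = _to_date(self.law_enforcement_hold_until)


@dataclass
class Obligation:
    authority: str            # "HIPAA" or "HRS 487N"
    recipient: str
    deadline: Optional[date]  # None: no fixed statutory date ("without unreasonable delay")
    note: str


def _outer_limit(b: Breach) -> date:
    # A documented law-enforcement hold extends the outer limit; it never shortens it.
    limit = b.discovered + HIPAA_OUTER_LIMIT
    hold = b.law_enforcement_hold_until
    return hold if hold and hold > limit else limit


def hipaa_obligations(b: Breach) -> List[Obligation]:
    total = sum(b.phi_by_state.values())
    if not b.unsecured_phi or total == 0:
        return []  # safe harbor: notification duties attach only to *unsecured* PHI
    limit = _outer_limit(b)
    obs = [Obligation("HIPAA", "affected individuals", limit,
                      "without unreasonable delay; 60 days is an outer limit, not a safe harbor")]
    if total >= HIPAA_HHS_NOW_THRESHOLD:
        obs.append(Obligation("HIPAA", "HHS Secretary", limit,
                              "contemporaneously with the individual notices, via the HHS web form"))
    else:
        year_end = date(b.discovered.year, 12, 31)
        obs.append(Obligation("HIPAA", "HHS Secretary", year_end + HIPAA_OUTER_LIMIT,
                              "log the breach; report within 60 days after the calendar year of discovery"))
    for state, n in sorted(b.phi_by_state.items()):
        if n > HIPAA_MEDIA_THRESHOLD:
            obs.append(Obligation("HIPAA", f"prominent media serving {state}", limit,
                                  "more than 500 residents of one state or jurisdiction"))
    return obs


def hrs_obligations(b: Breach) -> List[Obligation]:
    if b.hawaii_pii_residents == 0:
        return []
    hold = b.law_enforcement_hold_until
    timing = "without unreasonable delay"
    if hold:
        timing += f", but not before the law-enforcement hold ends on {hold.isoformat()}"
    obs = [Obligation("HRS 487N", "affected Hawaii residents", None, timing)]
    if b.hawaii_pii_residents > HRS_AGENCY_THRESHOLD:
        obs.append(Obligation("HRS 487N",
                              "Hawaii Office of Consumer Protection and consumer reporting agencies",
                              None, "written notice required when more than 1,000 persons are notified"))
    return obs


def notification_obligations(b: Breach) -> List[Obligation]:
    return hipaa_obligations(b) + hrs_obligations(b)


if __name__ == "__main__":
    # Constructed scenario: clinic records of 700 Hawaii and 400 California patients, discovered 2023-11-15.
    for o in notification_obligations(Breach("2023-11-15", True, {"HI": 700, "CA": 400}, 700)):
        print(f"{o.authority:8} {o.recipient:<70} {o.deadline}  {o.note}")
```

Running the constructed scenario yields individual, HHS, and Hawaii media notices all due by 2024-01-14 and an HRS notice to Hawaii residents with no fixed date; changing the California count to 600 adds a second media notice, and dropping the total under 500 moves the HHS report to 60 days after year end. The script is a planning aid only: a counsel review still decides whether an incident meets each statute's breach definition.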