On June 24, 2013, the European Commission (EC) issued new rules requiring telecom operators and Internet Service Providers (ISPs) to provide data breach notification to regulators within 24 hours of detection. In the U.S., the Department of Health and Human Services (HHS) issued a proposed rule on June 19, 2013 that would require certain entities to report privacy and security incidents within one hour of discovery. Although these are hardly the only two examples where immediate notification is required, these developments highlight the recent trend by regulators to require breach reporting more quickly.
In the EU, telecoms and ISPs have been required to report breaches to national authorities and subscribers since 2011. The new rule, however, clarifies that telecoms and ISPs must provide such notification to national authorities within 24 hours of detection. If full disclosure is not possible within 24 hours, the entity must still provide an initial set of information within 24 hours and follow up within three days. The notification must outline what information was affected and the remediation efforts that are being undertaken. To incentivize companies to encrypt data, the EC also intends to publish a list of technological protection measures, such as encryption, which would provide a safe harbor from individual notification obligations if implemented. This development aligns the EU with certain laws in the U.S. (such as the Health Insurance Portability and Accountability Act (HIPAA) and some state laws) as well as other countries, which provide exemptions from notification obligations if a breach only involves information that has been rendered unintelligible through encryption or comparable means.
In the U.S., HHS has continued to issue rules regarding the health exchanges that will begin operating later this year pursuant to the Patient Protection and Affordable Care Act (ACA). Under the proposed rule, HHS intends to require federally-facilitated exchanges (FFE), non-Exchange entities associated with FFEs, and State Exchanges to “report all privacy and security incidents and breaches to HHS within one hour of discovering the incident or breach.” Non-Exchange entities associated with a State Exchange must report all privacy and security incidents and breaches to the State Exchange with which they are associated. HHS considered, but declined to adopt breach reporting standards set forth in HIPAA and implementing regulations because HIPAA covers a narrower set of information. Specifically, HIPAA covers “protected health information” (PHI), which refers to information about health status, treatment, or payment that can be used to identify an individual. PHI, however, is merely a subset of the broader category of “personally identifiable information” (PII) that is the subject of the proposed rule. Moreover, HHS concluded that HIPAA would not provide broad enough protection to satisfy the requirements under other laws to which HHS is subject, such as the Privacy Act and the e-Government Act. HHS instead adopted definitions that mimic those set forth in OMB Memorandum M–07–16. Comments are due regarding this proposed rule by July 19, 2013.
These recent developments continue the trend to require entities to report breaches faster and more often, and further emphasize the need for affected organizations to have breach notification policies and procedures established in advance.