Data breaches are a serious threat to any organization that handles sensitive or personal information. Data breaches can result in financial losses, reputational damage, legal liability, and regulatory penalties. Therefore, it is essential for organizations to have a robust data breach response plan that includes notifying the affected parties and conducting forensic investigations.
However, different industries and jurisdictions may have different requirements for data breach notifications and forensic investigations. Below, we review some of the most common and relevant regulations that apply to various industries and regions, and highlight their key requirements for data breach notifications and forensic investigations.
HIPAA
The Health Insurance Portability and Accountability Act (HIPAA) is a federal law that protects the privacy and security of health information in the United States. HIPAA applies to covered entities (such as health care providers, health plans, and health care clearinghouses) and their business associates (such as vendors, contractors, and service providers) that handle protected health information (PHI).
Under HIPAA, covered entities and business associates must notify the affected individuals, the Department of Health and Human Services (HHS), and in some cases, the media, of any breach of unsecured PHI. A breach is defined as an impermissible use or disclosure of PHI that compromises its security or privacy. Unsecured PHI is PHI that is not rendered unusable, unreadable, or indecipherable to unauthorized persons through encryption or destruction.
The notification must be made without unreasonable delay and in no case later than 60 days after the discovery of the breach. The notification must include a brief description of the breach, the types of information involved, the steps taken to mitigate the harm, the steps individuals should take to protect themselves, and the contact information of the entity.
In addition to notifying the affected parties, covered entities and business associates should also conduct a thorough forensic investigation of the breach to determine its scope, impact, cause, and remediation. Any investigations must be documented and retained for at least six years.
PCI DSS
The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards that applies to any organization that processes, stores, or transmits cardholder data (such as credit card numbers, expiration dates, and security codes). PCI DSS is enforced by the payment card brands (such as Visa, Mastercard, American Express, and Discover) through their contractual agreements with merchants and service providers.
Under PCI DSS, merchants and service providers must report any suspected or confirmed breach of cardholder data to their payment card brand(s) within 24 hours of discovery. The report must include a description of the incident, the number of accounts affected, the actions taken to contain and eradicate the breach, and the contact information of the entity.
In addition to reporting the breach, merchants and service providers must also conduct a forensic investigation of the breach to determine its scope, impact, cause, and remediation. The investigation must be performed by a PCI Forensic Investigator (PFI), which is a qualified security assessor (QSA) that has been approved by the payment card brands to conduct forensic investigations.
GDPR
GDPR (General Data Protection Regulation) regulates the processing of personal data in the European Union. Data controllers must report a breach to their supervisory authority within 72 hours of discovery. In cases where the breach poses a high risk to individuals, the affected data subjects must also be notified.
Organizations must conduct an investigation to establish the scope and impact of the breach, as well as identify and remediate any vulnerabilities that led to the incident.
CCPA
Some states have enacted their own laws that impose such requirements. For example, the CCPA (California Consumer Privacy Act) is a comprehensive data privacy law that applies to businesses that collect, use, or share personal information of California residents. The CCPA grants California residents various rights over their personal information, such as the right to access, delete, opt-out, and sue for damages.
The CCPA also imposes data breach notification obligations on businesses that experience a breach of security safeguards involving personal information under their control.
The CCPA requires businesses to notify the affected individuals and the Attorney General of California of any breach of security safeguards that creates a reasonable likelihood of harm to consumers. The notification must be made in the most expedient time possible and without unreasonable delay, unless otherwise instructed by law enforcement.
The notification must be written in plain language and should include the following information :
- The name and contact information of the reporting business
- A list of the types of personal information that were or are reasonably believed to have been involved in the breach
- A general description of the incident
- The approximate date of the breach
- The remedial actions taken by the business
- Advice on steps that individuals may take to protect themselves from potential harm
Additionally, if more than 500 California residents are affected by a single breach, the business must submit an electronic copy of the notification to the Attorney General .
The CCPA also provides a private right of action for consumers whose personal information is subject to a breach of security safeguards due to a business's failure to implement reasonable security measures. Consumers can seek statutory damages ranging from $100 to $750 per consumer per incident, or actual damages, whichever is greater . Consumers can also seek injunctive or declaratory relief, or any other relief that the court deems proper.
While not explicitly required, organizations should conduct an investigation to determine the cause, scope, and impact of the breach to mitigate potential civil penalties.
PIPEDA
PIPEDA (Personal Information Protection and Electronic Documents Act) is a federal law that applies to private sector organizations that collect, use or disclose personal information in the course of commercial activities across Canada, as well as to federal works, undertakings and businesses. PIPEDA sets out rules for how organizations must handle personal information, including how they must protect it from unauthorized access, use or disclosure.
Under PIPEDA, organizations have a legal obligation to report data breaches that pose a real risk of significant harm to individuals to the Office of the Privacy Commissioner of Canada (OPC) and to notify affected individuals as soon as feasible. Significant harm can include bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on credit records and damage to or loss of property.
Organizations must also keep a record of all data breaches that they become aware of and provide it to the OPC upon request. The record must contain sufficient information to enable the OPC to verify compliance with the reporting and notification requirements.
We’ve published detailed playbooks on how to respond to security incidents in both AWS and Azure.
Cloud Investigations
