When a data breach occurs and sensitive information is disclosed, the HIPAA Breach Notification Rule requires affected individuals to be notified. The FTC Health Breach Notification Rule also has breach reporting requirements, and all 50 states have enacted data breach notification laws. What is lacking in many of these regulations – at both the federal and state level – is what these notification letters must include.
Just a few years ago, the majority of breach notification letters contained reasonably detailed information about the breach, but it is now much more common for victims of data breaches to be provided with the bare minimum information to comply with federal and state regulations, which makes it difficult for the individuals affected to accurately gauge the level of risk they face.
While it was common for ransomware attacks to be reported as such, these are increasingly reported as hacking incidents with no mention of file encryption or data theft. Even when attacks involved the theft of sensitive data and the publication of that information on data leak sites, victims are often told that the attackers may have accessed or obtained their data.
The 2022 Data Breach Report from the Identity Theft Resource Center (ITRC) has confirmed this trend. In 2022, two-thirds of data breach notices lacked the necessary information to allow individuals and businesses affected by those data breaches to accurately assess potential risk. In 2022, only 34% of breach notices included victim and attack details, the lowest percentage in the past 5 years. To put that figure into perspective, in 2019, almost 100% of notices included attack details, and 72% of notices included both attack and victim details. This is a worrying trend.
According to the ITRC, for most of the past 20 years, data breach notices have included sufficient detail to allow breach victims to accurately gauge risk, but since Q4, 2021, the information included in data breach notices has been reducing and that trend accelerated throughout 2022. In 2022, 747 of the 1,802 data breaches for which ITRC had information did not specify the root cause of the event, even though 1,595 compromises were linked to cyberattacks.
“A sudden lack of transparency in the content of data breach notices created risk for victims and fueled uncertainty about the true scale and impact of data compromises,” said Eva Velasquez, CEO, ITRC. “The result is Individuals are largely unable to protect themselves from the harmful effects of data compromises which are fueling an epidemic – a “scamdemic” – of identity fraud committed with stolen or compromised information.”
The reason for the sudden decline in transparency is unclear, although there are several theories. It is now far more common for lawsuits to be filed following data breaches, especially healthcare data breaches. While legal action was typically reserved for the largest data breaches, now it is common for multiple lawsuits to be filed in response to a data breach within days of the notification letters being sent, oftentimes even when there has been no misuse of stolen data.
There have been many rulings by federal courts dismissing lawsuits due to the failure to provide evidence of actual harm. In many states, it is not possible to sue for an increased risk of future harm due to the exposure of personal data. This could be one of the main reasons why breached entities are now reluctant to disclose detailed information about data breaches, as it could reveal information that could be used in a lawsuit against the company, even though the lack of information for breach victims increases the risk of actual harm being caused.
The ITRC draws attention to several data breaches at companies that made a conscious decision to withhold information about their data breaches, including Samsung, DoorDash, and LastPass. The information disclosed in the data breach notifications was sufficient to meet state requirements yet provided little in the way of information to help victims of the breaches assess risk. The LastPass data breach was a good case in point. Notifications were issued in August 2022 about a data breach involving source code and internal documentation. It took until December for it to be confirmed that the only customer information that had not been breached was the master password for password vaults and for it also to be confirmed that its parent company, GoTo, has also been breached. It is still unknown how many of its customers were affected.
ITRC also suggested that the large number of security incidents now occurring, and the sophistication of these attacks, can make it difficult to quickly determine the cause, the individuals affected, and the potential consequences of those breaches. The economic downturn has resulted in restructuring and reprioritization of budgets, so when forensic analyses of data breaches are undertaken, fewer resources can be devoted to the task, which can increase the time taken to determine what has happened. If data breach reporting requirements demand prompt notifications, those notifications could be issued before detailed information is available about the breach.
In 2022, 1,802 data breaches were tracked by ITRC, the second-highest total of any year since the ITRC started tracking and reporting on data breaches, and the records of at least 422 million individuals were compromised, which means millions of individuals have been left in the dark about the nature of the exposure of their sensitive data and are consequently unable to accurately assess the level of risk they face.
As well as helping consumers determine what actions they need to take to protect themselves against fraud, more accurate reporting would make it far easier to obtain accurate data breach statistics to determine trends. That information would help policymakers make better decisions about where to allocate resources to combat the root cause of these data breaches.
At the federal and state level, laws place the burden of assessing risk on the individuals affected by data breaches, yet compromised organizations are generally not required to provide the information that allows accurate risk assessments to be made. Updating state laws to require certain information about data breaches to be made public could help consumers make better choices about precautions to take to protect against fraud; however, it may not prove to be enough of an incentive to improve reporting, unless compliance was aggressively enforced.
There are federal laws requiring notifications about data breaches, but even these are not being actively enforced in their current form. The FTC has not enforced the Health Data Breach Notification Rule for years and it is rare for the HHS’ Office for Civil Rights (OCR) to impose financial penalties for Breach Notification Rule failures, even when notifications have been issued many months after a data breach was detected. It is difficult to imagine OCR imposing penalties due to the lack of information in breach notices.
The post Organizations Increasingly Opaque About Cause of Data Breaches appeared first on HIPAA Journal.