This article is part of an ongoing series on privacy program metrics and benchmarking for incident response management brought to you by RADAR. Find earlier installments of this series here.
The privacy regulatory landscape grows more complex with each passing year. 2018 alone was notable: new international regulations took effect, all 50 U.S. states now have their own flavor of data breach notification law, and numerous amendments added stringency and specificity to breach notification obligations. Recent trends in data breach notification law include an expanding definition of personal information (now often covering health information and online credentials), more specific notification timelines, more granular requirements for notification content and, in the U.S., more frequent requirements to notify state attorneys general.
With these additional and more extensive requirements comes yet another nuance: exceptions to notification obligations, meaning scenarios in which the law stipulates that no notification is required provided certain criteria are met. Exceptions range from encryption or redaction of the data to "good faith" acquisition of data, and in each case the organization must be able to show, through a compliant multi-factor incident risk assessment, that the risk to affected individuals has been sufficiently mitigated. But how often do these exceptions apply in the real world? This is the question we will explore in this month's benchmarking article installment.
An exception to every rule? It’s complicated
As stringent as privacy regulations are, they all allow for notification obligation exceptions to varying degrees. Because each regulation differs in its exception allowances, it is essential that every incident involving regulated data undergo a compliant and consistent multi-factor risk of harm assessment. That assessment must take into account the nature of the personal data exposed, any applicable exceptions, and the other nuances of the law in order to quantify the risk and determine notification obligations. This is the only way an organization can guard against both over- and under-notification, given that data breach laws generally presume an incident is a notifiable breach unless the assessment shows otherwise (HIPAA makes this "breach presumption" explicit). Digging into the regulations a bit, let's take a look at a few common notification exceptions.
Encryption and redaction
Given the media attention around high profile electronic breaches, encryption is often top of mind when we consider exceptions. Some jurisdictions also treat redaction as a sufficient means of mitigating the risk of harm. The Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLBA), the U.S. state breach laws and the EU General Data Protection Regulation (GDPR) all give weight to encryption when determining whether notification is required, though, as the examples below show, some do so as an explicit exception while others do so only as a factor in the risk assessment.
- The Health Information Technology for Economic and Clinical Health (HITECH) Act requires notification of breaches of "unsecured" protected health information, that is, PHI that has not been rendered unusable, unreadable or indecipherable to unauthorized persons by a method such as encryption, including breaches that occur at business associates, vendors and related entities. Encrypted PHI is therefore outside the notification requirement.
- Many U.S. states include a general encryption provision, essentially stating that encrypted data is not considered personal information. A handful of states specify a higher encryption standard. Tennessee, for example, requires that data be encrypted in accordance with the current version of Federal Information Processing Standard (FIPS) 140-2. We anticipate that U.S. states will continue to move toward specifying a minimum encryption standard for the exception to apply. One caveat a privacy team should check during the assessment: many state laws void the encryption exception if the encryption key was acquired along with the data, so the fact that data was encrypted is not, by itself, conclusive. Likewise, some U.S. states stipulate that data elements are not considered personal information when rendered unusable through certain methods, such as redaction. It is notable that a redaction exception is not exclusive to paper incidents; it can apply to electronic incidents as well.
- The GDPR does not exempt a controller from notifying the supervisory authority on the basis of encryption alone; that notification is required unless the breach is unlikely to result in a risk to individuals, and state-of-the-art encryption is one of the measures that reduces that risk. For the separate obligation to communicate the breach to affected data subjects, however, the GDPR does provide an explicit exception where the controller had applied protection measures such as encryption that "render the personal data unintelligible to any person who is not authorised to access it."
- GLBA does not explicitly provide for any exception from notification obligations, but it allows customer information protection measures, such as encryption, to be taken into account during the investigation and the compliant multi-factor incident risk assessment that determines whether misuse of the information is reasonably possible.
"Good faith" acquisition
U.S. states generally include a “good faith” exception of some kind, though the individual provisions differ in definition and scope. In Idaho, for example: “Good faith acquisition of personal information by an employee or agent of an entity for the purposes of the entity is not a breach of the security of the system, provided that the personal information is not used or subject to further unauthorized disclosure.”
HIPAA includes two "good faith" exceptions; when either applies, the incident is not a breach and neither HHS nor the affected individuals need be notified.
- “HIPAA Good Faith” pertains to an unintentional acquisition, access, or use of protected health information by an authorized individual that is made in good faith and does not result in further use or disclosure in a manner not permitted.
- “HIPAA Good Faith Belief” applies if the covered entity or business associate has a good faith belief that an unauthorized person to whom the disclosure was made would not reasonably have been able to retain such information.
Under HIPAA, a third exception may apply when PHI is inadvertently disclosed by an authorized person to another person within the same covered entity or business associate who is also authorized to access PHI. If the organization can demonstrate that the PHI received through the inadvertent disclosure was not further used or disclosed in a manner not permitted, the incident is not a breach and notification to affected individuals and HHS is not expected.
How often are exceptions applied?
Exceptions are by no means a "get-out-of-jail-free" card. If anything, their nuances create even more regulatory complexity for privacy officers and their teams to navigate. So how often do notification exceptions truly apply? Digging into the aggregated metadata of data privacy incidents, we sought to discover how frequently exceptions are applied when organizations use automation and incident response best practices.
Looking at aggregated and anonymized incident metadata, we see that of all incidents risk assessed in 2018, an exception applied in 2.36 percent of cases, slightly up from 1.99 percent in 2017. Encryption was the most frequently applied exception across regulations in both 2018 and 2017, which is not surprising given that it is recognized across jurisdictions.
Digging into incident metadata across specific regulations and jurisdictions:
- HIPAA: For incidents assessed under HIPAA, encryption was the most common exception applied in 2017, accounting for 50 percent of all exceptions, followed by "good faith" at 33 percent and the inadvertent internal disclosure exception described above ("HIPAA disclosure") at 17 percent. In 2018 the order reversed: HIPAA disclosure was the most common at 45 percent, followed by "good faith" at 34 percent, with encryption the least common at 21 percent.
- States: For incidents assessed under U.S. state regulations, when an exception applied it was most frequently the encryption exception. In 2018, 78 percent of exceptions were attributed to encryption, slightly down from 84 percent in 2017. "Good faith" applied much less frequently, at 19 percent in 2018 and 13 percent in 2017, and redaction exceptions were rare.
- GLBA: Encryption exceptions were slightly more common in 2018 than in 2017. Note that these figures are measured differently from the HIPAA and state figures above: they are the share of all GLBA-assessed incidents in which an encryption exception applied (2.25 percent in 2018 versus 1.01 percent in 2017), not the share of exceptions.
Key takeaways for privacy officers
As the metadata illustrates, exceptions are applied at a rather low rate. The relevant question for privacy officers is whether that low rate truly reflects the profile of their incidents, or whether the complexity of the exceptions and a poor understanding of them are causing organizations to miss permitted exceptions during their multi-factor incident risk assessment.
In addition, exceptions are but one nuance in data breach notification regulations. All nuances of the law must be taken into account as part of a compliant multi-factor risk assessment, along with the nature of the incident and its category: electronic, paper or verbal/visual. It is critical to determine the sensitivity of the exposed data and the severity of each incident in order to establish the potential risk of harm and the obligation to notify. Failing to do so can result in over- or under-reporting, both of which carry financial, reputational and regulatory risk.