New Bill Would Make Lab Employees Criminally Liable for Concealing Data Breaches

While massive data breaches have existed as long as massive data itself, legal accountability for organizations that commit them is a relatively recent phenomenon.

Breach Liability of Labs
Because so many data breaches involve health care, it's not surprising that the industry was among the earliest targeted for liability in the form of 2013 HIPAA amendments requiring labs and other covered entities to report breaches affecting 500 or more people immediately and smaller breaches by the end of the calendar year. In January 2017, Illinois health system Presence Health became the first provider penalized for failing to meet HIPAA breach notification requirements. (See GCA, Jan. 26, 2017, for the details.)

Potential data breach liability may include not just HIPAA fines but risks of private litigation. A notable example with national ramifications is the pending lawsuit against CareFirstBlueCross Blue Shield by members whose personal data was compromised in a 2014 data breach. The case, which involves the rights of individual victims to sue for money damages under the Fair Credit Reporting Act may be the first data breach case ever decided by the U.S. Supreme Court. (See NIR, Nov. 21, 2017, for the details.)

Extending Breach Liability to All Sectors
Even though data breaches also happen outside health care, most other industries have managed to fly under the radar. But recent high profile breach cases like Uber and Equifax have underlined the need for companies to respond more swiftly and effectively to breaches. So on Dec. 1, a trio of Democratic Senators introduced a bill to make breach notification an obligation of all companies. Under the so called Data Security and Breach Notification Act, a company would have to notify its consumers of data breaches within 30 days.

"Only stiffer enforcement and stringent penalties will make sure companies are properly and promptly notifying consumers when their data has been compromised," U.S. Sen. Richard Blumenthal (D-CT), a member of the committee on a sponsor of the bill, said. "Uber's stunning announcement of a data breach— made public a year after the fact—is yet another example of corporate carelessness in the face of a cyber intrusion that put their customers and employees' personal and financial information at risk. Our legislation will give the FTC real teeth to hold accountable businesses that refuse to implement reasonable security practices."

Future Growth Opportunities
The key strategic takeaway from the report is the finding that the physician office business is the most profitable market segment for outreach and its most promising opportunity for future growth.

Takeaway: The Impact on Labs
The bill would also affect labs and other providers even though these entities are already required to provide breach notification under HIPAA.

1. New Liability Risks for Lab Employees
In addition to HIPAA penalties imposed on the lab, the bill would expose lab employees to the risk of criminal penalties for concealing data breaches. Specifically, employees that "intentionally and willfully conceal" a data breach causing any person $1,000 or more in harm would be subject to criminal fines and/or up to five years in prison.

2. Potential for New Data Security Requirements
The bill also directs the Federal Trade Commission to create security standards to help companies protect the personal and financial information of their customers. Result: The new FTC standards may impose new regulatory burdens on labs that go beyond their current HIPAA obligations.