“BYOD” – Bring Your Own Device
Gloria, in the Benefits Department of your insurance brokerage and financial services company, informs you that her personal computer has been stolen. Under the company’s “Bring Your Own Device” (“BYOD”) program, Gloria was using her personal laptop for company business. On her computer are the names, addresses, Social Security numbers, account numbers, and account balances of plan participants in fifteen benefit plans for which you act as plan administrator, and in several other plans for which your clients serve in that role. The same information, plus health histories, for the health plans your company administers and for the company’s own health plan is also on her laptop.
All told, personal information of twenty-five hundred individuals, living in all fifty states, has potentially been breached.
Your lawyer tells you that you will have to notify individuals whose health information is compromised under the Federal Health Insurance Portability and Accountability Act (“HIPAA”), the Health Information Technology for Economic and Clinical Health Act (“HITECH”), and the regulations issued by the Department of Health and Human Services and the Federal Trade Commission.
As a financial institution, you will have reporting responsibilities under the Financial Services Modernization Act of 1999 (a/k/a the Gramm-Leach-Bliley Act) and the regulations issued by the Office of the Comptroller of the Currency, the Federal Reserve Board, the Federal Deposit Insurance Corporation, and the Office of Thrift Supervision. If any of the employees work for your affiliated radio station, the Communications Act of 1934 and the regulations issued under that Act relating to data breach notification will also apply.
You learn that forty-six states have legislation dealing with the breach of personal information. Although your lawyer is familiar with the laws of your state, he and a team of associates will have to “blue sky” the other forty-five state laws. “Personal information” subject to the breach notification statutes includes Social Security numbers, driver’s license numbers, account numbers, credit card or debit card numbers, along with security or access codes or passwords that permit access to an individual account, medical information, health insurance information, date of birth, mother’s maiden name, biometric data, DNA data, passport number, taxpayer identification numbers, and account numbers even when disassociated from passwords or PINs.
You ask your lawyer if he is certain that notification will be required. He responds that risk-of-harm thresholds require notification if the breach of personal information poses, or is likely to pose, a significant risk of harm to the affected individuals. While a password is required to log in to the stolen laptop, the data on it is not encrypted. A login password only controls access through the operating system; whoever has the laptop can remove the drive or boot from other media and read the files directly. This probably rises to the level of a significant risk of harm and triggers notification obligations.
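The distinction the lawyer draws, a login password versus encryption of the data at rest, is one you can check on a device before it goes missing. The script below is an added example and is not part of the original article. It takes the output of `lsblk -P -o NAME,TYPE,MOUNTPOINT,PKNAME` (util-linux, so Linux only) and walks from the device that holds a mountpoint up through its parent devices to see whether a dm-crypt/LUKS `crypt` layer sits underneath it. The sample listing embedded in the script is constructed and its device names are invented; on a macOS or Windows laptop the equivalent check is FileVault or BitLocker status instead.

```shell
#!/bin/sh
# Added example (not from the original article): is the data on this laptop
# encrypted at rest, or only behind a login password?
# Works on Linux with util-linux's lsblk. A mountpoint counts as encrypted only
# if the block device holding it, or one of its ancestors, is a dm-crypt/LUKS
# "crypt" device. The device names in the sample listing below are invented.

# at_rest_encrypted LISTING MOUNTPOINT
#   LISTING: output of `lsblk -P -o NAME,TYPE,MOUNTPOINT,PKNAME`
#   Prints "encrypted", "unencrypted" or "unknown" (mountpoint not found)
#   and exits 0, 1 or 2 respectively.
at_rest_encrypted() {
    printf '%s\n' "$1" | awk -v mp="$2" '
    # Pull the value of KEY="..." out of one lsblk -P line.
    function val(line, key,    m) {
        if (match(line, "(^| )" key "=\"[^\"]*\"")) {
            m = substr(line, RSTART, RLENGTH)
            sub(/^.*="/, "", m); sub(/"$/, "", m)
            return m
        }
        return ""
    }
    {
        n = val($0, "NAME")
        ktype[n]   = val($0, "TYPE")
        kparent[n] = val($0, "PKNAME")
        m = val($0, "MOUNTPOINT")
        if (m != "") dev_at[m] = n
    }
    END {
        if (!(mp in dev_at)) { print "unknown"; exit 2 }
        # Walk up the device stack (e.g. lvm -> crypt -> part -> disk).
        for (d = dev_at[mp]; d != ""; d = kparent[d])
            if (ktype[d] == "crypt") { print "encrypted"; exit 0 }
        print "unencrypted"; exit 1
    }'
}

# Constructed sample: / and /home are LVM volumes on top of a LUKS container,
# while an external drive mounted at /data is plain: a password at login,
# nothing protecting the bytes on that disk (the situation in the article).
SAMPLE_LSBLK='NAME="nvme0n1" TYPE="disk" MOUNTPOINT="" PKNAME=""
NAME="nvme0n1p1" TYPE="part" MOUNTPOINT="/boot/efi" PKNAME="nvme0n1"
NAME="nvme0n1p2" TYPE="part" MOUNTPOINT="" PKNAME="nvme0n1"
NAME="cryptroot" TYPE="crypt" MOUNTPOINT="" PKNAME="nvme0n1p2"
NAME="vg0-root" TYPE="lvm" MOUNTPOINT="/" PKNAME="cryptroot"
NAME="vg0-home" TYPE="lvm" MOUNTPOINT="/home" PKNAME="cryptroot"
NAME="sda" TYPE="disk" MOUNTPOINT="" PKNAME=""
NAME="sda1" TYPE="part" MOUNTPOINT="/data" PKNAME="sda"'

for mp in /home /data /boot/efi; do
    printf '%-10s %s\n' "$mp" "$(at_rest_encrypted "$SAMPLE_LSBLK" "$mp")"
done

# On a real Linux host, check the volume that actually holds the client data:
#   at_rest_encrypted "$(lsblk -P -o NAME,TYPE,MOUNTPOINT,PKNAME)" /home
```

The check is deliberately about the block-device stack rather than the login prompt: a user password, screen lock or file permissions all disappear once the drive is read on another machine, whereas a `crypt` layer under the filesystem means the thief needs the passphrase or key, which is the property most breach-notification analyses turn on.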
You then ask your lawyer precisely what you have to tell your employees and what your clients will have to tell their employees, as you are certain that your clients will be looking to you for guidance on their obligations. The information you must provide depends on each state statute. What some states require you to put in employee notifications, other states prohibit. Each letter will have to be tailored to each participant’s state of residence.
Some states require notification to state officials. Some states permit delaying notification if the investigative law enforcement agency requests. At least one state requires that you notify it before notifying plan participants or employees and have your notification letter approved. Eleven state statutes create a private right of action for individuals to sue you for any actual damages they sustain as a result of the data breach.
Withholding notification in the hope that the information is never misused risks fines ranging from $10,000.00 to $150,000.00 per breach. Other jurisdictions impose civil penalties or fines of up to $500,000.00. Your lawyer advises that, because there is health information on the laptop, you are also subject to an enforcement action by the Department of Health and Human Services.
Under the Interagency Guidance issued by the Comptroller of the Currency, your company was required to have in place a risk-based response program to address unauthorized access to private information, because your business is a financial institution under the Financial Services Modernization Act of 1999. Your lawyer urges you to contact your Errors and Omissions carrier to determine whether you have coverage in the event your clients, their employees, or your own employees bring damage lawsuits.
Lesson: In an effort to save hardware costs and to address the wishes of a new generation of “techies” who want to do all their computing on a single device, many companies are adopting a BYOD policy that allows employees to use a device of their own choosing for both personal and company business. Before adopting a BYOD program, companies would be wise to complete a risk assessment, which might reveal that employees already are using their own devices for work-related information. That assessment will help determine whether a BYOD program is technically or financially feasible and appropriate for your company. It also will enable you to select the best technological means for implementing a security program (for example, requiring encryption of company data on any personal device, the control that was missing from Gloria’s laptop) and to develop policies governing BYOD administration and management.