As you are now all too well aware, on February 5th Anthem Blue Cross and Blue Shield disclosed that it had experienced a data breach in late December that it believes compromised the confidentiality of personal information. The breach affected not only Anthem clients but also clients of other Blues companies that partner with Anthem. Many of your employer clients are now asking – how does this affect our company? The answer – in classic lawyerly fashion – is: it depends.
Review Client Status/Contracts. The Anthem data breach impacts direct insureds (in both the individual and group markets) as well as self-insured plans where Anthem or one of its Blues partners acts as a service provider (generally as a third-party administrator (TPA)) to the employer. In the latter case, any employer that is self-insured and uses Anthem likely has independent data breach investigation, notification and remediation obligations to anyone currently insured under its self-insured plans unless Anthem was delegated those obligations by contract. Your self-insured clients therefore should review their contracts to determine the extent to which any of the breach-related obligations have been delegated.
Breach-Related Obligations. To the extent these obligations have not been delegated, your self-insured clients will have independent breach-related obligations under both federal and state law. It does not appear that any medical information was compromised. Anthem has acknowledged, however, that consumer names, addresses, social security numbers and health account numbers may have been compromised. Because this data all relates to health care coverage for the consumers, the protections and obligations imposed by the Health Insurance Portability and Accountability Act (“HIPAA”) likely apply. Penalties for non-compliance can be up to $100 per day but are capped at $1.5 million per incident.
In addition, forty-seven States (every State except Alabama, New Mexico and South Carolina), the District of Columbia, Guam, Puerto Rico, and the U.S. Virgin Islands also impose their own data breach notification requirements. Ten of those States – Arizona, Arkansas, California, Hawaii, Indiana, Kansas, Kentucky, Michigan, New Hampshire and Rhode Island – exempt an entity subject to HIPAA from their state disclosure (and penalty) regimes provided that the HIPAA data breach notification requirements are satisfied. State penalties for non-compliance range from hundreds of dollars to as much as $5,000 for each day of non-compliance. In addition, sixteen States – Alaska, California, Colorado, Hawaii, Illinois, Louisiana, Minnesota, Nevada, New Hampshire, North Carolina, Oregon, South Carolina, Tennessee, Virginia and Washington – and the District of Columbia, Puerto Rico and the U.S. Virgin Islands provide a private right of action for individuals to sue for non-compliance with their disclosure regimes.
HIPAA requires that the owner or licensor of the compromised data notify affected (or potentially affected) consumers within 60 days of discovering the breach. For self-insured plans, the employer or the plan itself will be the owner of the data. The notice generally must include information regarding:
- The types of data that were breached
- The steps the individual can take to protect himself or herself going forward
- What is being done to eliminate the breach issues going forward
- Contact information for questions
Anthem has set up a site through which it provides all of the requisite information – www.anthemfacts.com.
State breach notification laws generally require providing the same types of information, but they differ with respect to when the notifications need to be provided; to whom (the exceptions to who is entitled to receive notice vary widely); and the method of providing notice. A survey of all of the applicable state breach notification laws and their requirements is included in Steptoe’s data breach response toolkit – www.steptoe.com/databreach.
Going Forward – What Next?
In retrospect, the Anthem breach undoubtedly will be viewed as just one in a long line of high profile data breaches – not the first and inevitably not the last. Although you and your clients cannot completely eliminate the cyber risk exposure (particularly with respect to third-party vendors like Anthem), you can minimize it to some extent and you can and should have a plan in place so that you are ready for the next inevitable data breach event. As we have written previously, you and your clients may want to consider:
- Identifying and mapping the data in your possession and data for which you may be responsible (like the Anthem beneficiary data for self-insured plans)
- Evaluating/updating your network security and access control measures and protocols
- Reviewing your contracts with vendors/business partners to ensure that they properly address the responsibility for data security (and that they include audit rights)
- Reviewing/updating your privacy notices and practices to ensure that you are actually doing what you say you are doing
- Ensuring that your insurance coverage is adequate to recover the potentially catastrophic costs of a breach – including response, remediation and litigation costs
- Focusing a component of any due diligence in M&A type transactions on your potential partner’s cybersecurity systems and protocols because when you buy another firm, you are buying its data and any data security problems it may have.
Finally, you and your clients should maintain an up-to-date incident response plan and regularly test that plan to ensure it works the way it was drawn up. The plan should make clear who will be called in to help when an incident occurs and – to minimize your potential liability – your lawyer should be your first call. As self-serving as that sounds (and, arguably, is), it is prudent advice because it allows a breach investigation to commence while maximizing the chance of availing yourself of the protections of the attorney-client privilege, which can be so critical if litigation ensues.
Scott Sinder and Michael Vatis are both Partners at Steptoe & Johnson LLP