Is it a Data Security Breach?

Information Security
Written by Joe Campana
Monday, 20 April 2009 09:51
Most states have data breach notification laws in place that require an organization to notify all potential victims when a data breach occurs. The notice gives the probable victims an opportunity to take action and to monitor their personal, credit or health records as a measure to protect their good name.

Unauthorized acquisition of sensitive information is the obvious definition of a breach. But what if information is known to have been accessed by, or accessible to, unauthorized persons, yet there is no evidence that the information was actually acquired? There are many examples of breach notifications that were made when the "data controller" was not certain that acquisition had occurred but was aware that the information had been accessible: access to databases through hacking, disclosure of sensitive information over unsecured Web sites, and lost, stolen or improperly disclosed computers, laptops, electronic storage devices and other paper or electronic records. The prudent and ethical approach has been to make the notification.

The Federal Trade Commission has recently taken the lead role in crafting a national breach notification law for health information technology, as directed by The American Recovery and Reinvestment Act of 2009. An interim breach notification law is currently in effect for all health information technology vendors and business associates. Public input on the final law is being taken through June 1, 2009. The law (see the Federal Register Notice) is likely to set a precedent regarding what is and is not a data breach for all types of sensitive information, whether health related or otherwise. The proposed law states: "Unauthorized acquisition will be presumed to include unauthorized access to ... information unless ... reliable evidence showing that there has not been, or could not reasonably have been, any unauthorized acquisition of such information."
The bottom line is that if you cannot prove that the information has not been acquired, then the incident is reportable as a data security breach.
Last Updated on Monday, 20 April 2009 09:55