Category Archives: Risk Management

Recent HIPAA settlements are wake up calls

On March 16, 2016, the Office for Civil Rights (“OCR”) announced its $1.55 million Resolution Agreement and Corrective Action Plan with North Memorial Health Care of Minnesota.  North Memorial  agreed to settle charges that it potentially violated the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules by failing to implement a business associate agreement with a major contractor and failing to institute an organization-wide risk analysis to address the risks and vulnerabilities to its patient information.

OCR initiated its investigation of North Memorial following receipt of a report on September 27, 2011, which indicated that “an unencrypted, password-protected laptop was stolen from a business associate’s workforce member’s locked vehicle, impacting the electronic protected health information (ePHI) of 9,497 individuals.”

The investigation indicated that North Memorial gave its business associate, Accretive, access to North Memorial’s hospital database, which stored the ePHI of 289,904 patients. OCR further determined that North Memorial failed to complete a risk analysis to address all of the potential risks and vulnerabilities to the ePHI that it maintained, accessed, or transmitted across its entire IT infrastructure – “including but not limited to all applications, software, databases, servers, workstations, mobile devices and electronic media, network administration and security devices, and associated business processes.”

In addition to the $1,550,000 payment, North Memorial is required to develop “an organization-wide risk analysis and risk management plan, as required under the Security Rule.”  North Memorial will also train appropriate workforce members on “all policies and procedures newly developed or revised pursuant to this corrective action plan.”

In by now typical fashion, OCR announced another settlement right after the North Memorial settlement.

On March 17, 2016, the OCR announced its $3.9 million HIPAA settlement with the biomedical research institute, Feinstein Institute for Medical Research.  Feinstein settled potential HIPAA violations by agreeing to undertake a substantial corrective action plan.  OCR’s investigation began after Feinstein filed a report indicating that on September 2, 2012, a laptop computer containing ePHI of approximately 13,000 patients and research participants was stolen from an employee’s car. The ePHI stored in the laptop included “names of research participants, dates of birth, addresses, social security numbers, diagnoses, laboratory results, medications, and medical information relating to potential participation in a research study.”

OCR’s investigation discovered that Feinstein’s security management process was “limited in scope, incomplete, and insufficient to address potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI held by the entity.” Further, Feinstein lacked “policies and procedures for authorizing access to ePHI by its workforce members, failed to implement safeguards to restrict access to unauthorized users, and lacked policies and procedures to govern the receipt and removal of laptops that contained ePHI into and out of its facilities.”

The Feinstein and North Memorial settlements are obvious wake-up calls.

First, OCR apparently has no problem whatsoever finding that research institutions are covered entities even though such organizations may not squarely fit into the provider, health plan or clearinghouse bucket for all their activities.  See 45 C.F.R. § 160.103.   As set forth by the OCR Director Jocelyn Samuels in the press release, “For individuals to trust in the research process and for patients to trust in those institutions, they must have some assurance that their information is kept private and secure.”

Second, it is much preferable to hire legal counsel and spend several thousand dollars on a good business associate agreement and perhaps $20,000 on a comprehensive risk analysis than it is to pay $1.55 million on an OCR settlement.

And finally, train employees on proper handling of laptops and make sure your laptops are encrypted just in case they are ever lost or stolen.  In both cases, the actual trigger leading to these seven figure settlements was a breach report sent to OCR because of a laptop stolen from a car.

Apple Ordered to Disable Auto-Erase Feature

Pursuant to the All Writs Act, 28 U.S.C. § 1651, Magistrate Judge Sheri Pym ordered on February 16, 2016 that Apple assist in the investigation of the San Bernardino shooting by disabling a feature that would auto-erase one of the shooter’s phone after ten password attempts.  According to the government’s ex parte application, unless the auto-erase feature is disabled, “iOS will instantly, irrecoverably, and without warning erase the encryption keys necessary for accessing stored data.”  Declaration of Christopher Pluhar at 5.  Although the media is reporting that Apple is being forced to unlock the phone, that is not the case.

Even though Judge Pym ordered that Apple provide “reasonable technical assistance to assist law enforcement agents in obtaining access to the data on the SUBJECT DEVICE,” what was actually ordered would only allow investigators to “brute force” determine the password for the phone without the possibility of any data deletion.  The software ordered to be provided by Apple would have “a unique identifier of the phone so that the SIF [software image file] would only load and execute on the SUBJECT DEVICE.”  In other words, the software would purportedly not be used by the authorities for other devices.

The Order concludes with the following:  “To the extent that Apple believes that compliance with this Order would be unreasonably burdensome, it may make an application to this Court for relief within five business days of receipt of the Order.”  Given that the Order also anticipates that Apple would be compensated given it requires that Apple “shall advise the government of the reasonable cost of providing this service” it may be the case the Judge anticipates objections based on the expense or efforts related to the request – and not the significant precedent set by this equitable relief.

In an open letter to customers, Apple’s CEO has publicly challenged the request and set up the stakes as follows:

Specifically, the FBI wants us to make a new version of the iPhone operating system, circumventing several important security features, and install it on an iPhone recovered during the investigation. In the wrong hands, this software — which does not exist today — would have the potential to unlock any iPhone in someone’s physical possession.

According to Mr. Cook, “[o]nce created, the technique could be used over and over again, on any number of devices. In the physical world, it would be the equivalent of a master key, capable of opening hundreds of millions of locks — from restaurants and banks to stores and homes. No reasonable person would find that acceptable.”

Judge Pym gave Apple five days to respond to the Order so a major battle is about to unfold — with various privacy groups already sharpening their amicus pencils.  Given it was prior US government mass surveillance that caused the Court of Justice of the European Union to strike down the EU Safe Harbor framework for data transfer emanating from the EU, this Order obviously holds more significance than the brute force unlocking of a single phone.  Depending on how this case unfolds it will have a direct impact far removed from Judge Pym’s courtroom and may even cause the EU-US Privacy Shield to fail before it really even got off the ground.

Replacement Safe Harbor Reached

First announced today by Bloomberg BNA, the U.S. and the European Union reached agreement on a new data transfer framework to replace the invalidated Safe Harbor program.  The European Commission press release provides details of this agreement and the new EU-US Privacy Shield:

The EU-US Privacy Shield reflects the requirements set out by the European Court of Justice in its ruling on 6 October 2015, which declared the old Safe Harbour framework invalid. The new arrangement will provide stronger obligations on companies in the U.S. to protect the personal data of Europeans and stronger monitoring and enforcement by the U.S. Department of Commerce and Federal Trade Commission (FTC), including through increased cooperation with European Data Protection Authorities. The new arrangement includes commitments by the U.S. that possibilities under U.S. law for public authorities to access personal data transferred under the new arrangement will be subject to clear conditions, limitations and oversight, preventing generalised access. Europeans will have the possibility to raise any enquiry or complaint in this context with a dedicated new Ombudsperson.

By way of background, the U.S./EU Safe Harbor Program allowed U.S. companies to transfer EU citizens’ data to the U.S. if they self-certified to the U.S. Department of Commerce their compliance with privacy principles similar to those contained in the EU Data Protection Directive.  The program was invalidated by the Court of Justice of the European Union based on a claim the U.S. government’s surveillance programs necessarily showed a lack of compliance given the lack of adequate restrictions on this data gathering.  The result was widespread confusion among multi-nationals given the invalidation of Safe Harbor affected thousands of U.S. companies certified in the program as well as many more companies relying on the certification to transfer personal data to those companies.

One key takeaway of this agreement is that it continues to place enforcement power with the FTC regarding the “robust obligations on how personal data is processed and individual rights are guaranteed.”  Moreover, according to the Press Release, the U.S. “has ruled out indiscriminate mass surveillance on the personal data transferred to the US under the new arrangement.”  And, with regards complaints on possible access by national intelligence authorities, the new Ombudsperson will take charge.

It remains to be seen whether the NSA is on board or whether this agreement was a huge temporary fix simply so that all sides could save face.  What is certain, however, is that multi-nationals should have very little comfort that this fix is permanent and will be left unchanged after its inevitable challenge in the court system.

Wyndham Settles with FTC

Ending its epic battle with the FTC, Wyndham entered into a settlement agreement with the FTC.  Under the terms of the Stipulated Order that was filed on December 9, 2015 with Judge Salas, Wyndham will establish a “comprehensive information security program designed to protect cardholder data – including payment card numbers, names and expiration dates.”  In addition, the company is required to “conduct annual information security audits and maintain safeguards in connections to its franchisees’ servers.”

These safeguards have a shelf-life of 20 years — common for FTC stipulated agreements involving data breaches.  What is noteworthy and distinct from other settlements, however, is that there is no money changing hands — Wyndham pays no fines, investigative costs or any amount for that matter.   This overall result — especially in light of the Third Circuit ruling, can only be considered a solid victory for Wyndham.

Franchise operators also scored somewhat of a victory given the FTC finally gives some guidance as to what it considers to be a reasonable security program for franchise operators.  First, the FTC alerts future companies that if they conform to the most current Payment Card Industry Data Security Standard (PCI DSS) for certification of a company’s security program, they are in the right direction towards implementing a satisfactory program.  Indeed, the settlement specifically defines its terms as per PCI DSS Version 3.1.  Not surprisingly, the second aspect of a suitable program requires the implementation of a risk-based approach to threat assessment.  As set forth in I.C of the Stipulated Order, Wyndham’s program must include “the design and implementation of reasonable safeguards to control the risks identified through risk assessment (including any risks emanating from the Wyndham-branded Hotels), and regular testing or monitoring of the effectiveness of the safeguards’ key controls, systems, and procedure.”

The agreed-upon requirements also apply to any “entity that that Defendant has any ownership interest in or controls directly or indirectly that may affect compliance obligations arising under this Order.”  And overall compliance features of the Stipulated Order mimic discovery process available under the Federal Rules of Evidence and will certainly be tested over the twenty-year term.  Such future testing — coupled with potential new breaches, may lead to future stipulated Orders.  For the moment, however, Wyndham should be relieved with the results of its FTC skirmish — as well as happy with the work done by its counsel.

California Rakes in $25 Million from Comcast

On September 17, 2015, a California Judge approved a final stipulated judgment between media giant Comcast and the California Public Utilities Commission.  In Paragraph 17 of the Complaint filed the same day, Comcast was not exactly accused of heinous conduct:  “for varying periods of time between July 2010 to December 2012, and for many customers the entire period, approximately 75,000 Comcast residential subscribers in California who had paid Comcast the monthly fee for a non-published or non-listed phone number nevertheless had their subscriber listing information published on Ecolisting, and (in some cases) in phone books, and/or made available by a directory assistance provider.”

In other words, Comcast customers who paid to avoid potentially being listed on sites such a whitepages.com were inadvertently deprived of that purchased service.  Specifically, because “the ‘privacy flag’ was not attached to the listings of approximately 75 ,000 non-published/non-listed subscribers, Neustar provided those listings to Comcast’s vendor, Microsoft FAST, who then published them for Comcast on the Ecolisting website.”  Complaint at ¶ 15.

No financial data was exposed.  No transaction or business data was exposed.  No medical data was exposed.  No emails or passwords were compromised.  Indeed, the only information exposed was the very same information that could be obtained by anyone doing a few sophisticated Google searches – names, addresses, and phone numbers.   For most people, such information exists online independently of any Comcast action or inaction.   In other words, whether or not Comcast properly withheld such information would not likely prevent someone from finding it online.

As part of the settlement, Comcast must pay $25 million in penalties and investigative costs to the California Department of Justice and the California Public Utilities Commission.   The 75,000 customers who were “compromised” ended up with refunds and $100 more in restitution added to their Comcast bills.

And, as part of the stipulated judgment, Comcast also agreed to a permanent injunction that requires the company to strengthen the restrictions it places on its vendors’ use of personal information about customers.  The injunction also requires Comcast to provide a new disclosure form to all customers that explains the ways in which it uses unlisted phone numbers and other personal information.  Such restrictions and added duties have little to do with the actual transgression in question — they represent added gimmes obtained by the California AG’s office given the leverage it had over Comcast.

This case is yet another wake-up call to companies maintaining or processing large amounts of customer data.  Even though the Comcast settlement is somewhat unique given the nature of the information as well as the “unlisting service” provided, other companies also safeguard what may otherwise be publicly available information.  When there are assurances made that such information will be safeguarded, does that automatically elevate the value of the information?

The larger question is how can a transgression with no ostensible harm mushroom into a $25 million payment to a governmental agency?  Until a General Counsel can answer that question with definite certainty, the only course of action is to treat all customer data equally and ensure the requisite reasonable precautions undertaken to safeguard such information matches or exceeds what is considered state-of-the-art for that company’s industry sector.

Third Circuit Affirms Judge Salas in FTC v. Wyndham

In a 47-page ruling, the United States Court of Appeals for the Third Circuit affirmed today an April 7, 2014 ruling of Judge Esther Salas against Wyndham Worldwide.  In affirming the district court ruling, the Third Circuit left intact Judge Salas’s decision that the FTC has power to regulate “unfair trade practices” based on the alleged failed data security of Wyndham.

The Third Circuit recast Wyndham’s argument and ultimately rejected what was potentially viable on appeal as “[t]oo little and too late.”  As recognized by the Court:

Wyndham repeatedly argued there is no FTC interpretation of § 45(a) or (n) to which the federal courts must defer in this case, and, as a result, the courts must interpret the meaning of the statute as it applies to Wyndham’s conduct in the first instance. Thus, Wyndham cannot argue it was entitled to know with ascertainable certainty the cybersecurity standards by which the FTC expected it to conform. Instead, the company can only claim that it lacked fair notice of the meaning of the statute itself – a theory it did not meaningfully raise and that we strongly suspect would be unpersuasive under the facts of this case..

In what was a sua sponte rejection of Wyndham’s “implied” argument that it was not provided with sufficient statutory notice of the century-old Federal Trade Commission Act, the Court of Appeals recognized:

Moreover, Wyndham is entitled to a relatively low level of statutory notice for several reasons. Subsection 45(a) does not implicate any constitutional rights here. [citation omitted] It is a civil rather than criminal statute. [citation omitted] And statutes regulating economic activity receive a “less strict” test because their “subject matter is often more narrow, and because businesses, which face economic demands to plan behavior carefully, can be expected to consult relevant legislation in advance of action.” [citation omitted]

In other words, one of Wyndham’s arguments deemed potentially viable, i.e., that it should not be held to a standard never actually put forth by the FTC in any prior ruling, will likely be rejected on summary judgment.    According to the Court, the relevant standard “considers a number of relevant factors, including the probability and expected size of reasonably unavoidable harms to consumers given a certain level of cybersecurity and the costs to consumers that would arise from investment in stronger cybersecurity.”  It is this applicable standard that the Court found Wyndham should have been on notice of prior to the FTC Complaint being filed against it.

In a section of the opinion that may come back to haunt Wyndham – as well as future victims of a major data incident, the Court was quite blunt in its assessment as to whether this statutory standard was potentially satisfied.  Id. at 41 (“Wyndham’s as-applied challenge is even weaker given it was hacked not one or two, but three, times. At least after the second attack, it should have been painfully clear to Wyndham that a court could find its conduct failed the cost-benefit analysis. That said, we leave for another day whether Wyndham’s alleged cybersecurity practices do in fact fail, an issue the parties did not brief. We merely note that certainly after the second time Wyndham was hacked, it was on notice of the possibility that a court could find that its practices fail the cost-benefit analysis.”).

The import of this decision obviously reaches well beyond the Third Circuit.  As the only appellate court to affirm the FTC’s authority to enforce what it considers applicable cybersecurity standards — “standards” that no other governmental body uses as aggressively as the FTC, the FTC will have even greater leverage in future settlement agreements.  Given the scorched earth tactics taken during this litigation, it is possible the United States Supreme Court will be asked by Wyndham to weigh in.   There is certainly an argument to be made that Wyndham’s time and money would be better spent mending fences with the FTC.

UPDATE:   On the heels of this victory, the FTC announced on August 28, 2015 that it was going to hold a free “PrivacyCon” conference on January 14, 2016 at its Constitution Center offices.  According to the event description, PrivacyCon will “bring together a diverse group of stakeholders, including whitehat researchers, academics, industry representatives, consumer advocates, academics, and a range of government regulators, to discuss the latest research and trends related to consumer privacy and data security.”  Given that there is a call for “presentations seeking original research on new vulnerabilities and how they might be exploited to harm consumers” hopefully the attendee list to this free event does not have too many “John Smiths” listed.

NJDC Affirms FTC Regulatory Power Regarding Data Security Practices

Judge Esther Salas of the United States District Court of New Jersey ruled today that a Section 5 action brought by the FTC was sustainable against Wyndham Worldwide Corporation (“Wyndham Worldwide”) as well as various corporate affiliates primarily involved in the franchise side of its business.  This decision re-affirmed the FTC ‘s power to regulate “unfair trade practices” based on the failed data security of companies.   Judge Salas denied a motion to dismiss a FTC action based on the alleged violation of both the deception and unfairness prongs of Section 5(a) “in connection with Defendants’ failure to maintain reasonable and appropriate data security for consumers’ sensitive personal information.”  Wyndham Worldwide also looked to dismiss the action given the consumer representations made by some corporate affiliates were not intended to be applicable to all corporate affiliates.

In what Wyndham Worldwide considered a matter of first impression, the Court rejected Wyndham Worldwide’s position that the FTC does not have authority to bring an unfairness claim involving lax data security.  Another allegedly unique aspect of this case turns on the fact the corporate affiliate who initially sustained the data incident and also made most of the representations in question (Wyndham Hotels and Resorts, LLC) was able to implicate its corporate parent.

This decision is a rare judicial affirmation of the FTC’s broad power to assert itself in the data protection activities of companies. Typically, the FTC simply obtains consent as a byproduct of a settlement agreement.  Hacked companies routinely acknowledge the FTC’s power in this regard.

Although this decision merely resolves a motion to dismiss — with liability issues left unresolved, privacy practitioners who visit with the FTC should review Judge Salas’ opinion and continue to track this matter.  Given the hard public positions taken by Wyndham and the FTC,  this case may very well end up in the Third Circuit or even the Supreme Court — eventually leading to an appellate court potentially defining the exact contours of the FTC’s authority to regulate hacked companies.

October is National Cyber Security Awareness Month

National Cyber Security Awareness Month is being sponsored by the Department of Homeland Defense as well as the National Cyber Security Alliance and the Multi-State Information Sharing and Analysis Center.   In a Presidential Proclamation, President Obama called “upon the people of the United States to recognize the importance of cybersecurity and to observe this month with activities, events, and trainings that will enhance our national security and resilience.”  Many of the same corporations and universities who promote Privacy Day in January also promote NCSAM in October.

According to the FBI, since the first NCSAM was celebrated nine years ago the network security threat has continued to grow even more complex and sophisticated — “Just 12 days ago, in fact, FBI Director Robert Mueller said that ‘cyber security may well become our highest priority in the years to come.'”

There is no denying the obvious good in promoting security awareness and diligence.  It is hoped, however, that a month devoted to “cyber security awareness” does not inadvertently dilute the more important message that security diligence is something that should be done every day of the year.   On the other hand, to the extent NCSAM’s “Stop.Think.Connect.” message touches even one small business owner in Des Moines and makes her less likely to fall victim to a phishing exploit in the future, NCSAM will be a success.

Basketball, Julius Caesar, and Privacy

March Madness and murdered dictators aside, next month may be memorable for significant new privacy polices and obligations coming online — especially those for vendors holding sensitive information of a Massachusetts resident.  Given the expiration of a two-year grace period, Massachusetts will require effective March 1, 2012 that all service provider contracts include provisions requiring that the service provider  implement and maintain security measures for personal information that is consistent with the Standards for the Protection of Personal Information of Residents of the Commonwealth, 201 CMR 17.00.

A service provider must comply with this regulation if it “receives, stores, maintains, processes, or otherwise has access to personal information” of Massachusetts residents, e.g., social security numbers, driver license numbers, and financial account information,  in connection with the provision of goods or services or in connection with employment.  For compliance purposes, it does not matter whether the service provider actually maintains a place of business in Massachusetts.    In addition, those companies who are subject to the regulation must oversee service providers by taking reasonable steps to select and retain service providers who are compliant.  Penalties for non-compliance can be enforced through the Massachusetts Consumer Protection Statute and include penalties under that law as well as possible civil penalty of up to $5,000 for each violation, plus reasonable costs of investigation and attorney’s fees.

On the consumer side, starting March 1, 2012, Google’s new privacy policy will bring together its various privacy documents into a single umbrella privacy policy.  After being implemented, logged in users will be treated as a single user across  all Google products.   Concern over the way Google’s new policy would grant the data aggregator control over user data and allegedly “hold hostage” consumer personal information has caused attorney generals from around the country to reach out to Google.    Not one to miss out on the fun, one EU regulator has chimed in claiming that it is “deeply concerned” about the new Google policy.  And, EPIC even filed suit to enforce a FTC settlement in its effort to stop the March privacy change — a lawsuit that was dismissed on February 24, 2012.   Given it will likely be implemented in a few days, consumers wanting to avoid some of the potential privacy sting of these changes can heed some advice from the EFF.

Finally, on March 7, 2012, HHS is scheduled to publish in the Federal Register its final proposed rule regarding what constitutes “meaningful use” of EHR sufficient to trigger incentive payments under the HIITECH Act.  A draft of the proposed rule is currently  available.   It remains to be seen whether this push for EHR usage will ultimately add or subtract to healthcare data breaches.  

As it stands, a HIPAA covered entity must provide notice to the HHS Secretary “without unreasonable delay and in no case later than 60 days from discovery of the breach” impacting 500 or more individuals.  To assist in reporting, there is even an online means of disclosing breaches.  The current list of all such disclosed breaches is publicly available; and not surprisingly, incidents have been steadily increasing as per an analysis done by OCR of breaches occurring in 2009 and 2010. 

The annual OCR report indicates that larger breaches occurred “as a result of theft, error, or a failure to take adequate care of protected health information.”  OCR Report at 9.  It is not difficult to imagine efforts to obtain governmental incentive payments by achieving meaningful EHR usage — as the term will be further refined in March — may actually  cause an uptick in breaches.    Despite having a requirement that every EHR Module be certified to a “privacy and security” certification criteria — which will ultimately be determined by the HHS Secretary, these incentive payments will continue to be tied to usage and not necessarily verifiable compliance with a security standard.   Given that HITECH’s financial incentives remain based on usage and not protection, “sticks” such as reductions in Medicare payments and stiff HITECH fines will continue to be the only real governmental incentive to maintain adequate protection.   It would be nice if HHS, instead, developed a financial incentive or reward program for those firms who go the extra distance (as per NIST standards) when providing security.  Maybe such a program will make the agenda after the OCR releases a few more breach reports.

EU Data Breach Notification in 24 Hours?

On January 25, 2012, the European Union will announce a comprehensive reform of its data protection rules.  This proposed shift will likely toughen existing data-protection requirements and, according to one published report, will include a new rule requiring companies to disclose data breaches within 24 hours of the breach – in effect leapfrogging the toughest existing breach notification laws of the United States.   The EU’s initial Data Protection Directive does not even have a breach notification requirement.

The proposed retooling of the 1995 Directive will also likely prod national data-protection authorities within the 27-member EU to assess administrative sanctions and fines.  Interestingly, an EU conference will be held in Washington, D.C. on March 19, 2012 to obtain feedback from US stakeholders.  One issue that will likely be aired at this D.C. conference is a potential new EU privacy right “to be forgotten” — a hot topic at the most recent International Conference of Data Protection and Privacy Commissioners.   Viviane Reding, Vice-President of the European Commission and EU Justice Commissioner, has recently publicly called for such a right:  “I also want to create a right to be forgotten, which will build on existing rules to better cope with privacy risks online. If an individual no longer wants their personal data to be processed or stored by a data controller, and if there is no legitimate reason for keeping it, the data should be removed from their system.”

Although the proposed new directive framework to be announced on January 25, 2012 will take some time to be implemented by EU member countries and then enforced by the respective member Data Protection and Privacy Commissioners, it is clear that the EU privacy world will soon be changing in a dramatic way.  Those firms processing personal data within the EU are well advised to take notice and prepare for potential new obligations and privacy requirements.

Update:  January 25, 2012
The new proposed set of rules will indeed morph into “big news” if ultimately passed.  First of all, the 1995 Directive will be repealed in favor of a consistent approach for all member states.   In fact, these new rules might also  impact US businesses to the extent they process EU protected data and have a EU presence.  In a nod to harmonization hawks, only one member state would have authority to regulate a particular business even if the data was processed among several member states — jurisdiction will ultimately be determined by domicile or where the bulk of processing takes place.

As reported, the proposed new rules do, indeed, have a proposed notification provision that requires notification “without undue delay and, where feasible, not later than 24 hours of becoming aware of [the breach]”.   And, there is also a new “right to be forgotten” that is created via these new rules.  Top fines that can be levied for non-compliance of these rules can reach up to 2% of a firm’s gross worldwide turnover (“revenue”).

There are other noteworthy changes so it is definitely worth taking the time to fully review this proposed comprehensive reform of EU data protection rules found at the European Commission website.