On Halloween, the New York and Vermont attorneys general obtained a $700,000 settlement from Hilton for, among other violations, late breach notification. Earlier this week, we noted that the Reserve Bank of India (“RBI”) imposed a $1 million USD fine on India’s Yes Bank for violating RBI’s 2-to-6-hour data breach notification requirement. So, as we have been predicting for some time, it seems that regulators are starting to step up enforcement and expectations in breach notification cases.
Hilton became aware of cyber breaches in February and July of 2015 but did not report them to consumers until November 2015. Under the terms of the settlement, Hilton must provide notice of future cyber incidents in accordance with the New York and Vermont statutes. Tellingly, although the NY statute provides that notice must be given in the “most expedient time possible and without unreasonable delay,” the New York Attorney General characterized Hilton’s obligation going forward as “immediate notice” in the press release describing the settlement.
The Hilton settlement is also interesting because, as with Equifax, it is another example of state attorneys general claiming that weak cybersecurity practices violate state deceptive practices laws by way of false representations that a company can securely maintain personal information.
One clear implication of these recent cases is that regulators are expecting companies to disclose cyber events more quickly. The New York Department of Financial Services requires covered entities to report certain data breaches within 72 hours. The insurance industry is poised to adopt a 72-hour notification rule, and the European Union’s General Data Protection Regulation will impose a similarly tight deadline for breach notice when it becomes effective in May 2018. And some companies are demonstrating that they can disclose quickly. For example, last month, it was reported that Disqus was able to provide notice within 24 hours of learning of a breach. So, we will not be surprised if state regulators start interpreting phrases like “most expedient time possible,” “without unreasonable delay,” and “as soon as possible” in the applicable cyber breach statutes to mean days, rather than weeks.
The Davis Polk Cyber Breach Portal, which will launch early next year, has many resources to help clients with notification statutes, including a simple, query-based tool that assists clients in quickly assessing their cyber breach notification obligations in 48 states and under HIPAA and the Gramm-Leach-Bliley Act. The Portal is currently being beta tested by a select group of clients.