International Student Health Insurer Breached
Incident at Canadian Firm Spotlights Complex Notification Issues
A data security incident involving a Canada-based insurer that provides comprehensive health coverage to students studying abroad shines a light on complex international regulatory issues companies can face in the wake of a data breach.
Guard.me International Insurance, which calls itself one of the world's largest insurance providers in international education, says in a notice posted on its website that it has taken down the site's functionality "in an abundance of caution" after detecting recent suspicious activity directed at its website.
"Our information systems and IT teams are reviewing measures to ensure the site has enhanced security in order to return the site to full service as quickly as possible," the notice says.
Guard.me did not immediately respond to Information Security Media Group's requests for additional information about the incident.
News site Bleeping Computer reported on Monday that a Guard.me breach notification letter being sent to affected students says that the company's IT team discovered "unusual activity" on its website May 12.
"The vulnerability has been addressed. Our experts are diligently investigating the matter further," the notification states, according to Bleeping Computer.
The vulnerability allowed an intruder to access students' dates of birth, genders and encrypted passwords. For some students, email addresses, mailing addresses and phone numbers were also exposed, according to the breach notification letter.
Guard.me also notes in the letter that it is implementing new policies for increased security, including database segmentation and two-factor authentication.
On its LinkedIn page, Guard.me notes that it has offices worldwide, including in North America, Australia, Europe, the Middle East, Africa and Latin America. Recently, Guard.me launched "the industry's first and only mental health support program for international students," the company says.
Some regulatory attorneys say Guard.me faces a complicated patchwork of international and local breach reporting and notification mandates.
"The most important point to make about this type of breach incident, which even many attorneys and compliance personnel don’t realize, is that the location where any particular 'data subject' or individual affected by a breach incident resides is key to the analysis of data privacy and security requirements outside of U.S. federal laws, like HIPAA, Family Educational Rights and Privacy Act, and the Privacy Act," says privacy attorney Iliana Peters of the law firm Polsinelli.
An organization experiencing a data breach may have many obligations to many different countries, as well as states or territories within countries, if it holds the data of their residents, she notes.
"As such, it is crucial that entities understand what data they hold for what individuals, including where those individuals live, before a security incident occurs, so that those entities can develop and implement the correct policies and procedures to comply with the applicable state, federal, territorial and international legal requirements."
Careful Assessment Needed
Regulatory attorney Nancy Perkins of the law firm Arnold & Porter stressed that Guard.me will need to look at a number of issues, including the country in which each affected student resided when they provided personal data to Guard.me.
The company will need to comply with the breach notification rules in each applicable country, state or territory, she adds. That likely includes breach notification requirements at the federal level in Canada and in any Canadian province and the breach notification laws in U.S. states in which students reside.
It's also very likely that the EU's General Data Protection Regulation will apply, Perkins says. That's because Guard.me apparently offers its insurance coverage to individuals in Europe, and the GDPR applies to entities outside the European Union that “offer goods or services” to individuals in the European Economic Area and collect their personal data, she notes.
"If no personal data was collected about those individuals except when they were outside the EEA, the GDPR would not apply because nationality is not the hook for GDPR jurisdiction," Perkins says.
In the U.S., HIPAA would not likely apply to the incident, she notes.
"Even though the HIPAA statute and regulations do not expressly address extraterritorial scope and thus potentially could apply to a Canadian health insurance provider, the likelihood that the Department of Health and Human Services would devote its enforcement efforts against a Canadian company seems very low, given that there would be significant jurisdictional obstacles to overcome as a practical enforcement matter," she says.
"Canadian privacy laws likely would apply because Guard.me is required under those laws to protect the personal data of all individuals, regardless of citizenship, that it processes."