What to Know about Data Breach Notification Rules
Updated: Jul 9
Cyber security and data breaches are a big deal and a big headache for companies. And breaches are on the rise — up 38 percent in the second quarter of 2021, according to the Identity Theft Resource Center. Additionally, the non-profit consumer group predicts breaches to reach a new all-time high by the end of this year.
Do you have a plan of attack or a to-do list should your company face a data breach?
You should, because, unfortunately, there is no clear-cut crisis plan that spells out all the next steps for you. For one thing, consumer privacy and security breach notification laws vary from state to state. And then there is the matter of how different industries and different data all have different requirements.
While what businesses are required by law to do following a data security incident varies by state, generally speaking there are some steps that must be taken no matter what. One of those steps is to notify affected customers and regulatory agencies of the incident. Here’s a brief “Who, What, When, Where, How and Why” sort of guide to walk you through the notification process.
You will need to notify consumers and individuals impacted by the security breach – per the state laws where they reside.
In addition to those impacted, you likely will need to inform government officials and regulatory agencies. For example, some states require that you file a notification letter with the attorney general. Financial firms will need to inform agencies like the SEC and FINRA when consumer privacy is compromised.
There’s also the matter of who has the legal obligation to make the notification. There’s often confusion as to whether a company or its vendor, who might be responsible for the breach, is the one with the duty to notify. The answer: It’s the company that owns the information that was compromised, not the vendor, who is responsible for making the notification. The company might, however, have in its contract that the vendor must pay for such notification.
What constitutes a data breach? It depends on the definition of personally identifiable information – and that varies from state to state.
It’s often the usual suspects like Social Security numbers, driver’s license numbers and credit card numbers. But increasingly it’s also user names, passwords and even biometric information and health information. While HIPAA is the federal law covering how certain entities – like healthcare providers and insurance companies – handle patients’ private health information, other companies that don’t fall under HIPAA might still hold such sensitive data. For example, employers might have employees’ health data, because those employees sign up for their health insurance through their employer.
If you have an incident, one of the first things you need to figure out is what sort of data was compromised, and then cross-reference that with your duty to inform.
Most state laws simply say companies have a “reasonable time” to notify people — consumers, typically — that their personally identifying data was compromised. But some states give just 30 days from discovery of the incident for that notification to happen.
No matter what, you must act swiftly, especially if you don’t even find out about the breach until well after the fact. Conduct your investigation and get out those notifications. I recommend having a process – and testing that process – before an incident occurs, even if such a process is not required. (FINRA, for example, requires the financial services companies it regulates to have a cyber security incident plan in place.)
Businesses often don’t know, or misunderstand, how a data security incident notification must be done. Most often it must be done via a physical letter mailed to the impacted individuals. But if the company and the breach are large enough, it could trigger more public notification, including a press release and a message on the company’s website.
Some states require that notification letters include information on how consumers can contact the various credit reporting agencies to check their credit reports. Other states require that companies state that they will provide and pay for credit monitoring for a year following the incident. And curiously, one state – Massachusetts – will allow companies to tell consumers only that their information was compromised, not what happened or anything about the relative risk to them as a result. That’s bad for consumers and bad for businesses.
You need to take action following a data security incident because security breach notification laws — both where you do business and where your consumers live — require it. And other agencies with oversight of your industry might also require that you take immediate action.
However, it’s about more than doing what is required by law or regulation. It’s about restoring consumer confidence and protecting your reputation in the market. For what it’s worth, I don’t think consumers are shocked or surprised by data security incidents anymore. There’s a certain level of understanding or acceptance.
Don’t take that for granted though.
You still need to do the work to show consumers you take safeguarding their information seriously and want them to feel good about continuing to give you their business.