[BreachExchange] Do You Have to Tell Customers About a Data Breach?

Audrey McNeil audrey at riskbasedsecurity.com
Thu Oct 13 20:34:04 EDT 2016


http://blogs.findlaw.com/free_enterprise/2016/10/do-you-have-to-tell-customers-about-a-data-breach.html

Data and security breaches have become so common they're almost considered
the cost of doing business these days. Even the most careful businesses may
not be able to prevent a breach that compromises customers' private
information. And as embarrassing as a data breach may be, it can be
particularly harmful to customers if their information falls into the wrong
hands.

Unless your business and all of its customers are located in Alabama, New
Mexico, or South Dakota (as of this writing, the only states without a
breach notification statute), you're legally required to notify customers
about a security breach, and you may need to take steps to mitigate or
remediate injuries caused by the breach. Note that these laws generally
apply based on where the affected individuals reside, not where the
business is located. State laws also differ on the definition of an
applicable breach, the level of harm that triggers notice, and the form and
content of the notice required, among other things. Here's a look.

Golden State Statute

The National Conference of State Legislatures provides a comprehensive
listing of state data breach notification statutes. A total of 47 states
and the District of Columbia require private entities to notify individuals
of security breaches involving personally identifiable information, but not
every statute is the same.

California, for example, passed the first notification law in 2002, and it
applies to any person or business that conducts business in the state and
owns or has access to covered personal information, with a few exceptions.
In the event of a breach, the business must notify customers "in the most
expedient time possible and without unreasonable delay," and may need to
provide credit reporting agency (CRA) information. The notice must include:

[N]ame and contact info of covered entity; types of covered info that were
the subject of the breach; if available, the date, estimated date or date
range of the breach; date of the notice; whether notice was delayed due to
law enforcement; a general description of the breach; and toll-free numbers
and addresses of the major CRAs if SSNs, driver's license or state
identification card numbers were exposed.

The notification can be delayed if law enforcement determines that it would
impede a criminal investigation, and a copy of the notice must also be
submitted to the state Attorney General if a single breach requires
notifying more than 500 California residents. (Health care providers should
be aware that the notice requirements are different for breaches involving
medical or health insurance information.)

Federal Heads-Up

To date, there is no federal notification law. But the Obama administration
introduced a model statute last year that would require:

[a]ny business entity engaged in or affecting interstate commerce, that
uses, accesses, transmits, stores, disposes of or collects sensitive
personally identifiable information about more than 10,000 individuals
during any 12-month period [to] notify any individual whose sensitive
personally identifiable information has been, or is reasonably believed to
have been, accessed or acquired, unless there is no reasonable risk of harm
or fraud to such individual.

For now, small businesses that maintain personal information on customers
should familiarize themselves with the notification laws of every state in
which their customers reside, not just their home state. You can hope for
the best when it comes to data breaches, but you should also plan for the
worst: knowing in advance what data you hold, which states' residents it
covers, and who must be notified within what time frame is far easier than
working it out after the fact. And if your small business has been
breached, you may want to contact an attorney to make sure you're complying
with the applicable state notification statutes.