Security Breach Notification: Minimizing Legal Compliance Exposure and Reputational Risks for Your Company

As a business owner whose database includes confidential personal information on clientele, you have taken every precaution to secure this data to prevent a security breach. But even with the best security measures in place, companies occasionally find themselves in the unfortunate position of having unintentionally leaked this information to an unauthorized party. Since the Personal Data Privacy and Security Act, which would enact a federal law regarding notification to individuals of a security breach, is currently stalled in Congress, businesses that suffer security breaches must comply with state laws in over 34 different states. If your business should ever be subject to a security breach, do you know what must be done in order to minimize the legal compliance exposure and reputational risks for your company?

Determine what constitutes personal information.
In many states, personal information is defined as an individual’s name in combination with any of the following: (i) social security number, (ii) driver’s license or state identification card number, and/or (iii) account, credit or debit card number in combination with any required security code. Note that some states add medical information, date of birth or mother’s maiden name to this list.

Verify the types of media covered by the law.
It is widely accepted that security breach notification laws apply to non-encrypted computerized data, but be advised that a few states require notification if there has been unauthorized access to and acquisition of personal information in any form. Additionally, certain states have a harm threshold requiring notification only if there is a reasonable likelihood that the information acquired by an unauthorized person will result in harm.

Confirm who must be notified.
Some states require that only the individual affected by the breach must be notified. Others require that you notify state regulators, consumer reporting agencies, and/or credit card issuers. In addition, New Jersey requires notification of the state police prior to notification of the individuals.

Satisfy the notification requirements in each state.
Depending upon state law, you may be required to deliver written, electronic or substitute (i.e., a notification posted on your website or distributed to major statewide media) notice to each affected individual. An adequate breach notice should include information such as (i) a description of what happened, (ii) a description of the steps taken by the company to protect personal information from further unauthorized use, (iii) a description of how the company will assist affected individuals, and (iv) information on how individuals can protect themselves from identity theft, including contact information for three credit agencies.

If you believe that confidential personal information in your company’s possession has been acquired or accessed by an unauthorized person, act quickly to restore integrity to the affected system and provide notice without delay. The laws in each state where the security breach occurred and where any affected individuals may reside must be carefully reviewed to ensure that you have satisfied all requirements for proper notification. Until federal law is enacted, companies suffering a security breach will have to navigate the complex web of individual state requirements to minimize their legal compliance exposure and reputational risks.

Check back to for periodic updates on the pending federal Personal Data Privacy and Security Act.
