Data breach security is becoming more important with the growth of cloud operating systems, mobile device use, and other cloud-friendly platforms. Never before have we had more access to our data. Unfortunately, this also means that the bad guys (aka hackers and cyber criminals) have more ways than ever of attacking your business's data.
Currently, 46 states require businesses to notify any customers who may have been affected by a data breach. So what is a data breach, exactly? It's when a hacker, cyber criminal, or any unauthorized third party accesses your business's network and your customers' private data.
Each state sets its own requirements for how businesses should respond to a data breach, which makes it tricky to know what you're expected to do following a breach - especially if you serve clients in more than one state. Here are four basic questions to ask to determine your responsibility following a breach:
- Whom do you have to notify? You'll be required to notify any affected customers and sometimes other parties after a data breach. Some states also mandate that you notify the attorney general and/or consumer reporting agencies. For instance: in Colorado, Wisconsin, and a few other states, if the data breach includes private data for more than 1,000 individuals, you have to report this to several consumer reporting agencies.
- What constitutes a data breach? Each state law specifies which data counts as "Private Information." This can include SSNs, driver's license numbers, fingerprints, medical records, and even DNA information. These data privacy laws consider data "breached" if it is illegally accessed OR you have reason to believe it may have been illegally accessed.
- How should you contact your customers? State laws may specify that you can only use certain methods of communication to contact your customers. Some states limit the use of emails or phone calls, specifying you can only email customers about data breaches if you have their permission. Some states prohibit prerecorded phone calls. All states allow you to use snail-mail as an official contact method.
- When do you need to contact them? I'll go over timing requirements in more detail in the next section. These vary quite a bit, but it's important to know that you have to contact your customers quickly and can face fines or lawsuits if you fail to do so.
Why Is It Important to Have a Data Breach Notification Plan?
Timing can be extremely important in data breach response. Your state laws may set a deadline, such as requiring you to contact your customers within 45 days of the breach. But some states set even stricter standards.
In California, for instance, the law does not list a specific timeframe for companies to notify their customers. Instead, the law says notification must happen "in the most expedient time possible and without unreasonable delay," which translates to: notify your customers ASAP. And California takes this seriously. One California company was sued for taking 15 days to contact its customers.
Bottom line: time matters in data breach incidents. When you're affected, you'll want to have a plan in place to respond quickly so you can avoid lawsuits and fines.
What Should Your Data Breach Notification Plan Look Like?
Let's say you come to work and your audit logs show there has been suspicious activity on your network overnight. It looks like someone was able to create an account and access your data. When this happens, you'll want to put your Data Breach Notification Plan into action. So what should that plan include?
- State requirements. You should be familiar with the data breach laws for your state. Will you have to contact consumer reporting agencies? Is there a timeline for your response? Can you save money by contacting your customers via email, or will you have to send them hard-copy notices? Answer these questions ahead of time.
- Insurance contact information. Your First Party Cyber Liability Insurance will help you respond to a breach. Have your insurer's contact information handy and list the important details of your plan. (Read more about Cyber Risk Insurance in "Third Party vs. First Party Cyber Risk Insurance: Protect Your IT Firm Right").
- A step-by-step action plan. Your Data Breach Notification Plan should be more than just information; it should tell you what to do and in what order. Among the steps you should include are: closing security holes in your system, contacting security firms to fix your network security issues if you're unable to, and listing instructions for contacting customers or required government agencies.
Keep in mind that one bonus of writing a Data Breach Notification Plan is that you may qualify for a lower premium on your Cyber Liability Insurance.
Data Breach Laws for Companies That Work in Multiple States
If your business has customers in different states, you may have to notify each according to the rules of their state. Is your head spinning yet?
Because there is no single law that governs all states (except for HIPAA, which only governs medical data), you'll have to look up what each state law requires to protect its consumers. One handy website to bookmark is corporate law firm Perkins Coie's chart of state requirements for data breach notification.
All of these confusing requirements and the extra work they create are exactly why First Party Cyber Liability Insurance pays for extra personnel, crisis management professionals, and the cost of notifying your customers. This insurance can help you avoid lawsuits and fines and take care of your data breach requirements correctly and efficiently.
A Last Word on Data Protection for IT Businesses
So far we've only discussed how these plans protect you if your own business is hacked. But if your business provides data protection services for your customers, you should also consider putting together Data Breach Notification Plans for them as well as yourself.