
What’s your data breach notification plan?

Tech companies are required to notify affected customers after a data breach. Here are a few tips for complying with state laws and avoiding potentially bankrupting expenses.

State laws mandate customer notification after a data breach

Data breach security matters more than ever as cloud platforms, mobile devices, and other cloud-friendly services continue to grow. Never before has business data been so widely accessible.

Unfortunately, this also means that hackers and cybercriminals have more ways than ever to attack your business's data.

Currently, all 50 states require businesses to notify customers who may have been affected by a data breach.

So what is a data breach, exactly? It's when a hacker, cybercriminal, or any unauthorized third party accesses your business's network and your customers' private data.

Each state sets its own requirements for how businesses should respond to a data breach. That's why it's tricky to know what you're expected to do following a breach – especially if you serve clients in more than one state.

Questions to ask to determine your responsibility

Here are four basic questions to ask to determine your responsibility following a data breach:

1. Who do you have to notify? After a data breach, you'll be required to notify any affected customers, and sometimes other parties. Some states also mandate that you notify the attorney general or consumer reporting agencies.

For instance, Colorado, Wisconsin, and a few other states require that you report breaches to consumer reporting agencies if the breach includes private data for more than 1,000 individuals.

2. What constitutes a data breach? Each state law specifies which types of data count as "private information." This may include Social Security numbers, driver's license numbers, fingerprints, medical records, and even DNA information.

These data privacy laws consider data "breached" if it is illegally accessed, or if you suspect it has been.

3. How should you contact your customers? State laws may specify how you communicate breaches to affected parties. Some states limit the use of emails or phone calls, specifying you can only email customers about data breaches if you have their permission. Some states prohibit prerecorded phone calls.

However, all states allow you to use ordinary postal mail as an official contact method.

4. When do you need to contact them? Timing requirements vary quite a bit between states. What matters most is that you contact your customers quickly, or you may face fines or lawsuits.

Why is it important to have a data breach notification plan?

Timing can be extremely important in data breach response. Your state laws may set a deadline, requiring you to contact your customers within 45 days of the breach. But some states set even higher standards.

In California, for instance, the law does not list a specific timeframe for companies to notify their customers. Instead, the law says notification must happen "in the most expedient time possible and without unreasonable delay." That translates to: notify your customers ASAP.

In one case, a California company was sued for taking 15 days to contact its customers.

Time matters in data breach incidents. When you're affected, you'll want to have a plan in place to respond quickly so you can avoid lawsuits and fines.


What should your data breach notification plan look like?

Let's say you come to work and your audit logs show there has been suspicious activity on your network overnight. It looks like someone was able to create an account and access your data.

When this happens, you'll want to enact your data breach notification plan. So what should that plan include?

State requirements. You should be familiar with the data breach laws for your state. Will you have to contact consumer reporting agencies? Is there a deadline for your response? Can you save money by contacting your customers via email, or will you have to send them printed notices? Answer these questions ahead of time.

Insurance contact information. Your first-party cyber liability insurance will help you respond to a breach. Have your insurer's contact information handy along with the important details of your plan. (Learn more about cyber liability insurance and how first-party and third-party cyber coverage differ.)

A step-by-step action plan. Your data breach notification plan should be more than just information. It should tell you what to do and the order of actions you need to take.

Among the steps you should include are: close the security holes in your system; if you're unable to fix the network security issues yourself, contact a security firm that can; and list the instructions for contacting customers and any required government agencies.

One key benefit of creating a data breach notification plan is that as a result, you may qualify for a lower premium on your cyber liability insurance.

Data breach laws for companies that work in multiple states

If your business has customers in different states, you may have to notify each according to the rules of their state.

Given that there is no standard law that governs all states (except for HIPAA, which governs medical data), you'll have to look up each applicable state's consumer data protection laws. One website to bookmark is corporate law firm Perkins Coie's chart of state requirements for data breach notification.

All of these requirements and extra work are exactly why cyber liability insurance pays for extra personnel, crisis management professionals, and the cost of notifying your customers. This insurance can help you avoid lawsuits and fines, and take care of your data breach requirements correctly and efficiently.

A last word on data protection for IT businesses

So far we've only discussed how these plans protect you if your own business is hacked. But if your business provides data protection services for your customers, you should also consider putting together data breach notification plans for them as well as yourself.

Third-party cyber liability insurance, typically included in errors and omissions insurance, covers your business's liability in this situation.

Get free quotes and compare policies with TechInsurance

TechInsurance helps IT and tech business owners compare business insurance quotes with one easy online application. Start an application today to find the right policy at the most affordable price for your business.
