All 50 US states have enacted legislation requiring a business that experiences a data breach to notify the affected individuals and, depending on the state, regulators such as the state attorney general, consumer reporting agencies, or law enforcement. Responding to a data breach can be a complicated maze to navigate, with a large amount of information that must be turned over to different recipients, each with its own content, format, and timing requirements.
A business may also be hesitant to disclose a breach when the worst happens and it faces exposing the harm done to potentially millions of people, people who may well seek to recover those damages through a lawsuit. However, these disclosures are required by law, and it is crucial that a business has a plan in place to deal with the ever-present possibility of a data breach.
Violating data breach notification laws can result in civil penalties ranging from a single fine for a failure to notify to a fine applied for each individual who was not notified that their data had been exposed by a breach. Each state has its own statute and notification mandates, so it is important to become familiar with the requirements in every jurisdiction where you operate or where your customers reside, and to develop a plan that helps avoid potentially large penalties.
A Data Breach Notification Plan is a document that your company creates before a data breach happens. It outlines the requirements you are obligated to follow, addresses how the specific categories of information your company collects are affected by those requirements, lists the outside parties who will be helpful should a data breach occur (e.g., cybersecurity and forensics firms that can investigate and remediate your vulnerabilities; cyber insurance contacts who will help you recover from any loss; outside counsel), and sets out a step-by-step plan of action. With this information in hand, the Data Breach Notification Plan lets your company quickly identify what has happened, see what steps remain for compliance with each applicable state law, and finish those remaining steps within the required deadlines.
While each business will have its own issues to address, the following are some key materials that should be included in a Data Breach Notification Plan:
In addition to making the process of responding to a breach simpler and more efficient, it is vital that your business positions itself to fulfill its notification requirements quickly. Timing is critical in reporting a data breach and varies from state to state: some states set a fixed number of days, generally running from discovery of the breach, within which a business must notify affected individuals and regulators, while others require that a breach be reported "as soon as possible" or "without unreasonable delay," leaving room for interpretation. These windows close quickly, particularly if you are unprepared and must still gather the necessary information and determine whom to contact after the breach has happened. Many statutes allow notification to be delayed at the request of law enforcement so as not to impede an investigation, but on the whole the law gives little consideration to your lack of preparation once your data is breached. Starting now ensures that you will be ready if the time comes, and that you will know which deadlines you must meet after a data breach happens.
Set to take effect on January 1, 2020, the California Consumer Privacy Act ("CCPA") is intended to give individuals more control over the "personal information" that companies have been collecting in large quantities. (Note: only businesses meeting certain revenue, data-volume, or data-sale thresholds are subject to the CCPA.) It allows consumers whose nonencrypted and nonredacted personal information was exposed in a breach to bring an action for statutory damages, ranging from $100 to $750 per consumer per incident, if the breach resulted from the business's failure to implement reasonable security procedures. Separately, California's breach notification statute was recently amended to expand "personal information" beyond a person's first/last name combined with a social security number or driver's license number to a much larger swath of data, including biometric data, such as fingerprints and retina scans, and government identifiers, such as passport numbers and tax identification numbers.
In a short span of time, legislation has vastly increased the tools available for individuals to take action against companies that suffer data breaches, and with it the number of incidents that count as breaches requiring notification. If you are building a Data Breach Notification Plan, you must keep track of significant changes such as the CCPA, which can drastically change the risk of not reporting and increase the number of incidents that trigger a notification obligation.
If you need assistance developing a Data Breach Notification Plan – or have questions related to your obligations under data breach notification laws – contact Traverse Legal’s attorneys today.
This blog post contributed, in part, by Traverse Legal Virtual Law Clerk Scott Pehoushek.