Be Prepared with a Data Breach Notification Plan

Mallory King - December 31, 2019 - Internet Law, Privacy


What is a Data Breach Notification?

A majority of states in the US have enacted legislation making it mandatory for businesses to notify law enforcement and other affected businesses and individuals whenever a business experiences a data breach. Responding to a data breach can be a complicated maze to navigate, with a large amount of information that needs to be turned over to different sources, each with their own requirements.

A business may also be hesitant to turn data breach information over when the worst happens and it is faced with exposing the damage done to potentially millions of people – people who may well want to recover those damages through a lawsuit. However, these disclosures are required by the government, and it is crucial that a business has a plan in place to deal with the ever-present possibility of a data breach.

Violating data breach notification laws can result in civil penalties varying from a single fine for a failure to notify to a fine applied for each individual person who was not notified that their data had been made vulnerable by a breach. Each state has its own laws or notification mandates, and it is important to become familiar with the requirements in your operational locations so that a plan can be developed to help avoid potentially large penalties.

What is a Data Breach Notification Plan?

A Data Breach Notification Plan is a document that your company can create before a data breach happens to outline the applicable requirements that you are obligated to follow, address how the specific information that your company collects is affected by those requirements, list other entities that will be helpful should a data breach occur (e.g., cybersecurity firms that can address your vulnerabilities; insurance contacts that will help you recover from any loss), and set out a step-by-step plan of action. With this information incorporated, the Data Breach Notification Plan will then allow your company to identify what has happened, see what steps still need to be completed for compliance with state law, and quickly finish those remaining steps.

What Should be Included in a Data Breach Notification Plan?

While each business will have its own issues to address, the following are some key materials that should be included in a Data Breach Notification Plan:

  • A mechanism, such as email, for notifying the owners of the information you have collected
  • Contact information for other businesses that may be affected, as well as agencies that state law requires you to notify
  • Clear definitions of what is protected information in your state and an explanation of what constitutes a data breach
  • A guide for identifying when a breach has occurred, what kind of breach occurred, and, if possible, who is responsible
  • A timeline with clear deadlines for the requirements of applicable laws
  • A step-by-step guide that meets each required action in the reporting process
  • Disciplinary action within your company for those who do not follow the Data Breach Notification Plan
  • Forms to facilitate quick collection of information and transmission to relevant parties
  • An outline of what security measures you have already taken
  • If your company has experienced a data breach before, an explanation of what happened and what lessons were learned from the previous experience

Why Should My Business Implement a Data Breach Notification Plan Now?

In addition to making the process of responding to a breach simpler and more efficient, it is vital that your business positions itself to be able to fulfill its data breach notification requirements quickly. Timing is critical in reporting a data breach and varies from state to state, with some states giving a period of days within which a business must contact law enforcement and affected entities, while others require that a breach be reported “as soon as possible” with room for interpretation. These small windows of opportunity will close quickly, particularly if you are unprepared and need to gather the necessary information and determine who to contact after the breach has happened. You may have some allowances of time depending on how law enforcement wants to deal with the situation, but on the whole, the law will have little consideration for your lack of preparation once your data is breached. Starting now ensures that you will be ready if the time comes, and you will know what deadlines you must meet after a data breach happens.

Changes to California Law

Set to take effect on January 1, 2020, the California Consumer Privacy Act (“CCPA”) is intended to give individuals more control over “personal data” that companies have been collecting in large quantities. (Note: only some businesses qualify for compliance with the CCPA.) It allows people whose data was affected by a breach to bring an action for statutory damages, which can range from $100 to $750 per incident, if a business did not reasonably protect that data. “Personal data” was also recently expanded from only including information such as a person’s first/last name, social security number, and driver’s license number, to a much larger swath of information including biometric data – like fingerprints and retina scans – and government identifiers – like passport numbers and tax identification numbers.

In a short span of time, legislation has vastly increased the tools available for individuals to take action against companies that suffer data breaches, and with them the number of incidents that will be counted as breaches requiring notification. If you are building a Data Breach Notification Plan, you must keep track of significant changes such as the CCPA that can drastically change the risks of not reporting and increase the number of incidents that create an obligation for notification.

Need a Data Breach Notification Plan?

If you need assistance developing a Data Breach Notification Plan – or have questions related to your obligations under data breach notification laws – contact Traverse Legal’s attorneys today.

This blog post contributed, in part, by Traverse Legal Virtual Law Clerk Scott Pehoushek.
