As technology becomes more sophisticated, so do the many crimes associated with it. Whether you’re a large institution, a small retailer, or an individual, you are susceptible to data breaches. If your company data is breached, in most cases, you are required to provide notice. BLR, Holly Jones, guides us through state laws, and when you are required to provide notice.
What are you required to do once you discover that your company’s data has been breached? Nearly every state has a security breach law, under which you are required to provide notice. In this article, we discuss state laws and when you are generally required to provide notice about a data breach.
In this article, we cover topics such as who needs to be notified of a security breach and what the notice should include.
Security breach: Who needs to know?
If, for example, an employee record database is breached, certainly all affected individuals should be alerted. Keep in mind that this may not only include current employees, but also former employees whose information is still retained in the system.
In addition, depending on the severity of the breach and the type of information accessed, some state laws require notice be provided to local authorities, state consumer protection agencies, attorneys general, and the three major credit bureaus.
Some state laws do provide exceptions and safe harbors from the notice requirements in limited circumstances. For example, if the employer finds there is no reasonable likelihood of harm or identity theft as a result of the breach, then notice may not be required. Notice is also not required if the breach was restricted solely to encrypted data.
Beware of these exceptions, though, since it may be difficult to determine exactly what data an unauthorized third-party has accessed and what he or she plans to do with that data. In most cases, unless providing notice would be particularly burdensome or damaging, it may simply be preferable to provide notice as a courtesy.
What should you include in the notice?
Some states may provide a model form for providing notice; however, if no such form is available or if notice must be provided to multiple jurisdictions, a general notice template should include the following information:
- A plain-English explanation of how the breach occurred.
- Whether the breach has been secured and, if appropriate, steps that have been taken to eliminate the vulnerability and to prevent future breaches.
- A description of the type and scope of information believed to be accessed/obtained (e.g. payroll data collected between 2010-2011; medical leave certifications for employees with last names ending in A-H; usernames and passwords for company e-mails; etc.)
- A broad description of categories of sensitive information that were not compromised (e.g. “the breach was limited to collected e-mail addresses from active customers, no personal identification numbers, passwords, or financial data were accessed”).
- Any services or assistance the company will provide (free credit monitoring) and instructions for obtaining the service.
- Protective steps those affected should take (changing passwords or PINs, requesting replacement credit cards, reviewing free credit reports, etc.)
- Contact information and instructions for obtaining further information.
- Any additional requirements under applicable state law (e.g. right to a credit or police report, instructions for placing a security freeze on affected accounts).
Notice may always be provided in writing via mail. E-mail notices may also be acceptable; however, some states may require that employees have first given prior consent to receiving such notices via e-mail. In particularly large breaches, notice may also be provided to local news media, on the company website or intranet, and to state agencies as mentioned above.
Though the actual data breach may have occurred in one specific company location, be aware that your notice and response strategy may need to cross borders and comply with the laws of other jurisdictions.
For example, even though South Dakota employers may not be required to provide notice of a security breach, if a company has remote workers, vendors, or customers who reside or principally operate out of one of the states with notice requirements, then the employer may still be required to provide notice. Companies with international customers, clients, or employees may also need to consider reporting requirements in those other countries of operation.
Finally, consider whether any active collective bargaining agreements, employee contracts, or nondisclosure agreements with employees or vendors impose additional notification or remedies.