It is an unfortunate fact that many companies will experience a data security breach at some point. In order to prepare, there are a few steps every company should take before a breach occurs, keeping in mind that breaches may trigger the differing notification laws of 46 states and the District of Columbia.
First, it is important to understand the various types of security breaches in order to anticipate how they may occur. The most common types of security breaches include:
• Internal breach: an employee or contractor may use data in a manner not permitted, may disclose data to third parties without authorization (whether intentionally or not), or may maliciously steal data with the intention of using it for illegal purposes.
• Loss of hardware or data: loss of a laptop or mobile device containing personal information is a common occurrence.
• Malicious breach: third parties with malicious intentions can hack into insecure systems through various means, whether into a network, a server, or an individual computer or database.
• Oversight: unfortunately, companies often fail to take reasonable precautions to protect their data, which can easily lead to a breach via any of the above means, or others.
Second, companies should take reasonable steps to evaluate the data they have, who has access to the data, and what the risks of potential breaches are, and should ensure they have a reasonable level of security in place.
Third, before a breach occurs, have a response plan in place specifying what should be done if a breach of any type does occur. The plan should include the following:
• Contact information for individuals within the company to be notified in the event of a breach (senior executives, head of security, IT personnel, legal, PR, etc.);
• Contact information for a data forensics specialist (to evaluate the nature of the breach and attempt to determine whether it is possible to find the source of the breach, the potential culprit, and the data impacted);
• List of specific steps to take if a breach is suspected (e.g. terminate outside access to the network, remotely disable stolen hardware, etc., depending on the type of breach);
• Analysis of which state notification laws will be triggered, based on states from which personal information is collected, and the definition of personal information triggering notification laws in the various states (note that there are currently 46 different state notification laws, with different requirements);
• List of which law enforcement or government agencies must be notified pursuant to applicable state laws or industry requirements;
• Form notification letters prepared in accordance with applicable state laws, so the company can merely input the details of the breach and send the letters pursuant to the timing requirements of various states;
• Pre-negotiated rates for consumer fraud protection services if the company wishes to offer this service to impacted consumers (it is difficult to negotiate this in the aftermath of a breach when the service may be urgently needed);
• List of third parties or vendors to be notified if applicable.
It is important to review a company’s breach response plan on an annual basis to evaluate whether the company has begun to collect different types of information, or collect data from subjects in different states, such that different notification laws would be triggered.
This article should not be construed as legal advice, and no attorney-client relationship is formed by reading this article or contacting the author.