Data breaches occur; it is a fact of life that we must live with. We can, however, prepare and minimize damage by following state laws that require data breach notifications. Currently, 46 states, the District of Columbia, Guam, Puerto Rico, and the U.S. Virgin Islands require an organization to notify others when a breach has occurred. These state laws apply not only to companies that own a consumer’s personal information, but also to organizations that maintain or control personal information they do not own.
While most notification laws have similar aspects, there are plenty of differences. A one-size-fits-all approach often will not suffice. Below is a list of elements and questions to ask when examining your state’s breach notification laws to keep your data breach response plan up to date.
How does your state define personal data?
In the event of a data breach, it is often ‘personal information’ that triggers a data breach notification. Most state laws use a common definition of personal information: any information that consists of a consumer’s name and at least one of the following: Social Security number, driver’s license number, or any financial information.
What triggers a breach notification in your state?
Some states require notification if personal information “was or is reasonably believed to have been” lost, leaked, or accessed by unauthorized personnel, regardless of harm to the consumer. Other states allow organizations to evaluate the risk of harm to the consumer. In those states, a notification is triggered only if it is believed that the unauthorized access of personal information will lead to harm to the consumer.
How are you allowed to notify consumers of a possible breach?
There are many methods by which consumers can be notified of a personal information breach. Many states allow notification via telephone, while some permit email notification. The most commonly accepted form of notification is a written letter. Depending on the size of the data breach, a public announcement must also be made through various media outlets.
Contact us today to talk to a qualified individual and to learn more about state data breach notification requirements.