Data breaches are becoming worryingly common. According to the Identity Theft Resource Center, there were 817 data breaches in the U.S. in the first half of 2022. Even if you provide cybersecurity training for your employees and focus on securing your company’s network, breaches can still happen. So, what do you do if you’ve had a breach?
Once you’ve contained the incident and secured your network, your work is not done. You may be required by law to let your customers know that their information was stolen. This is called a breach notification.
What is a Breach Notification?
Breach notification is when a business, government, or other entity notifies affected individuals that their personally identifiable information (PII) has been, or is reasonably thought to have been, obtained by an unauthorized party. A breach may occur through hacking, phishing, ransomware, malware, and other cyber-attacks. It could also happen if a device storing PII is lost or stolen.
PII comes in many different forms including identification numbers, account numbers, biometrics, and medical information. Some examples of PII are social security numbers, driver’s license numbers, credit card information, or even something like your date of birth and address.
If it is possible that an unauthorized user accessed any of these types of information, you may be required by law to let the affected customers know. Even if not required, it is better to let customers know to keep their trust. A breach notification will allow affected parties to mitigate the risks associated with stolen data. For example, they may change passwords, close credit cards, or enroll in credit monitoring.
Laws Affecting Breach Notification
How do you know if you need to send a breach notification? There are several laws that may mandate it, as well as provide specifics about who should be informed, when they should be informed, and how they should be notified.
Some U.S. federal laws affect breach notification requirements.
- HIPAA requires you to notify individuals if there has been a breach of their protected health information. Written notice must be provided within 60 days of the discovery of the incident. For large breaches, the entity is sometimes also required to notify media outlets in the affected area. You must also notify the Secretary of Health and Human Services.
- The Gramm-Leach-Bliley Act makes breach notification a requirement for financial institutions.
- The Computer-Security Incident Notification Requirements for Banking Organizations and Their Bank Service Providers require FDIC-supervised banks to notify the FDIC of qualifying incidents.
Breach notification law, however, is mainly set at the state level. In 2002, California became the first state to require breach notification by law. Now, all 50 U.S. states require breach notification through their own state laws. Each state’s laws are different, so it’s important to know which laws you are required to follow. In some states, you are also required to notify the state Attorney General’s office and the credit reporting agencies. It’s important to note that you must follow the state law of the individual whose information has been compromised, not the law of the state in which your company is located. So, if you have customers in different parts of the U.S., you may have varying requirements.
Differences in state laws include:
- What is considered a breach.
- When notices need to be completed.
- What must be in the notice.
If you operate outside the United States, you may be required to send breach notifications under other laws, such as the EU’s General Data Protection Regulation (GDPR) and Australia’s Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth).
Have you had a security breach that resulted in stolen customer data? Are you having trouble navigating the laws to determine your legal requirements? Let IPS know and we can help.
If you’ve already determined you need to send breach notifications, stay tuned for our next blog. We will go over tips for how to send breach notifications.