Practical Steps in Responding to a Data Breach

more+
less-

What does a company do if it is faced with a possible or actual breach of customer, employee or shareholder personal data? California enacted the first state data breach notification law in 2003, obligating companies to notify individuals whose personal data had been compromised in a data breach. Since then, 45 more states have followed California’s lead in responding to the national epidemic of identity theft. This article provides an overview of these laws, describes some best practices that have developed in response to them and addresses the calls for a federal data-breach law.

The 46 state laws generally require companies to notify individuals if there is a reasonable basis to believe that there has been a compromise of their personal data. See, e.g., Calif. Civ. Code §1798.82. Some states also necessitate determining whether there is a “risk of harm” from the breach to such individuals. See, e.g., Conn. Gen. Stat. §36a-701b(b). These state laws typically cover such nonpublic personal information as name, together with a social security number, driver’s license number or account, credit or debit card number information that would permit access to an individual’s financial account. A handful of states also cover name plus medical information. See, e.g., Calif. Civ. Code §1798.82(e)-(f). When medical information is involved, companies should also review the federal Health Information Technology for Economic and Clinical Health (HITECH) Act data breach rule, which covers protected health information. 45 CFR Parts 160 and 164, Subpart D. The state laws require that affected individuals be provided with adequate timely notice so they can take steps to protect their personal information and prevent identity theft.

LOADING PDF: If there are any problems, click here to download the file.

Published In: Civil Remedies Updates, General Business Updates, Science, Computers & Technology Updates, Consumer Protection Updates, Privacy Updates

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Nick Akerman, Dorsey & Whitney LLP | Attorney Advertising

Don't miss a thing! Build a custom news brief:

Read fresh new writing on compliance, cybersecurity, Dodd-Frank, whistleblowers, social media, hiring & firing, patent reform, the NLRB, Obamacare, the SEC…

…or whatever matters the most to you. Follow authors, firms, and topics on JD Supra.

Create your news brief now - it's free and easy »