Practical Steps in Responding to a Data Breach


What does a company do if it is faced with a possible or actual breach of customer, employee or shareholder personal data? California enacted the first state data breach notification law in 2003, obligating companies to notify individuals whose personal data had been compromised in a data breach. Since then, 45 more states have followed California’s lead in responding to the national epidemic of identity theft. This article provides an overview of these laws, describes some best practices that have developed in response to them and addresses the calls for a federal data-breach law.

The 46 state laws generally require companies to notify individuals if there is a reasonable basis to believe that there has been a compromise of their personal data. See, e.g., Calif. Civ. Code §1798.82. Some states also require a determination of whether the breach poses a “risk of harm” to such individuals. See, e.g., Conn. Gen. Stat. §36a-701b(b). These state laws typically cover such nonpublic personal information as name, together with a social security number, driver’s license number or account, credit or debit card number information that would permit access to an individual’s financial account. A handful of states also cover name plus medical information. See, e.g., Calif. Civ. Code §1798.82(e)-(f). When medical information is involved, companies should also review the federal Health Information Technology for Economic and Clinical Health (HITECH) Act data breach rule, which covers protected health information. 45 CFR Parts 160 and 164, Subpart D. The state laws require that affected individuals be provided with adequate timely notice so they can take steps to protect their personal information and prevent identity theft.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Nick Akerman, Dorsey & Whitney LLP | Attorney Advertising
