Block on Trump's Asylum Ban Upheld by Supreme Court
Data and security breaches have become so common they're almost considered the cost of doing business these days. Even the most careful businesses may not be able to prevent a breach that compromises customers' private information. And as embarrassing as a data breach may be, it can be particularly harmful to customers if their information falls into the wrong hands.
Unless you're doing business solely in Alabama, New Mexico, or South Dakota, you're legally required to notify customers about a security breach, and you may need to take steps to mitigate or remediate injuries caused by the breach. But state laws can differ on the definition of applicable breaches, the level of harm that necessitates notice, and the notice required, among other things. Here's a look.
Golden State Statute
The National Conference of State Legislatures provides a comprehensive listing of state data breach notification statutes. A total of 47 states and the District of Columbia require private entities to notify individuals of security breaches involving personally identifiable information, but not every statute is the same.
California, for example, passed the first notification law in 2002, and it applies to any person or business that conducts business in the state and owns or has access to covered personal information, with a few exceptions. In the event of a breach, the business must notify customers "in the most expedient time possible and without unreasonable delay," and may need to provide credit reporting agency (CRA) information. The notice must include:
[N]ame and contact info of covered entity; types of covered info that were the subject of the breach; if available, the date, estimated date or date range of the breach; date of the notice; whether notice was delayed due to law enforcement; a general description of the breach; and toll-free numbers and addresses of the major CRAs if SSNs, drivers' license or state identification card numbers were exposed.
The notification can be delayed if law enforcement deems that it will impede a criminal investigation, and government notification is required if the breach involves more than 500 state residents. (Health care services should be aware that the notice requirements are different for breaches involving personal health information.)
To date, there is no federal notification law. But the Obama administration introduced a model statute last year that would require:
[a]ny business entity engaged in or affecting interstate commerce, that uses, accesses, transmits, stores, disposes of or collects sensitive personally identifiable information about more than 10,000 individuals during any 12-month period [to] notify any individual whose sensitive personally identifiable information has been, or is reasonably believed to have been, accessed or acquired, unless there is no reasonable risk of harm or fraud to such individual.
For now, small businesses that maintain personal information on customers should familiarize themselves with their state laws on notification. You can hope for the best when it comes to data breaches, but you should also plan for the worst. And if your small biz has been breached, you may want to contact an attorney to make sure you're complying with state notification statutes.