Do You Know Your Obligations in The Event Of a Data Breach?

A data breach is something no organization ever wants to deal with. Breaches are usually costly to the organization, dangerous to the victims, and can be damaging to all parties. However, the unfortunate reality is that not only do they happen, but they can happen to anyone at almost any time.

Modern technology, while improving workplace efficiency and capabilities, has also improved the ability of hackers and data miners to find and steal sensitive information. This has become a common occurrence. The most common form of data breach, however, continues to be the physical loss or theft of devices containing personal information. If your business has any employees or has done business with other organizations, you hold sensitive information whose loss must be reported if leaked. This issue concerns your business.

Typically, when data breaches occur they make major news. The truth is that data breaches are so common that they don’t always get reported, simply because of the frequency at which they occur. In 2016, roughly 36.6 million records were made public through some form of breach.

The possibility of a data breach isn’t all you should be concerned about, however. Are you aware that there are laws stating the obligations businesses have following a breach? Furthermore, are you aware of what those obligations are? In the United States, each state (with the exceptions of Alabama, New Mexico & South Dakota) maintains laws with such provisions. These are known as Security Breach Notification Laws. The National Conference of State Legislatures maintains an active list of breach notification laws that can be found here. These laws also state how organizations may notify victims of data breaches, as well as who is obligated to comply with them. Below are a few key points summarizing breach notification laws in the US.

  • Breach notification laws in the US only apply to enumerated types of data that are considered particularly sensitive (social security numbers, drivers’ license numbers, bank account numbers, etc.).
  • Some US state legislation requires notification only for material breaches, that is, breaches which compromise the security or privacy of a person.
  • The shortest time period in which victims of a data breach must be notified is 10 days. Failure to meet these time periods will result in strict penalties against the information-holding party.
  • Penalties for failing to notify vary by state, and may include fines or further action against the party that fails to act.

The first such law was introduced in California in 2002 and came into effect in mid-2003. As a result, the laws enacted in most other states follow the basic structure of California’s law. The California bill can be viewed here. A list of the notification bills for other states can be found here.

Allstate Information Management offers data breach reporting services through CSR. These services report actual or suspected data breaches to authorities and customers as required, ensuring your business doesn’t fall on the wrong side of the law after an already-difficult situation.

Contact Allstate Information Management for more information. We are happy to assist you.

Call 1-800-225-1080
