Welcome to Internet Law Radio where we discuss the hottest topics in Internet law. If you are facing an Internet law issue, cyber law complaint, web site or e-commerce issue, we have an Internet lawyer ready to help.
This is Internet Law Attorney, Brian Hall, with Traverse Legal, PLC. Today, I'll be discussing what to do in the event of a security breach. Most states, and I believe it's approximately 46 out of 50 states, have passed security breach notification laws. The federal government is also discussing and introducing bills regarding data security and breach notification requirements. In fact, the latest, known as the Data Security and Breach Notification Act of 2012, is one moving through government right now. So, the question becomes, what must a company do in the event that a security breach occurs? Now, there are many things that a company needs to do once they receive notice that a security breach has occurred.
So again, the first step is to act quickly and diligently with an investigation to determine if personal information was accessed. All of the statutes set forth what personal information means. In its simplest form, it's information that links to an individual such as a Social Security Number, a driver license number or some other financial account number such as a credit card or a debit card number.
Once you've made a determination as to whether or not personal information was accessed and acquired, you need to determine whether or not access to that information may cause loss, injury or most importantly, identity theft to the person whose information was accessed. If you believe that that is to occur, that typically triggers the notice requirement under the law.
Now, the standard as to whether or not you believe the access or use of that information is likely to cause substantial loss, is that of a negligent standard. An internet law privacy attorney can advise you as to whether or not it has reached such a point that you are well off providing that notice.
So, what must the notice entail? Well, there are many things and the first thing that it must do is, be provided without delay. So, that means once that first step, that investigation is complete, you cannot sit on your hands, but instead must provide the notice to the recipients of the information that was stolen.
So, it must include, for example, what exactly happened. So, what was the security breach? It must identify what personal information was taken. It must also describe what you, as a company, have done now to protect further data from being subject to a breach. It must ultimately provide contact information and reminders to those whose information was breached about their duty to continue to monitor their own identity via credit reporting agencies and otherwise.
So again, just to recap, first a quick investigation and thorough investigation is the first step. The second step is to make a determination if notice is actually required under the data security breach laws. Finally, if notice is required, you must comply with what the notice requirements are of either the state statute or if this federal legislation is actually introduced, whatever that might say.
Your failure to do so does subject you to many types of liability. You can be sued by an individual or become the defendant in a class action lawsuit by those whose actual information and data was breached. You may also face exposure from an Attorney General of either the state or the federal government possibly. Ultimately you can be subject to fines under the state security breach notification laws and in a lawsuit by, like I said before, either an individual or a class action who may assert causes of action ranging from breach of contract to negligence, to other various violations of state trade practice and related statutes.
So, ultimately data breach law is a growing area of law and the reason being is because data breaches are a growing area of concern by those that provide information to others. With the onset of class actions in this area of law, companies are well served knowing what the laws are, having a privacy or related internet law attorney at their disposal to discuss these types of items, and acting quickly in the event of an actual security breach. So once again, this has been Brian Hall providing you with some guidance as to what you need to do in the event of a security breach.
You’ve been listening to Internet Law Radio. Whether you are facing a domain name, intellectual property or a complex litigation issue, we have an Internet law attorney ready to answer your questions.