April 12, 2016 You’ve Been Hacked. Now What?
Silence is far from golden when it comes to sharing bad news about computer network incidents. It’s not enough to suffer the indignity or productivity and financial losses resulting from having your IT system hacked: depending on where you do business, you must also inform your clients and employees — the other affected parties — of the cyberbreach.
Now, let’s clarify: a cyberbreach notification is not a cyberbreach disclosure. In 2011, the Securities and Exchange Commission made a significant foray into breach disclosures with its Disclosure Topic No. 2: Cybersecurity, requiring publicly traded companies to inform investors of cyberbreaches by reporting incidents in SEC filings. The SEC mandate is a federal (therefore national) requirement on publicly traded companies doing business anywhere in the United States.
A state cyberbreach notification law, however, must be followed only in that state — the one in which you do business. But that’s little comfort for many businesses that operate in more than one: wherever a business operates, it must comply with respective state laws and responsibilities. Although there are many similarities among such laws, cyberbreach notification laws and subsequent responsibilities are unique to each state.
Numerous businesses operate in numerous states, making compliance a hydra-headed beast to tame. Just how many state laws must you be aware of? Lots — 47 states, in fact. And the District of Columbia, Guam, Puerto Rico, and the U.S. Virgin Islands have statutes mandating that businesses inform people that the security of their personally identifiable information (PII) is at risk. Only Alabama, New Mexico, and South Dakota do not have data breach notification laws on the books.
This is not a business-only requirement: state statutes require notification from nonprofit entities as well — think tanks, charities, associations, and more.
More than 895,886,345 records have been breached since 2005, the year that the Privacy Rights Clearinghouse (PRC) began tracking data breaches. That number does not equate to the number of people affected, since numerous folks have been hit by more than one breach. Too many are unlucky members of a “triple crown club” — that is, victimized by the Target breach, the Home Depot breach, and the Office of Personnel Management breach, or any other trio of the 1,883 breaches tallied by the PRC from 2012 to March 29, 2016.
What is a data breach? Also known as information security breaches, they typically are incidents in which the PII for a person (or, usually, people) is released without the approval or authorization of that person. PII is defined differently in each state but typically includes:
- Names and addresses.
- Social security and drivers’ license numbers.
- Credit or debit card account numbers.
- Date of birth.
- Biometric data, such as fingerprints.
- Passwords and codes.
So, if you find that your business is the unfortunate victim of a data breach, what must you do to comply with your state’s notification laws?
In all cases, consult with your legal counsel about the breach at the same time as you consult with your IT department. And do not delay — procrastination is not your friend.
One hopes that your legal counsel has already researched and analyzed the notification responsibilities facing your business in each state in which it operates. If not, find out the following immediately:
- Notification periods — some states require it within 45 days, others even sooner.
- Method of notification — does email suffice, or must it be sent by USPS?
- Notification language — just what do you tell your customers, employees, and users?
Develop a list of contact information for every single person and entity that may be at risk.
Draft your notification letter.
While you may want to qualify the risk, simply alerting people to the possibility that their information may be, perhaps, possibly at risk — an alert, rather than a warning, so as not to scare them that hackers are indeed making use of their personal info — don’t be misguided into downplaying the incident. Your job is to inform — not assure, not commiserate, not comfort.
Stick to the facts and forget the excuses. Full disclosure of what is known at the time will serve you better than softening the potential seriousness of the incident.
Learn more about data breach notification laws and the sheer volume of data breaches: