Dealing With Data Breaches
The information on this page should not be construed as legal advice.

Data breaches are a risk to any business collecting customer data. In the past decade, data breaches in the U.S. have compromised at least 900 million people’s records (this constitutes the reported/tracked numbers according to the records kept by the Privacy Rights Clearinghouse, so actual numbers are presumably much higher).
Data breaches commonly arise out of
(a) human error, like coding errors, losing a device or laptop, or a misdirected email, and
(b) illegal or malicious activity, like theft of records from insiders or third parties, physical theft, hacking and cyber attacks.
The costs of data breaches can be significant and include reputational harm as well as monetary expenses from responding to the breach, lost business revenue, exposure to regulatory penalties, and private lawsuits.
There is no overarching federal law that specifically applies to data breaches involving personally identifiable information, although there are federal laws that apply to certain sectors, such as HIPAA, which covers health-related information.
Most states have laws requiring notification of affected individuals who reside in the state, and in some cases states also require providing notice to regulators or state authorities. The exact requirements vary from state to state. For example, some states specify the timing and form of the notice, and some only require notice if the breach affects more than a certain number of individuals from that state. Ideally, a company with affected customers across multiple states will formulate a response and notify all customers in a way that treats customers equally.
Where notice is required, it must be in writing, with certain states allowing notice by email. California’s statute includes a specific provision allowing email notice when the breach only involves a user name or email address together with a password or security question and answer that would permit access to an online account.
In general, notice typically must include at least some of the following pieces of information:
- Date of notice and date of breach
- Description of incident*
- Explanation of what the company is doing to address/remedy the breach
- Contact information for the company and/or state agencies
- Advice to the individual about how to protect themselves from fraud
*Note that Massachusetts actually specifies that the notice must not include the nature of the breach, and has some other particular requirements.
In addition to state and federal statutory requirements, companies may also have contracts or policies in place that contain requirements for notification or other obligations (such as indemnification obligations) in the case of a data breach.
Other legal issues that can arise include law enforcement investigations, litigation risks, and potential employee liability or employment-related actions the company may take following the breach.
PR and communications around a data breach are often of utmost importance, particularly for mitigating reputational harm. Following a breach, the company’s communications both internally and externally should be strategic, consistent, transparent, timely, and of course should account for the different legal considerations and notice requirements discussed above.