Jeff Neuburger

We got hacked! What do we do next?

It seems that every week, another government or company laptop containing important information is lost, or another business finds that hackers have accessed its computer network, putting valuable company information, including customer and employee personal information, at risk.

But what happens when the “company” that is a victim of data theft is you?

If your laptop loss or hacking incident involves the compromise of personal identifying information (“PII”), such as customer or employee names, e-mail addresses, credit card or drivers’ license numbers or similar identifiers, what you might have to do next is notify those individuals whose PII may have been accessed, as well as consumer protection and law enforcement officials, that a data security breach has taken place.

Computer data security breach notification laws

A few years ago, a number of highly publicized incidents involving unauthorized access to PII brought widespread attention to the issue of identity theft. The California Legislature responded with the enactment of the California data security breach notification law.

In broad outline, the California law requires individuals and companies doing business in California to notify California residents whose data may have been accessed in a data security breach incident. The California law also provides that certain state officials that must be notified, and specifies when, how, and under what circumstances notification must be given. (The California Office of Privacy Protection makes available a Recommended Practices document on the California law.)

The California law was quickly copied, and now at least 35 states have similar laws. (A list of state data security breach laws is maintained by the National Conference of State Legislatures.)

How do I know if I have to give notice of a data security breach?

This is a complicated question, made more difficult by the fact that the state data security breach laws are not uniform. While they generally follow the model of the California law, they vary on significant issues:

• The standard for determining when notice must be given;
• The definition of “personal identifying information”;
• The timetable for giving notice;
• The state officials who must also receive notice;
• The manner in which notice can be given;
• Applicability to all forms of data, not just computerized data.

What law applies to my company?

The California law is limited to individuals and companies doing business in California, and to the PII of California residents. Other state laws are not so limited. For example, the North Carolina law appears to apply to any business that owns or licenses personal information on residents of North Carolina, regardless of whether the company does business in North Carolina. Thus, a company that does business with customers throughout the country may be faced with complying with numerous, and different, state laws as a result of a single data security breach.

The U.S. Congress is currently considering legislation that would enact a national data security breach notification requirement, and would give a uniform answer to these questions.

What do I do in the meantime?

First and foremost, robust data security procedures are the first line of defense against a data security breach incident. In a subsequent post, we will discuss that topic in detail. But here’s one important tip: many data security breach laws apply a different standard if the compromised data is encrypted; in some cases, encryption of data may save a company from having to give notice at all. So talking with your IT professionals about encryption of important business data is a conversation that is definitely worth having.

Second, should a data breach occur, in the present climate of multiple, overlapping state laws, a competent attorney with experience handling data security breach matters and complying with notification requirements should be consulted immediately.

Third, in anticipation of a possible data security breach, companies that maintain significant amounts of customer and employee data should consider adopting in advance a comprehensive response plan outlining compliance procedures in detail.

Posted by Jeff Neuburger on May 14, 2007 | Comments (7)