My company suffered a data breach. What does my state require?
Cybercrime is one of the biggest threats to modern businesses. Financial/banking, retail, hospitality, eCommerce, and healthcare may have greater risk, but every industry is vulnerable. The threat is not limited to large companies, either, as small and medium-sized businesses are frequent targets, and may not have the resources to cope with a breach.
What happens if your business suffers a data breach? How long do you have to notify victims and how should you contact them? The laws can be different in individual states—and what happens if you have offices in more than one state?
Let’s take a look at the risks and state-specific security breach notification requirements:
Cybercrime by the numbers
Why is cybercrime such a big issue? The financial impact, for one thing. Cyber Defense Magazine reports that the “global cost of online crime is expected to reach $6 trillion by 2021.”
There were 8,854 recorded data breaches between January 1, 2005 and April 18, 2018. Each breach affected hundreds, thousands, or even millions of people and exponentially more pieces of information. It is also noteworthy that 61% of breaches affected companies with fewer than 1,000 employees.
Then there are the victims who had their personal and financial information stolen, which was often used in ways that damaged their credit, finances, or privacy. Cybercrime is a serious issue that is only growing in scope—which is why various states have enacted laws that require notification of a breach.
State laws regarding data breach notification
Governments from the national level to local municipalities all recognize the serious consequences of cybercrime, and state legislators have put notification laws in place that businesses must follow. In 2018, the National Conference of State Legislatures (NCSL) enacted new laws that affect all 50 states, the District of Columbia, Puerto Rico, and the Virgin Islands.
The Security Breach Notification Laws require “private or governmental entities to notify individuals of security breaches of information involving personally identifying information.”
Personally identifying information includes first and last name or first initial and last name, plus one of the following:
- Social Security number, tax ID number, or other unique ID number
- Username or email address combined with a password or security question
- Driver’s license or state ID card/number
- Credit/debit card numbers (along with required security access codes)
- Passwords, PINs, or other financial account access numbers
- Medical information
- Unique biometric data used to authenticate someone, such as fingerprints, retina/iris images, or other unique digital or physical representation
The point of the legislation is to create a standard protocol regarding who should be notified about a data breach, when they should be notified, and how they should be notified. All companies that become victims of a data breach must notify the individuals who have been affected.
The problem lies in the fact that there is still no “one-size-fits-all” response. Every state has its own laws and procedures.
Even with the new notification law, there is still no uniform standard across the country. Thus, you must be familiar with both federal regulations and individual state laws wherever you store, process, and collect data. If you do business in more than one state, you have to comply with the notification laws in all of those states.
Still, some states are stricter than others. For example, stricter standards in terms of timing and the extent of notification exist in…
- New York
- South Carolina
- South Dakota
Other states are much less strict, including:
Examples of differences between states
Here are some examples of how the laws are applied across the United States. Most states require “immediate notification without unreasonable delay,” but what exactly that means can vary. For example:
States that require notification within 45 days:
- New Mexico
- Rhode Island
Notification within 60 days:
- South Dakota
Notification up to 90 days (as needed by law enforcement):
There are also different standards when it comes to how you should notify victims of a data breach. In most states, written notice is required. In some cases, states will allow you to call or send electronic notices.
If you would like a summary of the basic individual state notification requirements, you can download this State Data Breach Notification Laws Chart from Foley and Lardner, LLP. Of course, this “should be used for informational purposes only because the recommended actions an entity should take if it experiences a security event, incident, or breach vary depending on the specific facts and circumstances.”
It’s a good idea to consult with your company attorney, compliance officer, and IT or cyber security expert to ensure that you understand how the law applies to you—and comply with it fully.
It’s important that you are aware of state laws regarding notification in the event of a data breach. It’s also vital that you take steps to guard against data breaches in the first place. CyberGuard360 can help. We offer state-of-the-art security systems to help monitor and protect against cyber attacks. We also provide a wide array of other services, including risk assessment, education, training, and disaster recovery. Call us at 844-315-9882 or reach us via our online contact form.