It can be as simple as a misplaced mobile phone, a USB drive that falls out of a pocket, a stolen laptop, or a system breach caused by a criminal. The common factor is data that is no longer in your firm’s control. You can have all the “best practices” in place to avert a cyber crime only to have it happen anyway.
Who ya gonna call: Ghostbusters?
New laws answer that question. State, federal and international laws govern your actions when your company faces a data breach. With the passage of California Assembly Bill 1710 on Sept. 30, the list of “Who ya gonna call” includes a fraud alert service. The legislation requires that, under certain circumstances, an organization or person who experiences a data breach provide identity theft protection services to individuals whose personal information has been compromised. The statute requires a company that loses information to “offer affected individuals identity theft prevention and mitigation services … at no cost to the affected person for at least one year.” This requirement triggers ONLY when an individual’s name is tied to a Social Security number, a driver’s license number or a California ID number that has not been encrypted and has been acquired by an unauthorized person as the result of a data breach.
The new legislation also expanded the classification of California companies that fall under the statute: those who “maintain” personal information are legally required to implement reasonable security practices “appropriate to the nature of the information to protect data from unauthorized access, distribution, use, modification or disclosure.”
“Maintain” is defined as retention of personal information as part of the business’ “internal client or customer account for the purpose of using that information in business transactions to whom the information relates.”
While California residents need to be notified of a breach that compromises their financial account numbers, security codes, medical or health insurance information, the business that lost the data would not be required to provide identity theft services unless individual names are also associated with the data as part of the loss.
INCIDENT RESPONSE ACTIONS
One of the first steps that must be taken after a data breach is for a designated person to call the police, the FBI, or the Department of Homeland Security, depending on the nature of the information breached. You must do your homework to determine what your notice requirements are: other state, federal and even international statutes and regulations may affect your firm, depending on where your client lives or works and on the type of information that is compromised. For example, if more than 500 client/customer names have been involved in a data breach, YOU MUST file a notification form with the California Office of the Attorney General. For other states’ notification laws, one of the best sources of information is the Intersections consumer notification guide (May 2014). Make sure you have the most up-to-date edition, and verify that the data is the most current available.
At the national level, the Federal Trade Commission has also increased its muscle regarding data protection and security. In recent years, the FTC has been using Section 5 of the FTC Act, 15 USC Sec. 45(a), to go after companies that have inadequate privacy and security protection. The agency claims that failure to have “reasonable” data security constitutes an unfair or deceptive practice.
If you have international clients/customers whose information is involved in your security breach, you will have to comply with the European Data Protection Regulation Proposal that will take effect in 2015.
Any questions concerning notification issues should of course be discussed with legal counsel that specializes in privacy law, as the laws and regulations regularly change.
If you experience a breach, there are other professionals who can help you mitigate the damages. The California Office of the Attorney General started an eCrime unit in 2011. The unit investigates and prosecutes large-scale identity theft and technology crimes with actual losses in excess of $50,000. Service professionals to notify would include a computer forensics team to fix whatever breach occurred and to aid in the investigative report, a public relations firm if needed, and lastly your insurance broker. Contact us at Narver so we can help determine what type of coverage you may have to help mitigate your business interruption and monetary damages.
So who ya gonna call?
Tags: Best Practices, Cyber Crime, Data Breach, Data Security, Privacy