Unfortunately, your business is never 100% protected from data breach crimes, so it’s important to be prepared to respond if you should become a victim. In the event of a data breach, businesses must comply with data breach notification laws. Although data breach notification laws vary by jurisdiction, generally businesses must notify consumers whose personal information has been compromised by a security breach.

Who is required to give notice?

The law applies to data collectors. This includes government agencies, public and private universities, privately and public held corporations, financial institutes, retail operators and any other entity that handles, collects and deals with non-public information. As a business handling Personally Identifiable Information (PII), you must give notice.

When must notice be given?

As soon as the owner or collector of the personal information discovers a security breach of their system, the notification must be made in the most expedient time possible and without unreasonable delay. This should be consistent with any measures necessary to determine the scope of the breach and to restore the reasonable integrity, security and confidentiality of the system.

What notice must be given?

The notice of the breach must include, but is not limited to:

  • The toll-free numbers and addresses for consumer reporting agencies
  • The toll-free number, address, and website address for the Federal Trade Commissions
  • A statement that the affected individual can obtain information from these sources about fraud alerts and security freezes

How must notice be delivered?

Notice of an unauthorized acquisition of personal information must be given to the affected individual by at least one of the following methods:

  • Written notice
  • Electronic notice
  • Any other reasonable notification system maintained by the data collector as part of its information security policy (as long as it is made as soon as possible)
  • If the cost of provided notice exceeds $250,000 or if the number of people needing to be notified exceeds 500,000, substitute notice may be allowed by:
    • Email notice if available
    • Conspicuous posting of the notice and disclosing entity’s web page and
    • Notification to major statewide media

Again, it is important to verify the data breach notification laws in your jurisdiction. Find more information on our blog about data breach and what business owners need to know.

Are you covered? Society’s comprehensive cyber liability insurance provides data security and privacy coverage, expert claims handling, and data breach response services. Contact your local Society agent to discuss this extra layer of protection for your business.