Any business that assumes its data security is beyond question only has to read the news to dispel that notion. First Target had its mammoth breach during holiday shopping. Then Neiman Marcus had a breach last year that ran from July to December.
A complete PR debacle, of course. And people in the industry are wondering how to prevent or at least mitigate a similar problem, maybe by using smartcards to make credit card cloning tough. But entrepreneurs that store customer personal information need to consider something else: if it happened to you, how would you handle notifying customers?
Here's where it gets thorny...
Because data security and privacy laws are enacted by state, there is no one single standard of when a company has to notify customers about data loss. Instead, you come under the laws of each and every state in which people have done business with you.
Breach notifications are the rule rather than the exception, as two attorneys from law firm Jenner & Block write on Bloomberg Law:
Currently, 46 states, the District of Columbia, Guam, Puerto Rico, and the Virgin Islands have notification requirements for breaches of "personal information." The only four states without a data breach notification law are Alabama, Kentucky, New Mexico, and South Dakota.
These state notification laws cover not only the companies that own or license a consumer's personal information, but also companies that maintain or control personal information they do not own, such as a vendor that manages a database of subscription information for a magazine. In the event that a company that maintains, but does not own, personal information suffers a breach, the company that actually owns or licenses the information is still responsible for proper notification to consumers.
And the rules can vary wildly by jurisdiction. Another law firm, BakerHostetler, put together a compendium of laws, with sections on which states had broader definitions of personal information, which states require notification triggered by information access, which set an electronic and/or security breach alone as the trigger, the states that insist on a harm analysis, the ones that mandate customer notification within a given period of time, and the governments that require notification of the attorney general. Whew.
For example, the general definition of "personal information" would include an account number along with a security or access code needed to access the account. In Massachusetts, financial account information without the password or security code is considered personal. Other areas have different definitions. North Carolina includes fingerprints or biometric data.
Such states as Alaska, Connecticut, Idaho, and Missouri only require notification if there is a sufficient degree of material harm or risk that could happen to consumers. Seven areas impose specific time frames for notification, although they can depend on law enforcement agreeing that disclosure would not compromise an investigation.
If you're a smaller company, trying to follow the array of requirements will be tough. Maybe the only sane approach will be to find the most stringent rules and, as much as possible, apply them to all states.
But now is the time to do it, especially as 17 areas in total allow injured consumers to sue the company.