In 2011, we saw some of the most significant data breaches in U.S. history. There is a plethora of causes—ranging from hackers to employee error to criminals using sophisticated malware. Notification letters are being sent so frequently that consumers are almost becoming immune to the daily announcements that personal information has been breached. Still, corporations facing data breaches need to navigate a maze of state laws that have varying requirements governing timeliness of notification, contents of notification, and what constitutes a data breach. The time and expense involved in responding to a data breach is significant, but the risks to a company’s reputation are far greater if the breach is not handled appropriately.
We learned several breach response lessons this year—some may not seem so new:
- Transparency is key to maintaining relationships with customers and regulators, but be certain you understand the scope of the breach before making an announcement;
- An IT policy should be implemented to ensure that patches and updates are implemented in a timely fashion;
- Ensure that firewalls have been installed and configured, and that they are tested on a regular basis;
- A breach of a large email database may trigger notification;
- Education of employees is critical to the success of any data breach prevention plan;
- Old data is dangerous data—make sure you need to keep it;
- Do not collect more data than you need to—e.g., do you really need to request a social security number on the initial submission by an applicant for employment?
- Social engineering tools are being used creatively to gain access to personal information;
- Social media policies need to be monitored, enforced, and updated regularly without encroaching on employee rights;
- It isn’t just personal information we are concerned about—disclosure of trade secrets and other confidential information puts organizations at risk;
- Encryption is not only a safe harbor, it is expected by customers and regulators.
In 2012, we will be seeing amendments to current laws that will expand an organization’s obligations when responding to a data breach. Remember, it is not the state in which the organization is located that dictates which laws need to be followed; rather, it is the state of residence of the individual whose information has been breached.
Effective January 1, 2012, California will require more information to be contained in breach notification letters following a breach of personal information, including what happened, how it may affect the recipient of the letter, and how the recipient can protect themselves. The letters must be written in plain language, and there is a requirement to notify the Attorney General when the breach affects over 500 people.
A new Texas law that becomes effective on September 1, 2012 will: (1) increase the scope of training required by covered entities for employees who handle protected health information; (2) increase penalties for disclosure of protected health information; and (3) require entities doing business in Texas to notify affected individuals in any state in the case of a breach.
Compliance with laws is not the only reason that breach response preparation and strategy are critical. An organization’s goodwill is at risk. The number 1 New Year’s Resolution still needs to be—encrypt your electronic devices.