Hacked? Make Sure to Notify Your Customers!
Your company will be hacked. It's as certain as death and taxes. In light of this, what the diligent in-house attorney can do is make sure all of the company's affairs and records are in order. If a government investigation takes place, you should be ready.
Below we cover data breach notification requirements along with some of the more important considerations that general counsel must be familiar with in the event of the inevitable data breach.
Containment, Tracking, Analysis, Compliance
Your company should already have in place a basic data breach response team on hand or have a running relationship with a data breach team of experts. Containment is absolutely expected of the company and failure to properly respond is grounds for increased penalties. Ensure that the teams collects and tracks all the data that has been compromised and ask for an electronic record of this.
At the same time, the team will analyze what particular weaknesses led to the breach. Increasingly, breaches have taken place because of employee neglect, non-use of VPNs, and non-use of multifactor authentication.
However, many companies falter with regards to compliance with local rules on breaches and compromises of personally identifiable information -- passwords, addresses, demographics, contact information, and the like.
Data Breach Notification
California has the distinction of being the first state to enact a data breach notification law in 2002. This law generally requires a business or governmental entity to notify customers when their sensitive information has been compromised by a hack. If your company's data is breached, it is up to you to notify your customers of the event pursuant to applicable local law.
Questions arise as to the proper timing of notification, but the general rule of thumb is "without undue delay." This is not universal, but notification must be swift and any delay must be justified before a government investigator. Keep in mind that some states mandate a bright-line deadline. In Florida, affected persons must be notified within 30 days of breach. Ohio and Wisconsin give the entity 45 days.
Be diligent and maintain records of all notifications. Again, check your local laws.
Manner of Notification
As with service, written physical notification is pretty much universally acceptable, but many companies would prefer the cheap and massive option of email. The bad news is that this is not universally accepted by statute. Phone calls are generally accepted, but these have the disadvantage of being plagued by bad records and that is the very last thing in-house counsel needs.
Check Your Jurisdiction's Laws
As you are now well aware, each state has its own data breach notification law. Most of them are modeled after the California statute. Refer to this list from the National Conference of State Legislatures to give you a head start in finding your jurisdiction's applicable laws. It's been updated for 2016 so it should be up to date. But as always, use due diligence.
- Does a Lawyer Have a Duty to Replace Hacked Funds? (FindLaw's Technologist)
- Cybersecurity Law Firms: You're Just Using Me for my Privilege (FindLaw's Technologist)
- In-House Counsel: Review Your Company's Security Check Process (FindLaw's Technologist)