So, Your Business Has Suffered A Data Breach. Now What?
Co-Authored By: Stacey Shadden and Micah Carlson (Graduate Clerk)
If you feel like you can hardly go a week without hearing about a major consumer data breach in the news, it is not just you. After a record-setting year for data breaches in 2021, early signs indicate that 2022 is on track to be the worst year on record. According to the Identity Theft Resource Center, publicly reported data breaches in Q1 2022 were up 14% over Q1 2021, with 404 breaches reported between January and March of this year.
Note that these figures count only publicly reported breaches; incidents the affected business never disclosed are not included, so the true number of breaches so far in 2022 is almost certainly higher. If your business is the victim of a data breach, there are several steps you should take to preserve customer confidence and limit legal liability as far as possible. One of the most consequential decisions you will make in the wake of a breach is how, when and to whom you disclose its occurrence and the surrounding facts.
State Law Requirements
If your business suffers a data breach, it is almost certainly subject to several distinct legal obligations. First, applicable state law will likely require you to notify affected individuals. All 50 states have enacted data breach notification laws, and although they differ in their details, they generally follow the same basic structure. Most require notification to affected individuals when there has been “unauthorized” access to “personal information”. Personal information is typically defined by an enumerated list of data categories; most states treat an individual’s first name or first initial and last name, in combination with another identifier (e.g., Social Security number, driver’s license number, financial account number, or credit card information), as “personal information”.
However, not every unauthorized access of personal information triggers consumer notification. Most state laws do not require notice if the breach is not reasonably likely to cause substantial harm to the affected individuals, and most also exclude personal information that was encrypted, provided the encryption key was not compromised as well. Whether either exception applies requires a careful, fact-specific review of each incident, so the engineers who scope the breach should be prepared to document exactly what was accessed, in what form, and whether the data and any keys protecting it were exposed. Note also that many states have been actively amending or replacing their breach notification statutes, so businesses should monitor developments in every state whose law applies to them.
Even where state law does not require disclosure, businesses may be subject to other legal requirements. Most notably, the Federal Trade Commission (FTC) imposes obligations on most businesses operating within the United States (certain entities, such as banks and common carriers, fall under other regulators). Section 5(a) of the FTC Act prohibits “unfair or deceptive acts or practices in or affecting commerce.” A practice is generally considered unfair where it causes or is likely to cause substantial injury to consumers, the injury cannot reasonably be avoided by consumers, and it is not outweighed by countervailing benefits to consumers or to competition. A practice is considered deceptive where a representation, omission, or practice misleads or is likely to mislead the consumer; the consumer’s interpretation of it is reasonable under the circumstances; and the misleading representation, omission, or practice is material. The FTC has also interpreted Section 5 to require businesses to implement “reasonable” security measures to protect consumers’ personal information. The FTC’s guidance on what counts as reasonable includes limiting access to data on a need-to-know basis, giving each employee a separate user account on the internal business network, and applying physical protections such as keeping sensitive paper files in a locked cabinet.
Liability under the FTC Act is not merely theoretical. Uber, for example, suffered a data breach in 2016 but did not inform affected users until more than a year later. During that period Uber continued to assure customers that their data was “kept secure and encrypted to the highest security standards available.” The FTC brought an action against Uber, asserting that these assurances were misleading.
So, what does this mean for your business?
If data your business holds is compromised, there are several steps you can take to protect the business and tackle the problem head-on:
- Implement a breach detection framework
  - Software and hardware controls can detect indicators of compromise such as anomalous user behavior, exploitable vulnerabilities on the internal network, and malicious downloads. Detection is only useful if someone is reviewing the alerts and the underlying logs are retained long enough to reconstruct what happened.
- Mitigate and remediate the breach
  - Have a plan for the immediate aftermath of a breach. This may include isolating affected systems, revoking compromised credentials, closing backdoors, and patching the exploited vulnerability. Preserve relevant logs and system images before rebuilding, since law enforcement, regulators and your own notification analysis will depend on them.
- Cooperate with law enforcement
  - Depending on the size of the breach and the origin of the attack, law enforcement agencies may want to conduct their own investigation.
- Understand your obligations under state law
  - Although most state data breach laws share common themes, familiarize yourself with the specific obligations of each state whose residents’ data you hold and take steps to comply.
  - Be aware that many states are looking to update their data breach notification laws, and your obligations may change as a result.
- Comply with FTC obligations
  - The acts and communications you undertake in the wake of a breach may be scrutinized as potentially misleading or deceptive. Communication is important, but ensure every communication is accurate, truthful and factual.
  - The FTC requires businesses to take reasonable steps to protect consumer data. Implement reasonable security measures and document them.
- Take proactive steps
  - Preventing a data breach is easier, more efficient and less stressful than addressing one after the fact.
To learn more about new and emerging legal requirements regarding the disclosure of data breaches, contact a member of McGrath North’s Privacy and Cybersecurity Team today. We will work with you to develop a comprehensive plan to properly address any data incidents that your business may face.