Data Breach Notification Laws: How to Manufacture a Confident Response
With the number of reported data breaches steadily increasing every year, they are in the news so frequently that it’s hard to keep them all straight. In 2017, Equifax suffered a massive breach, and almost 150 million customer records (representing nearly half the U.S. population) were stolen. In 2018, Marriott International experienced a breach where hundreds of millions of customer records – including personal information, credit card numbers and even passport numbers – were compromised.
Data breaches affect all types of organizations – large and small, popular and little known. While the big company breaches make the news, you rarely hear about smaller companies that are often vulnerable and can find themselves in the crosshairs of cybercriminals. Most involve some type of hacking, such as a phishing attacks or malware, where an attacker successfully gains access to protected or private information.
Data Breach Notification Laws – It’s Complicated
If your manufacturing company experiences a breach, what will you do? Should you notify law enforcement right away? Notify customers? Is there anyone else to inform? How long do you have?
The answers are complicated. While no comprehensive federal laws exist, each state and territory has its own data breach notification law. These laws require anyone that suffers, or even suspects, a breach to notify customers of anything involving personally identifiable information. The laws also require notifying law enforcement and taking specific steps to remedy the situation. But state laws vary considerably when it comes to the types of information covered, timing of notifications and reporting standards. Who must comply and what even constitutes personal data varies state to state. Adding to the complexity, requirements are also changing, with some states recently updating their laws.
How Much Time Do I Have to Report a Data Breach?
Most data notification laws require that businesses notify customers without unreasonable delay. The length of time varies by state and industry sector. When dealing with a data breach, manufacturers have competing responsibilities – to their company, to others in the industry, to customers and to law enforcement. There are even circumstances where law enforcement is investigating a breach and it must be temporarily concealed.
Prepare for Data Breaches Before They Happen
Treat data breach notification plans as you would any other disaster plan – don’t wait! Since there is no single, standard response to a data breach, U.S. manufacturers must understand the specific state and federal laws that apply to them. Manufacturers must consider the laws in all states where they conduct business.
Luckily, there are several excellent resources manufacturers can turn to for some clarity. Several organizations summarize state data breach laws, including National Conference of State Legislatures, IT Governance and Perkins Coie.
To ensure that your manufacturing company complies with data protection laws, you should stay aware of current regulations for your state and industry. A data breach will always be a stressful event. Awareness of your obligations and a plan in place can ease some of the stress – and help you avoid heavy fines. Here are some tips:
- Identify the state and industry laws that cover your company
- Document the data breach notification requirements that affect your company, along with the process(es) to meet those requirements in a worst-case scenario
- Create a policy around the breach notification requirements that affect your company
- If there are overlapping regulations, use the most stringent one for your company’s policy
- Create draft notification letters and emails ahead of time
- Create a clear communication strategy for data breaches and get it through your company’s legal and public relations departments ahead of time, if necessary
The MEP National Network is Ready to Help You
(Contact CONNSTEP) for help understanding your state’s data breach notification laws and other cybersecurity questions.