Act Promptly to Respond to a Data Breach

If you own or operate a business or non-profit organization, then it is likely not a matter of if, but when, you will experience a data breach.  News stories proliferate of high-profile data breaches involving sensitive data of millions of people.  A recent data breach of a major online fundraising platform has had far-ranging implications, affecting countless individuals, businesses, and organizations throughout the world.  The costs to investigate the breach, notify all affected parties, and work with those parties to address the breach must have been staggering.  The same data breach laws that apply to large, multi-national IT providers also apply to small businesses and non-profit organizations.  If you experience a data breach, it is imperative that you act quickly to address the breach and comply with any applicable data breach notification laws.        

Of course, you are responsible for data stored on your own server and any unauthorized access to your data may give rise to data breach notification requirements.  However, you may not realize that you are ultimately responsible for any data you own, regardless of where it is stored and which third parties you hire to store or maintain it.  For example, in addition to storing data on your server, you may be using third parties to back up your data in other areas of the country or world.  The type of data you have and the use you make of that data may result in sharing the data with other third parties.  For instance, you may need to transmit your data to a payment processing service or an order fulfillment company.  In the nonprofit sector, donor information is often stored with online fundraising and donor communication platforms.  If those services are hacked and your data are accessed or stolen, you may be liable for complying with data breach notification laws. 

When a data breach occurs, whether on your own system or those of third-party providers, you need to take prompt action to determine if you are required to comply with data breach notification laws.  When you first become aware of the data breach your IT professionals should immediately secure your systems.  After your systems are secure, you should engage in a detailed analysis to determine which data were accessed, stolen, or exposed during the breach.  Did the hacker only access names and addresses? Were Social Security numbers stolen?  Did the hacker have access to account authentication information?  These are examples of some of the questions (and many others) that may need to be answered.  If the breach occurred on the systems of third-party providers, you will need to work closely with those providers to determine which data were compromised.  Once you know that information, you will be in a position to determine if the breach gives rise to data breach notification requirements. 

We recommend retaining legal counsel early in the data breach analysis because if data breach notification laws apply, time is of the essence in making any required notifications.  If the breach involves victims living in other states, the laws of multiple states may need to be evaluated to determine if notification is required and what the notification must contain.  Each of the 50 states has its own data breach notification law, which are not always consistent from state to state.  Some states require notifications to be made within a specific period of time, whereas others require more general deadlines.  Under certain circumstances, the breach may require notifying the Attorney General or other state agency.  All of these notifications must be carefully drafted to comply with applicable requirements, while also meeting any deadlines.

We have experience working with clients to comply with data breach notification requirements.  If you would like our assistance responding to a data breach please contact our office.

This article is provided for general information and should not be relied upon as legal advice for a specific situation. If you are in need of specific advice or legal representation, please do not hesitate to contact us.

©2020 Bea & VandenBerk