Getting Started
- Create a sata breach notification policy.
A data breach notification policy tells consumers how your small business will notify its customers if a data breach occurs. - Train your employees to identify breaches.
Employees need to know how to spot a potential breach and how to report this type of event. - Immediately gather the facts of a potential breach.
- Notify financial institutions.
If financial information, such as payment card numbers, was compromised, contact the bank or company that manages your payment card processing. - Seek outside counsel.
Seek attorney assistance as soon as you become aware of an incident that might constitute a data security breach. Your attorney can help you identify which laws might be involved, and whether you need to alert consumers or the government of the incident. - Notify affected customers.
Notify customers in the manner you said you would in your Data Security Policy.
Checklists
- Create and publish a data breach notification policy.
- Consider informing consumers that you will notify them through a quicker and relatively inexpensive method (e.g., email or publication) instead of a more expensive method (e.g., US mail). However, there are state-specific laws on the notification delivery method, so consult with an attorney before sending out any notices.
- Train your employees to identify breaches.
Consider the following points for your employee training:- Teach employees what constitutes a "data breach." They should be aware that this might include errors such as inadvertently sending information to the wrong person via mail or email.
- Instruct employees to report any event where personal information is accessed, acquired by, or shared with an unauthorized person to you or to a specific supervisor.
- Consider providing employees a confidential means of reporting a data breach. This can be particularly useful if your employees might be afraid that reporting a data breach might result in disciplinary action against them or one of their colleagues.
- Immediately gather the facts of a potential breach.
- Investigate the basic facts surrounding the incident.
- Keep a written chronology of what you learn, when you learned it, and from whom.
- If your business is short on internal resources, consider obtaining the assistance and guidance of a data forensic expert to assist in your investigation.
- Your investigation should try to answer the following questions:
- Was the data kept on paper or in an electronic record?
- If the data was kept electronically, was it encrypted?
- Did the data include names and/or addresses?
- Did the data include any financial account numbers or payment card numbers?
- Did the data include any birth dates?
- Did the data include any Social Security numbers?
- Did the data include any other information that could be linked to specific consumers?
- How many people's information was included?
- In what states did the affected people reside?
- In what countries did the affected people reside, and what languages do they speak?
- Who (if anyone) acquired the data?
- Did the person or entity who acquired it misuse it? Are they likely to misuse it in the future?
- If you think you need help, consult with a data forensics team to investigate and determine the full extent of the event.
- Notify financial institutions.
- Seek outside counsel.
Consider asking the following questions to the outside counsel you engage:- Which state laws apply to the incident?
- Would the incident be considered a "data security breach" under those laws?
- Am I required to notify consumers of the incident?
- Am I required to notify the government of the incident?
- If so, which state or federal government agencies must be notified?
- If not, should I voluntarily notify my local law enforcement, or the FBI?
- Am I required to notify the consumer reporting agencies (e.g., Experian, Equifax, and TransUnion)?
- Am I required to notify the payment card companies of the incident?
- If notification is required, how much time do I have to issue those notices?
- What is required if the affected individuals live abroad?
- What information is required in the notification letter?
- How and in what format should the notification letter be sent?
- Notify affected customers.
Advise them of:- What occurred
- When it occurred
- The specific steps you are taking to address the event
U.S. Legal Requirements
Federal Laws
The Gramm-Leach-Bliley Act ("GLBA") and the American Recovery and Reinvestment Act require that certain financial institutions as well as health care providers, or businesses that provide services to health care providers, notify patients and the government if the security of the personal information that they maintain is breached.You should consult an attorney to determine if you are covered by one of these statutes.
State Laws
Almost every state and territory, including the District of Columbia, Puerto Rico, and the U.S. Virgin Islands, has enacted a "data breach notification" statute. Although statutes vary between states, data breach notification statutes generally require businesses that have personal information about residents within a state to notify those residents if someone who is not authorized acquires that information.You should consult an attorney to determine which state data breach notification statutes apply to your business, and what the specific requirements of those statutes might be.
- GLBA Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice.
http://www.occ.gov/news-issuances/federal-register/70fr15736.pdf - Links to state data breach notification statutes
www.ncsl.org/Default.aspx?TabId=13489
