Data breaches involving businesses are happening all the time. The best way for a company to deal with a hack is to prepare for data breaches before it happens. It does not matter what size your business is, if hackers can easily access personal information stored in your company’s system, they will find a way. Businesses are indiscriminately being targeted and victimized by cyber thieves, and any business could be next. Preparation is key if you want your business to be able to recover quickly after a data security breach.

Here are some interesting hacking statistics from Nationwide Mutual Insurance Company that are relevant to today’s small and mid-sized businesses:

• 79% of businesses have no idea how they would handle a data breach if it happened to them. They have no plan for how to deal with the breach situation.
• Of those, 40% believe that their business could not or would not be targeted or affected by cyber attack.
• And yet 73% of businesses are concerned about a data breach affecting their business.
• 63% of businesses have been victimized by some form of cyber breach. This includes computer viruses, phishing scams, Trojan horse virus, hacking, data breach, exploited vulnerabilities in unpatched security software, and unauthorized access to customer and company information.

What are Some Ways That Companies Can Prepare for Data Breaches?

When it comes to cyber security, every business needs a plan in case something goes wrong. There are several ways that companies can prepare for data breaches:

• Develop a company policy and response plan for in the event that there is a data security breach at your company.
• Create a breach response team within your company.
• Consider purchasing cyber security insurance protection.
• Identify a security firm that can investigate any breaches that might occur at your business.
• Understand your obligations and rights concerning any contracts you hold with vendors, suppliers and other parties.

The Legal Obligations Businesses Face After a Data Breach

Preparation is not just a security best practice — it is a legal necessity. Businesses that fail to prepare for data breaches often discover, too late, that the law imposes strict obligations that begin within hours of a breach being discovered. The businesses that struggle most in the aftermath of a breach are those that have never mapped their legal obligations and have no infrastructure in place to meet them under pressure.

State Notification Laws Apply Immediately

Every U.S. state has enacted a data breach notification statute. These laws vary significantly in their definitions, timelines, and requirements, but they share one common feature: they begin running from the moment the business discovers the breach, not from the moment it finishes investigating it. A business that discovers an intrusion and then spends weeks completing a forensic investigation before notifying affected individuals may be in violation of multiple state statutes before the first notification letter is sent.

Colorado requires notification within 30 days of determining that a breach has occurred. Florida requires notification within 30 days of determining that a breach of security has or is reasonably believed to have occurred. New York’s SHIELD Act requires notification in the “most expedient time possible and without unreasonable delay,” and requires concurrent notification to the New York Attorney General, the Department of State, and the Division of State Police when more than 500 New York residents are affected. California’s data breach statute, Cal. Civ. Code § 1798.82, imposes similar requirements and allows consumers to bring private suits when their data is exposed through inadequate security under the California Consumer Privacy Rights Act.

Federal Sector-Specific Requirements

Beyond state notification laws, many businesses face additional federal obligations depending on the nature of the data they handle. Healthcare providers and their business associates must comply with the HIPAA Breach Notification Rule, 45 C.F.R. §§ 164.400–414, which requires notification of affected individuals within 60 days of discovering a breach of protected health information. Breaches affecting 500 or more individuals must also be reported to the Department of Health and Human Services and, in some cases, to the media in the affected geographic area.

Financial institutions subject to the Gramm-Leach-Bliley Act (GLBA), 15 U.S.C. §§ 6801–6809, must notify customers when non-public personal financial information is exposed. The FTC’s updated Safeguards Rule, 16 C.F.R. Part 314, now requires non-bank financial institutions to report breaches involving 500 or more customers to the FTC within 30 days of discovery. FTC enforcement actions for GLBA Safeguards Rule violations have resulted in multi-million dollar civil penalties.

Contractual Obligations: PCI-DSS and Vendor Agreements

Many businesses face breach notification obligations that arise not from statute but from contract. Any business that accepts credit or debit card payments is bound by contractual Payment Card Industry Data Security Standard (PCI-DSS) requirements through its agreement with its payment card processor. PCI-DSS contractual requirements typically mandate notification to the card brands within 24 hours of discovering a payment card breach — a timeline far shorter than most statutory requirements. Non-compliance with PCI-DSS notification requirements can result in card brand fines passed down through the acquiring bank, as well as the costs of a mandatory forensic investigation.

Vendor contracts, service agreements, and data processing agreements often contain breach notification clauses as well. A business that fails to notify a vendor or business partner as required by contract may face breach of contract claims independent of any statutory obligations.

Civil Litigation Exposure

Affected customers who suffer financial harm following a data breach can sue the breached business under multiple legal theories: negligence, breach of implied contract, unjust enrichment, and state consumer protection statutes. The negligence theory asks whether the business took reasonable steps to protect customer data given the known risks — and whether its failure to do so was the cause of the harm. Courts have generally allowed data breach class actions to proceed past the pleading stage when plaintiffs can allege that a business failed to implement basic, well-established security measures while continuing to collect and retain sensitive customer data.

A business that has never conducted a security risk assessment, never trained employees on phishing awareness, and never updated its security software cannot credibly claim it exercised reasonable care when its systems are breached. Preparation is, in this sense, both a risk reduction strategy and a litigation defense.

Building a Legally Defensible Breach Response Plan

A legally defensible breach response plan has specific components that go beyond generic IT security advice. The plan should include:

• Designated legal counsel. Identify outside legal counsel experienced in data breach response before a breach occurs. Engaging counsel immediately after discovery of a breach allows the forensic investigation to be conducted under attorney-client privilege, which can shield sensitive findings from discovery in subsequent litigation.
• A notification compliance matrix. Map every state data breach notification law and federal regulation that could apply based on the categories of data your business holds and the states where your customers reside. Know the applicable timelines and notification content requirements before a breach happens.
• A forensic vendor on retainer. Identify and pre-engage a qualified digital forensics firm. Breach investigation quality and speed are significantly better when the forensic vendor is already familiar with the business’s systems and has existing access credentials and agreements in place.
• A communications protocol. Define who within the organization is authorized to communicate about the breach — internally and externally. Unauthorized employee communications during a breach incident frequently create additional legal exposure.
• Tabletop exercises. Conduct simulated breach response exercises with the response team at least annually. The businesses that respond most effectively to actual breaches are those that have rehearsed the process repeatedly in a low-stakes environment.

Contact a Data Breach Attorney

Revision Legal works with businesses to build legally defensible data breach response plans and to navigate breach response when an incident occurs. If your business needs to assess its breach preparedness or has experienced a security incident, contact the data breach attorneys at Revision Legal today.