When your business experiences a data breach, your first instinct is usually to stop the damage: secure your systems and figure out what went wrong. From a legal standpoint, however, there is another urgent question you cannot afford to ignore: whom do you need to notify, and how quickly? Data breach laws are complex because they differ from one state to another and, in some cases, from one country to another. So, if you serve customers across multiple jurisdictions and have been hit by a data breach, knowing whom to notify and when is critical.
What is a Data Breach?
A data breach occurs when someone gains unauthorized access to, or discloses, personally identifiable information (PII). This can happen through hacking, phishing emails, stolen devices, poorly configured software, or even human error. Any business that stores customer data, especially payment or identity information, is at risk of experiencing a data breach. Even if you run a small business, you are not immune to these risks.
When it comes to breach notification laws, they all hinge upon one thing: personal information. Personal information means a person’s first and last name combined with sensitive data about them. This may include a Social Security number, driver’s license, state ID number, financial account details, credit or debit card numbers, and even their health information. If this kind of information is exposed, as a business, you are legally obligated to notify the appropriate parties.
So, When is Notification Required?
Generally, businesses must notify affected individuals without unreasonable delay if the data breach is likely to result in identity theft, fraud, or other harm. The only exception is when law enforcement requests a delay because notification could interfere with an ongoing investigation.
As mentioned earlier, breach notification laws vary by state and even by country. For example, California requires businesses to notify affected individuals within 30 days of discovering a breach. And if more than 500 California residents are affected, the business must submit a sample notification to the California Attorney General shortly after notifying consumers. In other states, like Michigan, the law allows businesses to forgo notification if they determine the breach is unlikely to cause significant harm. Given this disparity, it is advisable to consult a consumer data privacy and compliance attorney, who can advise you on the best course of action for your situation.
What About International Rules Like GDPR?
If your business handles data belonging to individuals in the European Union, the General Data Protection Regulation (GDPR) may apply. Under GDPR, a business must notify the appropriate supervisory authority within 72 hours of becoming aware of a breach if it presents a risk to people’s rights and freedoms. If that risk is high, you must also notify the affected individuals.
What Should a Data Breach Notice Include?
When a notification is required, the message must be clear and easy to understand. It should include the following:
What happened, in general terms
The type of information involved
A description of what the business has done to secure its systems
A contact number where customers can ask questions
A reminder to customers to stay alert for fraud or identity theft
Contact the Consumer Data Privacy and Compliance Attorneys at Revision Legal
For more information, contact the experienced Consumer Data Privacy and Compliance Lawyers at Revision Legal. You can contact us through the form on this page or call (855) 473-8474.