
How to Respond to a Customer Data Breach

by John DiGiacomo, Partner

How do you respond to a breach of customer data? If you operate an ecommerce store, you need to know. Revision Legal partner John DiGiacomo has published another article on Practical Ecommerce: How to Respond to a Breach of Customer Data.

Data breaches seem to be the norm these days, whether they are at Yahoo, Home Depot, or, more recently, Michigan State University. And ecommerce merchants are not immune. My firm has recently handled data breach responses for small ecommerce companies that were affected by a breach of the LemonStand ecommerce platform.

Ecommerce merchants must take the risk of a data breach seriously. A breach that exposes customers’ data carries enormous potential liability. It can cause a business to go bankrupt.

But there is some good news. According to the “2016 Global Security Report” by Trustwave, the security firm, only 38 percent of global data breaches target ecommerce stores. Traditional brick-and-mortar retail stores are the most targeted — roughly one-third of overall data breaches target magnetic stripe data obtained from point-of-sale machines.

It can be difficult, however, to detect a data breach. Forty-one percent of worldwide breaches are detected by the victims themselves, while 58 percent of breaches are reported to the victims by regulatory bodies, credit card companies, and banks. This, again, is from the Trustwave report. The median time between a network intrusion and its detection is 168 days when the breach is detected externally and 15 days when it is detected internally.

Develop a Strategy to Reduce Risk

… develop a strategy for reducing the company’s risk associated with the breach. Many breached companies have offered credit-monitoring services or identity-theft-monitoring services to victims of the breach, to reduce the further risk of loss or harm. Others have offered informational packets or even some form of compensation to reduce their risk of liability. Each circumstance is different.

You can read the entire article here on the Practical Ecommerce site.

Revision Legal has worked with businesses of all sizes to assess data retention risks. If you have concerns about your exposure or have received a notification that you have been a victim of a data breach incident, contact the experienced data breach attorneys at Revision Legal. Civil fines are available in some states for a failure to expeditiously notify those affected by breaches. You should get experienced legal help as fast as possible.

The Full Legal Framework: What Every Business Must Know

A data breach involving customer information is not simply a technology problem — it is a legal event that triggers obligations under multiple overlapping legal frameworks. Every business that collects, stores, or transmits customer personal data needs to understand those obligations before a breach occurs.

Federal Notification Requirements

Federal law imposes sector-specific breach notification duties that apply regardless of where affected customers reside. The Health Insurance Portability and Accountability Act (HIPAA), 42 U.S.C. § 1320d et seq., requires covered entities and business associates to notify affected individuals within 60 days of discovering a breach of protected health information. Breaches affecting 500 or more individuals in a single state must also be reported to HHS and, in some cases, to prominent media outlets in the affected area. The Gramm-Leach-Bliley Act (GLBA), 15 U.S.C. §§ 6801–6809, requires financial institutions to notify customers and in some situations banking regulators following a breach of non-public financial information. The FTC’s Safeguards Rule, 16 C.F.R. Part 314, was significantly strengthened in 2023 and now requires non-bank financial institutions to report breaches involving 500 or more customers to the FTC within 30 days.

State Notification Laws: All 50 States Have One

Every U.S. state has enacted a data breach notification statute. These laws are not uniform. They differ on the definition of personal information covered, the timeline for providing notice, who must be notified, and what remedies are available. An ecommerce merchant based in Michigan who sells to customers in California, New York, and Texas may be subject to the breach notification laws of all four states simultaneously. Identifying which laws apply and in what order requires analyzing the residence of affected individuals, not just the merchant’s home state.

Several states have enacted particularly demanding standards. California’s Consumer Privacy Rights Act allows consumers to bring private lawsuits for statutory damages of $100 to $750 per consumer per incident when their personal data is exposed through inadequate security. New York’s SHIELD Act, N.Y. Gen. Bus. Law § 899-aa, requires notification to the New York Attorney General, the Department of State, and the Division of State Police when more than 500 New York residents are affected. Illinois requires notification “without unreasonable delay” under 815 ILCS §§ 530/1–530/25.

The Immediate Steps After Discovering a Breach

The first 72 hours following discovery of a breach are the most legally consequential. Here is what businesses need to do immediately:

  • Engage legal counsel immediately. Retaining an attorney before beginning an internal investigation allows the investigation to be conducted under attorney-client privilege. Forensic reports and internal communications prepared at counsel’s direction can be shielded from discovery in subsequent litigation. Do not begin the investigation without counsel in place.
  • Preserve evidence. Do not wipe or overwrite systems that may contain evidence of the intrusion. Document the timeline of events as they become known. Destruction of evidence, even inadvertent destruction during remediation, can result in spoliation sanctions in subsequent litigation.
  • Contain the breach. Isolate affected systems to prevent further unauthorized access. If the breach is ongoing, containment must occur before remediation. Credential rotation, network segmentation, and disabling compromised access points are typical first steps.
  • Identify the scope. Determine what data was exposed, whose data was exposed, and the geographic distribution of affected individuals. This analysis drives the notification compliance analysis.
  • Map notification obligations. Based on the scope analysis, identify every state notification law, federal regulation, and contractual notification obligation that applies. Payment card industry (PCI-DSS) contractual requirements with card processors often require notification to the card brands within 24 hours of breach discovery, independent of any statutory requirement.

Drafting the Customer Notification

Notification letters require careful legal drafting. Most state statutes specify what information the notice must contain: a description of the incident, a description of what personal information was involved, steps the company has taken to contain the breach, steps consumers can take to protect themselves, and contact information for follow-up questions. Some states also require the letter to include information about consumer credit freeze rights under the Fair Credit Reporting Act, 15 U.S.C. § 1681c-1.

The notification letter should be accurate and complete but should not contain admissions of fault that will be used against the company in subsequent litigation. Striking that balance requires an attorney reviewing every draft before it goes out. Rushed notifications without legal review often contain inadvertent admissions that create additional liability.

Contact a Data Breach Response Attorney

If your business has experienced a data breach or you want to build a breach response plan in advance, the data breach attorneys at Revision Legal can help. We work with ecommerce merchants and businesses of all sizes to navigate the notification requirements, manage regulatory exposure, and defend against consumer litigation. Contact us today for a consultation.
