Building A Notification Plan

Under the laws of over 40 states, certain notification must be provided to persons whose personal information has been improperly accessed. Although similar and, in fact, mostly modeled on the first data breach notification law enacted by California, each state's law varies in subtle ways. In addition, other nations are beginning to consider similar data breach notification laws, which will add a complex international layer to the data breach response.

In addition, your vendors or suppliers may have contractually bound your organization to notify them in case of a data breach. Failure to comply with these requirements could be costly, and may jeopardize your relationship with your vendors or suppliers.

Current state laws generally require notice to every individual affected by the data breach incident. The notice usually must contain a description of the types of information improperly accessed, and various contact information may also have to be provided. The goal is to inform those affected by the breach so that they can take action to limit the damage that may result from it. Care must be taken because each state has different requirements on timing and substance.

Although the laws are broadly uniform, there are critical differences that must be taken into account. Some states, for example, require notice to the state Attorney General's office. Others require notification to various departments or divisions within the state bureaucracy. New York, for example, requires notification of data breaches to certain consumer protection offices. Puerto Rico requires notice within 10 days of discovering the breach. Understanding the differences between these laws can mean the difference between compliance and non-compliance, which could result in severe penalties.

Distilling all of the various laws into one overarching notification letter can be daunting and expensive without the proper planning and experience. However, compliance with every state law can be achieved. A proper Notification Plan must account for the various state laws, the individuals who must be notified, and the notification process itself.