Understanding the Various Breach Notification Laws/Contractual Obligations

Over 40 states currently require notification to individuals affected by a data breach incident and to certain government bodies.

The data breach laws are similar, but they contain specific differences that must be taken into account when building a data breach notification plan. Synthesizing the elements of each law can be arduous and confusing. The differences must also be accounted for when preparing a data breach notification letter, but preparing a separate letter for each state is inefficient and costly. A thorough understanding of the data breach laws is necessary to take advantage of the similarities, yet account for the differences, to create a data breach notification letter tailored to comply with all of the breach notification laws.

In addition, your vendors and suppliers may have contractual notification requirements that you must complete following a data breach. Failure to comply with these requirements could put you in breach of your agreements with these entities, and could jeopardize your future relationships with them. A detailed analysis of all contractual obligations is necessary to understand which entities must be notified, when, and with what information.

A failure to take your breach notification obligations seriously could have costly ramifications. Many state laws provide for civil or criminal penalties for failure to properly notify affected individuals. In addition, some state laws provide a private right of action by third-party data aggregators against the party responsible for the breach.

The laws are constantly in flux as well. Some states without data breach laws are considering enacting them. States that currently have such laws may amend them to account for new advances in technology or to counter new data breach threats. Although the volume is high, to ensure compliance you must keep up with each state's law. The variances in and difficulties of understanding these laws will not excuse a failure to comply. You have to get it right the first time.