Has your business considered what obligations you would have to notify people in the event of a cyber-attack that compromises some or all of your IT systems? Have you cataloged all the data you collect and where it is stored so that you can determine whose information is impacted by a breach? If not, you are certainly not alone.

With the continuing increase in cyber-attacks, and particularly ransomware, combined with laws that impose ever shorter notice deadlines, it is important for all businesses to understand the scope of their potential notification obligations in the event they fall victim to an attack.

Breach Notification Laws

Breach notification requirements obligate organizations that collect, store, process, or otherwise possess personally identifiable information to notify the affected individuals if that information is compromised in a security breach. In addition to notifying the identified individuals, many states require that the state Attorney General's office and the credit reporting agencies also be notified, depending on how many identified individuals in the state received notices.

If you are missing contact information for some of the identified individuals, if the number of identified individuals is particularly high, or if the cost of the required notifications would be excessive, you may have the option to, or be required to, provide substitute notice in lieu of or in addition to individual notices. In most cases, substitute notice requires notification to be placed prominently on your website as well as distributed through the media: in print, on television, and/or by radio.

In the United States, certain federal laws govern obligations to report data breaches in particular industries, including:

The Health Insurance Portability and Accountability Act (HIPAA), which provides notification requirements for a security breach that compromises protected health information held by a covered entity or its business associates.

The Gramm-Leach-Bliley Act (GLBA), which requires covered financial institutions to notify customers whose non-public personal information is compromised by a security breach.

The Computer-Security Incident Notification Requirements for Banking Organizations and Their Bank Service Providers, recently issued by the FDIC, which require FDIC-supervised banking organizations to notify the FDIC within 36 hours of determining that they have suffered a computer security incident (a) that materially disrupts or degrades the organization's ability to maintain banking operations or to deliver services to a material portion of its customers, (b) that materially disrupts or degrades the operations of one or more business lines in a way that could result in a material loss of revenue or a decrease in the organization's value, or (c) that could pose a threat to the financial stability of the country.

Beyond the federal laws, all 50 states have data breach reporting laws, and they all have different requirements for determining whether a breach has occurred and for the notices that are required. Under these statutes, most businesses must comply with the law of a given state if they suffer a breach that compromises the personal information of a resident of that state. This means that businesses must consider the scope of the data they collect and store in order to determine whether they are likely to have reporting obligations under the laws of a given state. If your business holds information on an individual residing in a given state, two key questions in assessing reporting requirements are the nature of the data involved and whether or not the incident meets the definition of a reportable breach.