In our current network-based society, the possibility that your business may be a victim of data hack is a real concern. However, many business owners and executives have very little understanding of what a hack is and what to do if they have a data breach. A few weeks ago, we posted about the rise of spear phishing cyber attacks. If you are a California business, here are a few steps you need to consider if you suspect your company has suffered a data breach.
NOTE: Businesses based in other states can use the following resource from Steptoe & Johnson LLP.
What is considered a “hack”?
A “hack” or “breach of the security of the system” is described as the “unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the person or business.”
Are there any exceptions?
Yes. If an agent of the company or trusted third-party accesses the information in order to do a job which is in accordance with the business, it is not considered “a breach”.
Okay, I think my business was hacked. Do I need to report it?
Maybe, depending on what was accessed or stolen. Any business or person that handles computerized data of other people’s personal information may need to report a breach depending on what information was hacked.
What “personal information” would require reporting?
Any personal data that includes a person’s First Name or Last Name with any combination of the following information:
- Social security number
- Driver’s License number or State ID number
- Credit card or debit card number in combination with password or access code
- Medical or health insurance information
- Email address (or username) and password for an online account
- A few other things like information obtained from license plate recognition
What about corporate data like trade secrets or intellectual property? Do I need to report it?
Not necessarily, unless the information includes personal information. However, that’s a question probably best answered by your lawyer. Additionally, keep in mind that corporate hacking is still illegal and is best reported to the authorities.
Who needs to be informed of the breach?
Those people who have been affected need to be notified, obviously. Additionally, if more than 500 people have been affected by the breach, then you will also need to notify the State Attorney General.
Do I need to inform credit reporting agencies of a breach?
No.
How much time do I have before I have to notify those affected?
The general sense is that you should notify those affected “in the most expedient time possible and without unreasonable delay” depending on if there is a criminal investigation ongoing or you’re actively trying to restore integrity to the system. A general guideline is that you should notify victims of the breach within 10 business days unless told otherwise by a law enforcement agency investigating the matter.
How do I need to notify people?
Generally, you need to send a written letter to each person affected. You can send an electronic notice if it meets certain guidelines. Normally, sending an email or posting a notice on your company’s website is only acceptable if the cost of informing everyone affected will be more than $250,000.
What happens if I don’t notify people?
Probably nothing good, especially if you consider high-profile cases like Equifax or Yahoo. Though you might be tempted to keep a confirmed data breach secret, you leave yourself and your company open to civil lawsuits and penalties from those affected. Best to get out in front of the situation as promptly as possible.
Are they are additional ways to protect my business.
Most general liability policies contain some level of cyber protection in the case of a data breach; however, it is usually inadequate to provide any real coverage. Nearly all-reputable carriers offer cyber liability insurance policies that can provide additional protection in case your business is hacked.
Conclusion
Getting hacked is scary, but it doesn’t have to be the end of your business. By preparing appropriately and handling a data breach in a straightforward manner, you can maintain your company’s reputation and keep your customer’s trust.
If you have additional questions on this or other insurance issues, please feel free to check out our resource page. To reach me directly, feel free to contact me at (626) 535-1405 or email me at wlewis@boltonco.com.
If you liked this, check out these great articles:
- Post Your OSHA Logs from February 1 to April 30, 2023
- Post Your OSHA Logs from February 1 to April 30, 2022
- Going Public With Your Cannabis Business: The Importance of Corporate Governance
- Here Are Three Critical Mistakes Multi-State Operator Cannabis Companies Need to Avoid
- Hazard Exclusion Endorsement—Is Your Cannabis Business Covered?
