Should victims of a data breach be notified? The question can be confusing because the answer depends on varying state laws. The differences among those laws include what exactly defines personally identifiable information; which agencies (e.g., law enforcement, credit reporting) should be alerted; when victims should be notified; and what the notification letter should say.
Legal counsel can tell you what level of notification you are obligated to provide. Not every data breach case requires that consumers or businesses be alerted, but not alerting has its own set of negative consequences.
When an incident does require notification, consider the points that follow (these are general guidelines; review any and all steps with your attorney):
- Treat all victims equally: all get notified, even if that means victims out of state. Not doing so can yield legal consequences, or the media might pounce.
- Though there aren’t really any notification laws covering overseas victims, they too should be notified.
The sooner victims are alerted, the better. Under what circumstances, though, should victims be notified? Consider the nature of the breach, the type of information stolen, whether or not it may be misused, and the possible fallout of that misuse.
Damage from misuse can be significant, as with stolen SSNs and names.
When in doubt, consult with legal counsel. Don’t be surprised if you’re informed that breached consumers must be notified, and within 30 days; most states require this. Some states mandate that the Attorney General’s office also be notified.
FTC Recommendations for Notification
- Inform law enforcement before notification takes place so that your notification does not interfere with their investigation.
- Also find out from them precisely what information the consumer notification should contain.
- Select someone from your organization to manage release of information.
- This contact individual should be given updated information concerning the breach, plus your official response, as well as guidelines for how victims should respond.
- To give victims ways to reach you, consider providing a toll-free number, posting a website or mailing letters.
- Explain clearly to victims just what you know of the breach. How did it happen? What information was stolen or compromised? How might the thieves misuse it? What actions has the organization taken for mitigation? What reactions are appropriate?
- Make sure victims know how to reach the contact person.
- Make sure the law enforcement official who’s working your case has contact information for victims to use. The officer should also know that you’re sharing this contact information.
- Victims should ask for a copy of the police report, then make copies to give to credit card companies that have honored unauthorized charges.
Robert Siciliano is an Identity Theft Expert to AllClear ID. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen.
ROBERT SICILIANO, CEO of IDTheftSecurity.com is fiercely committed to informing, educating, and empowering Americans so they can be protected from violence and crime in the physical and virtual worlds. His "tell it like it is" style is sought after by major media outlets, executives in the C-Suite of leading corporations, meeting planners, and community leaders to get the straight talk they need to stay safe in a world in which physical and virtual crime is commonplace. Siciliano is accessible, real, professional, and ready to weigh in and comment at a moment's notice on breaking news.