
Personally Identifiable Information Protection | Data Security Breaches

Today, nearly every business finds itself collecting and storing personally identifiable information. Whether it’s a medical service provider collecting health information from its patients, a retailer collecting payment information from its customers, or an Internet service provider collecting IP addresses from its subscribers, it’s rare for a business not to come into contact with some personally identifiable information. As a consequence, businesses find themselves in the possession of a valuable set of data, which often subjects them to state, federal, and even foreign law. So the question arises: What should a business do when its security is breached and outside parties access the personal information in its possession?

While it’s a scary thought, such data breaches are far more common than most people believe. Recent data indicates that greater than 80% of businesses that collect or store personally identifiable information have experienced a data breach in the past two years. And of those businesses that have experienced a data breach, a significant majority had no incident response plan or procedure in place at the time of the breach.

Such data breaches can occur in any number of ways, such as: a) an employee of a business having his or her laptop stolen, b) a computer hacker accessing the business’s database without the business’s knowledge, c) a rogue employee selling or using the personally identifiable information in the business’s possession and accessible by the employee, and d) the business inadvertently disclosing such information in an otherwise routine communication or publication.

As noted above, these situations are not as uncommon as one might believe. History has shown that regardless of a company’s line of business, the size of the company, or even the security efforts it has undertaken, that company may become a victim of a data breach (See Data Breaches of Note). Any business that collects, stores, or transfers personally identifiable information must be prepared to respond in the event of such a data breach. In fact, various state, federal, and foreign laws impose specific requirements for businesses in responding to data breaches. A business’s ability to survive a data breach may well depend on its knowledge of its legal obligations and its ability to promptly comply. The failure to satisfy these obligations may expose a business to civil and criminal liability, as well as to extreme scrutiny in the court of public opinion.





