For many years now, businesses large and small across the country have dealt with the threat of data breaches and perhaps not known how best to proceed when they do suffer such an incident. This is often because the rules for dealing with such an event vary significantly from one state to the next; while the vast majority of states have data breach notification laws, those laws are anything but uniform.
However, that might soon change, because the White House recently announced that it would put forward a bill to create a national standard for data breach notification rules, according to a report from JD Supra Business Advisor. The Obama administration’s Personal Data Notification and Protection Act would enact many standards that would impact organizations of all sizes, by defining what kinds of data exposure constitute a breach, and what those firms have to do in the aftermath of such an event.
There are, of course, many aspects to the law, but some of the more general rules that businesses would have to start following are laid out fairly simply, the report said. For instance, when these incidents occur, organizations would have just 30 days to notify impacted people, and that could be done by U.S. mail, telephone, or email. And when a breach impacts more than 5,000 people in one state, the organization would also have to alert the media to help get the word out. Likewise, if the size of a breach exceeds 5,000 people overall, the companies might have to alert both the federal government and the three major credit reporting bureaus about the issue as well.
Other conditions
Despite all that, companies that do not store a large amount of data – handling the information for 10,000 or fewer people over a 12-month period – would be exempted from any of these notification rules, the report said. Meanwhile, firms that complete a risk assessment within that 30-day period and determine that the breach would not impact anyone would likewise be able to avoid the individual notification requirements, but would still have to let the Federal Trade Commission know about the incident.
Owners who want to more fully protect these companies from the often costly fallout from a data breach might be wise to consider the benefits of investing in tech insurance. This type of small business insurance can help insulate companies from the costs associated with remediating a breach’s impact.