Know the facts around notification-requirement laws to protect your business, and yourself as a business owner.
Data breaches continue to impact organizations and individuals alike, and California legislators are doing something about it. New data-breach laws went into effect last year. They apply to any business or individual doing business in the state of California that stores personally identifiable information (PII).
The hope is that early data-breach notification will result in fewer losses. Unfortunately, this can have a negative impact on businesses as they scramble to ensure they’re meeting these new requirements.
Personally Identifiable Information (PII)
Anytime a business maintains PII, they’re under a moral obligation to ensure the tightest possible security at all times. PII classifications are managed by the U.S. General Services Administration (GSA) and apply to government employees, businesses, contractors and individuals who store data digitally.
The definition of PII may require a case-by-case assessment, but generally refers to any information that can be used to trace a specific person’s identity, either by itself, or in combination with other information.
It’s important to note that the data points don’t all have to be in the same location. For instance, information would be personally identifiable if a hacker uncovered data points that could be matched to public information such as phone books, corporate directories and websites. Key data points include:
The final point was recently added as a result of the revised legislation. This broadens the responsibilities of California organizations in regard to notifications after a PII data breach.
The Dangers of Data Breaches
One scenario that gets a lot of negative press is credit-card breaches, something that happens on a regular basis. While the majority of credit card companies will cover individuals’ losses as long as they report quickly, people typically don’t check their accounts on a regular basis.
With hundreds of millions of records falling prey to cybercriminals on an annual basis, the problem continues to grow. If your business currently accepts credit cards as a method of payment, you must be aware of the potential impact. If you’re storing hundreds or even thousands of records, you’ll face significant liability in the event of a data breach. Liabilities average around $150 per record, per incident.
Who’s Protected by the New Data Breach Laws?
All Californians are protected by the new laws (which went into effect January 1, 2016). While the California Civil Code refers to “customers” or “customer records,” there are no limitations beyond this statement, meaning all residents of the state are covered under the same statutes.
While individuals living in other states are not expressly covered by this legislation, they are benefiting from the notification requirements. When an organization is required to notify residents of the state, it’s often easier to notify all customers on the same schedule to minimize confusion.
A Data Breach Defined
The term “data breach” refers to any unauthorized acquisition of digital data that could compromise the integrity, security or confidentiality of PII. The infringement can consist of encrypted or unencrypted data, or a combination of both. Data breaches aren’t always caused by hackers, and can often be the result of internal systems or procedures that aren’t up to security standards.
Data-Breach Notification Requirements
While nearly all states have some form of notification requirements, California’s laws are quite specific and meant to provide the greatest level of protection possible to the consumer. This can make the laws more challenging for businesses to implement, especially since the notification must be made “immediately following discovery,” at a time when businesses are scrambling to restore operations.
Notification requirements are as follows:
While California’s laws may seem aggressive, remember that they were put in place to protect innocent individuals.
Protect your organization in San Francisco or the Bay Area from the negative effects of data breaches. Boost security levels with adequate training, stringent security standards, and reliable computer hosting and support. Contact Intivix at (415) 543 1033 or firstname.lastname@example.org to learn more about California’s data-breach notification requirements, and best practices for securing your data.