If your professional firm has never experienced a data breach before, you may be unaware of the legal process after it happens.
Data breaches are becoming all too common in the current business climate. Cybercriminals are especially aware that professional firms hold a massive amount of sensitive client data. This data can be used to access email accounts, bank accounts, and other important accounts that may lead to identity theft and other unfavorable outcomes.
Understanding that your firm may experience a data breach in the near future, are you aware of the compliance process if client data is stolen? If not, here are six key steps for legal compliance following a data breach.
6 STEPS TO DEAL WITH DATA BREACH LAWS AND REGULATIONS
- Review your insurance policy. Some insurance policies cover data breaches and costs that arise from such incidents. However, cyber insurance is often excluded from policies unless you specifically request it when you originally purchase an insurance policy.
If you are covered under this type of incident, your insurance company may cover the cost of a data breach compliance process. If not, continue reading these next steps to ensure that you are fully able to comply with the compliance process.
- Identify which (and how much) information was accessed. It is crucial that your firm is aware of which information was accessed, stolen or exposed in the data breach. If the stolen information does not pose any risk to your clients, then it may not lead to major issues.
However, if sensitive client information was stolen, such as Social Security numbers (SSN), bank account numbers, email addresses, passport numbers, or other similar information, this is likely to cause major problems if your firm fails to act. This information is otherwise known as “personally identifiable information,” and it plays a major role in identity theft.
- Check your state’s laws and regulations. Each state has its own set of in-depth data breach laws requiring compliance for firms that store customer or client data. It is important to note that your firm must comply with each state where your firm’s clients reside. For example, if you have clients in Florida, Georgia, and Texas, you must comply with each of these states to understand and fulfill each state’s requirements.
While many states have common requirements, some states are more strict than others. Florida, for instance, requires businesses to notify customers within 30 days of the breach, while other states allow for 45 or 60 days before notifying clients. Additionally, some states require additional measures to be taken, while other states are more relaxed. Check state laws here before moving forward in order to understand the process.
- Notify clients. As mentioned above, states require notification to customers if their information was accessed in the breach. Most states expressly mention how to notify customers of a breach. For instance, many states provide that notification letters must include the information that was accessed, the company’s contact information, steps that the company is taking after the data breach, and other similar steps. Each state requires different information, but there are several overlaps in these letters.
- Consider contacting law enforcement, state regulators, and/or credit reporting agencies. Although it may be difficult for law enforcement to find the cybercriminal, it may be a good idea to document the incident with law enforcement. Some states may require that you contact law enforcement or credit reporting agencies if the number of individuals subject to the breach exceeds a certain amount. For instance, Florida requires companies to provide the state with notice when the breach affects 500 or more individuals in the state. Check state laws to verify whether or not your firm is required to report incidents to these institutions.
- Hire an attorney. If you are unfamiliar, uncertain, or simply uncomfortable with the data breach compliance process, hire an experienced cyber litigation attorney who can handle this process for you. A cyber attorney will know how to navigate the compliance process to ensure that your firm complies with all laws and regulations regarding data breaches.
If you have any questions at all about the legal process following a data breach, please feel free to give us a call at (239) 319-4434 or email us at firstname.lastname@example.org. We are more than happy to serve you.
Vernon Litigation Group represents businesses and individuals throughout the United States who have financial disputes, including cyber litigation, securities litigation & arbitration, business & commercial litigation, financial advisors & employment disputes, and FINRA arbitration.