Most businesses take steps to implement and maintain reasonable security procedures and practices in order to protect information from unauthorized access, destruction, use, modification or disclosure. A good cybersecurity strategy should not only manage security threats—it should also proactively address how a business will respond to security breaches.
Forty-seven U.S. states require corporate and government entities to take particular actions in the event that a security breach compromises personal information. Some states’ laws set a specific deadline for sending security breach notifications to affected individual residents (30 or 45 days after the breach is discovered, depending on the state), and other states generally require that notification be given in the most expedient time possible and without unreasonable delay. Time is of the essence after a breach is discovered, both to contain and mitigate damage caused by the breach, and to notify affected individuals, regulators, and consumer reporting agencies of the details underlying the breach. Taking the time to plan in advance how breaches will be addressed will enable an entity’s response team to act quickly and in compliance with applicable law.
An established information security policy can help streamline breach notifications when residents of several different states are affected. For example, some states allow entities that have implemented an information security policy to follow the notification procedures set forth in that policy rather than the procedures set forth in the data breach notification statute.
In addition, service providers processing data on behalf of data owners are required only to notify the data owner of the breach; the burden of notifying affected individuals rests with the data owner. That burden, however, can often be shifted to or shared with the service provider through the services contract between the data owner and the service provider.
Cybersecurity strategies should be documented in policies and procedures that can be used later as a resource when responding to a security breach. Moreover, the security measures and the steps taken to remediate a security breach should both be documented for reference in the event that the breach results in litigation or administrative action.