Since the first of July 2017, over 10 million records containing personal information have been stolen each day. Are you one of these people? If you’re not, you might know someone who has been affected by these data breaches. Considering how high this rate is, it’s natural that you would want to take steps to protect your personal information, as well as any data stored by your business.
Have you ever considered the process that takes place when a major data breach occurs? How are you notified, and how do you know whether you’ve been affected? We’ll help you wrap your head around the various laws surrounding the notification of data breach scenarios, as well as identity theft and unauthorized account access.
There’s more than a reasonable chance that your personal or business information will be breached, but the legal waters surrounding these situations are somewhat murky. Ethically questionable as it may be, companies that expose your personal information in a data breach are often under no legal obligation to inform you of the event. Even what counts as “personal” information varies from state to state. Naturally, this will lead you to question whether you can count on your organization being notified in the event of a data breach.
Legal Definitions of Personal Information
Each state has its own laws and policies concerning data breaches and notification requirements. All of these policies, however, give a general idea of what personal information is. At a minimum, the following can be considered personal information:
This information is generally considered the foundation of any legislation concerning data breaches. Some states go further than these standards, even treating a stolen PIN as a breach of personal information, but ONLY if the PIN was exposed in the same breach as its associated account number. Therefore, you’ll only be notified if both were found in the same breach, and not necessarily if just the PIN was stolen and not the card number.
Some states, like North Carolina and Nebraska, even include biometrics and fingerprint information as part of personal information. Other states, like Missouri, have specific and detailed laws that make taking legal action somewhat difficult regarding personal data. Laws concerning health and medical information are generally covered under the United States’ federally mandated Health Insurance Portability and Accountability Act, or HIPAA. Some states do include health-related information in their definition of personal information.
Once the number of records stolen exceeds a certain threshold, consumers must be notified of the incident, as must the attorneys general of all states that are home to victims. This threshold generally sits somewhere between 1,000 and 5,000 records.
Regarding sectoral legislation, decisions are generally made in favor of the information holder, rather than the individual who has actually been affected by the breach. Here are even more ways that data breach laws work:
Does your organization understand the laws surrounding notification for data breaches and other sensitive information being lost? If so, SCW can help you prepare for the day that it inevitably happens. To learn more, reach out to us at (509) 534-1530.
About the author
Sam is a network engineer with a broad range of experience spanning more than 35 years. He wrote his first piece of code in 1979 and has been involved with the industry ever since. For the last 20 years, he has worked for SCW Consulting, where he has embraced his passion for network technology and security.