What steps do you need to take if your business or organization suffers a data breach (sometimes called “security breach”) affecting the “personal information” of your customers, employees, or contractors? The answer varies depending on your specific circumstances and the law that applies, but hopefully the following information will be helpful.

1. What constitutes personal information, and what is a security or data breach?

1. Among other things, personal information (sometimes called “Personally Identifiable Information”) includes all of the following: name and address, SSN, DOB, mother’s maiden name, driver’s license number, medical information, and other identifying information. Personal information may also include email addresses, phone numbers and other contact info, family history information, etc.
2. A data breach usually occurs when personal information is compromised or disclosed without prior authorization.

2. As a custodian of personal information, your obligations in the event of a data breach are likely dictated by federal law, state law, and common law standards of negligence.

1. Many state and federal laws require data custodians to give notice to the people whose personal information has been compromised and often require the custodian to take steps to limit the damage that could be caused by the breach. Links to state laws at the time of this writing are listed below. Keep in mind the potential victims of a data breach may live in a number of states.
2. In addition to any statutory obligations imposed by federal and state law, there may be common law liability that could come into play if any of the compromised private information is used by identity thieves to harm the victims of the breach. This is why many organizations that experience a data breach offer victims a fraud alert management solution such as LoudSiren -- usually for at least one year from the date of the breach and often at no cost to the victims.

3. To see a typical notification letter to victims, click here

4. If a data breach could result in harm to a person or business, you should consider calling local law enforcement immediately. If you do, explain your situation and the potential risk for identity theft. Typically, the sooner law enforcement learns about a breach, the more effective they can be to prevent or limit theft. If your law enforcement agency is not familiar with investigating data breaches, contact the local office of the FBI or the U.S. Secret Service. For incidents involving mail theft, contact the U.S. Postal Inspection Service. Check the blue pages of your telephone directory or an online search engine for the number of the nearest field offices.

5. Other helpful resources

1. Federal Trade Commission
2. California Recommended Practices for Security Breaches
3. PrivacyRights.org
   •compiles data regarding recent data breaches and other helpful information
4. LoudSiren
   •helps victims of a data breach to stop credit-based identity theft before it happens
5. LoudSiren Fraud Alert Management. Enables victims to stop credit-based identity theft before it happens.
6. PrivacyRights.org. Good compilation of recent data breaches and other helpful information.