  • Not verified by CNN

Posted March 6, 2014 by adlerlaw

A Lesson In How NOT To Respond To A Data Breach

In January of this year, the California Attorney General obtained a $150,000 settlement, plus ongoing notification obligations, from a CA company that learned that one of its computers had been sold at a thrift shop.

The ongoing obligations include a duty to: 1) notify employees as information becomes available, 2) train employees on additional methods to protect sensitive information, and 3) review and improve its policies regarding protecting sensitive information.

The CA AG’s enforcement action alleged that the company learned of the lost hard drive on September 24, 2011 and regained the drive on December 21, 2011. Within a week, forensic analysis determined that employee personal information was contained on the drive. However, the company did not notify some 20,000 current and former employees affected by the disclosure until mid-March 2012, almost four (4) months later.

So, what is a reasonable time period to respond to a security breach, and how fast does a company have to notify consumers or employees that a data breach has occurred?

Unfortunately, there is no “bright line” rule. Most state breach notification laws and, for that matter, many Data/IT/Cloud contracts require notification within a reasonable time frame, or “without delay”, subject to some qualifications. A couple of states require notification to occur no later than 45 days after discovery, but beyond that there is no bright-line, objective answer.

California’s law requires that: “The disclosure shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement . . . or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.”

The key takeaway is that waiting several months after a forensic investigation to disclose the occurrence of a data breach to those affected is probably too long. Companies facing a data breach can and should take into account the legitimate needs of law enforcement and the requirements of forensic investigation. Within those parameters, a company is well-advised to begin the notification process even if it must reserve for itself the ability to conduct additional investigation and provide supplemental notification.

NOTE: This is not legal advice. Every situation is unique and if you or your company is dealing with a data breach or its consequences you should engage a qualified attorney.
