Knowing five things to do before a data breach can make all the difference if and when one occurs in your business or firm. Planning ahead provides peace of mind and a clear path to follow. Just as important, state law may require you to act after a data breach. Data breach notification laws in Arizona apply to all businesses that store personal information. The Arizona breach notification law, A.R.S. Sec. 44-7501, governs unencrypted computerized data. When there is a breach, an investigation is required to determine the breadth of the breach, and notification must be made without delay to the person(s) whose data was compromised.
According to the National Conference of State Legislatures, 47 states have data breach notification laws. The Attorneys General of all 47 states recently sent a letter to Congress urging it to forgo preemption of state laws, which allow local protection of consumer data. Privacy and data breach notification bills have stalled in Congress for now. Arizona’s statute includes language that repeals the legislation one year after the effective date of the federal personal data privacy and security act.
Is your law firm or business prepared to comply with Arizona law in the event of a breach? Arizona law gives the Attorney General the exclusive authority to enforce the data breach law with penalties up to $10,000. Taking the time to implement a data breach plan and policy will save you money, time and clients. Below are some tips to help you get started with a data breach notification plan.
Identify the data you collect and store.
Is the data your business or firm collects considered personal information? Most businesses and firms collect personal information. Read your state statute to determine if the information you have fits the definition. A free brochure and a link to state laws can be found here: DATA BREACH
To encrypt or not to encrypt.
Right now your data is either encrypted or it is not. Find out which applies to each store of personal information you keep, because some states, including Arizona, have data breach notification laws that apply only to unencrypted data.
Make sure you have a method of contact with anyone whose data you collect and/or store.
Since data breach notification laws require, well, notification, you must have a way to contact anyone whose personal data has been breached. When taking on a representation, when collecting any personal data, and when setting up contact forms on the web, have a way either to destroy personal information securely or to store it so that it is handy in the event of a breach. This may mean keeping contact information separately (as a backup) from the personal data that is later the subject of a breach.
Decide now how you will notify of a breach.
If you decide to notify by telephone, make sure you have the phone number of each person whose personal information you hold at the ready, and prepare your staff. Consider drafting a notification now, which you can modify later as needed, containing the basic information. Preparing ahead reduces the stress of the apology that will necessarily come along with the notice.
Access your resources.
Become informed on state and federal laws concerning data privacy and breach notifications. Consider hiring a law firm that focuses on data privacy and technology law to help you fashion your plan. What you do before a breach will not only prepare you for handling it, it will also provide an opportunity for you to review your own procedures and policies and come away with confidence that you can handle what happens.
Lawyers may want to consider advising clients that the firm has a data breach plan in the unlikely event one is needed. It tells a client that the firm has thought about their security and about what happens in a worst-case scenario. It reinforces that law firms do whatever is necessary to earn their clients’ confidence.
You can download a free publication on data breach law at this link: DATA BREACH
Susan Kayler practices in the area of Privacy and Technology Law and provides firms, individuals and businesses with privacy assessments, data breach plans and more. Contact her at email@example.com.