A day barely passes without news of a major data breach perpetrated by outsiders who gained unauthorized access to sensitive personal information and intellectual property stored on company computers. In an age where practically every company collects and stores personal information about its consumers and employees, all businesses have to grapple with the difficult questions of how to safeguard their sensitive data, how to avoid a data breach, and how to respond to a data breach when one occurs. What's more, data breaches don't only come at the hands of foreign hackers, credit card thieves or even malicious employees. Often, it's plain old human error that results in data loss: a laptop stolen from a vehicle or backpack, an email attachment sent to the wrong recipient, a consultant losing a thumb drive or a webmaster accidentally posting sensitive material online. Below is a summary of current data breach notification laws and seven best practices to reduce your risk.
Data Breach Notification Laws
Forty-seven states (and D.C., Guam, Puerto Rico and the Virgin Islands) have enacted data breach notification laws that impose notification requirements, mandatory credit monitoring and other significant burdens on companies that lose control over data containing personally identifiable information, or "PII." The definition of PII differs by state, but generally means a person's first name (or initial) and last name combined with that person's Social Security number, state identification or driver's license number, financial account number, medical information or other sensitive data. While data breaches that affect consumers tend to receive the most media attention, employee records are one of the largest sources of PII and the subject of many incidents. In addition, although the loss of intellectual property and proprietary company data may not trigger breach notification laws, the consequences of a breach involving valuable non-PII can be just as devastating for a company.
The Fallout From a Data Breach
The fallout from a data breach can be substantial. A recent report by the Ponemon Institute found that the average cost for each lost or stolen record containing sensitive information is $201, and that the average total cost of a single data breach to an organization is $5.9 million. Responding to a breach often requires diverting significant staff resources, hiring outside counsel to ensure compliance with state and federal laws, engaging a computer forensics expert to help...