Data Security Law in 2011: Responding to a Breach and Security Considerations for Engaging Vendors
Eventually, almost every company may need to respond to a threatened or actual data breach. There are steps a company can take to prepare for an incident and to get through one. This paper provides some helpful considerations for responding to a data breach and for managing data breach risk in vendor relationships.
Practical Aspects of Responding to a Breach Incident
To date, 46 states, as well as the District of Columbia, Puerto Rico, and the U.S. Virgin Islands, have enacted data security breach notification laws. These laws are not uniform and vary significantly in terms of their scope, notice triggers, notice contents, and other requirements. For example, the California law (upon which many state breach laws appear to have been modeled) generally requires any person conducting business in California that owns or licenses computerized data that includes personal information to notify the individuals to whom that data relates about any breach in which "unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person." Inevitably, every company must address a potential or actual security breach incident. Accordingly, a crucial element of a company's overall data security program is a process to detect and investigate possible incidents, secure data systems if an incident has, in fact, occurred, and take steps to respond in an appropriate manner as quickly as possible.