Hacking, security breaches and data theft are not laughing matters. However, people in the IT security industry often joke there are two types of computer systems—those that have been breached and those that will be breached. As hackers get more sophisticated and data theft becomes more lucrative, more systems are breached every day. It very likely is a case of not IF, but WHEN a data breach will occur. Therefore, you should consider your response to a data breach now so that you can plan to react coolly and calmly if something does occur.
Types of breaches
For purposes of this post, we are focusing on two types of breaches. First is the unauthorized intrusion by a third-party into your own computer systems resulting in the loss or theft of data. This type of incident might include actual, physical access to your systems, hacking from the outside or even theft from the inside, such as an employee copying files onto a memory stick and taking them home. The second involves unauthorized access into the systems of a third-party wherein your data stored with that third party was compromised. This might include the situation where your credit card payment processor gets hacked and the hackers obtain information about your customers’ credit cards and other personal information.
Stop the bleeding
In either case, the first thing that should happen after a breach is noticed is to act to identify the point of breach and close off access. This might mean hiring technical consultants to analyze your systems to locate and quarantine malware. When a breach happens directly to your systems, this will be a major consideration since you obviously want to stop the outflow of information. If the breach is on some other system, such as a credit card processor, then you will want assurances from that provider that the breach has been secured and to take whatever steps might be necessary on your end to prevent any additional data leaking. This might include changing passwords or other basic defensive moves.
What kind of Data was compromised?
It is imperative to understand what kind of data may have been lost or compromised, since that will dictate what steps you might have to take next. Any data is vulnerable and thieves have different targets and motives. For some businesses, the most important information to a thief might be vender sourcing documents or component price sheets. To others, and most relevant for this article, the most important data is data identifying your customers and their personal information. If you store customer data or other such information then the question to ask is whether the compromised data included any “personal information” as that term is defined in the Florida Information Privacy Act (“FIPA”). Under this Act, “personal information” includes an individual’s first name or initial and last name in combination with any of the following:
- Social Security number
- Driver’s license, identification card, passport or similar government identification number
- Financial account number or credit or debit card number (and CVN Security code)
- Information about an individual’s medical history, treatment or diagnosis
- Health insurance policy number or subscriber identification numbers
- Username or email address in combination with password or security question and answer that would permit access to an online account.
If the data includes any of this “personal information,” then the Notice provisions of FIPA are triggered.
Notice of Breach
If the data breach includes this information, then any affected individual must be notified via email or letter, as soon as possible, but not more than 30 days after the breach was discovered. The notice should include as much information as is available at the time to inform the individual about what may have been compromised and when. If the breach is large scale and impacts 500 or more Floridians, then notice must also be provided to Florida’s Attorney General within 30 days. Failure to make the requisite notice within the time periods above could expose you to penalties so care must be taken to act swiftly.
The easiest way to deal with a data breach is to have a solid response plan in hand before anything happens. Just like fire drills and hurricane preparedness, potential data breaches are something that all prudent businesses should be ready for. If you would like more information or would like to consult with one of our attorneys, please don’t hesitate to contact us. I personally can be reached at firstname.lastname@example.org or by phone at 239-344-1153.