Two years ago, I wrote about data breach notification requirements. See Back to Basics, Continued—Data Breach Notification. I want to spend a few minutes detailing the sequence of events that may require action on the part of the “covered entity” for a security breach.

1. As a preliminary matter, most state statutes require that a covered entity (one that acquires or uses sensitive personally identifying information) maintain reasonable security measures to avoid a data breach scenario.  (Federal and state laws and regulations set forth records disposal requirements as well. See Back to Basics, Continued—The Disposal of Consumer Report Information and Records Rule and Back to Basics, Continued—Documents Destruction.
2. So first, there must be a determination that a breach of security has occurred.  That is, the unauthorized transmission of electronic personally identifying information has indeed occurred.  Every release does not necessarily amount to a breach of the statute.  A careful review of the law must be undertaken to determine that.
3. A review of the type of information will determine whether it is the type of sensitive personally identifying information that then requires further action. 
4. Assuming that this review or investigation reveals that there has been an actionable breach, the covered entity must then evaluate whether further action is required.
5. If there is a determination that it is reasonably likely that the breach will cause substantial harm to the individuals to whom the information relates, then notice must be given to each affected individual.  The applicable law will provide the types of information that is to be included within the notice.
6. If the breach is large, the law may require that notice be given to law enforcement—the attorney general of the state.
7. Depending upon the number of affected individuals, notice may be given via an internet website of the covered entity, or by other means that the attorney general may approve.
8. And, if the breach involves a large number of individuals, the statutes often require the covered entity to notify consumer reporting agencies.

It is important to stay vigilant of data security requirements and be prepared to respond appropriately when required.  

Please Note: This is the two hundred fourth blog in a series of Back to Basics blogs, in which relevant and resourceful information can be easily accessed by clicking Dentons - Consumer Finance Report.