Data Breach Notification Costs
Cyber liability costs are soaring these days for all kinds of businesses (startups included). Most people think of these “costs” as those related directly to the data breach: legal defense fees, settlements with users and 3rd party vendors, and forensic costs.
Loss attributed to data breach notification costs can go under the radar. When user data is compromised, the company must take steps to notify users that the their personal data has been [potentially] leaked. Seems simple enough, but the problem is that data breach notification laws differ across all 50 states. Each state can have it’s own way of thinking about:
- what constitutes Personally Identifiable Information (“PII”)
- what constitutes a breach
- when users must be notified (i.e. a “known” breach vs “reasonable belief a breach has occurred…”)
- how notification should be made
- safe harbor provisions that decrease liability under the statute
- who is subject to the breach notification law (based on company operations, size, location…)
As you can see, navigating the breach notification legal landscape can get expensive pretty quickly. A good Cyber liability insurance policy can mitigate a ton of this risk by covering data breach notification costs as well as more “traditional” data breach costs.
If you’re curious about the laws in your state, law firm Mintz Levin created a quick cheat sheet of breach notification laws by state that has been updated as recently as August 2014. You can dive in to look at the laws in your specific state, but here are a couple big picture takeaways from the document:
- The general definition of “PII” is as follows: “An individual’s first name or first initial and last name plus one or more of following data elements: (i) Social Security number, (ii) driver’s license number or state-issued ID card number, (iii) account number, credit card number or debit card number combined with any security code, access code, PIN or password needed to access an account and generally applies to computerized data that includes PI.”
- NOTE: California has one of the most sweeping definitions varying from the above: “any user name or email address, in combination with a password or security question and answer that would permit access to an online account.”
- The only states that don’t have breach notification laws are the following: Alabama, New Mexico, South Dakota.
Take a look to see where your state falls on the breach notification and reach out to us if you need help making sure you’re covered here.