STATE DATA BREACH LAW REQUIRES YOU TO TAKE ACTION WHEN EMPLOYEE INFORMATION IS COMPROMISED
April 22, 2015
Data breaches are on the rise. Large and small organizations alike have been affected, and IT experts believe that it's a question of when, not if, an organization will experience a breach.
What you need to know as an employer is that state laws generally require virtually all employers to take certain steps in the event of a data breach where sensitive information is compromised, even if that information relates only to your employees and not your customers, clients, or business contacts. Which state law applies depends on where you do business and/or where affected employees live, as many state laws protect their residents' personal information, even if that information is maintained by an organization in another state. Currently, 46 states plus the District of Columbia have enacted data breach notification laws. There is no unified federal standard regulating breach notifications, although President Obama recently proposed one.
Maine's law on data breaches is triggered when an employer's computer system is breached and someone gains unauthorized access to personal information about Maine residents. Most of the time this breach is caused by a person outside your organization (e.g. a hacker), but, unfortunately, sometimes it is an employee inside your organization.
If you experience a breach, the law requires you to conduct a good-faith and reasonably prompt investigation to determine the likelihood that personal information has been or will be misused. If personal information has been, will be, or is likely to be misused, you must give written notice to those employees who are Maine residents and whose information was compromised.
Under the law, "personal information" means unencrypted data related to a person's first name or first initial and last name in conjunction with any one or more of the following:
Social Security number;
Driver's license or state ID number;
Account number, credit card number, or debit card number, if the number could be used without additional information, access codes, or passcodes;
Account passwords or personal ID numbers or access codes; or
Any of the above when not connected to an individual's first name or initial and last name, if the information that is compromised is sufficient to permit a person to fraudulently assume or attempt to assume the person's identity.
Although the law does not require this notice to take any particular form, you may want to include the following in your notices:
A summary of the nature and timeframe of the breach;
The type of information involved;
Steps taken (or to be taken) to address the breach;
Appropriate instructions to the recipient of the notice and contact information or a hotline for questions.
Under the law, you must provide notice as expediently as possible without unreasonable delay, consistent with the legitimate needs of law enforcement or with measures necessary to determine the scope of the breach and restore the integrity, security, and confidentiality of the data in your computer system. If notice is delayed because of a criminal investigation, you must provide notice within seven days after a law enforcement agency determines that notification will not compromise a criminal investigation.
Also, if more than 1,000 people must be notified at one time, you must notify consumer reporting agencies as well, and that notice must include the date of the breach, an estimate of the number of persons affected (if known), and the actual or anticipated date that affected people were, or will be, notified. If your organization is regulated by the Department of Professional and Financial Regulation, you must also notify them. All other employers must notify the Office of the Maine Attorney General. If information about employees who reside in other states is compromised, you also need to determine whether the laws of those other states require you to provide notice and/or take other actions. Some states have very specific requirements about what a notice must contain and when it must be provided.
Because the steps that you have to take in the event of a data breach are complex, you should strongly consider designating someone within your organization to take the lead on data breach issues and developing a data incident response plan so that you have a roadmap to follow in the event of a breach. Doing so can reduce the stress and anxiety that inevitably come with responding to a breach and can help to eliminate potential legal issues down the road related to failure to comply with notice laws. We can help you put together a plan if you decide you would like one.