Data Breaches under State Law
Businesses are increasingly reporting data breaches. Some of those data breaches involve customer information. Both Wyoming and Colorado state law provide that when a business becomes aware of a data breach affecting state residents, it should take certain steps to protect its customers, including the following:
- Conduct an investigation to determine the likelihood that hacked personal information has been or will be misused; and
- If the investigation reveals that personal information has been misused or is reasonably likely to be misused, then notice must be given to the customers. (See C.R.S. 6-1-716 and W.S. 40-12-502)
If a business fails to comply with the investigation and notice requirements, the Attorney General may bring an action to address the violations and ensure compliance. Most states have data breach laws protecting their state residents. This is important to keep in mind because, in today's economy, many businesses have customers located throughout the nation. A business that has a data breach has to ensure compliance with the state law of each state in which it has customers.
Data Breaches under Federal Law
On the federal level, the Federal Trade Commission (FTC) has been active in taking action against businesses that suffer data breaches where those breaches could have been prevented through adequate data security practices. The FTC's actions are based upon the premise that a failure to adequately undertake certain data security practices may be considered an “unfair” practice under the FTC Act. See, e.g., FTC v. Wyndham Worldwide Corp., 799 F.3d 236 (3d Cir. 2015). Although there is recent case law that suggests that the FTC's ability to force businesses to change their data security practices is limited (Federal Trade Commission v. Amazon.com, Inc., 2:14-cv-01038 (W.D. Wash. 2016)), the FTC still has considerable power to address the harm caused by data breaches.
What Businesses can do to Reduce Risk
Almost every business is at risk of suffering a data breach. There are some things that businesses can do to protect themselves from data breaches. First, businesses should ensure that knowledgeable people assess the risk of a data breach. This includes identifying the data that is retained and reviewing the vulnerabilities to exposure of that data. Second, businesses should implement practices to manage the risk of a data breach. Third, businesses should implement written policies on how to handle data breaches. Fourth, businesses should engage in risk monitoring and auditing on an ongoing basis.
If you need assistance in addressing a data breach, or if you would like advice on developing a plan to assess and manage the risk of data breaches, contact Clyde Hutchins. He can be reached at (970) 488-1857.