Because state laws regulate the investigation and handling of data breaches, it's important to know the notification requirements for your business location. Learn more about the laws for data breach notification in your state.
Data breach notification laws regulate how businesses need to notify anyone affected by a data breach in which an individual’s personally identifiable information (PII) was accessed or stolen.
While notification requirements differ by state, the general idea is that businesses need to notify those affected as soon as possible after a data breach. Failure to comply with notification requirements could result in civil penalties and expensive lawsuits.
Depending on your state’s data privacy laws, its definition of PII likely includes:
PII may also include biometric information (such as fingerprints and retinal scans), usernames, email addresses, and passwords.
Any business that handles PII should invest in cyber insurance to mitigate costs in the event of a data breach.
All fifty states in the U.S. have laws requiring businesses to notify individuals of a data security breach.
Each state provides its own unique consumer protection laws and data breach notification requirements, although many of these state laws are similar to one another. California set the standard for data breach notification laws by being the first state to enact them in 2002.
Every state requires notification of affected individuals without unreasonable delays. Some states give a specific number of days for notification, typically within 30 to 60 days of a breach being discovered.
You would likely have to send a written notice to everyone directly, as well as make a general notification through the media and a state agency or officer, such as your state’s attorney general.
For some states, notifying the authorities must be done for any breach, while for others it depends on the number of residents affected. Some states also require a business to offer credit monitoring services after a data breach.
If your business operates in multiple states, it’s a good idea to be aware of what’s required within each jurisdiction and make this notification part of your cyber breach response plan.
A data breach notification must be written in plain language. Some states require a notice to be titled “Notice of a Data Breach.”
Depending on your state, the notification requirements for a data breach will likely include such information as:
The notice may have to include an offer of identity theft prevention and mitigation services for at least a year. You should also include contact information for your company’s representatives.
If a large number of individuals were affected, you may also need to report the breach to consumer reporting agencies, such as Experian and Equifax.
It’s a good idea to consult with an attorney and get legal advice in advance to make sure your data breach response plan complies with all applicable laws.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) includes a Breach Notification Rule that requires notification after a breach of unsecured protected health information. Businesses must notify:
Individuals must be notified by first-class mail, or by email if they've agreed to electronic communication, within 60 days of the discovery of a breach.
The Federal Trade Commission also has a Health Breach Notification Rule for the vendors of personal health records and their third-party service providers, under the Health Information Technology for Economic and Clinical Health (HITECH) Act.
Financial institutions should be aware of their obligations under the Gramm-Leach-Bliley Act (GLBA), which requires them to protect the personal information of their customers against data breaches. This affects any business that offers financial products or services, from financial advisors to insurance agents.
The increasing costs and risks of a cyberattack or data breach could put any company in a bind. In 2021, the average cost of a data breach rose from $3.86 million to $4.24 million, according to a report by IBM. The bind is especially tight for small business owners who might not have the financial resources to recover from a security breach.
Insurance carriers make a distinction between tangible property and digital property, because each comes with its own risks. So while general liability insurance is a necessity for most businesses, general liability policies will only cover injury to tangible property and exclude information stored, created, used, or transmitted digitally.
There is a newer exclusion to general liability insurance, known as electronic data liability coverage, that can be added as an endorsement to your standard policy. However, it is designed only to cover damage to electronically stored data that results from a physical injury to the computer hardware, such as a laptop being dropped and its stored data being permanently lost.
That’s why many small business owners are turning to cyber liability insurance as a way to financially protect themselves. Cyber liability coverage can help pay for expenses such as customer notification, credit monitoring, legal fees, and regulatory fines. It can also offset the cost of recovering data.
There are a couple of different kinds of cyber liability insurance.
First-party cyber liability insurance, also known as data breach insurance, covers the direct costs of a data breach or cyberattack. This includes things like forensic investigations, notifying those affected, credit monitoring services, cyber ransoms, and business interruption expenses.
This coverage is purchased by most business owners looking to insure themselves from a data breach.
Third-party cyber liability insurance insures against lawsuits filed by clients, if they accuse you of failing to prevent a data breach or cyberattack at their business. Also known as technology E&O insurance, it's crucial for IT consultants and cybersecurity businesses that are responsible for protecting their clients from cyberattacks.
When your business stores data, technology and education are your most important tools for protecting that data and avoiding a breach. It's crucial to make sure you take measures to prevent data breaches.
Some states may even require it. For example, New York’s Stop Hacks and Improve Electronic Data (SHIELD) Security Act requires businesses to safeguard private information through a variety of methods, such as designating one or more employees to coordinate a security program.
Requiring strong passwords, security questions, and two-step authentication can provide reasonable protection for your business and any service providers who access this information, thereby reducing the chance of an unauthorized acquisition of data.
Complete Insureon’s easy online application today to compare quotes for cyber liability insurance from top-rated U.S. insurance companies. Once you find the right policy for your small business, you can begin coverage in less than 24 hours.