Spencer Fane Chairman Pat Whalen was featured as a guest author in this month’s issue of BankNews magazine, providing insights and updates on the protocol for handling data breach notifications. The article, titled “When to Send a Data Breach Notification,” discusses the laws surrounding security breaches and the responsibility of companies to determine when notification of customers is both necessary and required by law.
“While a few states require notification whenever customer personal data is even accessed by an unauthorized person, the overwhelming majority of statutes require notice only after the data owner makes a determination that there is a reasonable likelihood that the customer will suffer some harm because of access by an unauthorized person,” Whalen explains in the article.
Oftentimes, the laws and guidelines regulating data breach notifications are vague and open-ended, leaving companies to make a judgment call on which course of action to take. This issue, combined with the short time frame in which companies are required to issue the notification, makes for a very stressful and tumultuous environment for those determining a company’s security policies.
However, as Whalen outlines in the article, most federal and state privacy laws use a general four-step process to determine if notification is required. Additionally, previous court cases on data breach notifications can shed some light for companies on the proper way to respond to various incidents. Overall, Whalen states, the most important thing is to have a plan in place well before a breach ever occurs.
To learn more about data breach notifications, read the full BankNews article here.