Since every business must keep records about its employees, including former employees and job candidates, there is always a risk of sensitive data being stolen. The 2017 data breach at Equifax, the credit reporting company whose compromise affected roughly 145 million people, shows that even large, well-resourced companies are vulnerable. Could your company be liable in the event of a hack?
Data breach reporting – How state laws influence your responsibility
If your company does business in multiple states, whether or not you have brick-and-mortar locations in each, you must comply with the laws of every jurisdiction involved. Breach notification statutes generally apply based on where the affected individuals reside, not on where the business is located, so a single incident can trigger several states' laws at once. In just the last few weeks, Alabama and South Dakota have enacted data breach notification laws that increase the responsibility businesses carry in the event of hacking or other exposure. Once these laws take effect, every state in the nation will have its own legislation on the issue.
Standards for data breach notification
Although each state sets its own standards for reporting misappropriated information, the new Alabama and South Dakota statutes are a useful illustration of the questions every state's law answers: what data is covered, what counts as a breach, when notice is due, and who must receive it.
What is protected information?
Protected (or "personal") information is information that, if stolen, could enable identity theft or other fraud. Most state statutes define it as a person's first name or initial and last name combined with at least one sensitive data element, such as a Social Security number, driver's license or state ID number, or a financial account number together with the code needed to access it; a growing number also cover medical and health insurance information, biometric data, and online account credentials. A name or address on its own generally does not trigger the statute, but anything that pairs a name with one of these elements does, and employee and candidate records routinely do.
What constitutes a data breach?
Most states use similar language to define a breach. New York, for example, defines one as "acquisition without valid authorization that compromises the security, confidentiality or integrity of the covered info." Most states also exempt good-faith acquisition by an employee or agent for the company's own purposes, as long as the information is not misused or disclosed further. That exemption does not make internal access harmless: the smaller the set of people who can reach private information, and the better you can show who accessed it and why, the easier it is to demonstrate that an access was routine rather than a breach.
When must a data breach be reported?
If stolen information could reasonably result in harm, you must notify each person whose private information was exposed as soon as possible. Some states set an explicit deadline (Alabama allows 45 days from the determination that a breach occurred), while others require only that notice be given without unreasonable delay. Most statutes also permit a delay when law enforcement determines that notification would impede a criminal investigation; if you rely on that provision, get the request in writing and keep it with your incident records.
Who must be informed of security breaches?
Some states require that victims always be notified, while others let a business assess the severity of the breach and the likelihood of harm before deciding whether to notify. You may also have to notify specific government agencies. South Dakota's new law, for example, excuses notice to individuals for breaches unlikely to cause harm only if the business first reports its findings to the attorney general; other states have similar conditions. In every case, document the investigation behind your severity determination, including what data was involved, who had access to it, and why you concluded harm was or was not likely. If a regulator later questions the decision, that record is your defense.
Protecting your business from liability
The wide differences between reporting laws, even between neighboring states, mean that businesses must be extremely careful when handling sensitive information. Because hiring, including background screening, inevitably involves collecting and sharing large amounts of sensitive information, it is one of the most delicate aspects of the employer/employee relationship, and a professional touch is vital. At Chane Solutions, we take pride in providing thorough, accurate, and secure screening services to clients across the nation. In addition to our comprehensive and cost-effective screening services, our team can guide your business through the complex process of managing sensitive information. To learn more about our services, contact us today.