Understanding Breach Laws

Excerpt from: {see} Digital Magazine - Issue #2
Published: May 15, 2008




AN INTERACTIVE MAP OF ALL 50 STATES’ BREACH LAWS

Everyone has seen the headlines: huge corporations suffering large data security breaches. But smaller businesses can be affected too. In Issue #2 of {see} Magazine we offer a brief state-by-state overview of breach notification requirements. Make a point of reading up on the laws in the states where you sell and the states from which you hold information, because both may apply. It's the best way to protect your business and your customers from the headaches associated with data breach and identity theft.


NOTIFICATION: REASONS TO ACT IN A REASONABLE TIME

Most state security breach laws require organizations that suffer a breach to notify affected individuals "in the most expedient time possible and without unreasonable delay." The date of actual notification may be delayed by the exceptions available in most states for law enforcement investigations and restoring system security.

But if the exceptions for delay don't apply, what does "without unreasonable delay" mean? How quickly is that?

The best way to answer that is to consider the purpose of the notice: to allow consumers to take action to avoid becoming victims of identity theft. If the criminal applies for credit in a victim’s name, the approval process can be fairly quick for in-person transactions. But then other identifiers must usually be presented.

More typically, the criminal will apply for credit remotely, using the internet or mail applications. They will want the credit card to be mailed to another address, or they will wait for it to be delivered to the victim’s address and then steal the mail. That takes longer and could take up to thirty days.

Also, typically, the new account won't be reported in the victim’s consumer report until at least one billing cycle has been completed. That might be at least two months after the breach occurred.

Therefore, it might be reasonable to conclude that the notice should be sent up to, but no later than, two months after the breach occurred.

But one point often overlooked is the duration of remedies offered alongside notification. For example, credit monitoring may be offered for a year, or a fraud alert may be placed on the consumer's report for 90 days if he or she has not yet been a victim. But those stolen identities are valuable forever. The criminals may wait until the monitoring is over and then strike. Or they may get the information on college students and wait until they have a good job, and then get new credit in their names.

Therefore, it is critical to notify consumers and encourage them to take action to protect themselves for the long term. For responsible companies who value their customers, the reason for timely notification is to help customers to protect themselves in the long term.
