How Are We Still Unsure of What Makes a Data Breach?

Since the first of July 2017, over 10 million records containing personal information have been stolen each day. Are you one of these people? If you’re not, you might know someone who has been affected by these data breaches. Considering how high this rate is, it’s natural that you would want to take steps to protect your personal information, as well as any data stored by your business.

Have you ever considered the process that takes place when a major data breach occurs? How are you notified, and how do you know whether you’ve been affected? We’ll help you wrap your head around the various laws surrounding the notification of data breach scenarios, as well as identity theft and unauthorized account access.

There’s more than a reasonable chance to expect a breach of personal or business information, but the legal waters surrounding these situations are somewhat obscure. Even if it has ethical complications, companies that expose your personal information to a data breach are often under no legal obligation to inform you of the event. Even the information considered “personal” can vary, depending on the state. Naturally, this will lead you to question whether you can count on your organization being notified in the event of a data breach.

Legal Definitions of Personal Information
Each state has its own laws and policies concerning data breaches and notification requirements. All of these policies, however, give a general idea of what personal information is. At a minimum, the following can be considered personal information:

• First name (or first initial) and last name.
• One or more of the following elements: Social Security number, driver’s license, state ID number, financial information.

This information is generally considered the foundation of any legislation concerning data breaches. Some states even go further than these standards, going as far as a stolen PIN being considered a breach of personal information, but ONLY if the PIN was included in the same breach as its associated account number. Therefore, you’ll only be notified if both were found during the same breach, and not necessarily if it was just the PIN that was stolen and not the card number.

Some states, like North Carolina and Nebraska, even include biometrics and fingerprint information as part of personal information. Other states, like Missouri, have specific and detailed laws that make taking legal action somewhat difficult regarding personal data. Laws concerning health and medical information are generally covered under the United States’ federally mandated Health Insurance Portability and Accountability Act, or HIPAA. Some states do include health-related information in their definition of personal information.

Once the number of records stolen has exceeded a certain threshold, consumers must be notified of the instance, as well as the attorney generals of all states that are home to victims. This number generally sits somewhere between 1,000 and 5,000.

Regarding sectoral legislation, decisions are generally made in favor of the information holder, rather than the individual who has actually been affected by the breach. Here are even more ways that data breach laws work:

• Encryption: Some states specify that data that was encrypted and stolen doesn’t necessarily constitute personal information. However, they don’t include information about what happens to encrypted data that’s cracked after the theft.
• Questionable Non-Personal Information: Some information is not quite personal enough to constitute personal information. An example of this is the last four digits of your Social Security number. Remember all of those accounts that only ask you to confirm those same last four digits? Yeah--that’s not personal or anything.
• Good-Faith Acquisitions: A good-faith acquisition is defined as the recipient of the sensitive data being involved on the internal team, a vendor, or a partner. This could be either with or without your consent, but as long as the data isn’t misused, it’s usually not pursued legally. However, the most notable thing about these types of situations is that there are no requirements concerning notification.
• Risk of Harm Analysis: Around half of the states in the United States include laws that allow an information-holding organization to run what’s called a Risk of Harm analysis. This is a method used to determine how likely the information is to be compromised. If there is minimal risk involving the data, the state attorney general doesn’t need to be notified regarding a breach, and neither does the party whose personal information has been stolen.

Does your organization understand the laws surrounding notification for data breaches and other sensitive information being lost? If so, Atech MSP can help you prepare for the day that it inevitably happens. To learn more, reach out to us at (888) 814-4843.