Question: We recently had a server breach that resulted in some of our customer records being potentially exposed to the hackers. Our IT team has resolved the issue. Are we required to report this incident to the police or any other agency?
Answer: The United States lags other countries in clarifying companies’ responsibilities in the wake of a cybersecurity breach; requirements exist only agency by agency or state by state. Consult your IT provider, insurance company and/or legal counsel to determine which requirements apply to you.
We recommend, however, that companies report the nature and scope of cybersecurity breaches to law enforcement agencies and to the companies and individuals potentially affected.
The FTC has published a “Data Breach Response Guide for Businesses,” which can be found at FarmEquip.org/breachresponse. Among suggestions in the guide:
1. Determine your legal requirements under state law or applicable federal regulations;
2. Notify law enforcement;
3. Notify affected businesses, including financial institutions, if applicable;
4. If Social Security numbers were involved, contact the three major credit bureaus (Equifax, Experian, TransUnion) for additional information and advice;
5. Notify individuals, based on the circumstances of the breach and your requirements under No. 1.
The guide includes a letter template that can be used for drafting such notifications.
All 50 U.S. states have enacted some form of legislation requiring government and/or private entities to notify individuals when a breach of Personally Identifiable Information (PII) has occurred. Unfortunately, there is no consistent definition of what constitutes PII. Some states limit it to “critical PII,” such as Social Security numbers, driver’s license numbers, or bank account numbers. Other states define PII more broadly to include date of birth or address, and at least California treats information as basic as a name and zip code as PII.
Further, states currently do not agree on what constitutes a breach, on how soon after a breach is discovered individuals must be notified, or on what exemptions exist, such as an exemption when the only information taken was encrypted.
Companies with customers in several states can be subject to a patchwork of different regulations. It is considered best practice to comply with the most restrictive regulations your company could be subject to, which in the U.S. are the rules of California or Illinois (depending on the nature of the data disclosed).
Given the attention being paid to this issue at all levels of government, it seems likely that the U.S. will soon have a comprehensive set of cybersecurity regulations and disclosure requirements.
Until then, what should companies do in response to a breach?
First, recognize that cybersecurity is one of the few areas where the victim of a crime can become subject to legal jeopardy as a result of their victimization. While this may seem unfair, in this case, companies are acting as custodians of their customers’ personal information. Even though the company is itself a victim of cybercrime, it has a responsibility to protect its customers from further harm.
In the jurisdictions where they exist, these cyber response laws are not optional! Failing to prepare or fulfill your responsibilities under these laws can subject a company to penalties worse than the fallout from the actual breach.
Companies must develop an incident response plan and train staff on breach response. Following best practices and notification rules leads to the best outcomes: companies, individuals, and enforcement agencies respond more favorably to incidents that were well handled and well communicated.
The Association has partnered with Enquiron, which provided this article, to offer members the Shortline Cyber Resource Center. This no-cost resource provides access to information, training and tools to help companies prevent a cyberattack and respond effectively if they fall victim, including help in creating an incident response plan. If you haven’t yet activated your member benefit, go to FarmEquip.org/CyberResource. Click on “forgot password” to follow the prompts to create a login. Call the Association office with questions at (314) 878-2304. Or, contact Enquiron at (877) 568-6655; press one for assistance.