
Cyber Liability: Get In the Know About Security Breach Notification Changes

Forty-seven states currently require employers to notify employees when personal information such as Social Security numbers is acquired by unauthorized parties. This can be rather complicated for multi-state employers, as notification laws differ from one state to the next. Moreover, the undertaking has become even more complicated, with eight states having enacted amendments in 2015 to their breach notification laws with new and unique requirements. The bottom line: It’s essential for employers to be aware of these recent changes, some of which we discuss here.

For example, effective October 2015, California requires a specific form to notify individuals of a security breach. The amendment requires a “Notice of Data Breach” to be issued, with specific information about the breach provided under each of the following headings: what happened, what information was involved, what we are doing, what you can do, other important information, and for more information.

According to a recent article by global employment and labor law practice, Littler, this new California standard form creates practical problems for employers addressing a multi-state breach.  “Other states require that the breach notification include information in addition to, or different from, California’s mandate,” says the article. Employers in Massachusetts and Rhode Island, for instance, must inform individuals of their right to obtain a police report. In Wyoming, employers are required to state whether law enforcement requested the employer to delay the notification. “As a result, multi-state employers will find it difficult to draft a single notification that satisfies California’s new notification law as well as all other notification laws.”

In 2015, five additional states—Montana, North Dakota, Oregon, Rhode Island and Washington—joined the 18 states that already require entities to report a breach to state regulators. Most states require reporting the breach regardless of how many individuals were affected. However, some states require reporting only after a certain number of individuals were affected. For example, Hawaii requires 1,000 affected individuals before reporting is required. Florida’s requirement is at a 500-person threshold. Regarding the additional states, Montana’s reporting requirement applies regardless of the number of affected residents. In North Dakota and Oregon, the reporting requirement applies only if the breach involves more than 250 state residents, and Rhode Island and Washington set a reporting threshold of 500 affected state residents.

Other changes to breach notification laws involve when a compromise triggers a notification requirement. All breach notification laws define the categories of “trigger information” to minimally include first name or initial and last name in combination with Social Security number, driver’s license or state identification number, or credit or debit card number or financial account number coupled with any required security code. Many states over the last few years have expanded this definition to include other categories of information, such as health information and health insurance information. This year, four states expanded these categories of information. For instance, effective October 1, 2015, Montana includes as trigger information medical record information, a taxpayer identification number, or an identity protection personal identification number issued by the Internal Revenue Service. Effective July 1, 2015, Nevada added the following to its list of trigger information: medical identification number; health insurance identification number; or a user name, unique identifier or email address in combination with a password, access code or security question and answer that would permit access to an online account.

In addition, effective January 1, 2016, Oregon’s security breach law will add the following categories of trigger information: health insurance policy number or identification number; an individual’s medical history, condition, diagnosis, or treatment; or data from automatic measurements of an individual’s physical characteristics, such as an image of a fingerprint, retina or iris, that are used to authenticate the individual’s identity in the course of a financial transaction or other transaction.

Other changes to state breach notification laws include providing identity protection services to affected individuals and imposing strict deadlines for notifying affected individuals of a breach.

What these changes mean for employers is increased risk and cost. Knowing each state law where you have employees is critical in order to remain in compliance should a breach occur. In addition, having a robust Cyber Liability insurance policy today is as important as carrying general liability or property coverage. A Cyber policy will address notification costs, call-monitoring services, and identity protection services; help in conducting forensics to pinpoint the cause of the breach and how many individuals were affected; and provide cover for reputational management, third-party damages, fines and penalties, and loss of income as a result of a breach.

At Axis Insurance Services, we specialize in Cyber/Privacy & Network Security Liability insurance and can provide you with a proposal outlining the scope of coverages right for your company needs and the costs involved. We can also help you understand your duties as an employer and assist you in establishing a security incident response team and developing a security incident response plan so that you are properly prepared in the event of a breach. Give us a call at (877) 787-5258.

 

 


Blogged on: November 30, 2015 by Mike Smith