Data breach notification laws differ from State to State, which creates a complex landscape for anyone trying to understand their obligations and potential exposures. Each State has its own triggers, definitions, and requirements for assessing a data breach, as well as its own potential financial and criminal penalties.
If you are a healthcare organization, understanding the stringent requirements of the HIPAA Data Breach Notification Rule is fundamental to understanding your potential exposures. Similarly, anyone dealing with financial institutions should be aware of the Gramm–Leach–Bliley Act.
Staying on top of changing legislation and the prerequisites for compliance can be tricky. Part of that challenge is that the methods States use to penalize companies vary widely from one to another. State breach notification penalties can be any combination of the sanctions identified below.
- Monetary penalties can be issued per violation, per series of violations, or as a dollar amount per affected resident. Fines range from $1,000 to $10,000 per violation, usually subject to a cap of $250,000 to $5,000,000.
- Through injunctive relief, many States can restrain an organization from conducting business until the data breach notification process is completed. The cost to the business is enormous: loss of revenue, reputation damage, additional fines, and legal fees. Financial exposure to businesses in these States is in the tens of millions of dollars. The fines pale in comparison with the loss of revenue, reputation damage, and legal fees. No insurance policy protects you in this case.
- Attorney General: Several States require the attorney general to be notified of any data breach. If the AG does get involved, they can enforce penalties and pursue additional relief, including injunctive relief.
- Statutorily authorized private right of action: This statutory right brings in the class action lawyers, who feed on large fees and lots of wasted time. Legal fees, settlements, and reputation damage run into the millions of dollars.
- A few States attach criminal charges to data breach notification violations; Arkansas's data breach law, for example, includes misdemeanor charges.
Securable helps businesses reduce their data breach notification exposures by turning each and every employee into a mini human firewall. It takes about an hour to set up a 150-person company and approximately 5 hours for a 500-person organization. Once the system is set up, it runs in a set-and-forget mode and only sends a notification when an employee meets a predefined cyber security threshold.