Data Breach Compliance a Mixed Bag From State to State

Many small business owners across the country who have to worry about how their companies store sensitive customer or client data may be well aware of how much they can benefit from tech insurance and other measures that safeguard them from data breaches and their fallout. However, when it comes to complying with state laws, they may have considerable difficulty understanding what they need to do following such an incident.

The simple fact is that because there is no overarching federal data breach notification law, the rules about what companies or organizations suffering these incidents have to do in their immediate aftermath can vary widely from one state to the next. This was recently highlighted in Vermont, North Dakota and Michigan, according to a report from major industry vendor Sophos’ Naked Security blog. The former two states recently decided that now was the time to significantly improve data breach notification rules within their borders, while the latter allowed a potentially major breach to avoid some aspects of state law.

In Vermont, the previous data breach regulations allowed institutions under the purview of the state’s Department of Financial Regulation that were hit by these incidents to avoid alerting potential victims of the problem, the report said. However, a recent revision to that rule closed the potential loophole, and it became law in mid-May.

Meanwhile, North Dakota broadened its definition of the personally identifying information that, when exposed, requires the company or organization to send out a data breach notification, the report said. Previously, this included a person’s Social Security or driver’s license number, state ID cards, details about financial accounts including credit cards and bank accounts, dates of birth, mothers’ maiden names, employee ID numbers, and even copies of consumers’ signatures. All of those are still included, but information related to health insurance or personal medical data is now covered by the rules as well.

Where Michigan lags behind
Earlier this month, the state of Michigan’s Department of Community Health began contacting more than 49,000 people about an incident that exposed their names, Social Security numbers, dates of birth and cancer screening results, the report said. Federal law mandates that when health information is exposed, it typically has to be reported to victims, but in this case the state decided that the Michigan Cancer Consortium, which suffered the breach, did not qualify as a covered organization as defined by the U.S. Department of Health and Human Services. Specifically, a state spokesman said that the exposed data in question did not qualify as “medical records” in the strictest sense.

Data breach notification mandates can be difficult waters to navigate for even the savviest small business, particularly when information involving people living in a number of different states is exposed. For these reasons, it might be wise for companies to do all they can to follow the strictest rules possible, so that they know all their bases will be covered in the event that such an incident takes place. It is also important to have small business insurance policies designed specifically to protect companies in the wake of these incidents. While they may be somewhat expensive, owners should keep in mind that the cost of smoothing over even a small data breach is often so large that it can run into the hundreds of thousands of dollars or more, a difficult financial burden for even the most financially fit companies to bear.