The personal records of millions of Americans have been compromised through data security breaches in recent years. This in turn has caused an astronomical rise in identity theft – 8.6 million U.S. households were victimized in 2010.

In response, 47 states have enacted laws requiring that persons be notified promptly whenever someone obtains unauthorized access to sensitive personal information (e.g., Social Security numbers, credit card numbers). These laws apply to any organization – profit or non-profit, irrespective of physical location. Some states require notification within specified time frames; others require notices be sent to credit reporting agencies and state law enforcement officials. Businesses that fail to comply with these laws or have lax data security practices are increasingly being held accountable.

Suits and Penalties

Class action lawsuits are becoming more common. Any time there is a security breach, organizations must consider the risk of litigation and may also become embroiled in contractual disputes with third-party service providers or IT vendors.

Government penalties for non-compliance can also be significant. Virginia permits the attorney general to seek up to $150,000 in civil penalties per violation. Other states set higher limits (a $500,000 cap in Florida; a $750,000 cap in Michigan). In Ohio, an intentional or reckless failure to notify customers for more than 60 days may result in penalties of $5,000 or $10,000 per day.

How to Protect Personal Data

The first line of defense is to identify internal and external data security risks and then take proactive steps to mitigate those risks – before there is a problem. A good data security plan will (1) include procedures for the safe storage and transport of data; (2) limit the amount of data collected and how long it will be retained; (3) limit employee access to data; (4) provide for encryption of data stored on laptops and other portable storage devices; and (5) provide for employee training, compliance, and monitoring. In Massachusetts, a written data security plan is mandatory for any organization that collects personal information on Massachusetts residents (regardless of the company’s location). See