Even if your company has established an information security program, no program is perfect, and threats to data security continue to change. It is quite possible that someday your company will find that it has sustained a data security breach of sensitive consumer information. If and when that occurs, your company might need to make certain notifications under state law, even if the federal laws discussed above don't apply to your company.
For example, Oregon's Consumer Identity Theft Protection Act requires that any person who owns, maintains, or otherwise possesses data that includes certain types of personal consumer information must, in certain circumstances, disclose the fact of a security breach "in the most expeditious time possible and without unreasonable delay." Failure to do this can result in civil penalties, as well as liability from private lawsuits. The disclosure must include, at a minimum:
- A description of the incident in general terms;
- The approximate date of the breach of security;
- The type of personal information obtained as a result of the breach of security;
- Contact information of the person subject to this section;
- Contact information for national consumer reporting agencies; and
- Advice to the consumer to report suspected identity theft to law enforcement, including the Federal Trade Commission.
Oregon's statute specifies the permitted forms and scope of notice. And if the breach affects more than 1,000 consumers, additional steps are required.
Although Washington's statute is similar to Oregon's statute in many respects, other states' data breach notification laws might apply to your data breach event, and some of those laws differ in significant ways. And of course, federal law might also apply. Therefore, it can be important to involve privacy counsel to provide confidential legal advice regarding the data breach notification process.
As with any emergency, it is best to plan ahead. Consider developing an incident response/data breach notification plan in advance, before your company finds itself in the midst of the next inevitable data security crisis.