Your IT technician has just informed you that your business has suffered a data security breach. Now what should you do?
Content Provided by Defeat The Breach Member
Fraser Trebilcock P.C.
Data breach incidents continue to make headlines. WhatsApp, Facebook, iPhones, health insurers, money managers, the U.S. Customs and Border Patrol, the U.S. Department of Defense, an NBA team and dozens (if not hundreds) more businesses and entities were hacked in 2019 alone. All one needs to do is search "biggest data base breaches of 2019" (or even 2020) to find lists and compilations that are staggering in scope. Data security breaches affect companies of all sizes, and any company that maintains an electronically stored database containing personal information - which can include credit card numbers, driver's license numbers, or Social Security numbers, or a combination of these items coupled with names or parts of names - is susceptible to a data security breach and identity theft.
If you have been informed that your business has been the victim of a data security breach, you will, at a minimum, need to follow the breach notification requirements in Michigan's Identity Theft Protection Act (the "Act"). It can be found in the Michigan Codified Laws ("MCL"), beginning in Section 445.61. This blog series will provide an outline of the steps you should consider in connection with the Act if your business has suffered a data security breach. This introductory article is no substitute, however, for seeking the assistance of legal counsel in connection with the breach.
Step 1: Determine the extent of the breach and what harm may result from the breach.
Under the Act, a business that discovers a security breach of personal information must provide a notice of the security breach to each affected Michigan resident, unless the business can establish that the security breach is not likely to cause substantial loss or injury to, or result in identity theft with respect to, one or more Michigan residents. Personal information means the first name or first initial and last name of a Michigan resident linked to one of the following elements: i) a social security number; ii) a driver's license or state identification card number; or iii) a bank account or credit card number combined with an access code that would permit access to any of the financial accounts.
In order to determine whether a security breach is likely to cause injury to, or result in loss or identity theft to, a Michigan resident, the Act requires a business to act with the care that an ordinarily prudent person in like position would exercise under similar circumstances. In other words, once you have determined that a security breach has occurred, you should immediately begin a thorough, reasonable investigation into the security breach before concluding that harm is unlikely.
This article is Part One of a brief summary of state law. Additional federal or common law principles may also apply, given the circumstances. Readers should not rely on this generalized, introductory article as it is not legal advice. Anyone affected by the law should seek competent counsel regarding the law.