Your Organization was breached! Now what? (Part 2 of 4)

Your IT technician has just informed you that your business has suffered a data security breach. Now what should you do?

Content Provided by Defeat The Breach Member
Fraser Trebilcock P.C.

Click here for Part 1 of this series.

Step 2: You have determined that a breach has occurred. How should you notify your customer or contacts?

Once you have determined that a data breach has occurred, you will need to provide notice to customers and vendors affected by the breach. The form of notice you must give is largely determined by the relationship between you and the intended recipients of the notice. Under the Act, notices are described by type: written, electronic written, phone, or substitute notice. One or more of these types of notice may be used.

Written notice. The most common and simplest form of notice you may use is written notification sent to the recipient's postal address on file in your records.

Email notice. The written notice may be sent in electronic format if you can show that any of the following three requirements is met: 1) the recipient has expressly consented to receive electronic notice; or 2) you have an existing relationship with the recipient that includes electronic mail communications, and as a result of those communications you reasonably believe you have the recipient's current electronic mail address; or 3) you conduct your business primarily through the internet or through internet-based account transactions.

Phone notice. If not prohibited by state or federal law, you may make notification by phone if the following two requirements are met: 1) the notice is not given in whole or in part by recorded message (i.e. the message is given by an "individual"), and 2) the recipient has expressly consented to receive notice by phone. However, if the recipient has not expressly consented, you may still provide phone notice, provided that you also provide written or electronic written notice whenever the phone notice does not result in a live conversation between you and the recipient within 3 business days after the initial attempt at phone notification.

Substitute notice. If you determine that the cost of providing notice as described above exceeds $250,000.00 or that the notice must be provided to more than 500,000 residents of Michigan, you may provide substitute notice. While the required contents of the substitute notice vary by medium (i.e. depending on whether you provide written or phone notice as part of your notice response), that notice is generally required to: 1) provide electronic notice to all residents for whom you have an electronic mail address; 2) if you have a website, conspicuously post the notice on that website; and 3) notify "major statewide media," which must include a telephone number or website address that an individual may use to obtain additional information and assistance.

Agreed upon notice. The Act also allows parties or agencies governed by it to address and agree upon the type and contents of this notice, provided that the terms of that agreement or notice do not conflict with Section 12 of the Act (codified at MCL §445.72).

Join us next week for Step 3: You have identified recipients that require notification and have obtained their contact information. What information should the notification contain?

This article is Part Two of a brief summary of state law. Additional federal or common law principles may also apply, depending on the circumstances. Readers should not rely on this generalized, introductory article, as it is not legal advice. Anyone affected by the law should seek competent counsel regarding the law. This content provided by Defeat The Breach Member Fraser Trebilcock P.C.