Affirmative Data Security Obligations for Business
Delaware is the latest state to amend its data breach notification statute to include an affirmative duty for companies to proactively take “reasonable” measures to protect personally identifiable information of Delaware citizens.
Effective in April 14, 2018, the new statute requires that:
Any person who conducts business in [Delaware] and owns, licenses, or maintains personal information shall implement and maintain reasonable procedures and practices to prevent the unauthorized acquisition, use, modification, disclosure, or destruction of personal information collected or maintained in the regular course of business.
Delaware is the thirteenth state to adopt such proactive mandates, with California, Massachusetts and Rhode Island requiring specific written policies and procedures. Several jurisdictions require encryption. Other jurisdictions require companies to contractually bind third party vendors with access to such data to implement their own proactive protective procedures. Certain states mandate as to how long data should be maintained and prescribe means for destruction of data when no longer needed.
The message is clear: any business that collects “personally identifiable information” about its customers and/or its personnel should be proactive to protect this data. Further, in several jurisdictions, companies that act proactively are statutorily shielded from liability in the event of a data breach that compromises personally identifiable information.
While the majority of the states have not (yet) adopted such proactive mandates, all but two states have adopted breach notification statutes that prescribe (i) what is a breach, (ii) who has to be notified in the event of a breach, (iii) how and when notice must be given, and (iv) fines and penalties for failure to comply with such notification mandates.
Whether your business “only” collects information about its own personnel, or also collects information about its customers, failure to be prepared for a security breach puts your entire company at risk.
Please contact us to help you:
- Identify the statutes and standards by which your business is bound
- Work with your company to develop written policies and procedures
- Train your personnel
- Develop response plans
- Respond and recovery from security breaches