GDPR: How to Handle a Data Breach

Photo by Christoph Scholz from Flickr (Creative Commons License)

Every company that sends commercial emails to people who reside in the EU, or that processes their data, has to comply with the new privacy law, the General Data Protection Regulation (GDPR). This law has specific rules about how companies have to respond when a data breach occurs. It’s so much better than the current rules in the U.S.

Report the Breach to the Supervisory Authority within 72 Hours

When a data breach occurs, the employee must report the breach to their supervisory authority without undue delay and, where feasible, within 72 hours of learning of the breach. This notice must include the likely consequences of the breach and the measures the company is taking to mitigate its potential adverse effects.

The only exception to this rule is if the breach is unlikely to result in a risk to the rights and freedoms of natural persons. The company doesn’t have to report the breach if it is unlikely to cause harm to those impacted.

Report the Breach to Consumers

In addition to reporting the breach up the chain of command, the company must, without undue delay, notify the people whose data was compromised if the breach is likely to result in a high risk to their rights and freedoms. The law doesn’t specify a number of days or a rubric for determining what counts as notification “without undue delay.”

Companies should notify the affected persons individually unless doing so would require a disproportionate effort. In that case, notification may be made by public communication.

There is an exception to this requirement. The company does not have to disclose that the data breach occurred if the personal data would be unintelligible (e.g., encrypted) to whoever stole it, or if the risks have been sufficiently mitigated that adverse results are unlikely to occur.

These new requirements are fantastic. These will hopefully eliminate the problem of companies waiting weeks or months to disclose to impacted consumers that their personal data was hacked.

You can learn more about this aspect of the GDPR here:

Remember, if you are subject to the GDPR, you must comply with this law by May 25, 2018 when it goes into effect.

If you want more information about GDPR, please watch this site and my YouTube channel because I’m creating a substantial amount of content on this topic. You can also send me an email (Note: I can’t give advice to non-clients). I use my mailing list to share my thoughts about being a lawyer/entrepreneur, updates about projects I’m working on, upcoming speaking engagements, and I may provide information about products, services, and discounts. Please add yourself if you’re interested.

You can also connect with me on Twitter, Facebook, YouTube, or LinkedIn.

Thoughts on the Ashley Madison Hacking

Puzzle by Andreanna Moya Photography from Flickr (Creative Commons License)

I have had a lot of different thoughts about the recent hacking of the Ashley Madison website – both as a lawyer and as a person. Ashley Madison is a website geared towards helping people participate in infidelity. They apparently have over 37 million users. According to NPR, the company suspects it was an inside job. Allegedly, whoever did this threatened to release the identity of its users if the company doesn’t take down the website.

As a social media lawyer, I am against hacking. Whenever I work with a company on their website, I always ask what security measures they are taking to protect their users’ information, and I encourage them to explore whether they need cyber liability insurance. Conversely, people need to remember that there is no expectation of privacy in anything they post on the internet, regardless of their privacy settings. There is always a risk that they could be unmasked, which could lead to social, professional, and legal consequences.

Do I believe this hacker deserves to be punished? Yes. If this person has an issue with what this website does, assuming this was perpetrated by an employee, they should quit their job. Being personally morally opposed to a company is not a valid reason to potentially jeopardize millions of people’s lives.

Additionally, I am a huge advocate of everyone leaving each other alone (with a few exceptions related to safety and public policy). Stay out of other people’s relationships that don’t involve you. I have no idea what these 37 million people were doing on Ashley Madison. I suspect some of them were there with the consent of their significant other as part of an open relationship arrangement. Some people may be allowed to cheat as long as they do it discreetly. I wouldn’t be surprised if there are partners where both people have profiles on this site. The only thing I know for sure, is that I don’t care about what these consenting adults do in the privacy of their own lives.

Part of what makes this situation so newsworthy is that it involves infidelity, and it forces us to acknowledge on some level that not everyone believes in or practices monogamy. This isn’t a legal issue; it’s a personal choice. And the only people who deserve a say on these decisions are the other people who are directly impacted (meaning that person’s significant other and possibly children). The fact that outsiders are outraged by these beliefs and activities is irrelevant.

I know this is a hot button topic for a lot of people, and I am open to continuing the conversation in the comments below, on Twitter, Facebook, YouTube, or LinkedIn, or you can contact me directly.

Does Your Business Need Cyber Liability Insurance?

Guilty Viewing Pleasures: Hackers by Ingrid Richter from Flickr (Creative Commons License)

Anthem Health Insurance was the victim of the latest cyber attack to hit the news. Approximately 80 million customers’ health records were compromised by this security breach. When you hear about these hacking stories, do they make you wonder about your company’s security system? Do you assume that you probably have nothing to worry about because hackers are only interested in big companies like Target?

I attended a workshop last month about cyber liability insurance where the presenter said that a 2011 study revealed that 95% of all credit card breaches were against small businesses. We only tend to hear about the security breaches involving bigger companies, but a company of any size could be at risk. Data breaches can occur through hacking, theft by unauthorized access, employee errors, and stolen or lost paper or electronic files, laptops, smartphones, and flash drives.

Any business that handles or stores private business, customer, or employee data should consider getting insurance to cover them if a data breach occurs. This data includes social security numbers, bank account information, credit card numbers, driver’s license numbers, and email addresses. Additionally, you should take a look at your company’s policies and procedures related to data security. Are you taking the following precautions?

  • Secure sensitive data
  • Restrict access to data
  • Dispose of data properly – i.e., wipe laptops before donating them, shred paper files
  • Use effective passwords
  • Use encryption and secure remote access
  • Make sure your employees understand how to protect data and why it’s important

There are many benefits of having cyber liability insurance. Your provider should offer risk management services to help prevent a data breach from occurring. If a breach occurs, they can provide professional assistance for damage control and regulatory compliance, as well as cover the response expenses for mailing notification letters, credit monitoring services, and public relations. Your cyber liability insurance policy can also cover your defense and liability expenses if you are sued because of the breach.

This is a serious issue that can affect any company that uses the internet for business or commerce. If you have a traditional business liability insurance policy, read the terms carefully; it may not cover cyber liability. If you need a cyber liability insurance policy, contact a cyber liability insurance specialist to discuss your needs and options.

If you have questions or want to chat more about these issues, feel free to connect with me on Twitter, Facebook, or LinkedIn, or you can send me an email.