In the world of transactional print and mail, data security is a top priority. Protecting confidential customer information ensures you remain compliant and credible. Although a data security and breach notification law has failed to pass federally, all 50 states have enacted rules.
In this article, we’ll explain these laws and how they relate to critical customer communications.
What Is the Proposed Data Security and Breach Notification Act?
Congress has proposed a nationwide Data Security and Breach Notification Act at the federal level. However, it has yet to pass.
The law would require companies to deliver notifications to impacted individuals that a breach has exposed their personal data. It would also mandate security measures for safeguarding personally identifiable information (PII). Organizations would also need to report the breach to relevant authorities or agencies.
Until a federal law exists, businesses must follow the regulations of each applicable state.
Key Areas of Data Security and Breach Notification Rules
While every state has unique laws, most include all these components.
- Purpose: Protect consumers and provide timely notice of the breach so they may take steps to mitigate any potential harm, such as identity theft.
- Covered entities: Any business that collects, stores, or transmits personal information about individuals.
- Breach defined: Unauthorized access to PII, credit card details, or other confidential information.
- Notification requirements: Once a breach is discovered, notifications must go out within a specific timeframe. These communications typically describe the breach, identify the information compromised, and list the steps affected individuals can take to protect themselves.
- Government reporting: Jurisdictions vary, but in most cases, organizations must report the data breach to agencies like the Federal Trade Commission (FTC).
FTC Guidance
The FTC offers best practices for responding to a data breach. The first step is securing operations, which involves identifying the vulnerability responsible for the breach and addressing it. This may not be feasible immediately, however, especially in the case of a ransomware attack.
Organizations must mobilize their breach team and engage third parties such as a data forensics team. If the vulnerability is within your control to fix, the guidance recommends segmenting the network and investigating which security controls failed, such as encryption or access controls.
Communication plans go into effect, along with notification of those impacted. The notification requirements follow the relevant state’s rules and may also include contacting law enforcement. Should the breach involve personal health records, the regulations of HIPAA apply as well.
Data Breach Notification Laws by State
You can find a complete list of laws by state here. This page contains specific statutes of each state but not their interpretation. For this, you should consult with counsel.
Which state laws apply when a breach occurs? The potential jurisdictions depend on where the company stores data and the states where affected parties live.
Avoiding a Data Breach When Working with Third Parties
Organizations must have proactive cybersecurity measures to prevent data breaches. Building a fortress for data is crucial. This should also extend to the third parties you share data with, like a transactional print and mail partner.
Scrutinizing their practices requires due diligence and inquiries about their data security protocols. At a minimum, those should include:
- Certifications and compliance with all regulatory standards (e.g., HIPAA, FISMA, PCI DSS)
- Providing a secure platform for data transmission, such as SFTP (SSH File Transfer Protocol)
- Encryption of data while in transit and at rest
- Firewalls and IPS (Intrusion Prevention System)
- Network segmentation
- User-level security
- Multi-factor authentication
- Proactive cybersecurity initiatives like penetration testing and vulnerability scanning
If you’re confident in your partners’ ability to safeguard against data breaches, you minimize risk. Should an incident occur, you also need to understand their response plans to ensure they’ll follow all compliance mandates.
Transactional print and mail companies can also serve as your provider for sending data breach notification letters to the individuals affected. Such a service is secure and efficient, and it is designed to follow all compliance and regulatory requirements.
If you’d like to learn more about our data security initiatives or data breach notification solutions, contact us today.