In case you haven’t heard, Alabama’s new data breach notification law went into effect on June 1st. In short, the law requires a business entity that “acquires or uses sensitive personally identifiable information (Sensitive PII)” to have certain security measures in place and predetermined notification measures to alert impacted individuals of the breach within a reasonable amount of time.
In our last blog, we mapped out 6 steps businesses should take to prevent a cyber-security breach based on the new law’s requirements. But, what happens if a cyber-security breach occurs despite these protective measures? How does the law require your business to respond?
Brandon Robinson, a partner at Balch & Bingham who specializes in cybersecurity and data privacy, advises immediately taking these steps once you determine a breach has occurred:
- Engage outside counsel. An attorney can help assess the situation, meet legal obligations, mitigate potential liabilities and create a careful and compliant communication plan.
- Identify the source, type and scope of compromised data. Determine what data was exposed, for how long and to whom. While restoring system integrity and operations, keep a record to retain evidence.
- Identify notification obligations and deadlines. Whether statutory or contained in vendor agreements or insurance policies, be sure to identify and comply with all notification obligations and deadlines.
- Control the story through timely and clear communication. Communicating quickly, regularly and consistently is key to controlling the story. According to Robinson, it’s important to find a balance between supplying stakeholders with sufficient information to retain their confidence, but not so much that you risk having to correct yourself as the investigation continues.
Overall, it is essential to be prepared and move quickly once a data breach has occurred because Alabama’s 45-day notification period will pass by in a flash. For more insights from Brandon Robinson, read his blog in Business Alabama.