Recent news has been littered with examples of companies that have had their data systems breached or hacked, resulting in the release of confidential information to the public.
In simple terms, a data breach can be characterized as the intentional (or unintentional) release of secured, personally identifiable information into an unsecured environment. As of January 2014, 46 states (including Pennsylvania) have enacted legislation that requires private companies to notify individuals of security breaches that lead to the dissemination of an individual’s personal information.
Making matters worse, there is no single, comprehensive law that regulates the privacy, collection, processing, and security of personal information. Federal laws, such as the Federal Trade Commission Act, the Gramm-Leach-Bliley Act, and the Health Insurance Portability and Accountability Act (HIPAA), may all come into play. Additionally, nearly all states have enacted their own laws that apply in the event of a data breach. In 2005, Pennsylvania enacted its own statute (the Breach of Personal Information Notification Act), which has far-reaching implications for businesses that maintain personal information about Pennsylvania residents.
Failure to comply with privacy and data security laws can also result in significant adverse consequences. Some studies have found that a company’s average cost for a data breach can exceed $5,000,000. Liability for a data breach can subject a business to stiff consequences, including:
- Government-imposed civil and criminal fines, penalties, and sanctions;
- Civil lawsuits and class actions from those affected;
- Damage to the company’s reputation, loss of customers’ confidence and trust, lost sales, and brand devaluation.
Fortunately, there are ways to minimize the risks of potential data breaches, which will be explored in other articles on the MLBMO Business Leader Resource Center.