We’ve known for a long time that websites that collect user information need a privacy policy. We also know that in the U.S., at least, the laws on protecting information that isn’t medical records or financial records are pretty, well, non-existent. You can do a lot with consumer information, as long as consumers are made aware of what you’re doing and they aren’t lied to, and as long as you use some basic, non-negligent best practices to make sure the information stays locked up. But what about the times when, despite our very best intentions and even our best practices, we can’t keep our users’ information safe? What about when there’s a breach?
Target. Home Depot. Citibank. Wyndham Hotels (first in 2012, and again in 2015). If your data hasn’t been compromised, then you must not have any. But breaches happen to all sizes of companies, whether it’s hackers coming in with Trojan horses, or a recently fired employee walking out the door with a Memory Stick. And legislators are starting to get interested in how best to protect their citizens when (not if) this happens. Of course, these legislators are in 50 different states, and as of yet we’re not seeing model legislation. But what we are seeing are aggressive laws.
YOU NEED A DATA BREACH POLICY.
In June of last year, Florida passed a state law that is certainly meant to keep Floridians and their personal information safe from prying eyes, but in actuality places new obligations on every company that has data from customers or users who reside in that state. When a breach has taken place affecting Floridians, the Attorney General of Florida is entitled to ask the breached company for all manner of information about how it handled the breach, including a copy of the company’s breach policy. If the company does not have a breach policy when asked, the fines can run up to half a million dollars.
Sure, the Florida law may be overreaching and who knows if it’s constitutional, but do you really want to bet your company’s cash on it? Get a policy. It doesn’t have to be five hundred pages. It should clearly document who needs to be notified of a breach, what steps the company will take to try to plug the leak, who is responsible for preparing notices to customers and to authorities if necessary, and that the company will contact a privacy professional to determine what the notice requirements are in each of the 50 states.
Of course, Aaron | Sanders PLLC is happy to help you craft one that will comply with the Florida law and will be a manageable response procedure for your company. And you really need one of these things. You can read the statute and get some good guidance about how to draft one. Or you can call us. Just get one.