With the number of reported data breaches steadily increasing every year, they are in the news so frequently that it’s hard to keep them all straight. In 2017, Equifax suffered a massive breach, and almost 150 million customer records (representing nearly half the U.S. population) were stolen. In 2018, Marriott International experienced a breach where hundreds of millions of customer records – including personal information, credit card numbers and even passport numbers – were compromised.
Data breaches affect all types of organizations – large and small, popular and little known. While the big company breaches make the news, you rarely hear about smaller companies that are often vulnerable and can find themselves in the crosshairs of cybercriminals. Most involve some type of hacking, such as a phishing attacks or malware, where an attacker successfully gains access to protected or private information.
If your manufacturing company experiences a breach, what will you do? Should you notify law enforcement right away? Notify customers? Is there anyone else to inform? How long do you have?
The answers are complicated. While no comprehensive federal laws exist, each state and territory has its own data breach notification law. These laws require anyone that suffers, or even suspects, a breach to notify customers of anything involving personally identifiable information. The laws also require notifying law enforcement and taking specific steps to remedy the situation. But state laws vary considerably when it comes to the types of information covered, timing of notifications and reporting standards. Who must comply and what even constitutes personal data varies state to state. Adding to the complexity, requirements are also changing, with some states recently updating their laws.
Most data notification laws require that businesses notify customers without unreasonable delay. The length of time varies by state and industry sector. When dealing with a data breach, manufacturers have competing responsibilities – to their company, to others in the industry, to customers and to law enforcement. There are even circumstances where law enforcement is investigating a breach and it must be temporarily concealed.
Treat data breach notification plans as you would any other disaster plan – don’t wait! Since there is no single, standard response to a data breach, U.S. manufacturers must understand the specific state and federal laws that apply to them. Manufacturers must consider the laws in all states where they conduct business.
Luckily, there are several excellent resources manufacturers can turn to for some clarity. Several organizations summarize state data breach laws, including National Conference of State Legislatures, IT Governance and Perkins Coie.
To ensure that your manufacturing company complies with data protection laws, you should stay aware of current regulations for your state and industry. A data breach will always be a stressful event. Awareness of your obligations and a plan in place can ease some of the stress – and help you avoid heavy fines. Here are some tips:
For help understanding your state’s data breach notification laws and other cybersecurity questions, you can reach out to one of the 51 MEP Centers, located in all 50 states and Puerto Rico, that are part of the MEP National NetworkTM.