U.S. flag

An official website of the United States government

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

Manufacturing Innovation Blog

Powered by the Manufacturing Extension Partnership

Data Breach Notification Laws: How to Manufacture a Confident Response

By: Robert Barnes

Share

Data Breach Button on Computer Keyboard
Credit: iStock/GOCMEN

With the number of reported data breaches steadily increasing every year, they are in the news so frequently that it’s hard to keep them all straight. In 2017, Equifax suffered a massive breach, and almost 150 million customer records (representing nearly half the U.S. population) were stolen. In 2018, Marriott International experienced a breach where hundreds of millions of customer records – including personal information, credit card numbers and even passport numbers – were compromised.

Data breaches affect all types of organizations – large and small, popular and little known. While the big company breaches make the news, you rarely hear about smaller companies that are often vulnerable and can find themselves in the crosshairs of cybercriminals. Most involve some type of hacking, such as a phishing attacks or malware, where an attacker successfully gains access to protected or private information.

Data Breach Notification Laws – It’s Complicated

If your manufacturing company experiences a breach, what will you do? Should you notify law enforcement right away? Notify customers? Is there anyone else to inform? How long do you have?

The answers are complicated. While no comprehensive federal laws exist, each state and territory has its own data breach notification law. These laws require anyone that suffers, or even suspects, a breach to notify customers of anything involving personally identifiable information. The laws also require notifying law enforcement and taking specific steps to remedy the situation. But state laws vary considerably when it comes to the types of information covered, timing of notifications and reporting standards. Who must comply and what even constitutes personal data varies state to state. Adding to the complexity, requirements are also changing, with some states recently updating their laws.

How Much Time Do I Have to Report a Data Breach?

Most data notification laws require that businesses notify customers without unreasonable delay. The length of time varies by state and industry sector. When dealing with a data breach, manufacturers have competing responsibilities – to their company, to others in the industry, to customers and to law enforcement. There are even circumstances where law enforcement is investigating a breach and it must be temporarily concealed.

Prepare for Data Breaches Before They Happen

Treat data breach notification plans as you would any other disaster plan – don’t wait! Since there is no single, standard response to a data breach, U.S. manufacturers must understand the specific state and federal laws that apply to them. Manufacturers must consider the laws in all states where they conduct business.

Luckily, there are several excellent resources manufacturers can turn to for some clarity. Several organizations summarize state data breach laws, including National Conference of State Legislatures, IT Governance and Perkins Coie.

To ensure that your manufacturing company complies with data protection laws, you should stay aware of current regulations for your state and industry. A data breach will always be a stressful event. Awareness of your obligations and a plan in place can ease some of the stress – and help you avoid heavy fines. Here are some tips:

  • Identify the state and industry laws that cover your company
  • Document the data breach notification requirements that affect your company, along with the process(es) to meet those requirements in a worst-case scenario
  • Create a policy around the breach notification requirements that affect your company
  • If there are overlapping regulations, use the most stringent one for your company’s policy
  • Create draft notification letters and emails ahead of time
  • Create a clear communication strategy for data breaches and get it through your company’s legal and public relations departments ahead of time, if necessary

The MEP National Network is Ready to Help You

For help understanding your state’s data breach notification laws and other cybersecurity questions, you can reach out to one of the 51 MEP Centers, located in all 50 states and Puerto Rico, that are part of the MEP National NetworkTM.

Cybersecurity

About the author

Robert Barnes

Robert Barnes

Robert is currently an Administrative Assistant with the NIST MEP Extension Services Division (ESD). In addition to his normal duties, he assists the working group service leads with the coordination and running of meetings for the ESD working groups. Robert is a recent addition to the program and graduated from Virginia Tech with a degree in Interdisciplinary Studies, with focuses in Economics and International Studies. Robert is currently attending the University of Maryland Global Campus, working towards a Master’s Degree in Cybersecurity.

Related posts

Comments

Add new comment

CAPTCHA
Image CAPTCHA
Enter the characters shown in the image.
This question is for testing whether or not you are a human visitor and to prevent automated spam submissions.
Please be respectful when posting comments. We will post all comments without editing as long as they are appropriate for a public, family friendly website, are on topic and do not contain profanity, personal attacks, misleading or false information/accusations or promote specific commercial products, services or organizations. Comments that violate our comment policy or include links to non-government organizations/web pages will not be posted.