Method of Reporting
The business must provide notice by mail , telephone , facsimile , or email . 6 Notice must be provided to each affected individual . If the business is required to report disclosure to 500,000 or more Indiana residents , the business can choose to provide notice by the above methods , or by using both conspicuous posting on the business ’ website and providing notice to major news reporting media in the area of the affected individuals ’ residences .
Required Information
The business must provide , generally , a description of the information accessed in the security breach and the date of access .
Most states have enacted various data breach statutes that require slightly different forms of reporting . Although each state generally requires the same information be reported to affected individuals , several states specifically prohibit providing certain information in the disclosure statement . For example , in Illinois a business cannot include information on the number of residents affected , and in Massachusetts the business cannot describe the nature of the breach . These may require residents of those states be sent a slightly modified notice ( from that sent to the majority of affected individuals ). Due to the complexities in the statutes of each state , it is recommended that any business attempting to draft a disclosure statement to notify affected individuals who are residents of multiple states seek expert guidance as soon as a breach is discovered .
Notice to Third Parties
As referenced above , a business that has revealed personal employee or consumer information of Indiana residents must report the breach to the Office of the Indiana Attorney General . Failure to report to the Office of the Indiana Attorney General is cause for legal action and fines of up to $ 150,000 per deceptive act . If the breach affected 1,000 or more Indiana residents , the business must provide notice to the three major credit reporting agencies :
• Equifax equifax . com or 1-800-525-6285
• Experian experian . com or 1-888-397-3742
• TransUnion transunion . com or 1-800-680-7289
Steps That Businesses can Take to Prevent Data Breaches
Unfortunately , there is no magic remedy to prevent data breaches . Most disclosures are inadvertent or the result of a targeted attack . However , there are steps that businesses can take to help prevent data breaches and inadvertent disclosure :
• Do not use “ autofill ” when drafting emails . If an individual has sent an email to a company account fraudulently using the name of an executive or official , the email platform may suggest the incorrect email address after an employee has typed the first letters of the name . Always type the full address , or hover the cursor over the suggested name to ensure the email address is correct .
• Make a phone call to any party requesting personal information by email . Phishing scams utilize email because of the ease of impersonating a person on that platform ( the email will often appear to be from a supervisory level person or officer – who might be less likely to otherwise be ‘ questioned ’). A quick confirmation phone call to the requesting party will reveal if the request was real or fake before the disclosure occurs . The more unusual the request , the more it should raise flags to the recipient .
28 Riley Bennett Egloff LLP - June2017