7 Tips About Data Breach Prevention and Cybersecurity for Small Businesses

We see it in the news on a regular basis. Major corporations like Anthem, eBay, Sony Pictures, and Target have all suffered major data security breaches. But these breaches don’t only happen to major businesses. Companies of all sizes are targets. Sometimes, smaller companies are even bigger targets because protections may be lax.

So how do businesses of all sizes go about data breach prevention and cyber security? Here are seven tips to strengthen your business against a data breach.

1. Train employees and users on data breach prevention

Human error is the leading cause of breaches. The easiest way for an attacker to get into your network is by preying on an employee who doesn’t recognize the risk. Whether through a malicious email attachment or a document downloaded from an untrustworthy source, there are many simple phishing attempts that can lead to a data breach. The key to prevention is teaching your employees how to avoid these common mistakes. Also, include a technology protocol section in your employee handbook where your team can easily access it. This section should cover the proper steps to take to protect your technology, especially anything that could be considered a trade secret or private customer/client information and data.

2. Store customer data in an encrypted database

Another tip for data breach prevention is to use a secure database and encrypt any items containing customer/client information or trade secrets. Encryption converts that information into an unreadable form that can only be restored with the proper key, which prevents unauthorized access to the stored data. A common example of this process is the one used when you make an online purchase. Once you enter your payment information on an ecommerce website and it has been approved, your information is encrypted before it is stored on the website. When you later go back to the website to make another purchase from your account, your information is ready to use.

3. Improve cybersecurity with two-factor authentication

Two-factor authentication adds an extra layer of protection when logging into a website. After a user inputs the required login and password, an extra step asks the user for another piece of information that only he or she would have. For example, a text message with a one-time code may be sent to the user’s phone, which is tied to the account. Two-factor authentication is especially important for data breach prevention if your business has devices that go in and out of the office, such as tablets or laptops, because it helps keep accounts secure in the event a device is lost or stolen.

4. Install malware detection software on both servers and workstations

Each workstation inside your business, as well as any servers, needs to have malware detection software installed to help with data breach prevention. The detection software prevents malware from being installed. Malware can be hidden in a variety of formats, so the detection software scans each item to ensure its safety. There are a variety of different software packages available for businesses, depending on the level of security needed.

5. Perform regular vulnerability checks

It’s critical that you perform regular vulnerability checks to minimize the risk and prevent data breaches. For example, it’s important that firewall configurations be reviewed regularly with penetration testing, to make sure only trusted networks are given access. Keeping your malware protection software and its updates current is part of this process as well. There are programs that can run regular checks, or you can look to a third-party IT company for assistance. It’s also important that you continue to test and train employees through simulated phishing emails to ensure they stay vigilant.

6. Require frequent remote data backups

Whether routinely completed in the cloud or on an external hard drive, remote data backups ensure that a copy of your data is stored securely. A routine backup gives you a reference point if your data is breached in the future. Most backup providers allow you to pick the frequency of the backup, the time of day it occurs, and what level of detail you would like to store.

7. Have a disaster plan ready in case of a data breach

Protecting your business against a data breach is an ongoing process. Under the Michigan Identity Theft Protection Act, in the event of a data breach that is likely to cause harm or result in identity theft, a business must provide notice of the security breach to each affected Michigan resident, to customers and vendors affected by the breach, and to consumer reporting agencies. Keep in mind that the notifications must be precise and meet certain statutory requirements.

Unfortunately, even with planning, a cyberattack can still happen. Be prepared by having a disaster plan ready, and be sure to include the proper steps for employees to take both during and after an attack. Review the plan as an internal team frequently to ensure that everyone has a clear understanding of timelines and responsibilities. Time is of the essence during a data breach, and having a disaster plan prepared will make that stressful time more efficient.

To learn more, contact an attorney at Fraser Trebilcock at 517.482.5800.


Your IT Technician Has Just Informed You That Your Business Has Suffered a Data Security Breach… Now What Should You Do?

Data breach incidents continue to make headlines. The Yahoo data security breach—affecting more than one billion accounts—announced late last year is a recent example. Data security breaches affect companies of all sizes, and any company that maintains an electronically stored database containing personal information—such as credit card numbers, driver’s license numbers, or Social Security numbers—is susceptible to a data security breach and identity theft.

If you have been informed that your business has been the victim of a data security breach, you will need to follow the breach notification requirements in Michigan’s Identity Theft Protection Act (the “Act”). This post outlines the steps you should consider if your business has suffered a data security breach.

Step 1: Determine the extent of the breach and what harm may result from the breach.

Under the Act, a business that discovers a security breach of personal information must provide notice of the security breach to each affected Michigan resident, unless the business can establish that the security breach is not likely to cause substantial loss or injury to, or result in identity theft with respect to, one or more Michigan residents. Personal information means the first name or first initial and last name of a Michigan resident linked to one of the following elements: i) Social Security number; ii) driver’s license or state identification card number; or iii) bank account or credit card number combined with an access code that would permit access to any of the financial accounts.

In order to determine whether a security breach is likely to cause injury to, or result in loss or identity theft to a Michigan resident, the Act requires that a business must act with the care that an ordinarily prudent person in like position would exercise under similar circumstances. In other words, once you have determined that a security breach has occurred, you should immediately begin a thorough, reasonable investigation into the security breach before concluding that harm is unlikely.

Step 2: You have determined that a breach has occurred. How should you notify your customer or contacts?

Once you have determined that a data breach has occurred, you will need to provide notice to customers and vendors affected by the breach. The form of notice you must give—written, electronic written, phone, or substitute notice—is largely determined by the relationship between you and your customers and vendors—the intended recipients of the notice.

Written notice. The most common and simplest form of notice you may use is written notification sent to the recipient’s postal address on file in your records.

Email notice. The written notice may be sent in electronic format if you can show that any of the following three conditions is met: 1) the recipient has expressly consented to receive electronic notice; 2) you conduct your business primarily through the internet; or 3) you have an existing relationship with the recipient that includes electronic mail communications, and, as a result of those communications, you reasonably believe you have the recipient’s current electronic mail address. MCL 445.72(5)(b)(i-iii).

Phone notice. If not prohibited by state or federal law, you may make notification by phone if the following two requirements are met: 1) the notice is not given in whole or in part by recorded message, and 2) the recipient has expressly consented to receive notice by phone, or, if the recipient has not expressly consented, you also provide written or electronic written notice if the notice by phone does not result in a live conversation between you and the recipient within 3 business days after the initial attempt at phone notification.

Substitute notice. If you determine that the cost of providing notice as described above exceeds $250,000.00 or that the notice must be provided to more than 500,000 residents of Michigan, you may provide substitute notice by doing all of the following: 1) providing electronic notice to all residents for whom you have an electronic mail address; 2) if you have a website, conspicuously posting the notice on that website; and 3) notifying statewide media, which must include a telephone number or website address that an individual may use to obtain additional information and assistance.

Step 3: You have identified recipients that require notification and have obtained their contact information. What information should the notification contain?

Any notifications you send out must meet all of the following requirements: 1) The notice must be written in a clear and conspicuous manner or clearly communicated; 2) You must describe the security breach in general terms; 3) You must describe the personal information that is subject to the breach; 4) If applicable, describe in general terms what you have done to protect the recipient’s data from further security breaches; 5) Include a telephone number where a notice recipient may obtain additional information or assistance; and 6) Remind notice recipients of the need to remain vigilant for incidents of identity theft and fraud.

Step 4: You have notified affected customers and vendors of the data breach. Do you have to meet any additional notice requirements?

After you have provided notice to individual recipients, you must also notify consumer reporting agencies of the breach without unreasonable delay. The notice you provide to consumer reporting agencies, which are defined in 15 USC 1682a(p), must include the number of notices that you have provided to residents of Michigan as well as the timing of those notices.

In some limited circumstances you may not be required to notify consumer reporting agencies of the data breach. Notification to consumer reporting agencies is not required if: 1) the breach affected 1,000 or fewer residents of Michigan, or 2) your business is a financial institution subject to Title V of the Gramm-Leach-Bliley Act (governing treatment of nonpublic personal information about consumers by financial institutions).

Limited exceptions to the notification requirements through compliance with federal regulations.

The Act carves out limited exceptions to the notification requirements for certain businesses complying with specific federal regulations. For example, a financial institution with notification procedures in place that are subject to interagency guidance prescribed by the Federal Reserve System and other federal bank and thrift regulatory agencies is considered to be in compliance with the Act. Similarly, a business that is subject to, and complies with, the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and its attendant regulations is considered to be in compliance with the Act.

Penalties for failing to provide notification of a data security breach.

If you do not provide the notification required by the Act, the attorney general or a prosecuting attorney may seek a civil fine of not more than $250.00 for each failure to provide notice. The aggregate liability for multiple violations of the statute cannot exceed $750,000.00 for the same security breach.

Conclusion

Michigan’s Identity Theft Protection Act is complex, and the consequences of failing to comply with the statute’s notification requirements can be significant.

This article is a brief summary of a law. Readers should not rely on the contents of this article as it is not legal advice. Anyone affected by the law should seek competent counsel. To find out more about the laws concerning data breaches, contact Fraser Trebilcock at 517.482.5800.