How to Respond to a Data Breach
The question isn't if your company will be the victim of a data breach, but when. Those were the sobering words of Martin Einstein, senior partner at Brann & Isaacson, a law firm that represents online and multichannel companies, at the American Catalog Mailers Association's (ACMA) Forum last week in Washington, D.C. Einstein addressed the crowd of direct marketers on what they can do to mitigate their risk and exposure to a data breach, as well as how best to respond in the unfortunate event that a breach does occur.
Citing recent examples of high-profile data breaches involving Target, Home Depot and TJX Companies (parent company of T.J. Maxx, Marshalls, HomeGoods, Sierra Trading Post), Einstein noted that there's no federal law governing data security. There are 47 individual state laws that retailers need to be in compliance with, and nexus is not a defense. You need to be in compliance with the privacy laws of where your customers live, not just the state where your company is headquartered.
Where it becomes tricky is that there's no uniformity across the state laws, Einstein noted. For example, in Massachusetts retailers cannot describe the nature of a breach when notifying the state's attorney general and affected customers, yet in Maryland the law says that retailers must describe the nature of the breach when notifying the state's attorney general and affected customers. To help with the confusion, Einstein suggested that retailers have a templated letter ready to go for each state (with inserts for common info). State laws also differ in many cases around notification requirements - timing, method (email, mail), what constitutes "personally identifiable information," etc.
Costs of a Data Breach
A data breach can take a tremendous financial toll on your business. Here are just some of the costs associated with a breach identified by Einstein: