When it comes to record management and customer notifications, the legal requirements for businesses are vastly different from state-to-state. Take for example California, where businesses are required by law to immediately notify a state resident if his or her personal information has been acquired by an unauthorized user. Most states have similar laws. In Alabama, however, there is no state law requiring a business to notify customers of a data breach.
But only doing the bare minimum of what is legally required can still leave your business vulnerable to reputational harm, loss of customers and disruption of business processes that may prove catastrophic in the long run. Ask yourself this: If it were your data stolen, would you want or even expect to be notified?
What Constitutes a Customer or Employee Record?
In 2016, more than 4,000 data breaches exposed over four billion records. But what exactly are we talking about when we are referring to “records” that have been exposed?
In general, data collected on customers and employees falls into three basic categories:
- Health Information such as records from a doctor’s office or human resources department
- Banking Information such as credit card, debit card or bank account numbers
- Personally identifiable information (PII) or data that can identify the person, the person’s location or other private information
It is often this last category, PII, that causes the most confusion. The federal government and many states have taken a stab at clarifying what constitutes PII and these definitions vary wildly.