Breach Notification Services
Can my organization have a Data Breach?
Nearly every organization collects and stores Personally Identifiable Information (PII): any information that can identify an individual and that could be used for identity theft or fraud. Every business holds PII, received from customers, employees, and vendors, and it is usually found in every department. It can be as obvious as a credit card number, Social Security number, email address or phone number. This data can be stored on paper (medical charts, printed invoices, paper checks, personnel files) or electronically (your bookkeeping program, PDFs, saved emails). Improper safeguarding of that personal data can cost your company time and money, damage your reputation, and in some cases violate the law. Your responsibility for data protection covers all paper records and electronic files containing PII.
How do Data Breaches Occur?
Data breaches occur in many ways. Most physical incidents involve the theft of devices such as laptops, cell phones and storage media, or stolen, lost or misplaced paperwork. Employees are increasingly encouraged to work on the go, but if they do not keep an eye on their assets, an opportunistic thief can easily take them. Criminal hacking is another top cause of data breaches, and ransomware, malware and phishing are further ways to lose sensitive data.
Who has had recent Data Breaches?
- Facebook: 540 Million Records Exposed
- Marriott: 500 Million Guests
- eBay: 145 Million users
- Home Depot: 56 Million
- City of St Petersburg, Florida: 28,000 consumers
- South Carolina Dept. of Revenue: 6 million people
- Health First: 42,000 customers
- Some Others: Panera Bread, PDQ Restaurant and Chili’s Grill & Bar
What would you do if your organization had a Data Breach?
If a data breach at your organization is suspected, is your company prepared to deal with the incident? Do you have the proper protocols in place, and a designated contact to report to immediately?
The Stevens & Stevens data privacy offering includes CSR Readiness® Pro Edition, a data privacy compliance service with two parts: the CSR Readiness Privacy Assessment, a PROACTIVE solution that enables small to medium size businesses (SMBs) to assess their privacy procedures and safeguards and presents suggested improvements for the areas the program identifies as deficient, and the REACTIVE CSR Breach Reporting Service.
SSBRM will provide the Client with the CSR Breach Reporting Service 24-hour toll-free number to reach CSR Privacy Experts in the event of a suspected or actual data breach. CSR's Certified Privacy Experts (Certified Information Privacy Professionals, CIPP) will assess your incident. If it is a reportable event, CSR will file all necessary documents with all required state and federal agencies (or the appropriate international bodies). If customer data is involved, they will guide you through the delicate notification process.
The SSBRM Readiness Pro Edition, powered by CSR, will help your business reduce the risk of a data breach, and in the event of an actual or suspected breach, CSR takes the headache and hassle out of the legal requirements to report the loss or breach of PII to an ever-increasing number of authorities, as well as the mandated notification to your customers.
How it works for the Breach Reporting Service
Watch CSR’s Breach Reporting Service Video
Learn why reporting and notification is mandatory, how the service works, and who the experts are behind it.
Important to know: when reporting a breach, the customer calls and leaves a detailed message for CSR. Within 2 hours a CSR Representative will contact you regarding the incident.
Mandatory PII Security Program for Florida:
FLORIDA: FLA. STAT. § 501.171(2), REQUIREMENTS FOR DATA SECURITY: Each covered entity and its third-party agents must take reasonable measures to protect and secure data in electronic form containing personal information.
Related Statutes and Laws:
- FL STAT § 282.318 INFORMATION TECHNOLOGY SECURITY ACT
- FL STAT § 322.143 USE OF A DRIVER LICENSE OR IDENTIFICATION CARD
- FL STAT § 408.051 FLORIDA ELECTRONIC HEALTH RECORDS EXCHANGE ACT
- FL STAT § 501.171 SECURITY OF CONFIDENTIAL PERSONAL INFORMATION
- S.C. CODE § 39-1-90 BREACH OF SECURITY OF BUSINESS DATA; NOTIFICATION; DEFINITIONS; PENALTIES; EXCEPTION AS TO CERTAIN BANKS AND FINANCIAL INSTITUTIONS; NOTICE TO CONSUMER PROTECTION DIVISION
- S.C. CODE § 37-20-180 RESTRICTIONS ON PUBLICATION AND USE OF SOCIAL SECURITY NUMBERS; EXCEPTION
- S.C. CODE § 37-20-190 REQUIREMENTS FOR DISPOSITION OF BUSINESS RECORDS; EXCEPTIONS
- S.C. CODE §§ 38-99-10 – 38-99-100 SOUTH CAROLINA INSURANCE DATA SECURITY ACT
- S.C. CODE § 59‑1‑490 SOUTH CAROLINA DEPARTMENT OF EDUCATION DATA USE AND GOVERNANCE POLICY
- S.C. CODE §§ 44‑115‑10 – 44‑115‑140 PHYSICIANS’ PATIENT RECORDS ACT
- N.C. GEN. STAT. §§ 75-60 – 75-66 IDENTITY THEFT PROTECTION ACT. REFERENCED CITATIONS WITHIN THE IDENTITY THEFT PROTECTION ACT:
- N.C. GEN. STAT. § 75-1.1
- N.C. GEN. STAT. § 14-113.8(6)
- N.C. GEN. STAT. § 14-113.20(B) DEFINING THE TERM “IDENTIFYING INFORMATION”
- N.C. GEN. STAT. § 58-2-105 CONFIDENTIALITY OF MEDICAL AND CREDENTIALING RECORDS
- N.C. GEN. STAT. § 58-39-45 ACCESS TO RECORDED PERSONAL INFORMATION
- N.C. GEN. STAT. § 58-39-75 DISCLOSURE LIMITATIONS AND CONDITIONS
- N.C. GEN. STAT. § 132-1.10 SOCIAL SECURITY NUMBERS AND OTHER PERSONAL IDENTIFYING INFORMATION
- O.C.G.A. §§ 10-1-910 – 10-1-912 NOTIFICATION REQUIRED UPON BREACH OF SECURITY REGARDING PERSONAL INFORMATION
- O.C.G.A. § 10-1-393.8 PROTECTION FROM DISCLOSURE OF AN INDIVIDUAL’S SOCIAL SECURITY NUMBER
- O.C.G.A. §§ 10-15-1 – 10-15-7 DISPOSAL OF BUSINESS RECORDS CONTAINING PERSONAL INFORMATION; HANDLING OF RECEIPTS FOR CREDIT CARD TRANSACTIONS; PROHIBITED ACTIVITIES INVOLVING MAGNETIC STRIP OR STRIPE ON PAYMENT CARD
- O.C.G.A. §§ 20-2-660 – 20-2-668 STUDENT DATA PRIVACY, ACCESSIBILITY, AND TRANSPARENCY ACT
- O.C.G.A. §§ 31-33-1 – 31-33-8 HEALTH RECORDS
- O.C.G.A. § 33-24-57.1 HEALTH INSURANCE IDENTIFICATION CARD; ISSUE REQUIRED; CONTENTS; UPDATING; SOCIAL SECURITY NUMBERS NOT TO BE DISPLAYED
- O.C.G.A. § 46-5-214 ACTION IN EVENT OF TELEPHONE RECORD SECURITY BREACH