Data Breach: What Businesses Have to Report

The Texas Hospital Association recently described the “security of information” as the number one concern for hospital CEOs in Texas. We all understand a hospital or doctor is required to notify you if your health information is breached. But what about small businesses: should information security be the number one concern? Or at least in the top five?

Any business which either owns or maintains its customers’ personal information, no matter the business’s size, is required to immediately report a breach either as soon as the breach occurs or whenever the business has been notified of it. Each state defines protected personal information differently. In Texas, personal information includes the following: name (first and last or first initial and last); social security number; date of birth; maternal data such as mother’s maiden name; government-issued IDs; biometric data; unique computerized ID, routing codes, or addresses; financial account information; credit card or debit card (as well as all passwords and PINs); personal information relating to physical or mental health; and healthcare payment history.

A business which has experienced an information security breach is required to immediately provide notification unless law enforcement determines the notice will hinder a criminal investigation. Notice generally must be submitted in written form, though notice can be delivered in electronic format if it complies with relevant federal regulations, which include obtaining affirmative consent by the consumer as well as a lengthy statement. However, if providing written notification would cost over $250,000, would go to over 500,000 individuals, or you have insufficient contact information, you may make the notifications by email. If possible, a traditional letter is the safest way to notify your consumers their personal information may have been compromised.

Failure to properly notify a customer of a data breach involving their personal information may expose you to liability for penalties ranging from $2,000 to $50,000 per violation. Prompt notification is therefore vital, because every day that goes by without taking reasonable action to notify affected individuals may result in increased penalties.