Your Washington Small Business Was Hacked: What Should You Do About Your Customers’ Stolen Data?
All over television news and the Internet there are disclosures of major corporations having been hacked, with data compromised for millions of their customers. Once the news is out, the victim company’s CEO goes on television to apologize and, of course, to promise to do better. Ads appear in newspapers, and mass emails are sent to customers to explain how this will never happen again. Across the board price discounts are offered to bring customers back.
But what if it is your small business that has been hacked? You probably won’t be interviewed on national television, and you probably don’t have the financial resources to hire professional media consultants for damage control and to “spin the message.” What must you do, and what can you do?

The Legal Side. While there is no general federal data breach law at the present time, if you do business on a national basis, you may have to comply with the laws of the states where your customers reside. Currently there are over 40 states that have laws regarding notice of disclosure of protected personal information. These state laws are not all the same, so if your business is hacked and you do a lot of interstate business, you may be subject to several of them, and you should seek the counsel of an attorney to help you navigate those waters.
- Washington State Laws. In Washington, as in many states, your obligations depend on the type and condition of the information that was stolen by the cyber-crooks. Once you determine what was stolen, and whether the data was encrypted, your obligations can range all the way from being required to notify governmental regulators and provide mandatory notices to your customers, to being legally required to do very little.
The substance of the law (RCW 19.255.010, et al.) requires that any person or entity conducting business in this state that owns, licenses or maintains computerized data including personal information must, following discovery or notification of a breach of the security of the data, disclose the breach to any resident of this state whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. The disclosure must be made in the most expedient time possible and without unreasonable delay.
“Personal information” means an individual’s first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted: (a) social security number; (b) driver’s license number or Washington identification card number; or (c) account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account. “Encryption” is an added element of protection of the data itself that is included in a computer file beyond the normal “user name and password” methods of restricting access to the file.
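As a first-pass triage aid for an incident response team, the following Python is an added example (not part of the article, and not a tool from any firm or agency it mentions). It applies the definition quoted above literally to a constructed set of stolen records: a record triggers the Washington notice duty only when a name is present together with at least one listed data element, element (c) counts only when the account number is paired with the code or password that permits access, and a fully encrypted record never qualifies. The record model, field names and sample rows are assumptions made for the example; residents of other states whose records meet the same definition are set aside for review under their own state laws, as the article advises.

```python
from dataclasses import dataclass


@dataclass
class BreachedRecord:
    """One row from a compromised data store (constructed model, not from the article)."""
    record_id: str
    wa_resident: bool
    has_name: bool                     # first name or initial plus last name present
    name_encrypted: bool = False
    ssn: bool = False                  # element (a)
    drivers_license: bool = False      # element (b): driver's license or WA ID card number
    account_number: bool = False       # element (c), part 1
    access_credential: bool = False    # element (c), part 2: code/password permitting account access
    elements_encrypted: bool = False   # were the data elements stored encrypted


def qualifying_elements(rec: BreachedRecord) -> list[str]:
    """Data elements from the statutory list that are present in this record.
    Element (c) only counts when the account number is paired with the
    security code, access code or password that permits account access."""
    elems = []
    if rec.ssn:
        elems.append("ssn")
    if rec.drivers_license:
        elems.append("drivers_license_or_wa_id")
    if rec.account_number and rec.access_credential:
        elems.append("financial_account_with_credential")
    return elems


def is_personal_information(rec: BreachedRecord) -> bool:
    """Literal reading of the quoted definition: a name in combination with at
    least one listed element, when either the name or the elements are not
    encrypted. A record that is encrypted on both counts never qualifies."""
    if not rec.has_name or not qualifying_elements(rec):
        return False
    return (not rec.name_encrypted) or (not rec.elements_encrypted)


def triage(records: list[BreachedRecord]) -> dict[str, list[str]]:
    """Sort breached records into three buckets: Washington residents covered by
    the RCW 19.255.010 notice duty, residents of other states whose records meet
    the same definition (their own state laws may apply), and records that do
    not meet the definition at all."""
    result: dict[str, list[str]] = {"notify_wa": [], "review_other_state": [], "no_trigger": []}
    for rec in records:
        if not is_personal_information(rec):
            result["no_trigger"].append(rec.record_id)
        elif rec.wa_resident:
            result["notify_wa"].append(rec.record_id)
        else:
            result["review_other_state"].append(rec.record_id)
    return result


# Constructed sample of stolen records (not real data).
SAMPLE_RECORDS = [
    BreachedRecord("r1", wa_resident=True, has_name=True, ssn=True),                         # name + SSN, nothing encrypted
    BreachedRecord("r2", wa_resident=True, has_name=True, account_number=True),              # account number without credential
    BreachedRecord("r3", wa_resident=True, has_name=True, name_encrypted=True,
                   ssn=True, elements_encrypted=True),                                       # name and SSN both encrypted
    BreachedRecord("r4", wa_resident=True, has_name=True, drivers_license=True,
                   elements_encrypted=True),                                                 # name in the clear, element encrypted
    BreachedRecord("r5", wa_resident=False, has_name=True, account_number=True,
                   access_credential=True),                                                  # out-of-state resident
    BreachedRecord("r6", wa_resident=True, has_name=False, ssn=True),                        # SSN with no name attached
]

if __name__ == "__main__":
    for bucket, ids in triage(SAMPLE_RECORDS).items():
        print(f"{bucket}: {ids}")
```

Running the block prints r1 and r4 under `notify_wa`, r5 under `review_other_state`, and r2, r3 and r6 under `no_trigger`; the encryption flags are the inputs worth validating most carefully during the investigation the article recommends, since they alone move a record between buckets.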
- Protected Health Information. A special category of personal information is Protected Health Information (“PHI”). In the event that you believe PHI has been stolen or disclosed, the provisions of the Health Information Privacy and Portability Act of 1996, as amended (“HIPAA”), and the Health Information Technology for Economic and Clinical Health Act of 2009 (“HITECH”) are likely to apply, as well as state healthcare information privacy laws. In the state of Washington, health information privacy laws are principally found at RCW 70.02. The notice and disclosure provisions of the federal and state laws are complex and are outside the scope of this article. However, you should be aware that, depending on the size and nature of the unauthorized disclosure of PHI, the federal laws may obligate you to contact the U.S. Department of Health and Human Services and to provide notices to those affected. You will likely be required to comply with any government regulator’s findings and directives after its investigation, and you could be subject to significant fines. In this situation, consulting with a health care law attorney who is knowledgeable regarding these federal and state privacy laws is highly advisable.
The Non-Legal, But Practical Side.

Separate and apart from your legal obligations is the critical concern of treating your customers well under what are, to say the least, difficult circumstances. Here, communication is key. According to the National Cyber Security Alliance, “Maintaining trust in a crisis is the best way to hold on to your customers.” The fact is, you are a victim, too. If you demonstrate that you are doing the right things to help your customers, they will be more understanding than if you are secretive or perceived to be withholding valuable information. Examples of things you can do:
- First, spend the time, and money if need be, to conduct a thorough investigation of what happened. Understand how the hackers got in and have detailed knowledge of who was affected. This will help you communicate with your customers and instill confidence that you are on top of things.
- If the data theft is significant, consider communicating with the local office of the FBI’s InfraGard coordinator: (206) 622-0460.
- For at least the first several months after the hack, establish and staff a toll-free telephone number where customers can call in and talk to a live person about their situation.
- Consider preparing a Frequently Asked Questions (“FAQ”) page on your company website that will be easy to access, provide important information, and can remain in place after the toll-free telephone line is no longer provided.
- If you can afford it, offer free credit monitoring for as long a time period as you can manage. The big companies do it, and it offers your customers a sense that you are doing everything you can to help them in an unfortunate situation for everyone.
- Consider purchasing Cyber Breach Insurance. It is now readily available and it could save you a lot of money in the long run, not to mention the peace of mind it may offer you today.