ADVISORY
MHM (Mayer Hoffman McCann P.C.) is an independent CPA firm that is a member of Kreston International Limited, a global network of independent accounting firms.
Learn more at www.mhmcpa.com
Our roots run deep
Information security incidents involving personally identifiable information and other sensitive organizational
data are almost inevitable in the current environment. Organizations across the world reported more than
100,000 incidents in 2015, according to the Verizon 2016 Data Breach Investigations Report.
7 Ways to Strengthen Cybersecurity:
Know Your State Notification Laws
The frequency with which incidents occur makes it
essential that your organization be prepared to address
its cybersecurity and information security risks. Earlier
editions of our 7 Ways to Strengthen Cybersecurity series
covered how incidents frequently arise, the types of
attacks that may occur and what can be done to prevent
them. Responding to an incident is also essential. After
the cybersecurity breach has been stopped, you will
be faced with how to communicate what happened
to the parties affected by the breach. Who needs to
be contacted, and when, may vary depending on your
physical location.
State Reporting Obligations
According to the National Conference of State
Legislatures, 47 states have information security incident
legislation. State laws affect all types of organizations,
from private and public companies to not-for-profit
organizations and governmental entities. Laws vary
by state, but typically define when a breach has
occurred, the timing and/or method of the notice and
who must be included in the breach notification.
Organizations need a clear idea of the state
requirements in each jurisdiction in which they
operate. Most state laws apply to organizations that
conduct business within the state or that own or license
computerized data that includes personal information
about residents of the state.
Define Incidents That Are Security Breaches
Once you have determined the state notification laws
that apply, you must then understand the definitions
of security breaches by state. The definitions are fairly
nuanced. Alaska, Hawaii and Louisiana, for example,
define security breach both as incidents where
unauthorized access has occurred and incidents where
there is reasonable belief that a breach occurred. States
including California, Missouri and Illinois (effective
January 1, 2017) include medical information in
the type of data compromised that would indicate a
security breach. Arizona’s law defines security breach
as the unauthorized access of unencrypted data
that, if compromised, would lead to economic loss to
the individual. The law in Kansas stipulates that the
unauthorized access to unencrypted data must have
the potential to cause identity theft in order for the victim
organization to be subject to the notification laws.
Evaluate What Else May Be Affected by the Law
The extent that an organization’s third parties are
covered by the notification requirements also varies.
In Maine, third-party claim databases maintained by
property and casualty insurance providers are excluded
from the notification requirements. Most states require
a third party that maintains data on behalf of
another entity to notify the owner or licensee of the
data if a security breach has occurred, because the
owner/licensee of the data will be subject to
the breach notification laws. Third parties in Florida have
a 10-day time limit to notify the owner of the data.
© Copyright 2016. Mayer Hoffman McCann P.C. All rights reserved.
Timing and Form of the Notifications
Timing is essential with notification laws. Many states put
specific time limits on when the individuals whose data
were compromised must be notified. Regulations in states
including Ohio, Tennessee and Rhode Island give
breached organizations 45 days after the discovery of a
breach to notify affected parties. Other states have more
general guidelines, including “without unreasonable delay”
and “as soon as expedient.”
State Attorneys General may also need to be notified
in some scenarios. With some laws, including those of
California, Hawaii and Missouri, the Attorney General gets
involved when the number of affected individuals reaches
a threshold. Florida requires notification to the Florida
Department of Legal Affairs if more than 500 people are
affected. Organizations subject to Nebraska requirements
only notify the state Attorney General if the breach was
likely to have caused harm to individuals. States including
Colorado, Arizona and Kansas do not require the Attorney
General to be notified.
Penalties
How penalties are assessed for noncompliance with state
notification laws also varies by state. Some states opt for a
flat penalty per breach. In Arizona, it is up to $10,000 per
breach or series of similar breaches discovered in a single
investigation. Florida takes a more stringent approach and
treats a violation as it would an unfair or deceptive
trade practice. Organizations that fail to meet the notification
requirements could face civil penalties of up to $50,000 for
each 30-day period after the first 30 days, up to a total of
$500,000. California allows individuals affected by the breach
to seek financial relief from the organization that was
breached; many states do not allow a private cause of action.
The bottom line is that following the specific requirements
for alerting relevant parties to the breach is essential
to minimizing your risk of penalties. There is no one size
fits all with notification laws, so a careful evaluation
of the jurisdictions that may be affected by a breach
is highly recommended. If you have any specific
comments, questions or concerns about the aftermath
of a cybersecurity or information security breach, please
contact us.
If you have any specific questions, comments or
concerns about this topic, please contact:
James Comito
Professional Standards Group
jcomito@cbiz.com | 858.795.2029
