Even with a solid data security plan, data can still be lost or stolen. Forty-four states, the District of Columbia, and Puerto Rico have laws that require businesses to notify users if their data is lost or stolen. Every company and online service that conducts business nationwide needs to know how it will quickly and effectively inform users in the event of a data breach.
ChoicePoint: Being targeted by identity thieves who obtained personal data about 163,000 individuals was bad enough, but ChoicePoint compounded its own injury by initially notifying only victims who happened to live in California, the sole state at the time with a law mandating notification in the event of data loss. The ensuing public outcry forced ChoicePoint to notify all affected individuals, but not before its reputation was further tarnished.
- Notify users promptly. Prompt notification is often crucial to allow users to prevent identity theft and other consequences of data loss before they occur. The costs to your users and the erosion of their trust vastly outweigh any benefits of delaying notification until required by law.
- Clearly explain what happened. Let users know what happened to their data, what you are doing to fix the problem, and how they can protect their credit. By being forthright about the problem and offering clear guidance and assistance to your users about how they can protect and monitor their credit, you will reassure them that you take your business responsibilities—and their privacy—seriously. Many users have actually reported feeling more secure once they saw the positive way that a company responded to a data breach.
- Contact all relevant institutions. In the event of a data breach, you may need to contact law enforcement officials, banks, credit payment processors, and credit agencies. Generate a list of institutions to contact ahead of time so that you will be prepared if disaster strikes.
- Repair your reputation. Offer free credit monitoring to your users, where appropriate. LexisNexis, Horizon Blue Cross Blue Shield of New Jersey, and the US Department of Agriculture all offered free credit monitoring after data breaches and received favorable press attention for making an effort to redress the harms to their users.