The recent Equifax data breach has prompted many of us individually to try to protect our identities from theft and misuse.
For small businesses, the risks associated with data protection are exponentially greater than those for individuals, because each business must protect its own data, the data of its employees and the data of its customers and everyone else with whom the business conducts transactions.
Businesses are strictly liable to protect the “personal information” of their customers and employees in Ohio. “Personal information” is defined as the person’s name and any one or more of the following pieces of information: Social Security number, driver’s license number, any account number or any credit or debit card numbers with passwords, security codes or access codes that would together permit access to an account.
If a non-bank business becomes aware that personal information of an Ohio resident has been accessed or reasonably could have been accessed (if a firewall or other protection method failed for any substantive period of time, even if there is no proof that personal information was actually accessed during that time), the business must inform every affected person of the risk through personal phone calls, emails or letters delivered “in the most expedient time possible.” The most expedient time possible may be only a few days or weeks, but it can never be interpreted to be longer than 45 days after the business became aware of the breach or failure of the business’s data security system.
Some very small businesses (with fewer than 10 employees) and some businesses that have experienced huge breaches (with notification costs/expenses expected to total over $250,000) can provide notices of breaches and failures of data security systems in other ways, depending upon the specific circumstance.
If more than 1,000 people are affected or possibly affected by a data breach, the business must also update the three major credit bureaus with information concerning the breach or data security system failure, so the affected people’s credit records can be interpreted with the understanding that those credit records may be inaccurate.
Banks and financial institutions that have responsibilities under federal law in the event of a data breach are governed by different rules as to what they must do when a breach occurs.
Importantly, businesses cannot contract with customers or employees to not protect personal information. If a business in Ohio possesses personal information, the business absolutely must protect its customers’ and employees’ electronic personal information.
In light of the incredibly burdensome (yet appropriate) sanctions for not protecting the sanctity of people’s personal information, businesses should aggressively avoid losing exclusive control of personal information in the first place.
Although I usually also provide extensive, individualized advice in this context, I typically recommend that my business clients investigate data theft insurance. Appropriate data theft insurance should include protection from the five most common data breach scenarios and help with delivering all of the notices that the law requires in the event of a data breach.
Lee R. Schroeder is an Ohio licensed attorney at Schroeder Law LLC in Putnam County. He limits his practice to business, real estate, estate planning and agriculture issues in northwest Ohio. He can be reached at Lee@LeeSchroeder.com or at 419-659-2058. This article is not intended to serve as legal advice, and specific advice should be sought from the licensed attorney of your choice based upon the specific facts and circumstances that you face.