Data breach notification not only for Equifax-like catastrophes
Posted on 09/25/2017 at 10:43 AM by Bryan O'Neill
The news has recently abounded with seemingly endless stories of data breaches both in Iowa and nationally – the Equifax breach chief among them. However, data breach issues do not always arise in the form of outside cyberattackers gaining access to a company’s computer systems. This blog previously covered how employees can intentionally help fraudsters steal.
Employees can also take data for themselves. Take, for example, the hypothetical in which an employee emails himself copies of an employer’s customer lists, which include customer names and social security numbers, prior to departing his employment. Iowa Code section 715C directs when notification to a consumer needs to occur in the event of a security breach.
Any person who owns or licenses computerized data that includes a consumer’s personal information that is used in the course of the person’s business . . . and that was subject to a breach of security shall give notice of the breach . . . to any consumer whose personal information was included in the information that was breached.
“Breach of security” is defined as “unauthorized acquisition of personal information maintained in computerized form by a person that compromises the security, confidentiality, or integrity of the personal information.” Under the above scenario, a security breach notification would be triggered. The employee has acquired the customer names and social security numbers in a manner that was not authorized by the company. Regardless of the number of customers who were compromised, a security breach notification would be mandatory. Employers would be wise to have in place internal protocols that would prevent the unauthorized distribution of customers’ personal information and specific guidelines for how employees are to handle customers’ personal information.
The material in this blog is not intended, nor should it be construed or relied upon, as legal advice. Please consult with an attorney if specific legal information is needed.
- Bryan O'Neill
Categories: Bryan O'Neill, Cybersecurity Law
The material, whether written or oral (including videos), that is posted on the various blogs of Dickinson Law is not intended, nor should it be construed or relied upon, as legal advice. The opinions expressed in the various blog postings are those of the individual author; they may not reflect the opinions of the firm. Your use of the Dickinson Law blog postings does NOT create an attorney-client relationship between you and Dickinson, Mackaman, Tyler & Hagen, P.C. or any of its attorneys. If specific legal information is needed, please retain and consult with an attorney of your own selection.