What to do in Case of a PII Breach

With each company’s work processes becoming increasingly integrated and fast-paced through the internet, many companies have found that they are alarmingly vulnerable to cybersecurity breaches.

Both business-to-business and business-to-consumer companies are increasing the amount of information they request and store. Most of this information is personally identifiable information or PII.

What is a PII breach?

A PII breach is a loss of control, compromise, unauthorized disclosure or unauthorized access to Personally Identifiable Information that is stored digitally.
PII is information that can be linked to a specific individual. Next to vital personal information such as name, social security number, credit card number, and so on, information on internet users’ online activities can be regarded as PII as well.

In this case, there are two elements. First, it contains information about a user’s actions or activities online. Next, it contains information by which that specific user can be identified. Say a company obtains information about shopping habits. If it does not connect this information to a specific consumer, the data is not considered PII. But if that connection is made – and the information is deemed PII as a result – the company now has a specific duty to treat the information in a confidential and secure manner.

Even if the company has made efforts to keep PII safe and secure, PII breaches can (and do) occur. Of utmost importance is to take the correct actions when such a breach occurs, making sure any damage is limited and the source of the breach is found and secured promptly.

These actions allow the company involved to reduce the chance of being sued or prosecuted, thereby reducing costs and limiting reputational damage.

Have a plan in place

In order to minimize financial or any other loss, it is important for any company which deals with PII to have a plan in place in case of a breach. Indeed, in spite of all preventive measures the company may have undertaken, it is still quite likely for a breach to occur – and as such, it is important not to be caught by surprise.
The plan should include a definition of PII, what constitutes a PII breach, when and how a PII breach should be dealt with internally, and which external parties (usually clients or customers and the Attorney General) should be notified. Next to this, the plan should lay out in fine detail what kind of forensics will be carried out and by whom. Forensics can be done by the Attorney General, an insurance company or an external forensic expert.

Notify in accordance with the law

Almost all states in the U.S. have specific rules and procedures in place with regard to notifying the relevant parties in case of a PII breach.

The exact stipulations differ, but most laws mention the following:

    • Specific time frames for the notification and other actions to occur. These often range from five days to sixty days, depending on the state.
    • Which citizens should be notified and how many. This can range from citizens being directly affected by the breach to a wider group of citizens.
    • Which regulators should be notified. This can include consumer reporting agencies and the attorney general’s office.
    • Which appropriate actions may be undertaken by the Attorney General as a penalty in order to ensure future compliance with the law and the recovery of economic damages.

States have been known to change these laws regularly to respond to the ever-evolving threats. As such, it is important to always check with your legal advisor before starting any notification processes.