What to do if you have a Data Breach
Personal information (social security numbers, credit card numbers, bank account numbers, even name and address) has become a leading target of cyber criminals. With your clients' personal information in your possession, understanding your state privacy laws and having a timely response plan is essential.
So, what do you do if you have a Data Breach and some of your clients' personal information is compromised?
First, review your State Security Breach Notification Laws. At this time, all but four states (Alabama, Kentucky, New Mexico, and South Dakota) have enacted Data Breach Notification Laws.
Second, determine who should be notified:
Law Enforcement - When the compromise could cause harm to a person or business, you should first contact your local police department.
Your Insurance Carrier - Your insurance policies likely state that if you are aware of circumstances that could potentially lead to a claim you must notify them at your earliest convenience. When in doubt, contact NAPLIA for assistance.
Affected Businesses - The compromise may impact businesses other than yours, including banks or credit issuers.
Individuals - early notification to individuals whose personal information has been compromised allows them to take steps to mitigate the misuse of their information.
The FTC has excellent resources to assist you in making these determinations, including "Dealing with a Data Breach": http://www.ftc.gov/bcp/edu/microsites/idtheft/business/data-breach.html
The following is a template notification letter and an FTC Alert (typically sent to the clients along with the letter), which you may utilize to notify your clients.
According to attorney and CPA Ralph Picardi, "you may have competing obligations: a professional obligation to notify your client and a contractual obligation to your insurance carrier to refrain from harming the defense of a future claim. Because not notifying the client would only increase the severity of a future claim, there is an even greater motivation to notify the client ASAP. The key is to include only the most important facts in the initial letter, without including too much detail about the event or characterizing the data breach in terms of blame or fault. Let the client draw its own conclusions from the facts. So, for example, it would be better to say simply that there was a theft of a laptop computer than to say that, and, in addition, to say that the computer was in the unlocked back seat and that the staff accountant should never have left the laptop in the car in the first place."
This information is intended solely for general educational purposes. It is not intended for the purpose of providing specific legal, accounting, or other professional advice to any particular recipient or with respect to any particular jurisdiction. NAPLIA (1) makes no representations, warranties, or guarantees as to its technical accuracy or compliance with any law ( federal, state, or local) or professional standard; and, (2) assumes no responsibility to any recipient of this document to correct or update its contents for any reason, including changes in any law or professional standard.