prevent breaches, and thus avoid the need for disclosure, it will be well worth the effort. This requires addressing the issues noted above in connection with the duty to provide security. Also worth noting is the fact that most security breach notification statutes apply only to the compromise of unencrypted personal information. Thus, to the extent reasonably feasible, encryption of all relevant personal information may well avoid the need to make any embarrassing disclosures.
It is also important to recognize that, as part of a comprehensive security program, companies need a well thought out and legally compliant incident response plan. In other words, how will it respond if a breach does occur? Such plan should ensure that appropriate persons within the organization are promptly notified of security breaches, and that prompt action is taken both in terms of responding to the breach (e.g., to stop further information compromised and to work with law enforcement), and in terms of notifying appropriate persons who may be potentially injured by the breach.
Such a plan should also clearly address how the company will comply with the requirements of the applicable security breach notification laws (which, unfortunately, do vary somewhat from state to state). This includes addressing issues such as whether a triggering event has occurred, how the affected individuals will be identified, the content, form and style of the notices, how notices will be communicated to the affected individuals, coordination with law enforcement (where relevant), and coordination with credit reporting agencies. It is also worth noting that some breach notification laws provide a safe harbor for companies that maintain internal data security policies that include breach notification provisions consistent with state law.
Finally, such planning needs to consider personal information in the control of third parties, such as outsource providers. Outsourcing information processing to a third party does not relieve a company of its obligations with respect to the security of the information outsourced, or its obligations to make disclosures in the event such information is the subject of a security breach. As a consequence, businesses will need to look carefully at the security measures of the outsource providers with whom they contract, and the measures in place, contractual and otherwise) to respond to breaches..
At some level, security breaches may be inevitable. But appropriate security can do a great deal to prevent them from occurring in the first place, and appropriate incident response planning can do a great deal to mitigate their effects and to limit both the legal damage and the reputation damage that would normally follow from such breaches.