Responding To Inadvertent Disclosures Of Employee And Consumer Personal Information
Business owners increasingly store employee and consumer personal data in a digital format. This development holds numerous advantages for owners, including offsite storage of otherwise voluminous documents and searchable databases of information. However, this development has also led to an increase in inadvertent disclosures of personal information and data breaches as those seeking to wrongfully obtain the information become more sophisticated. The Office of the Indiana Attorney General reports an increase in reported security breaches from 396 breaches in 2014 to over 600 in the first four months of 2017.
The inadvertent disclosure of employee and consumer information can come in many forms:
- External hacking of private servers;
- Phishing attacks (the act of sending a fraudulent request for information from a person who claims to be a trustworthy source or individual);
- Internal employee error; or
- Targeted data theft by internal source.
Cybercriminal email attacks are becoming more common. These typically happen in two ways.
First, a criminal can hack into a business or personal email account and draft phishing requests for information (and divert the response to their email account) or review past email transactions for employee or consumer personal information. Alternatively, the criminal can create a fake email account and pose as a company official or executive. Using the fraudulent account, the criminal will send phishing requests for protected information.
Independent of how the disclosures occur, a business has certain reporting duties upon discovery of the breach of data (for example of its employees or customers) (referenced in this article as “affected individuals”). Failure to properly adhere to these duties is cause for action from the Office of the State Attorney General, fines of up to $150,000 for each “deceptive act,” and additional costs. If private financial or credit card information is disclosed, the business will be subject to other obligations and fees/penalties under laws protecting financial privacy as well as the contractual requirements of credit card issuers.
What to do in the Event of a Data Breach
Each state has different reporting requirements and many individual states have separate requirements dependent on the number of affected individuals residing in that state. Importantly, a disclosure must be reported to the state of the affected individual’s residence, rather than such person’s state of employment or patronage. For larger businesses, this could necessitate determining the reporting requirements of numerous states. Determining the residency of all affected individuals is important to do as early as possible because the reporting requirements of different states are varied and even contradictory, making the task of drafting one cohesive acknowledgement letter to consumers or employees difficult.
This article will explore generally the requirements a business faces following the disclosure of personal information of an Indiana resident only.
1. Take quick action, but do not rush.
Indiana law requires that reporting of any breach be made “without unreasonable delay.” Beyond the legal requirement, the business has a duty to protect its employees and consumers from further harm. Notifying the affected individuals as early as possible allows those affected individuals to take personal action to protect their interests (such as reporting the breach to their financial institutions, cancelling credit cards, and placing fraud alerts or freezes on their accounts). Quick reporting makes the best of a bad situation by allowing loyal employees and consumers the ability to mitigate their own losses. Failing to quickly report the disclosure may cause additional losses and cost the company goodwill.
However, “without unreasonable delay” does not call for immediate reporting. The business obviously will want to avoid a marketing nightmare if it fails to comply with all relevant requirements and is forced to issue repeat or corrective notices. For reasons addressed below, the business first needs to compile facts surrounding the breach and review the appropriate notice requirements before reporting the disclosure. The business may also involve other authorities during this investigation period, but in doing so the business should be aware that the law enforcement agency may issue a report (to the public or which may become public) which could present a more negative effect than the business making the disclosure. If possible, the business should try to coordinate publication with any agencies that are helping with the matter.
2. Determine the scope of disclosure.
The Indiana reporting requirements increase if the disclosure affects 1,000 or more Indiana residents. If this threshold is met, the business must notify not only the affected individuals but also the three major credit reporting agencies: Equifax, Experian, and Transunion. The business must also provide information necessary to assist the reporting agency in preventing fraud, including personal information of an Indiana resident affected by the breach of security. If the business is required to report the disclosure to 500,000 or more Indiana residents, the business may elect to use different notification methods that are more conducive to large scale disclosure.
Although, this article addresses Indiana law, it is noteworthy that at least one other state requires the business to provide a period of credit monitoring at no cost to the affected individuals depending on the cause of the breach. This is also a voluntary consideration the business may want to explore offering.
3. Draft an appropriate disclosure statement.
After reviewing the facts surrounding the breach, the business must craft a disclosure statement to be provided to all affected individuals as follows:
Method of Reporting
The business must provide notice by mail, telephone, facsimile, or email. Notice must be provided to each affected individual. If the business is required to report disclosure to 500,000 or more Indiana residents, the business can choose to provide notice by the above methods, or by using both conspicuous posting on the business’ website and providing notice to major news reporting media in the area of the affected individuals’ residences.
The business must provide, generally, a description of the information accessed in the security breach and the date of access.
Most states have enacted various data breach statutes that require slightly different forms of reporting. Although each state generally requires the same information be reported to affected individuals, several states specifically prohibit providing certain information in the disclosure statement. For example, in Illinois a business cannot include information on the number of residents affected, and in Massachusetts the business cannot describe the nature of the breach. These may require residents of those states be sent a slightly modified notice (from that sent to the majority of affected individuals). Due to the complexities in the statutes of each state, it is recommended that any business attempting to draft a disclosure statement to notify affected individuals who are residents of multiple states seek expert guidance as soon as a breach is discovered.
Notice to Third Parties
As referenced above, a business that has revealed personal employee or consumer information of Indiana residents must report the breach to the Office of the Indiana Attorney General. Failure to report to the Office of the Indiana Attorney General is cause for legal action and fines of up to $150,000 per deceptive act. If the breach affected 1,000 or more Indiana residents, the business must provide notice to the three major credit reporting agencies:
- Equifax equifax.com or 1-800-525-6285
- Experian experian.com or 1-888-397-3742
- TransUnion transunion.com or 1-800-680-7289
Steps That Businesses can Take to Prevent Data Breaches
Unfortunately, there is no magic remedy to prevent data breaches. Most disclosures are inadvertent or the result of a targeted attack. However, there are steps that businesses can take to help prevent data breaches and inadvertent disclosure:
- Do not use “autofill” when drafting emails. If an individual has sent an email to a company account fraudulently using the name of an executive or official, the email platform may suggest the incorrect email address after an employee has typed the first letters of the name. Always type the full address, or hover the cursor over the suggested name to ensure the email address is correct.
- Make a phone call to any party requesting personal information by email. Phishing scams utilize email because of the ease of impersonating a person on that platform (the email will often appear to be from a supervisory level person or officer – who might be less likely to otherwise be ‘questioned’). A quick confirmation phone call to the requesting party will reveal if the request was real or fake before the disclosure occurs. The more unusual the request, the more it should raise flags to the recipient.
- Do not open attachments from unknown senders.
- Establish proper firewalls and anti-virus protocols for all computers used for the business.
- Keep software updated. Software updates often contain security patches meant to address new threats.
- Train personnel on correct reaction to a suspected breach. Employees should quickly notify their management. Quick reaction is the best business tool following disclosure.
Parties seeking to profit from these disclosures are always creating new ways to access the information. As such, this is a developing area in technology and law; reporting standards will also likely change to keep up with necessary protectionary measures. Any company faced with the event of a data breach or other inadvertent disclosure would be well advised to review the law or seek expert counsel expeditiously.
 Identity Theft Protection, Office of the Indiana Attorney General, IN.gov/attorneygeneral/2874.htm.
 Ind. Code § 24-4.9-4-2
 While not the subject of this article, breaches involving financial data should prompt business owners to seek counsel in order to learn of applicable legal or contractual requirements beyond those addressed herein.
 Ind. Code § 24-4.9-3-4(b)
 For example, see California. Cal. Civ. Code § 1798.82(a)
 Ind. Code § 24-4.9-3-4(a)
Author Drake T. Land
Drake T. Land is a litigator practicing in multiple substantive areas. Drake represents employers in defense of employment-related and worker’s compensation claims brought before state and federal courts and administrative agencies. Drake also represents a variety of healthcare providers in the defense of medical malpractice claims and medical licensing complaints, and counsels businesses with litigation matters.
Prior to joining Riley Bennett Egloff, Drake served as a Deputy Attorney General for the State of Indiana, where he prosecuted medical licensing actions before the State Board of Pharmacy, Medical Licensing Board, and State Board of Nursing. While serving as a Deputy Attorney General, he reviewed and prosecuted over one hundred medical licensing cases in all stages of administrative review. Additionally, Drake pursued civil recovery of Medicaid overpayments under the Indiana False Claims Act.
© Riley Bennett Egloff LLP
Disclaimer: Article is made available for educational purposes only and is not intended as legal advice. If you have questions about any matters in this article, please contact the author directly.
Permissions: You are permitted to reproduce this material in any format, provided that you do not alter the content in any way and do not charge a fee beyond the cost of reproduction. Please include the following statement on any distributed copy: “By Drake T. Land© Riley Bennett Egloff LLP – Indianapolis, Indiana. www.rbelaw.com”
Posted on May 09, 2017 by Drake T. Land