Reed Smith has launched a free app to help companies work through the legal implications of a data breach. In just a few clicks, you can determine whether state data breach notification laws may apply to your data loss.
We’re not sure whether to be relieved or terrified. Terrified because an app like this needs to exist in the first place. The rate of data breaches, and the breadth of information compromised, is the stuff of nightmares.
Relieved because the app may help more people take these breaches more seriously and, hopefully, encourage companies to recognize the legal responsibilities that can flow from a breach.
Clicking Your Way to Quick Risk Analysis
The global law firm describes the app, Breach RespondeRS (get it?), as the “first app of its kind prompting companies to answer basic fact questions and immediately get a response as to the likelihood that notification is required.” There’s even a cute video to go with its release.
We gave it a spin. If you have the facts of your data breach at hand (we made our answers up), you can get through the firm's web app fairly quickly. The site is essentially a digitized decision tree: it asks a series of questions about the breach (what kind of data was involved, whose it was, and so on) in order to work out which state notification laws could be triggered.
At the end, users are presented with an initial assessment regarding whether state breach notification laws may apply to the facts given. (This, Reed Smith notes, is not legal advice, but simply reference material.)
Importantly, the app also reminds users that state data breach notification laws aren’t the only things they should be focusing on. Federal laws, contractual requirements, insurance notification requirements and more could all be implicated by a data breach.
What the app didn’t do, at least when we tried it out, is tell users exactly which laws may apply to their situation or how to comply with those laws. For that, you may need an actual lawyer.
Getting Serious About State Data Breach Laws
The release of Reed Smith's new app is well timed. Just last month, Target agreed to pay $18.5 million to settle claims brought by attorneys general in 47 states and the District of Columbia. The settlement brought an end to state investigations into the retailer's 2013 data breach, in which cyberthieves made off with the credit and debit card information of an estimated 40 million customers. The initial intrusion has been traced back to a phishing email sent to one of the retailer's vendors, a small HVAC contractor in Pennsylvania, whose stolen network credentials were then used to get into Target's systems.
The attorneys general had been investigating Target for violating state data breach notification laws, among other statutes. Under the terms of the settlement, Target will implement a host of security improvements, including encrypting card information and segmenting its cardholder data environment from the rest of its corporate network, a control that would have limited what a compromised vendor account could reach.
The deal brings the total cost of the breach to over $200 million, the company said.
But it's not just the biggest companies that need to worry about data breaches, or about winding up on the wrong side of a state data breach law. Last Thursday, attorneys general from 15 states issued a warning to the eCommerce hosting company Aptos Inc., after the company said that the online retailers it hosts were not required to inform some customers of breaches, according to Law360.
The same day, a healthcare company on Long Island agreed to pay $130,000 for violating New York's data breach notification law. CoPilot Provider Support Services waited more than a year to notify consumers that over 200,000 patient records had been exposed in a data breach, according to the New York AG. In addition to the six-figure penalty, the company will have to improve its breach notification and legal compliance programs.
If only they’d checked the app.