Data breach preparedness for NH businesses
A look at the legal responsibilities specific to Granite State firms
Businesses today are collecting and storing more personal information than ever before, but their data security systems may not have kept pace.
Data security plans are especially important for businesses in the Granite State, which has specific laws mandating certain notifications be made in the event of a data breach. As a result, New Hampshire businesses large and small need to right-size their security systems and create data security plans that fit their needs.
Perhaps the most important component of a data security plan is having a response plan. Even with the best security systems, breaches do occur, whether because of hacking or the loss of a briefcase, smartphone or laptop containing personal information. It’s critical for business owners to plan ahead by understanding the law and having a response team in place.
Enact a plan
State law requires any person doing business in New Hampshire to notify, as soon as possible, those individuals who are affected by any security breach of computerized data that contains personal information that is wholly or partially unencrypted.
Affected individuals and the appropriate government agency must be notified if the business experiencing the security breach determines that misuse of the information has occurred or is reasonably likely to occur or if the business is unable to make such determination.
Notification can be done in writing, by telephone, or via electronic communication such as email, and must include a description of the incident, the approximate date of the breach, the type of personal information accessed and the telephone contact information of the affected business.
Regulated businesses, such as financial institutions, must also notify their primary regulator, while all other businesses must notify the New Hampshire Attorney General’s office. When notifying a government agency, businesses must mention how many individuals were affected by the breach and the anticipated date that those individuals will be notified. For breaches involving more than 1,000 affected individuals, a business may also be required to notify all national consumer reporting agencies.
In New Hampshire, the consequences for noncompliance with this law include a personal right of action, with treble damages available for willful or knowing violations of the law. Those who do not comply are also subject to enforcement. In addition, all security breach notifications to the Attorney General’s office are listed publicly on its website.
In the event of a data breach, business owners also need to comply with relevant notification laws in their customers’ home states. This is significant for New Hampshire businesses, as large numbers of out-of-state customers flock to the Granite State to enjoy its zero-percent sales tax and abundant recreational opportunities. Therefore, an important part of developing a response plan is to determine the complete list of states in which the business’s customers reside and ensure the company’s notification procedures will satisfy those states’ data breach notification laws as well.
Have a team in place
The moment when a data breach occurs is not the moment to begin assembling a response team. Business owners in New Hampshire should take the initiative and establish relationships in advance with a group of professionals that can respond appropriately in the event of a breach.
A response team typically includes executives with decision-making authority, as well as information technology professionals who can assess the extent of the breach and stop any unauthorized access. The team might also include public relations personnel who can communicate with customers and the media, customer service representatives who can handle concerned calls or emails from customers, and human resources personnel who can manage security breaches that affect employee records.
If a security breach involves health information, assistance from persons who specialize in this area should be considered.
Business owners should also consider the counsel of compliance or legal professionals who can ensure that all legal response requirements are fulfilled. In addition, business owners should research insurance coverage options. Although most general commercial policies exclude coverage for data security breaches, specialized policies are available.
In our digital era, nearly every business collects personal information that needs to be kept secure. As a result, these businesses face potential financial and reputational damage from a breach. New Hampshire business owners should take the time to understand the laws that apply to them and have a response team in place as part of a broader data security plan designed to protect the business and its customers over the long term.
Arthur T. Corey is of counsel at Hinckley Allen. Nancy R. Wilsker is a partner at Hinckley Allen and chair of the firm’s Privacy and Data Security Law Group.