Are You Having A Technology Emergency?

JS Business Solutions Blog

How Are We Still Unsure of What Makes a Data Breach?

How Are We Still Unsure of What Makes a Data Breach?

Since the first of July 2017, over 10 million records containing personal information have been stolen each day. Are you one of these people? If you’re not, you might know someone who has been affected by these data breaches. Considering how high this rate is, it’s natural that you would want to take steps to protect your personal information, as well as any data stored by your business.

Have you ever considered the process that takes place when a major data breach occurs? How are you notified, and how do you know whether you’ve been affected? We’ll help you wrap your head around the various laws surrounding the notification of data breach scenarios, as well as identity theft and unauthorized account access.

There’s more than a reasonable chance to expect a breach of personal or business information, but the legal waters surrounding these situations are somewhat obscure. Even if it has ethical complications, companies that expose your personal information to a data breach are often under no legal obligation to inform you of the event. Even the information considered “personal” can vary, depending on the state. Naturally, this will lead you to question whether you can count on your organization being notified in the event of a data breach.

Legal Definitions of Personal Information
Each state has its own laws and policies concerning data breaches and notification requirements. All of these policies, however, give a general idea of what personal information is. At a minimum, the following can be considered personal information:

  • First name (or first initial) and last name.
  • One or more of the following elements: Social Security number, driver’s license, state ID number, financial information.

This information is generally considered the foundation of any legislation concerning data breaches. Some states even go further than these standards, going as far as a stolen PIN being considered a breach of personal information, but ONLY if the PIN was included in the same breach as its associated account number. Therefore, you’ll only be notified if both were found during the same breach, and not necessarily if it was just the PIN that was stolen and not the card number.

Some states, like North Carolina and Nebraska, even include biometrics and fingerprint information as part of personal information. Other states, like Missouri, have specific and detailed laws that make taking legal action somewhat difficult regarding personal data. Laws concerning health and medical information are generally covered under the United States’ federally mandated Health Insurance Portability and Accountability Act, or HIPAA. Some states do include health-related information in their definition of personal information.

Once the number of records stolen has exceeded a certain threshold, consumers must be notified of the instance, as well as the attorney generals of all states that are home to victims. This number generally sits somewhere between 1,000 and 5,000.

Regarding sectoral legislation, decisions are generally made in favor of the information holder, rather than the individual who has actually been affected by the breach. Here are even more ways that data breach laws work:

  • Encryption: Some states specify that data that was encrypted and stolen doesn’t necessarily constitute personal information. However, they don’t include information about what happens to encrypted data that’s cracked after the theft.
  • Questionable Non-Personal Information: Some information is not quite personal enough to constitute personal information. An example of this is the last four digits of your Social Security number. Remember all of those accounts that only ask you to confirm those same last four digits? Yeah--that’s not personal or anything.
  • Good-Faith Acquisitions: A good-faith acquisition is defined as the recipient of the sensitive data being involved on the internal team, a vendor, or a partner. This could be either with or without your consent, but as long as the data isn’t misused, it’s usually not pursued legally. However, the most notable thing about these types of situations is that there are no requirements concerning notification.
  • Risk of Harm Analysis: Around half of the states in the United States include laws that allow an information-holding organization to run what’s called a Risk of Harm analysis. This is a method used to determine how likely the information is to be compromised. If there is minimal risk involving the data, the state attorney general doesn’t need to be notified regarding a breach, and neither does the party whose personal information has been stolen.

Does your organization understand the laws surrounding notification for data breaches and other sensitive information being lost? If so, JS Business Solutions can help you prepare for the day that it inevitably happens. To learn more, reach out to us at (781) 715-1900.

The Cloud Can Effectively Be Used For File Sharing
PINs Distributed By Equifax Increases Risk


No comments made yet. Be the first to submit a comment
Already Registered? Login Here
Wednesday, December 12 2018
If you'd like to register, please fill in the username, password and name fields.

Captcha Image

Latest Blog

There is no denying that a Google account is a very valuable thing to have today, and if valuable doesn’t seem like the right word to use, let’s say practical. Business and casual users alike use the wide variety of services for many purpos...

Latest News & Events

JS Business Solutions is proud to announce the launch of our new website at The goal of the new website is to make it easier for our existing clients to submit and manage support requests, and provide more information about our ser...

Contact Us

Learn more about what JS Business Solutions can do for your business.

Call Us Today
Call us today
(781) 715-1900

10 South Main Street
Suite 202-204

Attleboro, Massachusetts 02703