What is data breach reporting?
When a breach occurs, the clock starts ticking on compliance with federal, state and other laws. Reporting involves documenting where, when and how the incident happened.
What is personally identifiable information or PII?
The simple answer is it’s anything that can be used to identify you.
Types of personal information include: name, address, phone number, email address, date of birth, Social Security number, driver's license number, and bank account and credit card information.
The loss of this information can lead to identity theft.
Other personal information includes health information, medical records, Vehicle Identification Numbers, license plate numbers, login credentials and passwords, school records as well as voice recognition files. Fingerprints, retina scans, and handprints are also considered personal information.
What is a breach of personally identifiable information?
The unauthorized access, loss, use or disclosure, whether accidental or intentional, of information that can identify an individual.
What are some examples of a breach?
A breach can occur in many ways, including through lost laptops or smartphones, improper disposal of paper records, or intrusion into your network or PC by hackers. The definition continues to expand.
Who do I need to report a breach to?
Over 100 countries, as well as 300 federal, state and local authorities, require reporting.
In addition, reports may need to be filed to Visa, MasterCard and other non-governmental entities. Who you need to report to in the event of a particular breach may depend on multiple factors, including where you are located and what kind of PII was involved in the breach.
Who are the enforcement agencies and others who might be involved after a breach?
Enforcement officials include various federal and state agencies as well as attorneys general, commissioners and others. Here are a few examples:
Federal Bureau of Investigation (FBI)
US Secret Service
Federal Trade Commission (FTC)
Dept. of Health and Human Services/Office of Civil Rights
Card brands like Visa, MasterCard, etc.
State Attorneys General
What laws govern personally identifiable information?
Here are a few examples of the hundreds of laws and regulations that relate to the protection of personally identifiable information and requirements to report suspected or real loss.
Gramm-Leach-Bliley Act (GLBA)
Fair Credit Reporting Act (FCRA)
Driver's Privacy Protection Act (DPPA)
Health Insurance Portability and Accountability Act (HIPAA)
Health Information Technology for Economic and Clinical Health (HITECH) Act
Payment Card Industry Data Security Standard (PCI-DSS)
What is the difference between PCI and personal information?
Payment card (PCI) data is just one type of personally identifiable information. The PCI Data Security Standard protects cardholder data such as the debit or credit card number, expiration date and card security code.
What does this service do?
It helps you fulfill your mandated requirement to comply with federal, state and other laws to report the loss of personally identifiable information.
How does this service work?
It’s a simple process. If you lose, or even suspect you may have lost, personal information, just call the Breach Reporting Hotline, professionally managed by CSR. Privacy professionals take down the information and file any mandated reports, if they are required.
What are the hours of your service?
CSR operators accept calls 24/7. Calls received between 9 AM and 6 PM Eastern will be returned by a privacy professional within 2 business hours, the same business day. Calls placed after 6 PM Eastern will be returned the next business day by a privacy professional.
What qualifications do the CSR “experts” have to collect this information and file reports?
According to CSR, all CSR personnel have received and maintain one or more certifications from the International Association of Privacy Professionals. Specialties range across U.S., Canadian and European privacy, IT and government privacy, and the CIPM designation (Certified Information Privacy Manager).
What number do I call in the event I think I have lost personally identifiable information?
In the event you believe you may have lost personal data, call 866.853.7553.
Do I have to file the reports?
No, our service will file reports, as necessary, on your behalf.
What if I’m not sure whether I have lost data?
You should still call the Hotline at 866.853.7553. Leave it to the privacy professionals to determine whether any reports need to be filed.
Will you share the details of my reports?
The privacy professionals are not allowed, by law, to disclose what you tell them to anyone other than the authorities who mandate reporting.
Can I opt out of the program if I don’t want it?
We don’t recommend it. We provide this service at an affordable price to enable you to comply with mandated reporting in the event of an incident. You’ll have privacy experts who will relieve you of this burden. If you opt out, you increase your risk of liability, including civil and criminal sanctions, for failing to meet the reporting requirements.
Can I opt out later after I see how it goes?
You can opt out at any time, but remember that you will increase your risk of liability, including civil and criminal sanctions, for failing to meet the reporting requirements.
I already have this service from someone else.
Please provide us with information on the other provider. We will review it and get back to you.