7. If Customer Data is Stolen or Lost — What to Do Next

U.S. Legal Requirements

Federal Laws

The Gramm-Leach-Bliley Act ("GLBA") and the American Recovery and Reinvestment Act require certain financial institutions, health care providers, and businesses that provide services to health care providers to notify patients and the government if the security of the personal information they maintain is breached.

You should consult an attorney to determine if you are covered by one of these statutes.

State Laws

Almost every state and territory, including the District of Columbia, Puerto Rico, and the U.S. Virgin Islands, has enacted a "data breach notification" statute. Although statutes vary between states, data breach notification statutes generally require businesses that have personal information about residents within a state to notify those residents if someone who is not authorized acquires that information.

You should consult an attorney to determine which state data breach notification statutes apply to your business, and what the specific requirements of those statutes might be.

40% of data breaches occur at the small business level.

Source: 2013 Verizon Data Breach Investigations Report