The Gramm-Leach-Bliley Act ("GLBA") and the American Recovery and Reinvestment Act require certain financial institutions, as well as health care providers or businesses that provide services to health care providers, to notify patients and the government if the security of the personal information that they maintain is breached.
You should consult an attorney to determine if you are covered by one of these statutes.
Almost every state and territory, including the District of Columbia, Puerto Rico, and the U.S. Virgin Islands, has enacted a "data breach notification" statute. Although statutes vary between states, data breach notification statutes generally require businesses that have personal information about residents within a state to notify those residents if someone who is not authorized acquires that information.
You should consult an attorney to determine which state data breach notification statutes apply to your business, and what the specific requirements of those statutes might be.
85% of data breaches occur at the small business level.
Source: Visa