Cyber & Data Breach Notification Laws


When your client has discovered their small business has been the victim of a cybersecurity attack, their first impulse might be to panic. There’s a lot at stake, and this is why businesses of all sizes are advised to create a data breach response plan. This is a policy that helps businesses properly respond to any type of cybersecurity attack by laying out the actions to take in a direct, uncomplicated manner. One of the most vital steps described in the data breach response plan is to notify the proper parties of the incident, explaining what happened, what information was involved and what actions are being taken to address and fix the situation.

What’s the Cost of a Data Breach? 

There’s no getting around it: a data breach will cost your business monetarily in some way. According to a recent study from IBM and the Ponemon Institute, the average cost of a data breach is on the rise in 2018, up to $3.86 million compared to an average of $3.62 million last year.

The cost of a data breach also depends on the number of records and the amount of information compromised. It’s fairly obvious that the more information stolen, the higher the cost for your company. The IBM study also revealed that the average total cost of a data breach ranges from $2.2 million for incidents with fewer than 10,000 compromised records to $6.9 million for incidents with more than 50,000 records stolen. However, the quicker an organization identifies and contains a data breach, the less it could cost in the long run.

What are Data Breach Notification Laws?

Data breach notification laws vary by state, but today, all 50 states do have breach notification laws. Most states have implemented legislation that requires businesses to notify customers of a security breach when it involves personal information. In the state of Ohio, for example, protected information includes a combination of Social Security numbers, driver’s license numbers and credit/debit card account numbers.

Additionally, depending on the type of information compromised, each state will have its own specific data breach notification requirements. A business’s legal counsel should be one of the first departments alerted following a cybersecurity attack, as they will research the state’s law on whom to notify in the event of a data breach, and also find out whether the breach the business experienced is of a type covered by the law.

Some of the parties you may need to notify include:

Local law enforcement

As soon as you realize your business has been the target of a cybersecurity attack, the legal team should notify local law enforcement to report the situation. Time is of the essence, as the sooner the authorities are made aware of the incident, the more effective they can be in stopping it from escalating further. The state office of the FBI can also be of assistance if the local police aren’t familiar with cyber theft investigations. Law enforcement can also help with the timing of the data breach notification you will send to your customers to ensure it’s not obstructing the investigation.


If any of your company’s vendors or business partners were affected by the data breach – for example, if your business stores or collects customers’ personal information like Social Security or credit card numbers via a third-party vendor – legal counsel needs to notify them as soon as possible. This helps ensure they’ll be able to monitor their accounts accordingly to watch for any potential fraudulent activity.


Finally, valued customers should be sent a formal notification of the data breach in the form of an email or letter. In general, the notification should include the following information:
  • How and when the breach occurred
  • What information was stolen and how it may have been misused
  • The steps being taken to address and remedy the situation
  • Actions the customer can take to protect their information
  • Contact number, email or website customers can visit to learn more

Remember, the potential damage to your company’s reputation is one of the most significant issues a data breach can cause. Properly communicating with customers helps protect your relationships and rebuilds the confidence they have in your organization.

Promoting the Awareness of Online Safety and Privacy during National Cybersecurity Awareness Month

National Cybersecurity Awareness Month (NCSAM) kicks off its 15th year this October with the goal of ensuring all digital citizens have the resources needed to stay safer and more secure online, while also protecting their personal information. As an official NCSAM champion, AmTrust recognizes our commitment to cybersecurity, online safety and privacy.

The theme of NCSAM 2018 is “Our Shared Responsibility,” reminding everyone that protecting the internet is a collaborative effort. A strong, cyber secure workforce helps ensure businesses, families, communities and the country’s infrastructure are better protected.

Cyber Liability Insurance from AmTrust Financial

Cyber Liability Insurance policies from AmTrust can help protect small businesses from some of the costs associated with a variety of cybersecurity attacks. Some of the common components of cyber liability insurance include:
  • First Party Coverage that responds immediately after a suspected incident. This coverage includes forensics, legal analysis, notification and credit monitoring, and also public relations.
  • Third Party Coverage that provides a defense in the event of litigation against your client.

AmTrust appointed agents focus on providing small and mid-sized businesses with affordable, effective Cyber Liability insurance policies tailored to their clients’ specific needs. Your clients will feel confident knowing they have coverage for losses incurred following a data breach.

This material is for informational purposes only and is not legal or business advice. Neither AmTrust Financial Services, Inc. nor any of its subsidiaries or affiliates represents or warrants that the information contained herein is appropriate or suitable for any specific business or legal purpose. Readers seeking resolution of specific questions should consult their business and/or legal advisors.
