Data breach laws spread through states: Keys for Finance

New data breach laws being passed across the country give Finance pros even more reason to make sure employees’ confidential personnel data stays secure.

Texas is one of the latest states to strengthen its data breach regs, and more states will likely follow suit.

Here’s the latest info you’ll need to know to stay in compliance.

Data breach reporting

Effective Sept. 1, 2021, HB 3746 updates Texas’ existing data breach laws, which required businesses to notify both affected individuals and the state attorney general about any data breaches that occur.

Now, Texas companies that experience a data breach must include the number of affected state residents whom they notified about the breach by mail or other type of direct communication in their notification to the attorney general.

The Texas attorney general must be notified if data breaches impact 250 residents or more. The official notification also needs to include other details about the breach, such as a description of how it happened, the steps the company took to solve the problem and info about any pending legal investigations.

In addition, the attorney general will now maintain a public list on its website of any data breach notifications received from employers.

States that currently have similar requirements include California, Maine and Washington.

California’s law requires people to be notified of breaches. But the attorney general only needs notice of breaches affecting 500 workers or more. Washington’s law is similar. Maine maintains an online database of data breach notifications that impact state residents.

Each state has an online form businesses can complete if they need to report data breaches.

Prevention protocol

Being cautious with employee info can help Finance pros avoid the hassle of having to report data breaches. This is especially true when working with third parties.

Plus, it can help companies save money on the “damage control” required to mitigate the effects of breaches, including notifying affected workers and offering them data protection services.

Following critical cybersecurity measures is key to protecting workers’ data. Avoid opening any unfamiliar emails. Keep passwords to internal systems and payroll software secure and hard to guess. And work with IT to make sure your computer is regularly updated and has current antivirus software running.

Also, you may want to ask IT to implement stronger security features to access finance systems and software. This includes multifactor authentication when logging in and passwords that automatically expire.

Response strategy

If the unthinkable happens and a data breach occurs, acting ASAP is the best way to protect yourself and your company.

Companies should create a data breach response team immediately after a breach occurs, according to the Ponemon Institute, an industry leader in data protection for employers.

Your data breach response team should have members from various departments, such as A/P, Payroll and HR. Its goal should be to evaluate the breach’s impact on every aspect of the company. It should also notify those affected by the breach. Then, it should come up with an action plan to avoid similar issues in the future.

Additionally, the team should create a risk assessment plan. The plan should look at specific data security issues in your company and lay out steps to prevent data breaches.