Cyber attacks: When to notify your customer

Modern technology is an amazing asset for businesses in Louisiana and nationwide.  The ability to digitally store customer information and utilize “cloud based” services makes for a more efficient and effective business. However, as with all advances in technology, there are dangers. With the advent of modern methods of storage of customer data, there has been a flood of breaches in data security by criminals seeking to steal and sell a company’s customer information. Companies as large as Target and Home Depot have recently been the victims of large data breaches, with cybercriminals obtaining unfettered access to the personal information of a massive number of customers.

Every business should have a plan to minimize the risk of, and the damage from, a potential cyberattack and data breach. However, regardless of the precautions a business takes to prevent a data breach, it is always possible that one can occur. There is no guaranty of absolute data security. For that reason, businesses operating in Louisiana need to be aware of their obligations to their customers under state law in the event that a data breach occurs. Following such a breach, businesses in Louisiana are legally required to notify their affected customers.

Notification of customers is governed by the Louisiana Database Security Breach Notification Law. The law applies to corporate entities as well as any person, partnership, or group that conducts business in Louisiana and retains their Louisiana customers’ personal information.

Following a data breach, businesses must quickly notify their customers that their data is at risk, but the law does allow time for businesses to determine the scope of the breach, try prevent further disclosures, and restore the reasonable integrity of the data system. However, notice must generally be given within 60 days from discovery of the breach. Under the law, a customer can bring a civil action against a business to recover damages resulting from the failure to notify in a timely manner. 

Data security is a relatively new problem facing businesses, but it is a problem that appears will be with us for quite some time. Businesses not only need to have protections in place to try and prevent data breaches, but they should also have a plan for letting their customers know if  their data is at risk. Putting a notification plan in place ahead of time can mean one less thing a business has to worry about in the wake of a cyberattack.

Luke D. Whetstone, attorney at Cook, Yancey, King & Galloway. He is licensed to practice law in Louisiana and Arkansas and his practice includes cyber security and liability and labor and employment.