After the Cyber-Attack: Do You Know the Notification Laws?

Cyber attacks have been growing in number and sophistication for some time now. But even with more controversy surrounding cyber threats and the lack of protection around them, some companies do not take the necessary steps after being hacked. One of those steps is to inform investors right away if they’ve suffered a cyber-attack deemed to be material.

The Securities and Exchange Commission first advised public companies to tell investors if they’ve fallen victim to breaches about seven years ago, but issued an updated cybersecurity guidance plan only this past spring. However, there are still some companies that do not know the right steps to take, especially since state notification laws can vary.

The Report and Fallout

The S.E.C.’s report details a state-by-state look at the different notification laws that exist now. It warns public companies, no matter the size, to make “timely” disclosure, as cyber crime can pose a grave threat to investors and the capital markets. But going public about cyber attacks isn’t always an easy call to make for companies, especially small businesses. The risk is that the hackers in question will be tipped off about investigations and make efforts to clean up the mess. Even some law enforcement offices encourage companies not to disclose these kinds of issues.

This is why knowing the laws in each state is important: even if your company is based in one state, say California, which has some of the strictest notification laws, it may have customers throughout the country, where laws may be more lax. If you don’t follow the laws in your state, you may become a target of harsh penalties. This leaves you vulnerable to increased liability, which will jeopardize your business reputation and personal finances.

With that in mind, it’s important for business owners to look into cyber insurance, like bank cyber insurance for local banks that handle very sensitive financial information of their customers. Bank cyber insurance will financially protect a small regional bank in the wake of a cyber attack.

Breaking Down State Notification Laws

As mentioned, some states have a firmer grip on notification laws than others. If your small business is in Alabama, Maryland, New Mexico, Oregon or Ohio, you would have 45 days to notify individuals. In South Dakota, there’s up to 60 days. And over in Tennessee the state allows up to 90 days.

Most of the states require a written notice to be sent out within specific time frames, as mentioned above. However, some states do allow for electronic notices, and notice can also be given by phone call or email. For the latter, the consumer must prefer to receive notifications this way, and signatures need to be consistent.

Furthermore, in some states, only the state’s attorney general may direct an action for a violation of the law in the state. Other states permit a private cause of action by an affected individual. Businesses that operate in multiple states, say e-commerce sites, small banks or franchise companies, must be alert to the requirements in the various jurisdictions and the evolving trends in recent amendments.

No matter the state you’re in, it’s important to know the laws and adhere to them so the information of your investors and customers/clients isn’t further compromised. Companies may face irate money managers and advisers or customers, and without being candid about a cyber threat, companies, especially small businesses, risk damaging their operations moving forward due to depleted funds or a broken reputation.

About Financial Guaranty Insurance Brokers

Since 1983, Financial Guaranty Insurance Brokers has distinguished itself as a provider of Professional Liability, Cyber Liability, and Crime insurance products for entities of all types. To receive timely, personalized service from a knowledgeable and experienced staff, call us today at (626) 793-3330 to speak with one of our professionals.