How a Data Breach Can Impact Your Health Club
Most states have data privacy laws placing the responsibility for safeguarding certain types of employee and consumer information firmly on the businesses holding the information. In the event of a data breach, it is you, the business owner, who will have to respond.
Data breaches can cost businesses real money. The Ponemon Institute—which tracks the cost of data breaches—reported the average total cost of a data breach in 2018 was $3.86 million and the average cost per stolen or lost record was $148.
If your club has 2,000 members and half become victims of a data breach, it could cost your business up to $148,000. Add to this the damage to your reputation and the loss of trust from your members, and you can begin to see the severe damage a data breach can cause your business.
So what do you do now? Well, you have discovered the problem and believe it or not, that is a big first step.
Best Practices in Response to a Data Breach
Investigate & Remedy
As soon as you become aware of the breach, you need to launch an investigation. Go to the scene of the incident, interview employees, and try to establish what has happened and how.
You are seeking to determine:
- What information was compromised?
- Was it a hack (an intentional act with likely criminal motives)?
- Was it a mistake (e.g., an employee left their laptop unattended, and it was stolen)?
- Was it a process failure (a gap in security practices compromised the information)?
Understanding the nature of the breach will allow you to take immediate actions to contain or remedy the situation and help you identify the appropriate next steps.
If your investigation leads you to believe you have been the victim of hacking, you should notify the police.
Identify and Follow State Data Breach Laws
There is no federal law governing what happens in the event of a data breach. Federal law is generally restricted to specific industries like healthcare and financial services. Your focus should be on knowing state law.
Every state has a data breach law laying out the steps businesses must take to respond to a data breach. Every state law is different, including what is considered protected information—commonly referred to as personally identifiable information (PII)—and what activities are considered a breach.
While definitions of PII vary by state, they commonly include:
- medical information,
- biometric information,
- financial information,
- an individual's name plus social security number or driver's license number.
North Carolina and North Dakota are good examples of the different twists states can put on the law. In these states, the law considers your mother's maiden name PII, because bank accounts and employee files frequently use it as a security question.
Does the Data Breach Trigger a Notification?
If the compromised data is considered PII under the law, you need to figure out if your incident is one that triggers a notification requirement. Identify which data breach notification laws apply to your situation, and determine if what has happened is considered a "breach" under the law. If it is, you will need to notify any affected individuals.
This is where it can get a little tricky. Businesses must follow notification requirements based on the data breach law of the state in which affected individuals—including both employees and consumers—reside, not the location of the business. If affected individuals reside in several different states, figuring out the proper notifications to send out can get complicated quickly. You may need to consider getting legal counsel.