Data Privacy and Security Policy
Last modified: 4/17/2024
This is an internal document for employees and officers at Celeritas Technology Holdings, LLC (Celeritas). It serves as a roadmap to the legal requirements and suggested best practices for responding to a data breach. Data breaches happen to both large and small firms for a variety of reasons. The consequences include loss of customer trust and the potential for large regulatory fines, so it is imperative to have a plan in place before a breach occurs.
The user-facing document (Project: Osprey – Data Privacy and Security Policy) contains a place for an email address that people can use to report data breaches. That address must be actively monitored, and whoever monitors it must know how to escalate a report internally without delay.
Procure data breach insurance
We strongly recommend purchasing a data breach insurance policy.
Data breach insurance can help cover the cost of dealing with a data breach. For some sophisticated attacks it can be difficult to ascertain what happened and why. Insurance can help cover the cost of hiring forensic experts and the related costs of determining the cause of a breach and how best to move forward. Coverage varies greatly from insurer to insurer, and some policies contain problematic exclusions (for example, for specific attack types or for incidents traced to a vendor). Read the exclusions carefully and select a policy that fits your business model.
Federal Trade Commission rules
The Federal Trade Commission (FTC) has amended its Safeguards Rule (16 CFR Part 314) to add a breach notification requirement; the amendment takes effect May 13, 2024.
The amended rule requires notifying the FTC of a breach involving the unencrypted information of 500 or more consumers, as soon as possible and no later than 30 days after the breach is discovered. If a breach at Celeritas meets that threshold, Celeritas will have to report it to the FTC.
The rule applies to non-bank financial institutions under the FTC’s jurisdiction that handle consumer financial information. Your business may not fall within its scope today, but if that changes, this reporting requirement must be followed in the event of a data breach.
The FTC also has a data breach response guide available online here. It is guidance rather than law: not everything in it is legally required, and much of it depends on the situation. It is still a good document to review when structuring an internal response plan for a data breach.
State reporting requirements
All 50 states have data breach notification laws, and most attach penalties for non-compliance. This map gives a brief overview of what is required in each state and on what timeline.
California, for example, requires notifying the state attorney general of any breach affecting more than 500 California residents. This involves submitting a sample copy of the notice sent to affected residents to the attorney general, as well as notifying the affected users themselves. California requires that affected users be notified in the most expedient time possible and without unreasonable delay.
In other jurisdictions the timeline for notification can be as short as 24 hours. When a breach is discovered there must be a mechanism in place to quickly identify which users were affected and notify them immediately. In practice this means keeping an up-to-date inventory of where personal data is stored and enough logging to determine which records were accessed. Notification clocks generally start from the discovery of the breach, so record the date and time of discovery and how the breach was found.
What is not included in this document and the Data Privacy and Security Policy document
These documents do not cover health data breaches or Financial Industry Regulatory Authority (FINRA) rules. If you plan in the near future to collect health data or engage in FINRA-regulated activities, such as buying and selling securities, acting as a broker, or operating a funding portal, please let us know and we will update these documents to reflect your business model and activities.
What To Do If There Is A Data Breach
If a data breach does occur, loop us in immediately. Preserve the evidence: do not wipe or rebuild affected systems or delete logs before forensic experts have examined them, since the cause of the breach and the set of affected users must be established for the notices described above. We can help you navigate what to do and how to mitigate the damage, while also ensuring you meet all of the applicable reporting requirements.