It can be as simple as a misplaced mobile phone, a UBS drive that falls out of a pocket, a stolen laptop, or a system breach caused by a criminal. The common factor is data that is no longer in your firm’s control. You can have all the “best practices” in place to avert a cyber crime only to have it happen anyway.

Who ya gonna call: Ghostbusters?

New laws answer that question. State, federal and international laws govern your actions when your company faces a data breach. With the passage of California Assembly bill 1710 on Sept. 30, the list of “Who ya gonna call” includes a fraud alert service. The legislation requires that under certain circumstances an organization or person who experiences a data breach provide identity theft protection services to individuals whose personal information has been compromised. The statute requires a company that loses information to “offer affected individuals identity theft prevention and mitigation services … at no cost to the affected person for at least one year.” This requirement triggers ONLY when an individual’s name is tied to a social security number, a driver’s license number or a California ID number that has not been encrypted and has been acquired by an unauthorized person as the result of a data breach.

The new legislation also expanded the classification of California companies that fall under the statute: those who “maintain” personal information are legally required to implement reasonable security practices “appropriate to the nature of the information to protect data from unauthorized access, distribution, use, modification or disclosure.”

“Maintain” is defined as retention of personal information as part of the business’ “internal client or customer account for the purpose of using that information in business […]