Your Fitness Business Suffered a Data Breach. Now What?

The term "data breach" is usually one of the last things a health club owner or operator wants to hear happened at their club. It's enough to break the savviest business owner into a sweat. Before your heart rate bursts out of the red zone, remember to breathe. There are some best practices you can use to respond to a data breach.

You had already taken all the right steps to protect your members’ and employees’ sensitive, confidential, or otherwise protected data. Although, even if you do everything right, things can still go wrong. Which is why before you can respond to a data breach, it's crucial to understand how it can impact your business.

How a Data Breach Can Impact Your Health Club

Most states have data privacy laws placing the responsibility for safeguarding certain types of employee and consumer information firmly on the businesses holding the information. In the event of a data breach, it is you the business owner, that will have to respond.

Data breaches can cost businesses real money. The Ponemon Institute—which tracks the cost of data breaches—reported the average total cost of a data breach in 2018 was $3.86 million and the average cost per stolen or lost record was $148.

If your club has 2,000 members and half become victims of a data breach, it could cost your business up to $148,000. Add to this the damage to your reputation and the loss of trust from your members, and you can begin to see the severe damage a data breach can cause your business.

So what do you do now? Well, you have discovered the problem and believe it or not, that is a big first step.

Best Practices in Response to a Data Breach

Investigate & Remedy

As soon as you become aware of the breach, you need to launch an investigation. Go to the scene of the incident, interview employees, and try to establish what has happened and how.

You are seeking to determine:

• What information was compromised?
• Was it a hack (an intentional act with likely criminal motives)?
• Was it a mistake (e.g., an employee left their laptop unattended, and it was stolen)?
• Was it a process failure (a gap in security practices compromised the information)?

Understanding the nature of the breach will allow you to take immediate actions to contain or remedy the situation and help you identify the appropriate next steps.

If your investigation leads you to believe you have been the victim of hacking, you should notify the police.

Identify and Follow State Data Breach Laws

There is no federal law governing what happens in the event of a data breach. Federal law is generally restricted to specific industries like healthcare and financial services. Your focus should be on knowing state law.

Every state has a data breach law laying out the steps businesses must take to respond to a data breach. Every state law is different, including what is considered protected information—commonly referred to as personally identifiable information (PII)—and what activities are considered a breach.

While definitions of PII vary by state, they commonly include:

• medical information,
• biometric information,
• financial information,
• an individuals' name plus social security number or driver's license number.

North Carolina and North Dakota are good examples of the different twists states can put on the law. In these states, the law considers your mother's maiden name PII, because bank accounts and employee files frequently use it as a security question.

Does the Data Breach Trigger a Notification?

If the compromised data is considered PII under the law, you need to figure out if your incident is one that triggers a notification requirement. Identify which data breach notification laws apply to your situation, and determine if what has happened is considered a "breach" under the law. If it is, you will need to notify any affected individuals.

This is where it can get a little tricky. Businesses must follow notification requirements based on the data breach law of the state in which affected individuals—including both employees and consumers—reside, not the location of the business. If affected individuals reside in several different states, figuring out the proper notifications to send out can get complicated quickly. You may need to consider getting legal counsel.

Some states require notification if an unauthorized person accesses the PII. A hacker or thief using a stolen employee's computer are two examples of an unauthorized person accessing protected data.

Other states base their notification requirements on what is called a “risk of harm analysis.” What is the likelihood of harm to the affected individual from the loss of the data? Risk of harm analysis considers things such as the use of encryption, and other precautions that may make it less likely a thief could effectively access the PII.

In such a case, you might determine that the risk of harm to the individual is low and no notification is required. If you decide not to notify, you usually have to document that decision and keep it on record for a specified number of years.

Also, be sure to check your vendor agreements to see if any clause triggers a notification in the event of a data breach.

Who Receives Notification

If you determine you need to notify your members of a data breach, the appropriate state law will tell you who should receive the notice. These laws will also stipulate the timing and enforcement of the notice. Typically, states require businesses to provide written notice to affected individuals. In more than 30 states, businesses are required to provide notice to either the state attorney general or another state agency—typically a consumer protection agency.

If the compromised information is health information protected under HIPAA, you may need to notify the U.S. Department of Health and Human Services.

Content of Notice

Some states require you to provide certain information and use specific language in a data breach notification. For example, the California breach notification statute outlines the format and content of a notice. While notification requirements differ state to state, as a general rule, notifications should include:

• Type of personally identifiable information breached
• Date of the breach
• General description of the breach

Timing of Notice

Similarly, the timing of sending a notification varies from state to state, but states generally follow one of two approaches.

The first requires that affected individuals be notified “in the most expedient time possible, without unreasonable delay.” The meaning of this varies on a case-by-case basis. It usually depends on when the business became aware of the breach and when it had an opportunity to investigate.

The second requires notification within a set number of days or weeks. If the state requires the business to notify the state attorney general or other state agency, that notice usually has to be sent within a set time frame. The timing of giving notice can often be delayed if your breach is the result of a suspected criminal act and the police are investigating the incident.

Enforcement

Some states grant enforcement power over the notification law to the attorney general. Meaning the attorney general is responsible for determining whether the business complied with the law and if not, what the fine should be.

Others provide a private right of action, which allows individuals affected by the data breach to sue the business responsible for damages, opening the floodgates for class-action lawsuits.

Risk Mitigation Steps

You suffered a data breach. You did your investigation. You provided the required notices. Now what?

The final step is to reassess your data security practices and processes. Make sure you are following best practices and strengthen any areas of identified weakness. The best way to avoid the cost and reputational damage from a data breach is to do everything you can to prevent the data breach in the first place.