Frequently asked data loss and breach reporting questions

breach reportingWhat is data breach reporting?

When a breach occurs the clock starts ticking to comply with federal, state and other laws. Reporting involves the where, when and how of the incident.

What is personally identifiable information or PII?

The simple answer is it’s anything that can be used to identify you.
Types of personal information include name, address, phone, email, birth dates, Social Security numbers, driver’s license, bank account, and credit card information.
The loss of this information leads to identity theft.
Other personal information includes health information, medical records, Vehicle Identification Numbers, license plate numbers, login credentials and passwords, school records as well as voice recognition files. Fingerprints, retina scans, and handprints are also considered personal information.

What is a breach of personally identifiable information?

The unauthorized access, loss, use or disclosure of information by either accident or criminal intent which can identify an individual.

What are some examples of a breach?

A breach can occur in many ways, including through lost laptops or smartphones, improper disposal of paper records, or intrusion into your network or PC by hackers. The definition continues to expand.

Who do I need to report a breach to?

More than 100 countries, as well as 300 federal, state and local authorities, require reporting. In addition, reports may need to be filed to Visa, MasterCard, and other non-governmental entities. Who you need to report to in the event of a particular breach may depend on multiple factors, including where customers locations and what kind of PII was involved in the breach.

Who are the enforcement agencies and others who might be involved after a breach?

Enforcement officials include various federal and state agencies as well as attorneys general, commissioners and others. Here are a few examples:

  • Federal Bureau of Investigation (FBI)
  • US Secret Service
  • Federal Trade Commission (FTC)
  • Dept. of Health and Human Services/Office of Civil Rights
  • Card brands like Visa, MasterCard, etc.
  • State Attorneys General

What laws govern personally identifiable information?

Here are a few examples of the hundreds of laws and regulations that relate to the protection of personally identifiable information and requirements to report suspected or r

  • Individual laws by 47 states and Washington DC
  • Payment Card Industry Data Security Standard (PCI-DSS)
  • Gramm-Leach-Billey Act (GLBA)
  • Dept. of Health and Human Services/Office of Civil Rights
  • Fair Credit Reporting Act (FCRA)
  • Health Insurance Portability and Accountability Act (HIPAA)

What is the difference between PCI and personal information?

PCI data is just one type of personally identifiable information. The PCI Data Security Standard protects credit cardholder data such as debit or credit card number, expiration date and card security code.

What does this service do?

It helps you fulfill your mandated requirement to comply with federal, state and other laws to report the loss of personally identifiable information.

How does this service work?

It’s a simple process. If you lose, or even suspect you may have lost, personal information, just call the Breach Reporting Hotline, professionally managed by CSR. Privacy professionals take the information and file any mandated reports, if they are required.

What are the hours of your service?

CSR operators accept calls 24 / 7. Calls received between 9 AM – 6 PM Eastern will be returned by a privacy professional the same business day within 2 business hours. Calls placed after 6 PM Eastern will be returned the next business day by a privacy professional.

What qualifications do the CSR “experts” have to collect this information and file reports?

CSR personnel have all received and maintain one or more CIPP (Certified Information Privacy Professional) certifications from the International Association of Privacy Professionals (IAPP). As a company, CSR is certified in every concentration available, which includes the CIPP U.S., Canada, Europe, and Government, the CIPM designation for Certified Information Privacy Manager, and the CIPT designation for Certified Information Privacy Technologist

What number do I call in the event I think I have lost personally identifiable information?

In the event you believe you may have lost personal data, call the Breach Reporting Hotline number you receive from us. If you’ve misplaced the number, please call us.

Do I have to file the reports?

No, our service will file reports, as necessary, on your behalf.

What if I’m not sure whether I have lost data?

You should still call the Hotline. Leave it to the privacy professionals to determine whether any reports need to be filed.

Will you share the details of my reports?

The privacy professionals are not allowed, by law, to relate what you tell them to anyone other than the authorities who mandate reporting.

Can I opt out of the program if I don’t want it?

We don’t recommend it. We provide this service at an affordable price to enable you to comply with mandated reporting in the event of an incident. You’ll have privacy experts who will relieve you of this burden. If you opt out, you increase your risk of liability, including civil and criminal sanctions, from failing to meet the reporting requirements.

Can I opt out later after I see how it goes?

You can opt out at any time, but remember you will increase your risk of liability, including civil and criminal sanctions, from failing to meet the reporting requirements.

I already have this service from someone else.

It is highly unlikely. The CSR award-winning, patented, services were designed and developed by CSR privacy experts. It is not insurance. If you are not sure, provide us with information on the other provider and we will review it to compare.

Click here to learn more about our data loss preparation and breach reporting services.


Request Your Quote


  • This field is for validation purposes and should be left unchanged.

About our team

Arkansas Records Management is a professional service company based in Hot Springs, Arkansas. We serve organizations throughout the state including Little Rock. Our staff eats, sleeps, and breathes files, indexed fields, retention schedules, audit trails, scanning, and shredding.

As records become more and more complex, and the task of properly managing your firm's documents become overwhelming tasks, we have the solutions to solve those issues and free up your staff and resources to do more of what you do best.