data breach header


Provided by CSR

The loss of personally identifiable information (PII) is on the rise as technology, like laptops and USB drives, becomes more portable. While DataSafe protects records sent offsite, there are many other forms of PII that are not sent offsite and are vulnerable to a breach.

DataSafe is partnering with CSR, an industry leader in risk management, to help businesses respond quickly to a data breach. The CSR Breach Reporting Service™ ensures your company complies with legal requirements to report a loss or breach of PII within your company to an ever-increasing number of authorities, your consumers, and other affected individuals. There may be as many as 300 authorities in the U.S. and Canada involved. Many require reports immediately or within 24-72 hours after an incident.

Once enrolled, in the event of an actual or suspected loss, breach or compromise of PII within your company, a member of the CSRPS team of privacy professionals initiates the evaluation of the incident to determine and inform you if authorities and consumers must be notified. Reports are filed with authorities in a timely fashion as stipulated by law and consumer notification can be prepared with your input.

For more information on Breach Reporting Services, please Request a Quote or call 800-275-SAFE.

View the CSR Breach Reporting Service Video.
View CSR Case Studies.

Frequently Asked Questions


Why do businesses need this service? View
All organizations that have employees, customers or vendors must, by law, comply with requirements to report and notify consumers of the loss, or suspected loss, of personally identifiable information.

If organizations don't have this service, what could happen? View
Failure to report actual or suspected data loss - whether accidental or criminal, within legally mandated time frames may lead to fines, as well as civil and criminal sanctions.

For example, Visa can assess fines of up to $100,000 per breach against businesses that fail to properly report an incident. Lost trust means lost sales. The fallout of data breaches has caused businesses to close their doors. The FTC and Visa recommends that businesses plan ahead to reduce risk.

Why companies shouldn't try to do this themselves View
Liability rests entirely with you, as well as civil and criminal sanctions, on both state and federal levels. Penalties for missing just one report to authorities can be $15,000-100,000.

New rules continue to take effect, types of data that must be protected increase, and additional agencies pile on new requirements. Short time frames to meet requirements make the learning curve unrealistic.

Trained, certified privacy professionals use a proprietary system to evaluate your circumstances against hundreds of rules and regulations to determine whether reports need to be filed and/or consumers, consumer credit bureaus, and other entities notified.


What is personally identifiable information? View
The simple answer is it's anything that can be used to identify you. The loss of this information leads to identity theft.

Types of personal information include: name, address, phone, email, birth dates, Social Security numbers, driver's license, bank account and credit card information and the list continues to grow with new and revised legislation and court rulings.

Other personal information includes health information, medical records, Vehicle Identification Numbers, license plate numbers, login credentials and passwords, school records as well as voice recognition files. Fingerprints, retina scans, and handprints are also considered personal information.

What is the difference between PCI and personal information? View
PCI data is just one type of personally identifiable information. The PCI Data Security Standard protects credit cardholder data such as debit or credit card number, expiration date and card security code.

What is a breach of personally identifiable information? View
The unauthorized access, loss, use or disclosure of information by either accident or criminal intent which can identify an individual.

What is data breach reporting? View
When a breach occurs the clock starts ticking to comply with federal, state and other laws. Reporting involves the where, when and how of the incident.

What is consumer notification? View
Almost every state has enacted a data breach notification statute. These laws generally require businesses that have personal information about residents within a state notify those residents when that data is compromised.

What are some examples of a breach? View
A breach can occur in many ways, including through lost laptops or smart phones, improper disposal of paper records, or intrusion into your network or PC by hackers. The definition continues to expand.

Who do you need to report a breach to? View
Over 100 countries, as well as 300 federal, state and local authorities in the U.S. and Canada require reporting. Reports may also need to be filed to Visa, MasterCard and other non-governmental entities.

What laws govern personally identifiable information? View
Here are a few examples of the hundreds of laws and regulations that relate to the protection of personally identifiable information and requirements to report suspected or real loss.
  • Gramm-Leach-Bliley Act (GLBA)
  • Fair Credit Reporting Act (FCRA)
  • Drivers Privacy Protection Act (DPPA)
  • Health Insurance Portability and Accountability Act (HIPAA)
  • Health Information Technology for Economic Clinical Health (HITECH) Act
  • Payment Card Industry Data Security Standard (PCI-DSS)
  • Family Educational Rights and Privacy Act (FERPA)
  • 47 state data breach laws

Who are the enforcement agencies and others who might be involved after a breach? View
Enforcement officials include various federal and state agencies as well as attorneys general, commissioners and others. Here are a few examples:
  • Federal Bureau of Investigation (FBI)
  • US Secret Service
  • Federal Trade Commission (FTC)
  • Dept. of Health and Human Services/Office of Civil Rights
  • Card brands like Visa, MasterCard, etc.
  • State Attorneys General

What if personally Identifiable information under my care is encrypted, redacted, or masked? View
Even if the material is encrypted, redacted, or masked, various regulations still require you to report. If it is encrypted, and the encryption key has been potentially compromised, reporting is required and/or notification is required.


Who is CSR? View
CSR Professional Services, Inc. is a leading provider of award-winning data life cycle management and expert services for businesses domestically and around the globe. CSR enables compliance with Personally Identifiable Information (PII) requirements while facilitating best practices to reduce the business risk and financial liability associated with the acquisition, handling, storage, sharing and disposal of data.

How many companies use this service? View
Hundreds of thousands of businesses have enrolled in this breach reporting service.

What qualifications do these "experts" have to collect this information and file reports? View
These experts have all received and maintain one or more certifications from the International Association of Privacy Professionals. Specialties vary from U.S., Canada, Europe, to IT, Government and the CIPM designation for Certified Information Privacy Manager.

Request Quote


data breach pdf