Data Break Jigsaw
More than 1,300 data breaches were reported last year at companies around the world, according to the 2014 Data Breach Investigations Report from Verizon. A breach was defined as “an incident that results in the disclosure or potential exposure of data.” Other studies identified significantly more than 1,300. Either way, the number of unreported breaches likely dwarfs the number of reported breaches.
Companies are obligated to report such data breaches to affected parties as well as to regulatory agencies under most state laws. Since California became the first state to enact a data breach notification law in 2002, 46 other states have followed suit with Kentucky becoming the most recent when it approved a data breach notification law in April of this year. Only three states–New Mexico, South Dakota, and Alabama–do not have such a law. The New Mexico House of Representatives unanimously passed a data breach bill in February. However, the state’s Senate failed to act on the bill.
According to Judith Germano, a senior fellow at the NYU School of Law, Center on Law and Security, and a founding partner at GermanoLawLLC, state data breach notification laws are safeguards for customers whose data may have been compromised. “The focus is on providing consumers and other affected parties with information in the event of a data breach, to let them know in a timely manner so that they can take action, whether it’s by changing PIN numbers or checking credit reports, or otherwise protecting their personal information,” she tells Security Management.
In addition to damaging a brand’s reputation, the legal consequences of failing to comply with data breach notifications are daunting. “There’s also a host of wide-ranging litigation that companies can face….and then they also have to prepare for…liability brought by regulators as well as civil litigants,” she notes.
The patchwork of state legislation, along with varying industry standards and requirements, poses a challenge for companies that operate in multiple jurisdictions. “That is the challenge with not having a federally mandated breach notification,” says Chad McManamy, assistant general counsel at Guidance Software. “There isn’t that consistency. Most breached companies are dealing with individuals across state lines, it’s not like they’re going to be limited to one particular jurisdiction. So they’re going to have to weigh and balance the notification laws of individual states.”
Experts point to the Target security breach in December 2013 as a recent example of the difficulties organizations face in the absence of a federal law. “It’s difficult for companies like Target who face big data breaches to comply right now because there’s not one single uniform standard they can look to for clear direction,” says Todd Hinnen, partner with the privacy and security practice at Perkins Coie law firm and former head of the national security division at the Department of Justice. “They have to try and interpret the standards of 47 different states, which vary with respect to what triggers them, and what kind of information is protected….”
Currently no federal framework for national data breach notification legislation is poised to become law. Several bills have been introduced in Congress in the past that include federal data breach notification requirements, such as the Data Accountability and Trust Act, and Personal Data Protection and Breach Accountability Act, both introduced in early 2014. (Neither of the two bills has been considered since their introduction.)
Hinnen points out that recent efforts by Congress have attempted to lump data breach notification into broader cybersecurity legislation, a move that makes it more difficult to pass national breach notification laws. “It’s gotten caught up in the broader discussion of cybersecurity and what the government’s role is with respect to that, and I think that’s unfortunate,” he says. “This should be a pretty clear task for Congress to accomplish, and it certainly would be helpful to companies to give them the clarity of a uniform standard.”
In lieu of a federal standard, states continue to bolster their own requirements to better deal with incidents like the Target breach. For example, two California lawmakers introduced a bill in February that would hold retailers liable if a California resident’s data is compromised. The bill, coined the Consumer Data Breach Protection Act, would require businesses in possession of sensitive customer information, such as Social Security numbers and payment card data, to reimburse the “reasonable and actual costs” of the data breach.
The Department of Justice has been involved in a push for a federal standard. In February, Attorney General Eric Holder called for Congress to pass a national data breach notification law that would require companies to quickly alert consumers when a breach occurs. There is also lobbying for a federal data breach notification standard among industry groups. One such organization, the Computing Technology Industry Association (CompTIA), lobbied Congress in July of last year to pass a federal standard, arguing that it would incentivize growth in the IT sector.
Varying privacy laws from state to state also pose a difficulty for companies when dealing with data breach notification. “One of the challenges we have in the United States is the sort of patchwork laws related to privacy, and depending on the type of information it is, it is covered by different laws. It makes it difficult to overlay legislation on top of that for data breach or cybersecurity because we have such a diversified framework of privacy laws,” says McManamy.
For example, what constitutes personally identifiable information in one state may be different in another. Normally the information consists of names, addresses, Social Security numbers, and credit or debit card data.
With the varying state frameworks, Germano says companies can follow a few best practices to ensure they’re complying with the laws. “Usually, the best practice for clients is to go to the state with the most stringent requirements and make sure that they comply with those nationwide, and that helps to protect them under all the laws,” she says.
Hinnen notes that there are steps companies should take before a breach occurs to ensure they’re prepared for any contingency. “The best thing that companies can do is know their data and know their network. They need to know what valuable data they’re in possession of, how they store it, how they secure it, how they use it, how they share it, and they need to know where on their network it lives and what security controls it’s subject to.” He adds that knowing which third party vendors have access to what aspects of company data is critical to securing sensitive information.
Hinnen advises companies to take a holistic approach to their data security program, seeing it as more than just an IT function. “Data security is also a legal function, and a risk management function, and an internal governance function, and a compliance function. And unless companies are organized to bring all of those resources to bear on their data security issues, then they don’t have an effective and holistic data security program in place.”