Data Breach Compliance Legislation Is Coming: Are You Ready?
Not every headline coming out of Washington this month is about the debt ceiling and the budget. Lawmakers have also been moving ahead with legislation that would require companies to notify customers about data breaches that affect them. That’s not a surprise when you consider that 2011 may already be the “Year of the Data Breach.”
While it’s impossible to say where the next major data breach will happen, it’s a sure thing that data security compliance is only going to get more, not less, important in the coming months and years. While governments are tightening the rules on how organizations must disclose data breaches, the costs of these breaches continue to add up. For example, the cost of the Sony PSN breach has already passed the $171M mark, and Nasdaq announced last week that it will spend significantly more on proactive cyber security measures:
"...the company (Nasdaq) boosted 2011 cost projections, in part because of higher information security expenses. Expenses should now total $950 million to $965 million this year, up from the $920 million to $940 million estimated in February."
These costs are unsettling on their own, but the further question is how your business would be affected by data breach compliance requirements and the penalties that come with them. In part one of this series I’ll look at current and pending data breach regulations, and in part two I’ll review what companies can do to get ready for them.
Overview: Data Breach Compliance Regulation in the United States
First, let’s take a look at what is currently being proposed in the U.S. Congress. It is important to understand at the outset that nearly every state has a data breach notification law on its books. Congress is attempting to simplify this with a national standard — think Sarbanes-Oxley for data breach compliance. The Center for Democracy & Technology has a comprehensive rundown of the bills:
At present, there are a number of pending data breach bills, including Representative Rush’s DATA, Representative Bono Mack’s recently marked up SAFE Data Act, and Senators Pryor and Rockefeller’s (acronym-free) Data Security and Breach Notification Act. Other pending legislation, including Senator Leahy’s Personal Data Privacy and Security Act as well as the White House’s Cybersecurity Proposal, also addresses data breaches.
Each of these bills focuses on the need to encourage better cyber security and notification policies in order to reduce the number of breaches and ultimately protect citizens’ information. And while all of them differ in scope and specifics, each would make it necessary for organizations to take a much closer look at:
- Network and data center security, at the device, system, and application levels
- What constitutes a notifiable data breach (the notification trigger) and, once one occurs, the ability to notify the correct regulatory authorities and the affected individuals
- Data collection and information sharing in order to provide regulators with the right level of information after a breach
- Posting of a data breach “certification” that adequate measures have been taken to secure the organization’s data from a future breach
Finally, whatever national law is put into place must either work alongside the existing state laws or be strong enough to preempt them outright.
Fragmented Data Breach Regulation in the European Union
Painful and costly lessons in the United States and Japan are also forcing change throughout the European Union. In many respects, the EU has taken the global lead in data breach protection, notification, and regulation with its current ePrivacy Directive. The directive requires ISPs and telecom providers to keep personal data secure and to notify the authorities in a timely fashion after a breach. Unfortunately, parts of the directive sit uneasily with the laws of individual nations, which has led to conflicts among member states. Additionally, the directive covers only ISPs and telcos, not online gaming companies, banks, ecommerce sites, and the other organizations that are frequent targets.
The EU member states are currently in a review mode until September 9, 2011, when they will suggest potentially major changes to the ePrivacy Directive. These changes could have a very large impact on European organizations, as well as on multinational corporations headquartered in the United States that do big business in Europe. To complicate matters, this may happen in the same time frame that we see some of the current U.S. legislation move forward.
Global Data Breach Regulation Is a “When,” Not an “If”
We know data breach regulation will become a national reality in the United States at some point, and regulations will be strengthened in the EU as well as in parts of Asia. The result will be companies and agencies scrambling to comply, along with stiffer penalties for failing to do so: fines, orders to cease operations, and lawsuits.
This year’s historic string of data breaches — Sony, RSA, Citigroup, the FBI, the IRS, etc. — has raised public consciousness of the problem. It is only a matter of time until data breach regulation — strong regulation — is in place.
What is your company doing today to prepare? Or are you in a “wait and see” mode?