According to David Inserra, a research associate in The Heritage Foundation’s Allison Center for Foreign and National Security Policy and Paul Rosenzweig, former Deputy Assistant Secretary for Policy in the Department of Homeland Security, the high-profile onslaught of private-sector security breaches over the past few years warranted legislation to improve the country’s cyber security posture. In an article on cybersecurity regulation posted last fall, Inserra and Rosenzweig pointed out that the government itself also was hit with its own less publicized cybersecurity breaches and failures – 23 separate incidents across several different agencies in 2013 and 2014.
Fast forward and following this year’s State of the Union address, President Obama in fact did outline new legislation that will determine when and how consumers and businesses are informed about data breaches that expose their personally identifiable information (PII). As recent as last week, two more bills covering data breach notification were reintroduced into the House and Senate. In both cases, the federal legislation would replace what was described as a “patchwork” of existing state data breach notification laws.
Now that the cards are falling where they may, what do businesses need to know about this proposed legislation?
Proposed Federal Laws: How They Could Impact Your Business
The proposed legislation’s effectiveness is debatable, as well as the potential impact on consumer privacy. But as a practical matter, what do these laws mean for your business? Below, we’ve summarized several analyses and commentaries on the proposed legislation, collected over the past two weeks.
Would every company be affected by the proposed bill?
The proposed legislation would not affect non-government contracted businesses that collect records on less than 10,000 individuals in the course of a year.
Also, if your company stores health care information, you are already subject to The Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule and other rules that govern health records. However, several states’ attorneys general have said companies that hold health care information not currently under HIPAA would no longer be affected by state data breach laws that currently dictate a notification timeline.
How will notification laws change?
The proposed legislation provides for a 30 day window for notification to consumers. One major change, however, is the law also requires businesses to notify the media when a breach exposes the PII for more than 5,000 individuals.
How would this affect my work as a security professional?
The proposed federal law allows for a risk assessment to prove that, despite data theft or loss, “there is no reasonable risk that a security risk has resulted in, or will result in, harm to the individuals whose sensitive personally identifiable information was subject to the security breach.”
Existing State Laws: Preparing for the Worst Case Scenario
The 2014 Verizon Data Breach Investigation Report (DBIR) lists over 1,367 confirmed data breaches over a one-year period. Any company operating in multiple states would have to navigate dozens of wildly different laws to determine when, why, and if customers should be notified. Additionally, dozens of legal websites summarize data breach notification laws state-by-state (here’s one example). These sites can give you a starting point to understanding existing laws, but they’re no substitute for actual legal counsel.
To put the issue into perspective, this Bureau of National Affairs article outlines the dizzying variety of “personally-identifiable information” as defined in state law–some states include insurance information, others biometric data, and still others include login credentials and passwords.
Tom Hash, director of security engineering at OpenDNS, concurs that these laws can be very difficult for security experts to track. “[Security professionals] are faced with 47 different state laws that can change when they’re not paying attention,” he said. “In some cases, the companies I talk to end up having to figure out their notification guidelines under these laws after the breach has happened.”
Many security professionals already plan for the worst possible scenario. This means assuming they will have to respond in the tightest notification time-frame (Connecticut’s five days to notify regulators or Maine’s seven days to notify consumers) and under the most stringent definition of PII provided in any applicable state law. Professionals should also account for special circumstances, like California, where the law applies to any company storing a state citizen’s data, even if the business does not operate within that state.
The Bottom Line
While the Personal Data Notification & Protection Act is not yet actual law, it is imperative that companies prepare for it or another law that may be very similar.
Such preparation requires a huge collaborative effort between your company’s IT department, security team, marketing team, and legal counsel. It is a good idea to lay out an internal and external communication and action plan, and put those plans into practice.
You may also want to look into your state government’s recommendations. For example, California’s Office of the Attorney General has a list of best practices and recommendations here.