Cisco Umbrella
Security

Data Breach Laws: What Security Professionals Need To Know

Stephen Lynch
Updated — March 11, 2020 • 3 minute read

According to David Inserra, a research associate in The Heritage Foundation’s Allison Center for Foreign and National Security Policy, and Paul Rosenzweig, former Deputy Assistant Secretary for Policy in the Department of Homeland Security, the high-profile onslaught of private-sector security breaches over the past few years warranted legislation to improve the country’s cybersecurity posture. In an article on cybersecurity regulation posted last fall, Inserra and Rosenzweig pointed out that the government itself was also hit with its own, less publicized cybersecurity breaches and failures: 23 separate incidents across several different agencies in 2013 and 2014.
Fast forward to this year’s State of the Union address, after which President Obama did in fact outline new legislation that will determine when and how consumers and businesses are informed about data breaches that expose their personally identifiable information (PII). As recently as last week, two more bills covering data breach notification were reintroduced in the House and Senate. In both cases, the federal legislation would replace what was described as a “patchwork” of existing state data breach notification laws.
Now that the cards are falling where they may, what do businesses need to know about this proposed legislation?

Proposed Federal Laws: How They Could Impact Your Business

The proposed legislation’s effectiveness is debatable, as is its potential impact on consumer privacy. But as a practical matter, what do these laws mean for your business? Below, we’ve summarized several analyses and commentaries on the proposed legislation, collected over the past two weeks.
Would every company be affected by the proposed bill?
The proposed legislation would not affect non-government-contracted businesses that collect records on fewer than 10,000 individuals in the course of a year.
Also, if your company stores health care information, you are already subject to the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule and other rules that govern health records. However, several states’ attorneys general have said that companies holding health care information not currently covered by HIPAA would no longer be affected by the state data breach laws that currently dictate a notification timeline.
How will notification laws change?
The proposed legislation provides a 30-day window for notifying consumers. One major change, however, is that the law also requires businesses to notify the media when a breach exposes the PII of more than 5,000 individuals.
How would this affect my work as a security professional?
The proposed federal law allows for a risk assessment to prove that, despite data theft or loss, “there is no reasonable risk that a security risk has resulted in, or will result in, harm to the individuals whose sensitive personally identifiable information was subject to the security breach.”

Existing State Laws: Preparing for the Worst Case Scenario

The 2014 Verizon Data Breach Investigations Report (DBIR) lists over 1,367 confirmed data breaches over a one-year period. Any company operating in multiple states would have to navigate dozens of wildly different laws to determine when, why, and whether customers should be notified. Dozens of legal websites summarize data breach notification laws state by state (here’s one example). These sites can give you a starting point for understanding existing laws, but they’re no substitute for actual legal counsel.
To put the issue into perspective, this Bureau of National Affairs article outlines the dizzying variety of “personally identifiable information” as defined in state law: some states include insurance information, others biometric data, and still others include login credentials and passwords.
Tom Hash, director of security engineering at OpenDNS, concurs that these laws can be very difficult for security experts to track. “[Security professionals] are faced with 47 different state laws that can change when they’re not paying attention,” he said. “In some cases, the companies I talk to end up having to figure out their notification guidelines under these laws after the breach has happened.”
Many security professionals already plan for the worst possible scenario. This means assuming they will have to respond within the tightest notification time frame (Connecticut’s five days to notify regulators or Maine’s seven days to notify consumers) and under the most stringent definition of PII provided in any applicable state law. Professionals should also account for special circumstances, such as California, where the law applies to any company storing a state resident’s data, even if the business does not operate within that state.

The Bottom Line

While the Personal Data Notification & Protection Act is not yet law, it is imperative that companies prepare for it, or for another law that may be very similar.
Such preparation requires a major collaborative effort between your company’s IT department, security team, marketing team, and legal counsel. It is a good idea to lay out internal and external communication and action plans, and to put those plans into practice.

© 2023 Cisco Umbrella