June 02, 2015

9 Reasons Why It’s Not Easy to Implement Data Breach Laws

You would think that legislated data security standards are pretty straightforward, but they’re not.

Here are 9 reasons why it’s not always easy to implement data breach laws.

  • State privacy laws differ. There is a ‘patchwork’ of state data security and breach laws in the U.S. Since California passed the first one in 2002, 47 states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands have passed legislation that requires organizations to notify individuals of security breaches involving Personally Identifiable Information (PII).  
  • Definitions. ‘Personally Identifiable Information’ is defined differently by different states. Sometimes insurance information is included; other times, biometric data. Others include login credentials and passwords.
  • It can be confusing. According to a mediapost.com story, legislators are currently supporting more than half a dozen data breach and data security bills, and there are more in the works. “None of the bills spell out detailed data security standards.” An industry expert in a SCmagazine.com article concludes: “It’s especially difficult for a small business owner to have a good understanding of this maze and be able to implement the rules if needed.”
  • Constant flux. According to the National Conference of State Legislatures, in 2014 at least 23 states introduced or considered amendments to existing security breach laws.
  • Geography. Any company operating in multiple states has to navigate dozens of different laws to determine if, when, and why customers should be notified.
  • A national law? A national data breach law that would pre-empt state laws is still being debated. Those against it argue that a federal standard would weaken existing consumer protections.    
  • Industry matters. Some privacy legislation depends on the industry. If a company stores health care information, for example, it is subject to the Health Insurance Portability and Accountability Act (HIPAA).
  • Lack of understanding. A recent study by security firm Software Advice showed that only 33% of small businesses feel “very confident” in their understanding of their states’ breach disclosure legislation; 34% feel “moderately confident”, and 14% feel “not at all confident”.
  • Other complications. The Software Advice study noted that other aspects of security laws may vary from state to state. For example, the time that can elapse before customers must be informed of a breach ranges from “without unreasonable delay” to very specific limits of two to 45 days.

While there are a lot of loose ends, what is clear about data breaches is the cost and damage to reputation and bottom line. According to the 2014 Cost of Data Breach Study: Global Analysis by Ponemon, U.S. companies had the most costly data breaches at $195 per record. The U.S. also had the highest total cost – $5.85 million – of all the countries in the study.

While being compliant is critical, it shouldn’t take the threat of legal action to put safeguards in place. Today, every organization should be committed to protecting private information in the workplace. That means investing in security incident assessment and reporting solutions that follow state and federal laws. It also means implementing a culture of security in the workplace with clear information management and information destruction policies.

A Shred-All policy is a great example of a workplace policy that can help an organization comply with data breach laws.