Everyone knows there are many different privacy laws in place that specify data security and privacy requirements.
But there isn’t a national data breach law in the U.S. – and many people think there should be.
In fact, over the past year there’s been an increase in support for national data breach notification legislation by both government officials and information security experts.
How would a national standard for data breaches improve information security?
- It would target retail. With the escalation of mega breaches in the retail industry, it’s important to have national standards on data security and breach notification. According to the Privacy Rights Clearinghouse, over 59 million records were exposed in 43 reported breaches by retailers in 2014 compared to just 224,478 records exposed in 107 reported breaches in 2012.
- Privately-held companies would be accountable. While public companies have to inform consumers of a security breach (as long as there’s no interference with law enforcement investigations), the national standard would make privately-held companies accountable too.
- Consumer data would be safer. Cyber criminals know retailers handle a lot of consumers’ personally identifiable information. A cyber security policy would make retailers more responsible for this information.
- EMV Chip. National information security regulations would complement the imminent chip-and-PIN technology.
- Notifications would be quicker. A national standard would stipulate quickly alerting consumers whose information may be compromised, said former Attorney General Eric Holder in this Washington Post blog. Currently, different state laws are a mish-mash of rules and regulations. This video includes a privacy law compliance checklist.
- Consumers could better protect themselves. Holder said the faster people are made aware of a breach, the sooner they will be on the lookout for any suspicious activity in their various credit card and other accounts. Here are guidelines for damage control after a security breach.
- It would help catch criminals. Law enforcement can only get involved if and when information is divulged. Plus, compromised entities would be held accountable when they fail to keep sensitive information safe, said Holder.
- It could save money. In an article, Rachel Thomas of the Direct Marketing Association said: “Businesses could save money if they didn’t have to call on lawyers to help ensure they’re complying with various laws.” Also, the 2014 Cost of Cyber Crime Study by Ponemon showed the average cost of cybercrime for U.S. retail stores more than doubled from 2013 to an annual average of $8.6 million per company in 2014.
- Where a person lives won’t matter. “You shouldn’t have more or less protection because of the state you reside in,” commented Eva Velasquez, chief executive of the Identity Theft Resource Center in San Diego, in the Washington Post blog. Standards for data breach notification and data security differ depending on what state you are in. For example, in Virginia, reporting depends on the level of exposure of the data. In Delaware, a new data destruction law means companies doing business there are obliged to completely destroy consumers’ personally identifiable information when those records are no longer retained. Every organization should implement these data destruction best practices.
Staying up-to-date on privacy laws and legislation can be a challenge. Here are steps to help your company stay compliant.