Data Breach Laws: Changes to Notification Rules Are Up in the Air
The business of data breach laws and breach notification can be very confusing.
Earlier this year President Obama introduced national breach legislation that would tighten notification. If passed, companies would have to notify consumers of a data breach within 30 days of confidential information being stolen. The proposed national standard would replace the 'patchwork' of 47 state breach notification laws.
But now there’s a new proposal before Congress that would allow companies to decide whether or not they even notify customers about a consumer data breach. According to a recent Wall Street Journal report, the law would ease data breach alert laws, giving companies time to analyze everything before determining next steps. If the breach could lead to serious identity theft or fraud, the company would have to notify customers quickly; if not, they could keep the incident to themselves.
Of course, what is known for sure is that information breaches are costly. Ponemon's 2015 Cost of Data Breach Study found that the cost of each lost or stolen record containing sensitive and confidential information increased 6% from a consolidated average of $145 to $154.
In 2014, a record 1.1 billion personal and sensitive records were compromised across 3,014 incidents, according to the 2014 Year-End Data Breach Quick View Report by Risk Based Security.
What are the current notification best practices for a cybersecurity breach and other data breaches?
Notification is managed by a dedicated Incident Response team with a Chief Information Security Officer (CISO) in charge. A comprehensive IR policy includes notification steps, timelines and checklists.
There is a system in place to stay informed about all the privacy laws that affect your business. Multiple state laws may apply to one data breach because jurisdiction depends on where the affected individuals reside, not where the business is located, warned the Data Breach Response Guide by Experian, 2013-2014 Edition.
Legal counsel is involved. You may not need to notify, for example, “if data was encrypted or an unauthorized employee accidentally accessed but didn’t misuse the data,” according to the Experian guide. Or, you may have to delay notification if it will hamper an investigation, according to the Best Practices for Victim Response and Reporting of Cyber Incidents from the U.S. Department of Justice.
There is a single voice message about the breach for potential victims, employees and the media. “A firm's best chance of survival after a breach is to limit rumors and enhance trust,” said security expert Jibey Asthappan in an online article. Apologize and offer free identity theft protection and credit monitoring services.
The timing of the notification is appropriate. In the same article, business consultant Bill Rosenthal said: “You'll get points for promptness -- and brickbats for delays.”
Issue the apology from senior management and express personal remorse. Rosenthal said notification can help to rebuild public trust. That’s important because one of the biggest costs of a data breach is the hit that reputation takes.
To improve compliance across the board, integrate secure document destruction and a Shred All Policy into the workplace as part of your document management policy.