Is a National Data Breach Law Closer to Reality?
A national data breach notification law is a few steps closer to being passed – but not there yet.
According to a recent report, the House Energy and Commerce Committee approved the Data Security and Breach Notification Act, but the chairman said the legislation is not ready for a vote by the full House of Representatives.
In January, President Obama called for a national law to better protect Americans whose personal and financial information has been compromised in a data breach. It is part of a larger effort to support data security and protection – and the timing is perfect considering 2014 has been dubbed the ‘year of the breach’.
The 2nd Annual Study on Data Breach Preparedness by Ponemon showed that the average cost of a data breach increased 15% in 2014 to 3.5 million, and that 43% of companies had a data breach in the past year, up 10% from the year before. As an industry expert pointed out in a Forbes.com article: “that number is staggering and shows no sign of retreat.”
According to a White House factsheet, the proposed data protection act would establish a 30 day notification requirement from the discovery of the breach. It would also provide businesses with a single national standard.
Currently there is a “patchwork” of 47 state breach notification laws that vary in how personal information is defined and who has to be notified and when.
Companies can spend millions of dollars complying with all the state laws, said one security firm executive in a scmagazine.com story. “Tack on the cost of a breach, the cost of cleanup, lost revenue and lost market share, and there’s a very strong sentiment in the business community to finally get something done this year.”
At the same time, some people argue that a national breach notification standard would “scale back our state’s essential safeguards against cybercrime,” according to one Massachusetts representative in a Thehill.com report.
Interestingly, amendments added to the bill include a requirement for breached third-party vendors to notify affected consumers and a requirement for the Federal Trade Commission (FTC) to provide education for small businesses regarding data security, according to an Integrated Solutions for Retailers report.
Regardless of when a national data breach law is passed, all organizations are encouraged to be prepared for a data breach. Here is a checklist.
Have a data breach response team in place.
Appoint a Chief Information Security Officer – having senior executives involved improves data breach response, according to the data breach preparedness study by Ponemon.
Review, update, and regularly train employees on the data breach preparedness plan.
Invest in the latest IT software and protection.
Use risk assessments to identify valuable data – and protect those assets.
Run practice drills – Ponemon research shows they improve the effectiveness of a data breach response plan.
Consider cyber insurance.
Find out how secure document management and destruction is part of security crisis planning too.