The ripple effects of recent major data breaches leave no question about the need for increased federal reform on transparency. This is evident when we consider the very recent Target breach. Security experts, including BitSight CTO Stephen Boyer, have been calling for a regulated data breach notification standard that would simplify the numerous state laws currently on the books. Mirroring these calls, many government officials, including the Chair of the Federal Trade Commission and Attorney General Eric Holder, have stated that uniform standards are necessary for the economic and cyber health of the country.
As we know, data breach notifications have been on the minds of lawmakers in DC, many of whom have been asking for answers on the state of corporate cybersecurity in the U.S. Recently, committees in both the House and Senate conducted hearings on data breaches, trying to understand the reasons behind the breaches and what could be done to prevent future incidents.
Early steps on the road to reform
Here is a quick overview of some recently introduced bills in Congress:
Sens. Rockefeller (D-WV), Feinstein (D-CA), Pryor (D-AR) and Nelson (D-FL) have introduced the Data Security and Breach Notification Act of 2014, a piece of legislation that focuses on post-breach reporting. This bill sets a firm deadline of 30 days for businesses to notify consumers, authorities and third parties. It also mandates that third-party business partners and vendors be informed in the event of a data breach, a key component of increased transparency.
The Personal Data Protection and Breach Accountability Act of 2014, sponsored by Sens. Blumenthal (D-NY) and Markey (D-MA), is written to regulate the way a data breach is handled and to hold companies accountable for their cyber health. This bill requires organizations to notify consumers, law enforcement and third parties once a breach has been identified. While there are some exceptions, such as national security concerns, the process includes written, email, telephone, electronic and media notice so that information is communicated and shared quickly. The proposed law also touches on the post-breach protections that should be offered to consumers, such as credit monitoring. In many ways, this bill sets guidelines for proper reporting practices, with requirements for timelines, compensation and general standards.
While the Democrats seem to be leading the charge on the legislative efforts surrounding data breach reporting, the newest bill introduced to the Senate has bipartisan sponsorship from Senators Carper (D-DE) and Blunt (R-MO). This bill, the Data Security Act of 2014, focuses on minimum standards that must be met by entities in different industries, such as HIPAA for health care providers. Moreover, it outlines certain guidelines for notification, requiring any data breach affecting more than 5,000 people to be reported to both consumers and the federal government.
One thing is clear: the timeline for the future of federal breach notification policy is uncertain. Nevertheless, businesses and organizations can take it upon themselves to implement a comprehensive security risk management program now. First, this means working to exceed industry standards of compliance, whether the applicable guidelines are PCI, HIPAA or OCC, and making sure their own “house” is in order. A recent study published by BitSight found that 82% of S&P 500 companies had an externally visible security event, suggesting that there is work to be done to improve the security posture of companies across many sectors and industries. Making sure systems are properly configured and the necessary protections are in place, and ensuring that your third-party providers are doing the same, is a first step in battling the increased threat of cyber attacks.
These early actions indicate that lawmakers are paying attention to the importance of corporate cybersecurity, but there are challenges ahead for the passage of comprehensive legislation.
A recent Politico article notes that some state Attorneys General, primarily in states with stricter notification regulations, want to ensure that their current laws can supersede any federal regulations. Others note that the complexity of definitions and the appropriate time frame for notification may be impediments to federal reform.