There is no national standard for how a company must notify its customers in the wake of a data breach. Instead, companies must navigate a complex web of 47 different, often conflicting, state data breach notification laws in the aftermath of a breach.
It can be nearly impossible for companies to determine which state laws apply when a breach occurs. Small businesses suffer from an immense financial compliance burden trying to comply with all these laws, and the tangled web of laws also delay getting data breach information into the hands of those who need it most: the customers whose data was taken.
During the TechVoice D.C. Fly-In, a panel of industry and legislators discussed the challenges of forming one federal data breach notification (DBN) law. Scott Barlow, vice president of sales at Reflexion and chair of CompTIA’s IT Security community, said, “Small businesses face the same challenges as an enterprise would face, but they don’t have the same resources to prepare. IT security is no longer just a firewall.”
“California passed the first state DBN law in 2002,” said Eric Haren, counsel, Office of Senator Dianne Feinstein (CA), Senate Committee on the Judiciary. “Feinstein introduced the first federal bill on DBN. She believes people deserve notification when their data is breached. She is working toward one federal law.”
Graham Dufault, counsel, Office of Congressman Lee Terry (NE), said, “Most [on Capitol Hill] agree we need a single federal DBN law, but there can be dissension on what constitutes a definition of PII [personal identifiable information]. One of the other contentious parts of one of the proposed bills also put satellite, telecom and cable companies under the FTC’s review, instead of the FCC.”
Haren also said that in state DBN laws, 27 states took a broader view of what is PII.
The panel also said that encryption has been debated as being a part of a federal mandate, but Congress doesn’t agree yet on what’s an acceptable level of encryption. We also need to train end-users on what they can and cannot do in order to reduce human error in cybersecurity. Proper cybersecurity training is just as important as encryption.
Also at the TechVoice D.C. Fly-In, Senator Mark Pryor (D-Ark.) stated the three main principles that need to be in a federal DBN law:
- Companies should be required to implement reasonable protocols to protect consumer data.
- Companies should be required to notify their consumers if there is a data breach.
- Companies should notify law enforcement when a data breach occurs so that we can attempt to stop the criminals from attacking again.
A national standard for data breach notification would provide consumers and businesses with consistency and predictability on how consumer notice must be provided. In the wake of the national attention the Target data breach has received, the timing is perfect to finally pass a Federal Data Breach Notification Law. To make your voice heard on this issue, visit TechVoice today.