
An Update on Data Breach Notification

Ben Fagan | June 11, 2014

In a previous blog post, we outlined federal initiatives to pass a data breach notification law that would simplify the current myriad of state regulations. In the wake of the Target and Neiman Marcus data breaches, legislators and government officials called for a national data breach notification standard. While bills have been introduced, little action has been taken beyond Senate or House subcommittee hearings. High-profile breaches brought this issue into the consciousness of the American public and government, but the need for transparency is even more pressing because of the high volume of unreported breaches: our own analysis found that in our home state of Massachusetts alone, 1 million residents had their PII compromised in healthcare breaches during 2007-2011. Yet the lack of movement in the US federal government does not mean data breach notification has been a stagnant issue in other countries or at the state level. In this post, we round up some interesting legislative initiatives happening around the globe and in US state governments.

Here are some recent events surrounding data breach notification laws and reform:

  • Last week, the government of New Zealand released a fact sheet (pdf) that outlines proposed changes to its data privacy laws. In the event of any material data loss, organizations would be obligated to inform the Office of the Privacy Commissioner. For more serious breaches, entities would not only have to notify the Privacy Commissioner but would likely also have to disclose the breach to affected consumers. Interestingly, there is no definition of what constitutes a "material" loss or what makes a breach "serious." It will be interesting to see how these proposals advance through the New Zealand legislative process and what clarification arrives in the final draft of a bill.

  • California already has a data breach notification standard that requires companies to disclose any breach of unencrypted personal information to affected consumers, and to the state when the breach affects more than 500 state residents. A new bill that was recently passed by the Assembly and is being sent to the Senate, A.B. 1710 (pdf), would tighten the encryption exception. Currently, entities do not need to report stolen information that is encrypted, regardless of how it was encrypted. This bill would require businesses to disclose all stolen information unless the encryption meets NIST Advanced Encryption Standard requirements. While many business groups oppose the bill, it would make California's law one of the stricter state notification standards in the country.

  • Florida passed some major changes to its data breach notification law. The Florida Information Protection Act of 2014 (pdf) requires entities to disclose breaches to consumers within 30 days and, if the breach affects more than 500 Floridians, to the Department of Legal Affairs as well. This 30-day window is shorter than the 45 days businesses currently have to notify consumers and the government about a breach. Perhaps the most interesting piece of these reforms is the expanded definition of personal information. Under the new rules, email addresses and usernames (when combined with a password or security question and answer that would permit access to an online account), and first and last names combined with health insurance policy numbers, are all considered forms of personal information. The bill was passed by the Florida legislature at the end of April and is expected to be signed into law by Republican Governor Rick Scott imminently.

Data breaches are becoming increasingly commonplace on the nightly news cycle. In the past two weeks alone, we have learned of breaches affecting Lowe's employees and internet retailer eBay. It is clear that no sector or company can claim complete immunity from the increasingly sophisticated threats facing enterprises today. While state initiatives indicate that legislators (and consumers) are increasingly aware of data security, the United States should follow the example of other nations and implement a national standard. A national data breach notification standard would simplify the processes that businesses must follow to comply with a multitude of varied state regulations, cutting costs and logistical hurdles for businesses that suffer a breach. But, more importantly, as our Co-Founder and CTO Stephen Boyer concluded in an opinion piece published in SC Magazine in January, "Transparency and accountability will breed improved security, which will benefit all."
