At BitSight, we’ve taken interest in the need for transparency and the ripple effects of major data breaches following the recent data loss events hitting major US retailers. Many security experts, including our own CTO Stephen Boyer, have been calling for a regulated data breach notification standard that would simplify the numerous state laws currently on the books. Echoing these calls, many government officials, from the Chair of the Federal Trade Commission to Attorney General Eric Holder, have said that uniform notification standards are necessary for the economic and cyber health of the country.
These issues have also been on the minds of lawmakers in Washington, many of whom have been calling for answers on the state of corporate cybersecurity in America. Recently, committees in both the House and Senate hosted hearings on data breaches to try and understand the reasons behind the breaches and what could be done to prevent future incidents of data loss. Now, lawmakers have been reviving old legislative efforts and launching new ones to address this issue that has affected over a third of the United States population in 2013.
Early steps on the road to reform
Here is a quick overview of some recently introduced bills in Congress:
The Personal Data Protection and Breach Accountability Act of 2014, sponsored by Sens. Blumenthal (D-NY) and Markey (D-MA), sets out to regulate the way that a data breach is handled and to hold companies accountable for their cyber health. This bill tasks organizations to notify consumers, law enforcement and third parties once the breach has been discovered. While there are some exceptions, such as national security concerns, the process includes written, email, telephone, electronic and media notice so as to disseminate information in a timely manner. The proposed law also touches on the information that must be provided and the post-breach protections that must be offered to consumers, such as credit monitoring. In many ways, this bill sets guidelines for proper reporting techniques with requirements for time lines, compensation and general standards.
Sens. Rockefeller (D-WV), Feinstein (D- CA), Pryor (D-AR) and Nelson (D-FL) have introduced the Data Security and Breach Notification Act of 2014, a piece of legislation that focuses on post-breach reporting. Notably, this bill sets a firm deadline of 30 days for businesses to notify consumers, authorities and third parties. This bill also mandates that third party business partners and vendors are informed in the event of a data breach.
While the Democrats seem to be leading the charge on the legislative efforts surrounding data breach reporting, the newest bill introduced to the Senate has bipartisan sponsorship from Sens. Carper (D-DE) and Blunt (R-MO). This bill, the Data Security Act of 2014, focuses on minimum standards that must be met by entities in different industries, such as HIPPA for health care providers. Moreover, it outlines certain guideline for notification, with any data breach affecting more than 5,000 people to be reported to both consumers and the federal government.
The challenges ahead
These early actions indicate that lawmakers are paying attention to the importance of corporate cybersecurity, but there are challenges ahead to the passage of comprehensive legislation. While cross-party wrangling may be expected with any bill that comes before Congress, individual states may also be taking a stand against federal changes. A recent Politico article notes that some state Attorney Generals, primarily in states with stricter notification regulations, want to ensure that current laws could supersede any federal regulations. Others note that the complexity of definitions and appropriate time frame for notification may be impediments to federal reform.
One thing is clear: the time line on the future of federal breach notification policy is uncertain. Nevertheless, businesses and organizations can take it upon themselves to implement a comprehensive security risk management program now. First off, this means working to exceed industry standards of compliance, whether it be PCI, HIPPA or OCC guidelines, and working to make sure their "house" is in order. A recent study published by BitSight found that 82% of S&P 500 companies had an externally-visible security event, suggesting that there is work to be done to better the security posture of companies across many sectors and industries. Making sure that systems are properly configured and the necessary protections are in place, and ensuring that your third party suppliers and vendors are doing so as well, is a first step in combating the growing threat of cyber attacks. Beyond that, entities can prepare to defend against attacks by consistently and continuously monitoring their extended enterprise to be sure they are wholistically working to mitigate their security risk from all angles.