BreachExchange mailing list archives

One Crucial Thing You Probably Don't Know About Security Breaches


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 24 Jan 2014 17:04:56 -0700

http://www.statesman.com/feed/business/personal-finance/one-crucial-thing-you-probably-dont-know-about/fXHJP/

Ever tried to parse the law on how to properly notify customers if hackers
steal data from your company? You're in for a real treat.

Any business that assumes its data security is beyond question only has to
read the news to dispel that notion. First Target had its mammoth breach
during holiday shopping. Then Neiman Marcus had a breach last year that ran
from July to December.

A complete PR debacle, of course. And people in the industry are wondering
how to prevent or at least mitigate a similar problem, maybe by using
smartcards to make credit card cloning tough. But entrepreneurs that store
customer personal information need to consider something else: if it
happened to you, how would you handle notifying customers?

Here's where it gets thorny...

Because data security and privacy laws are enacted by state, there is no
one single standard of when a company has to notify customers about data
loss. Instead, you come under the laws of each and every state in which
people have done business with you.

Breach notifications are the rule rather than the exception, as two
attorneys from law firm Jenner & Block write on Bloomberg Law:

Currently, 46 states, the District of Columbia, Guam, Puerto Rico, and the
Virgin Islands have notification requirements for breaches of "personal
information." The only four states without a data breach notification law
are Alabama, Kentucky, New Mexico, and South Dakota.

These state notification laws cover not only the companies that own or
license a consumer's personal information, but also companies that maintain
or control personal information they do not own, such as a vendor that
manages a database of subscription information for a magazine. In the event
that a company that maintains, but does not own, personal information
suffers a breach, the company that actually owns or licenses the
information is still responsible for proper notification to consumers.

And the rules can vary wildly by jurisdiction. Another law firm,
BakerHostetler, put together a compendium of laws, with sections on which
states had broader definitions of personal information, which states
require notification triggered by information access, which set an
electronic and/or security breach alone as the trigger, the states that
insist on a harm analysis, the ones that mandate customer notification
within a given period of time, and the governments that require
notification of the attorney general. Whew.

For example, the general definition of "personal information" would include
an account number along with a security or access code needed to access the
account. In Massachusetts, financial account information without the
password or security code is considered personal. Other areas have
different definitions. North Carolina includes fingerprints or biometric
data.

Such states as Alaska, Connecticut, Idaho, and Missouri only require
notification if there is a sufficient degree of material harm or risk that
could happen to consumers. Seven areas impose specific time frames for
notification, although they can depend on law enforcement agreeing that
disclosure would not compromise an investigation.

If you're a smaller company, trying to follow the array of requirements
will be tough. Maybe the only sane approach will be to find the most
stringent rules and, as much as possible, apply them to all states.

But now is the time to do it, especially as 17 areas in total allow injured
consumers to sue the company.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss