BreachExchange mailing list archives

Thirty-Day Data Breach Notification Is a Good First Step


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 3 Feb 2015 19:06:56 -0700

http://adage.com/article/guest-columnists/thirty-day-data-breach-notification-a-good-step/296918/

During his State of the Union address earlier this month, President Barack
Obama called for legislation to guard against cyber attacks, identity theft
and to "protect our children's information." Earlier in January, his
administration proposed a national breach notification law that requires
companies to notify consumers within 30 days of discovering that their
personal information was hacked. This legislation in various forms has
floated around Congress for years, but the recent outbreak of high profile
security breaches at companies like Sony and Target could be the impetus
needed for the bill to finally pass.

Every state's laws are unique and so any business operating across state
lines has to navigate through a tangled and confusing web of regulations.
In the age of ecommerce, this is a challenge faced by millions of
businesses. This federal law is an effort to create a minimum standard and
more cohesive policies that make it easier for businesses to adhere to
breach notification laws across states.

Thirty days is sufficient time to identify the impact of a breach, but how
best to notify the consumer when a breach occurs will still take time to
iron out.

Actually getting the bill through Congress remains a challenge. Republicans
in Congress have long pushed back against measures like this one because
they call for additional regulations and requirements for businesses. The
most likely scenario is that the law will be a very basic federal mandate
which sets a floor that states can't go under, but which allows states to
set the ceiling on how the laws can be applied.

What would really muddy the waters? If the federal legislation mandates
that the business follows the data breach laws of the state where the
consumer lives or was at the time of purchase, as opposed to the location
of the company's legal entity. The former case would do little to make the
breach notification process less of a burden, which is the whole point.
Businesses would still have to consider several sets of rules instead of
one.

The 30-day deadline is a good start, but the reality of commerce today is
that things happen much faster. Technically speaking, a consumer's data could
start being used as soon as 7 days after a breach occurs. There is a gaping
window between 7 days and 5 months in which a tremendous amount of damage
can be done to retailers and consumers. This is why it is so important
that retailers go to great lengths to protect their customer data with a
number of security protocols, lines of redundancy, and data analytics.

I would also venture a guess that consumers who exclusively purchase online
are more inclined to check their bank account more often via a website or
mobile app. They are more aware of their balances and more likely to get
banking notifications via email, text, or pushes that would alert them to
fraudulent activity immediately and give them time to react. Months could
become minutes. For these reasons, breach notification laws will actually
have a greater impact on consumers who purchase most of their goods
in-store, not online.

Notification Fatigue?

Beyond complying with the regulations, businesses will also have to figure
out the best approach for delivering breach notifications. Too many
notifications could desensitize consumers to the problem or cause
unnecessary panic. The good news is that in today's interconnected, digital
world, companies have a range of channels to communicate with their
customers. With email, mobile apps, and text messages at their disposal,
sharing information is not a technological problem; it is a cultural one.
Businesses have been reluctant to share information about a breach in the
past because of how it could hurt their image and share price. However, the
scope of the recent attacks and the increasing sophistication of online
security technology are putting heavy pressure on bricks-and-mortar
retailers to step up their game.

Regardless of what happens with the bill, I predict that every company that
handles customer data will begin to make security and transparency a
priority out of competitive necessity. The key thing to remember is that 30
days is the "floor." It is a good baseline, but not substantial enough to
protect customers who are exclusively buying online, where threats and
breaches can be identified at a much faster pace. The best way to navigate
around uncertainty and varying regulations is to surpass the federal floor,
as well as the states' ceilings, in terms of security and notification
policies.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/