Three data breach policy developments every risk manager should know
August 2015 | EXPERT BRIEFING | FRAUD & CORRUPTION
Take any company’s board of directors and you can bet that cyber security is one of the biggest issues dominating their discussions about risk. Boards are not only discussing how prepared the company is to manage a data breach, but even more so how the policy and regulatory landscape is changing. Unfortunately, regulators offer evolving expectations instead of a clear roadmap, which is concerning for good reason. The last few years have seen more movement, with the real potential for a universal federal data breach notification law, increased action by state attorneys general and changes to international regulations, which makes preparing for and managing a data breach even more challenging. The good news is that understanding where the policy landscape is today, and where it is likely going tomorrow, can greatly help companies prepare to manage a breach. The following are the most important policy developments that risk managers need to know as they continue to update and improve their preparedness programme.
Lawmakers closer on national data breach standard
To date, several efforts have been made toward the creation of a national data breach and data security law that would simplify notification requirements. However, despite speculation that Congress could finally pass a federal standard, obstacles remain that keep consensus just beyond the grasp of policymakers. That leaves businesses facing a framework of 47 evolving state laws and the challenge of meeting varied expectations from state regulators on how best to notify and protect customers in the event of a data breach.
Backed by recent high-profile data breaches at nationwide retail, healthcare, entertainment, public sector and financial service organisations, Congress and the Obama Administration continue to push for the adoption of a national uniform breach notification standard through multiple venues. Several bills aimed at forging a national data breach standard have been introduced and passed by Congressional committees; however, lack of consensus on specific issues related to the pre-emption of state laws and the types of personal information that would trigger notification requirements, as well as battles over jurisdiction, have left current proposals in a perpetual stalemate. At this time, however, continued media coverage of national incidents keeps the topic top of mind for lawmakers, and increased debate on the issue is expected during the 114th Congress.
In the interim, organisations need to prioritise understanding current state laws and expectations from state attorneys general to protect consumers’ personal information. Even though most states have existing laws on the books regarding data breach notification, state legislatures continue to consider proposals to modify them – meaning companies cannot expect data breach requirements to be the same year-over-year.
Regulator expectations continue to evolve
As state attorneys general become more involved in the oversight of breach notices, a number of states have proposed a new requirement to report breaches directly to the attorney general’s office. Proposals have ranged from notification in the event of any breach, no matter the size, to setting thresholds, such as notification in the event of at least 500 individuals breached. State legislation also dictates timing of when notices are sent out, from as soon as reasonably possible, to a more prescriptive number of days. To accommodate these changes and stay up-to-speed on current requirements, risk managers should work to establish an ongoing relationship with local regulators, in addition to enlisting outside legal counsel. While general counsel is often tasked with leading an organisation’s data breach preparedness plan, they can benefit from breach experts given the nuances and complexity of state laws.
Data breach legislation: a global policy trend
Adding to the complex legal framework for data breaches, policymakers in the European Union (EU) and Brazil are considering new approaches to notification that could impact businesses that engage in global commerce. There are also signs that the Australian government will renew a push to enact a data breach notification standard. Following the recent passage of the data retention law — which requires telecommunication service providers to keep customer metadata for two years to aid in law enforcement — the Australian Government signalled that passing a mandatory data breach notification law by the end of 2015 is a top priority.
Statistics show that global breaches are increasing rapidly. There were 3014 worldwide breaches reported in 2014, representing a 28.5 percent increase over the number of breaches disclosed in 2013. Cross-border data breaches are also becoming more of a reality as organisations store information in the cloud, which allows data to be accessed and shared more easily across state and country borders.
Businesses operating internationally also need to take into account cultural and language differences that may impact a customer’s response to a data breach and notification materials. When possible, risk and compliance teams should look to engage local public relations consultants and call centre providers to ensure their company understands the local climate and expectations. For example, some countries may not have the same ‘data breach fatigue’ we are faced with in the US, in which case consumers may be looking for more prescriptive guidance in the event a data breach occurs.
Regardless of the legal requirements applicable to various types of breaches, domestic or international, it is important that risk managers not view data security as solely a compliance issue, and above all prepare to prioritise customer needs. Too often companies manage communication well with forensic investigators, legal counsel and law enforcement during a data breach, but neglect investment in quality consumer engagement, resulting in diminished brand reputation and financial loss. According to the Ponemon Institute, the growing awareness of identity theft and consumers’ concerns about the security of their personal data following a breach greatly contributes to lost business. The average cost associated with lost business following a data breach increased from $1.45m in 2014 to $1.5m in 2015.
While understanding the shifting legal landscape is critical, companies need to be careful to balance requirements from regulators and consumer needs, and should ask their data breach resolution vendor about the optimal timeframe and process for notification. Being prepared for any situation by creating and practicing a comprehensive incident response plan with proper legal counsel ahead of time will help enable risk managers to mitigate reputation risks and navigate the complicated world of data breach compliance until a national standard is created.
Michael Bruemmer is vice president at Experian Data Breach Resolution. Mr Bruemmer can be contacted on +1 (949) 294 8886 or by email: firstname.lastname@example.org.
© Financier Worldwide