In December 2009, my perspective titled “Data Breaches: A Sidewalk Sale of Consumer and Personal Information” detailed the financial, reputational and regulatory implications surrounding a data breach occurrence. Since then, little has changed (other than the fact that the term “data breach” is now commonplace throughout workplaces and households due the continuous increase of breaches worldwide). Organizations around the world ranging from US Bank and Outback Steakhouse to the U.S. Air Force and Sony have experienced (or are currently experiencing) a data breach and the headache of breach notification. Despite numerous attempts to implement federal data breach notification legislation, little has been done on a national level to streamline the process.
This perspective highlights the data breach notification process and how recent legislation proposed by the Obama Administration is hoping to consolidate dozens of diverse state breach notification regulations into one integrated national plan.
Today’s Breach Notification Landscape
I’d say chances are pretty high that right now you may be recalling the last time you were the victim of a data breach (for example, in the U.S., you may have received numerous notifications following the Epsilon data breach). Unfortunately, you’re not the only one! According to the Identity Theft Resource Center, more than 10.8 million records containing sensitive personal information have been released in 186 recorded breaches throughout the US this year alone. And, it’s important to note that it’s only June!
By definition, a data breach is unauthorized access to, or an authorized disclosure of, sensitive information:
- Personally Identifiable Information (PII)
Full name, date of birth, social security number, bank account information, credit/debit card numbers, driver’s license numbers, etc.
- Protected Health Information (PHI)
Medical diagnoses, patient history, medications, etc.
For organizations, the outcomes of a data breach range from minimal impact, to reputation impairment, fines, compliance issues, and lost future business due to a lack of customer confidence/trust. For data breach victims, the fallout can result in identify theft, fraud, loss of savings, or even a destroyed credit score.
While all 50 states pretty much share the same definition of a data breach, the way in which they enforce breach notification and protect their citizens couldn’t be more different. Today in the United States, 47 states have disclosure and notification requirements, all of which vary widely depending on the type of personal information lost during a data breach, required notification process (i.e., timing, recipients and notification approach), remediation documentation, exemptions from disclosure, and penalties for noncompliance. Most challenging is the fact that these statutes are state-specific and based on residency of affected individuals – not the location of the organization experiencing the breach. Complicating matters even more are current federal regulations and legislation, including the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH), which offer industry-specific requirements.
Given the high potential for negative impact on organizations and individuals resulting from a data breach (not to mention the current challenges associated with the breach notification process) federal regulations have been proposed on numerous occasions since 1993 (see timeline below for a full history of proposed legislation) to little avail until May 2011 when the Obama Administration outlined a proposed data breach response and notification process.
Data Breach Notification of Tomorrow (Perhaps)
On May 12, 2011, the White House unveiled a Cybersecurity Legislative Proposal to protect computer networks and critical infrastructure that also includes a national data breach notification mandate for certain organizations. Specific to national data breach reporting, the proposal highlights the following:
“State laws have helped consumers protect themselves against identity theft while also incentivizing businesses to have better cybersecurity, thus helping to stem the tide of identity theft. These laws require businesses that have suffered an intrusion to notify consumers if the intruder had access to the consumers’ personal information. The Administration proposal helps businesses by simplifying and standardizing the existing patchwork of 47 state laws that contain these requirements”.
Under Federal oversight, new requirements and terminology will marry existing state regulations in order to better define a data breach and provide for a more effective response:
- Legislation would cover organizations that collect, use, transmit, retain, or dispose of sensitive personally identifiable information on more than 10,000 individuals within a 12-month period.
- Organizations already covered by the data breach notice requirements of the HITECH Act would be exempt from the proposed law.
- “Sensitive personally identifiable information” (SPII) would replace today’s de facto PII standards to include name information in combination with any two of the following: individual’s full birth date, home address or telephone number, or mother’s maiden name. In addition, SPII would include a non-truncated Social Security, driver’s license, passport, or other government-issued identification number, biometric data, a unique financial account or payment card number, and other financial information.
- Covered organizations would be required, within 60 days, to notify individuals whose exposed SPII was unsecured by technological means (specific technological means are currently undefined; breaches of encrypted data do not require notification).
- If a required breach notice affects more than 5,000 individuals in any one state, the business—in addition to individual notification—would be required to post notice of the breach in relevant news media outlets.
- Organizations would have to notify the Department of Homeland Security (DHS) if a breach involved:
– SPII of more than 5,000 individuals;
– A database containing such information on more than 500,000 individuals;
– A database owned by the federal government; or
– A database containing SPII of federal employees or contractors.
- Notification of DHS would be required at least 72-hours before providing notice to individuals or within ten days of discovering the breach, whichever comes first.
- Organizations may qualify for a safe harbor notification exemption if their investigation of a breach concludes that “there is no reasonable risk that the security breach has resulted in, or will result in, harm to the individuals whose SPII was subject to the security breach.” Covered businesses would be required to invoke the safe harbor presumption with the Federal Trade Commission (FTC) within 45 days of the results of a risk assessment.
- Organizations would not be required to provide breach notice to individuals if they use or participate in a program “that effectively blocks the use of SPII to initiate unauthorized financial transactions before they are charged to the account of the individual and it provides for notice to affected individuals after a security breach that has resulted in fraud or unauthorized transactions.”
- No breach notice would be required if the U.S. Secret Service or FBI determined that doing so could “reveal sensitive sources or methods” or damage national security.
Regulated and enforced by the FTC in collaboration with state attorneys general, this legislation would impose civil penalties of up to $1,000 a day per individual affected by a breach, up to a maximum of $1 million a violation unless such conduct is found to be intentional.
Recommendations and Conclusion
What does this proposed legislation mean for organizations today? Well, nothing at the moment. While the proposed legislation is the biggest attempt in history of nationalizing data breach response and notification, organizations must continue to proactively plan for a possible data breach and its subsequent response. Organizations should consider the following five issues related to data breach planning, response and notification:
- Establish protocols for discovery, determination and escalation of a data breach
- Identify your data breach response and notification obligations (seek legal advice)
- Establish a cross-functional response team (the business continuity practitioner could champion the planning and response efforts, but not necessarily own them)
- Document and test a response and notification plan to ensure nothing’s missed
- Implement a notification production and call center capability in advance of a data breach in order to meet reporting deadlines and avoid costly fines
As technology continues to advance and the world becomes even more “connected”, data breach poses an ever-present threat to today’s modern organization. The possibility of national data breach response legislation is a welcome change to today’s ad-hoc, state-by-state regulations that cost organizations precious time and money. Further, Federal oversight has the possibility of reducing future data breaches by detecting patterns and trends as they occur throughout the nation and proactively educating organizations on how to better protect their data.
Please refer to the following resources to learn more about data breaches and planning approaches for such a threat: