Proposed Data Breach Notification Changes: What’s the Potential Enterprise Impact?
News | 23 Aug 2015
Proposed data breach notification legislation in Congress could have huge impacts on consumers and organizations alike across the United States. The proposed legislation aims to “tackle the nation’s growing data security threats and challenges” with the goal of implementing “a comprehensive plan to help safeguard sensitive consumer information, and shield Americans from the harmful consequences of cyber-attacks.” While this sounds beneficial in theory, it would pre-empt, and therefore weaken, more effective breach notification laws already in place in 47 states. Under the proposal, companies would effectively decide for themselves whether to disclose breach details to consumers, because they would only be required to notify consumers of breaches they themselves deem a “serious” enough financial or security risk.
For a clearer picture of the potential harm, consider a few of the existing state laws the proposal would affect. California’s Song-Beverly Credit Card Act, which makes it illegal to record a credit card holder’s personal identification information during a transaction, would be pre-empted, as would Connecticut’s prohibition on publicly posting any individual’s Social Security number. Florida’s privacy law, which includes a consumer’s username and password combination in its definition of personal information, would also be overruled. This illustrates a basic disconnect in the proposed bill: it attempts to separate privacy from data security, when in practice the two are inseparable.
Lower security standards, coupled with lax notification requirements, would create an environment in which breaches become even more prevalent and consumers are frequently unaware that their personal information has ended up in the wrong hands. This is not only a consumer risk. In an increasingly bring your own device (BYOD) world, corporate data resides on employees’ personal devices, and without monitoring and control by the organization that data can be breached just as easily as the employee’s own. This is a potentially massive issue for organizations and their employees alike.
Despite the huge risk, many organizations will not take the appropriate steps to protect personal and corporate data, and the primary reason is financial. It costs a company approximately $10 million to keep its information secure, while an actual breach costs approximately $6 million in total. Faced with those numbers, an organization performs a cost/risk analysis and ultimately concludes that the cost of protecting consumers outweighs the risk of a breach, so it accepts the risk rather than paying for the protection.
Smart organizations will combat these risks by following a standard process that first identifies the data that needs to be protected. It is not just about locking down devices or networks, whether corporate or personally owned; it is about the data itself. Organizations must determine which data is critical and must not be accessible by unauthorized means, and then apply constant vigilance and monitoring of that data by qualified individuals. Enacting a single nationwide data breach notification law is, in theory, a step in the right direction. However, because the proposal would weaken existing laws enacted by a majority of states, there is little doubt that it would cause more harm than good. If the proposed changes do go into effect, it will fall to savvy organizations to protect employee and corporate data themselves and ensure it is not at risk of being breached.