
The breach notification debate

The new year picked up where 2013 left off – with a massive retailer breach.

The Target, Neiman Marcus and Michaels incidents made headlines around the world. However, there was one positive outcome from these events – the discussion regarding a potential federal breach notification law was brought back to the forefront among government leaders.

It's no secret that electronic personal information is a hot commodity for cyber criminals. While mega-retailers like the aforementioned have budgets to implement state-of-the-art security bells and whistles, miscreants always find a way in, circumventing controls and silently siphoning sensitive financial data. Although that may be inevitable, the quicker individuals are notified of a breach, the better chance they have to take proper measures and protect their assets.

Outside of specific industries, breach notification laws are enforced at the state level, with 46 states having notification requirements in place, according to the “Global Guide to Data Breach Notifications, 2013,” a study by the World Law Group (WLG), a network of 53 independent law firms.

The current patchwork of requirements gives a lot of different committees “skin in the game,” says Doug Johnson, VP of risk management policy at the American Bankers Association. He believes these jurisdictional issues are big hurdles that have impeded the development of a federal standard.

“What you have is the individual states having the latitude to do their own thing,” Johnson says. “[This] makes it really difficult and makes for a cry for an adoption of a national standard.”

While politicians have taken a crack at drafting overarching legislation, such as the Personal Data Privacy and Security Act of 2014, the Data Security and Breach Notification Act of 2014, and the Data Security Act of 2014, as of press time, all have stalled in committee.

Just like the requirements at the state level, the proposed federal drafts differ in defining a breach. Mark Schreiber, chair of the privacy and data protection group at law firm Edwards Wildman Palmer, and chair for the WLG, believes that while this is a part of the problem, it is easily resolved.

“Whatever definition [is] used, it would be better than the current polyglot of numerous state definitions, many of which don't square up with each other,” he says. “There's got to be a better solution than what we've got now.”
