Federal Data-Breach Bills: The Tip Of The Iceberg - InformationWeek



The Senate is considering two bills designed to revamp federal consumer data-privacy rules. But anyone who thinks these bills represent a wake-up call has already been sleeping way too long.

The Data Breach Notification Act and the Personal Data Privacy and Security Act would apply to companies that suffer data breaches involving sensitive consumer information, such as financial records. Both bills would require firms to report significant data breaches -- most likely involving more than 5,000 individuals -- to government regulators, credit reporting agencies, and affected consumers.

Both, however, will also include exemptions to the reporting rules for companies that take measures to protect customer records. The use of approved encryption methods to protect consumer data, for example, could exempt a company from at least some of the disclosure rules.

A health-care technology reform package passed as part of a massive federal stimulus bill last February included similar data-breach disclosure provisions and exemptions. The current bills would extend the same sort of regulations to all sensitive consumer data, although they will probably not be as strict.

This isn't the sexiest topic, but it is one that could cost your company a ton of money if it gets caught unprepared.

Here's the real problem: Your company may already be subject to similar, and in some cases even more stringent, data-breach notification laws.

Today, 46 states already have laws in place that regulate how companies must respond to consumer data breaches. Some compel firms that discover a data breach to notify consumers and state regulators; others, such as a Massachusetts state law, actually require firms to encrypt sensitive consumer data stored on laptops.

If and when a federal law takes effect, it is likely to preempt many of these state laws. Until that happens, however, your company could face serious penalties if it fails to understand and to follow state data-breach notification laws. As always, ignorance is no excuse.

If you're looking for a good place to begin your company's research into this question, try CSO Online. It has a fairly complete list of state-by-state data-breach notification laws, currently covering 43 states (including a subsequent update article).

If your home state isn't on CSO's map, don't assume that you're out of the woods. Its list seems to be missing at least a couple of more recent state laws. If your state looks like an exception to the rule, I suggest running a Google search or simply calling your local Chamber of Commerce to make sure that is really the case.

Even if these laws don't apply to your business, encrypting sensitive customer records is always a good idea. Encryption is a quick, cheap, insanely simple security measure that could spare your company fines, litigation costs, and loads of negative publicity.
