Pennsylvania Senator Pat Toomey and four other Republican colleagues have introduced the Data Security and Breach Notification Act in a move to replace 46 different state laws with a comprehensive federal standard. Although similar consumer protection strategies have ultimately stalled in Congress over the past decade, there is renewed optimism that this attempt could gather the requisite support from concerned citizens and cooperation from covered entities.
A breach of trust
As cybercriminal motives and administrative complexity continue to make data breaches a more frequent occurrence, affected stakeholders have been less than thrilled with resolution efforts.
Earlier in the month, researchers from the Ponemon Institute discovered that 67 percent of consumers who remember receiving a data breach notification letter believe they did not receive enough information regarding the incident. In fact, 44 percent felt that they were left in the dark as to what type of data had been lost or stolen, never mind the scope or method of the breach.
This inconsistent track record of data stewardship has led to several unfortunate side effects. For instance, nearly half of consumers receiving notification suggested that they believed the company was concealing key facts. As a result, four in 10 surveyed patrons contemplated terminating a business relationship, while another 15 percent explicitly did so.
While demand for stiffer fines and larger payouts may take longer to fulfill, Ponemon analysts agreed that simplified explanations of how incidents occur and where primary risks lie will be a crucial first step toward regaining consumer confidence.
"When companies are making the decision to notify and determining how to notify, they should take into consideration that if they were the affected party in the breach, how they would like to be communicated with," research coordinator Michael Bruemmer explained in a related interview with InfoSecurity. "A federal data breach notification law will help tremendously and that will also create a more level notification playing field."
Consolidation and innovation
It appears that Bruemmer's words have struck a chord in the halls of Congress as senators consider cutting through the confusion of 46 unique state data breach notification laws and establishing a national standard.
According to the Hill, the proposed bill would require original data owners, as well as the government intelligence community, to be notified of data breaches "as expeditiously as possible." Such disclosures must include a clear explanation of how the information was stolen and how affected individuals can contact the compromised company for further guidance. The legislation would explicitly identify covered data – from login credentials to Social Security numbers – and establish a compliance framework with punitive fines approaching $500,000.
The bill would also hold third-party service providers to stricter standards, a key provision considering the collaborative nature of modern data management.
"If a service provider becomes aware of a breach of security involving data in electronic form containing personal information that is owned or possessed by a covered entity that connects to or uses a system or network provided by the service provider for the purpose of transmitting, routing or providing intermediate or transient storage of such data, such service provider shall notify the covered entity who initiated such connection, transmission, routing or storage if such covered entity can be reasonably identified," the proposal states.
But although the bill has already gained endorsement from Verizon and CTIA – The Wireless Association, among others, the classic debate over state sovereignty and federal regulation persists. According to the Information Law Group, Connecticut and Vermont have each diligently updated their data security protocols in recent weeks. Similarly, several components of the federal bill have been modeled after progress made by California legislators last year.
Data Security News from SimplySecurity.com by Trend Micro