Variations in State Data Breach Disclosure Laws Complicate Compliance


Incident Response Planning Can Ease the Pain

New data breach notification laws are good news for consumers, better news for attorneys, but not very good news for businesses already struggling to stay on top of a constantly evolving regulatory landscape. For companies, these laws mean increased workloads and expenses.

Local, state, and federal laws governing businesses have been in place for years. While updates to them are often routine and expected, regulatory compliance burdens have exploded over the past few years due to a raft of new consumer protection laws, principally those covering data breach protection.

Just a few months ago, Alabama became the last state to pass a law requiring companies to notify individuals when their personal information is exposed as a result of a data breach.

Even though all 50 states now require businesses and other organizations to notify consumers when a breach occurs, the laws, of course, are mostly different. While people must be notified when their personal information is breached, the definitions of “personal information” vary widely from state to state. Such variation creates more work and cost for businesses.

In addition to the varying definitions of “personal information”, the scope of these laws is also inconsistent. Like GDPR, many state laws apply not only to businesses operating in the state, but also to businesses who suffer a breach which includes personal information belonging to individuals that reside in the state. For example, a company operating in Nebraska may also be subject to the breach notification requirements of Florida, Texas, New Hampshire, Ohio and any other states where their customers reside. This significantly complicates disclosure requirements.

Here’s a glimpse into the variations. While most laws require individuals to be notified when their electronic records are breached,only eight states require notification when paper records are compromised. In some states, companies must report breaches to the Attorney General’s Office even if only one record is breached. In other states, reporting does not apply unless a minimum number of records —250, 500 or 1000 — is breached.

Globally, the legal complexities assume even greater proportions. For example, the European Union’s General Data Protection Regulation (GDPR), which came into effect recently, requires businesses to protect the personal data and privacy of EU citizens for transactions that occur within the European Union.

GDPR applies to all companies operating in Europe and all companies with a website or app that captures and processes the data of EU citizens. Failure to comply with the law could result in substantial fines: up to €20 million or 4 percent of a company’s global revenue, whichever is higher. 

Consumers in the Crosshairs

Consumers, of course, have several good reasons to worry about data breaches and the security of the companies they do business with. Cyber-attacks on huge corporations can result in identity theft, credit card and bank fraud, and even healthcare fraud.

Two cyber-attacks stand out: Equifax and Yahoo. Last year’s attack on credit reporting agency Equifax exposed the personal information of about 143 million people — nearly half of US population.

The Yahoo breaches — dating back to 2013 and 2014 but only disclosed in 2016 —  were perhaps the biggest in US history, and potentially affected 1.5 billion account holders.

These and other breaches have seriously weakened people’s trust in businesses of every size and description.

A recent survey of 5,000 US consumers by CarbonBlack revealed that 72 percent of people would consider leaving a financial institution if it were hit by ransomware. Seventy percent said they would consider leaving a retailer, and 68 percent said they would consider leaving a healthcare provider.

Incident Response and Regulatory Compliance

While there are many elements involved in meeting breach disclosure requirements, incident response (IR) can play a central role. Primarily because it is data-driven, works in real-time, and delivers measurable results.

IR consists of pre-breach planning and post-breach action, both of which can help organizations prevent/detect breaches, comply with breach disclosure laws and regulations, notify all stakeholders within appropriate timeframes, and take appropriate measures.

IR and data breach disclosure spans three distinct phases: detection, investigation, and auditing.

Detection is the most basic element. Many organizations get into deep legal and public relations trouble because they failed to detect a breach that happened two or three months beforehand — and therefore failed to contain and stop the damage.

Following a breach comes the investigation phase. What was breached? When did the breach start? How much damage has been caused? Is the breach still active? These and other vital questions must be answered as soon as possible.

This is where proper auditing comes into play. Without such auditing, an organization is forced to assume the worst — that the breach affected everything.

Post-breach, incident response procedures and processes play an equally vital role. Assuming an organization has a well-documented audit trail of what was breached, when, and where, the next step is to notify all stakeholders as quickly as possible. Those stakeholders include internal and external legal teams, as well as C-level executives.

With the right processes, procedures and technology in place, IR provides the glue to understand, remediate and communicate the details of a data breach. Knowing what happened and what data was impacted if the first and most important step in being able to meet disclosure law requirements and comply with tight notification deadlines.

About the author: John Moran is Senior Product Manager for DFLabs and a security operations and incident response expert. He has served as a senior incident response analyst for NTT Security, computer forensic analyst for the Maine State Police Computer Crimes Unit and computer forensics task force officer for the US Department of Homeland Security. John currently holds GCFA, CFCE, EnCE, CEH, CHFI, CCLO, CCPA, A+, Net+, and Security+ certifications.

Copyright 2010 Respective Author at Infosec Island via Infosec Island Latest Articles "https://ift.tt/2zuzLux"

Comments

Post a Comment

Popular posts from this blog

Evernote cuts staff as user growth stalls

Image
Note-taking app Evernote has fallen on hard times of late, culminating in its latest spate of job cuts impacting 15 percent of its workforce (54 employees). CEO Chris O' Neil -- an ex-Googler who took the reins in 2015 -- announced the firings at an all-hands meeting earlier today, reports TechCrunch . In a message on the Evernote blog , O' Neill admitted he'd set "incredibly aggressive goals" for the company in 2018. He continued: "Going forward, we are streamlining certain functions, like sales, so we can continue to speed up and scale others, like product development and engineering." The layoffs follow an exec exodus just weeks ago and the company's recent brand refresh (complete with a refined logo and wordmark). But critics are more concerned about its product, especially the free tier, which they claim lacks the perks to
Read more

The best air conditioner

Image
By Liam McCabe This post was done in partnership with Wirecutter . When readers choose to buy Wirecutter's independently chosen editorial picks, it may earn affiliate commissions that support its work. Read the full article here . After six summers of researching, testing, and recommending window air conditioners, we've learned that quiet and affordable ACs make most people the happiest—and we think the LG LW8016ER will fit the bill in most rooms. This 8,000 Btu unit cools as efficiently and effectively as any model with an equal Btu rating, and runs at a lower volume and deeper pitch than others at this price. Little extra features like a fresh-air vent, two-axis fan blades, and a removable drain plug help set it apart, too. The LG LW8016ER is a top choice for an office or den, and some people will find it quiet enough for a bedroom, too. If our main pic
Read more

We won't see a 'universal' vape oil cartridge anytime soon

Image
Pre-loaded cartridges of cannabis concentrate are currently among the most popular means of consumption, and for good reason. They're discreet to use and easy to handle, a far cry from the dark days of 2016 when we had to dribble hash oil or load wax into narrow-mouthed vape pens by hand. But, frustratingly, an ever increasing number of oil cartridge manufacturers employ one-off design standards so that their products won't work with those of their competitors, thereby locking customers into proprietary ecosystems. We've already seen this with nicotine vaporizers -- which has a seen a massive rise in "pod systems" in the last few years, each outfitted with a unique canister and battery built to be incompatible with those of their competition. Is it too late for the burgeoning cannabis industry to set a universal standard for their product designs?
Read more