Variations in State Data Breach Disclosure Laws Complicate Compliance

Wednesday, September 26, 2018

John Moran

6a1fbf6a6315721b9e8931e69112c21e

Incident Response Planning Can Ease the Pain

New data breach notification laws are good news for consumers, better news for attorneys, but not very good news for businesses already struggling to stay on top of a constantly evolving regulatory landscape. For companies, these laws mean increased workloads and expenses.

Local, state, and federal laws governing businesses have been in place for years. While updates to them are often routine and expected, regulatory compliance burdens have exploded over the past few years due to a raft of new consumer protection laws, principally those covering data breach protection.

Just a few months ago, Alabama became the last state to pass a law requiring companies to notify individuals when their personal information is exposed as a result of a data breach.

Even though all 50 states now require businesses and other organizations to notify consumers when a breach occurs, the laws, of course, are mostly different. While people must be notified when their personal information is breached, the definitions of “personal information” vary widely from state to state. Such variation creates more work and cost for businesses.

In addition to the varying definitions of “personal information”, the scope of these laws is also inconsistent. Like GDPR, many state laws apply not only to businesses operating in the state, but also to businesses who suffer a breach which includes personal information belonging to individuals that reside in the state. For example, a company operating in Nebraska may also be subject to the breach notification requirements of Florida, Texas, New Hampshire, Ohio and any other states where their customers reside. This significantly complicates disclosure requirements.

Here’s a glimpse into the variations. While most laws require individuals to be notified when their electronic records are breached,only eight states require notification when paper records are compromised. In some states, companies must report breaches to the Attorney General’s Office even if only one record is breached. In other states, reporting does not apply unless a minimum number of records —250, 500 or 1000 — is breached.

Globally, the legal complexities assume even greater proportions. For example, the European Union’s General Data Protection Regulation (GDPR), which came into effect recently, requires businesses to protect the personal data and privacy of EU citizens for transactions that occur within the European Union.

GDPR applies to all companies operating in Europe and all companies with a website or app that captures and processes the data of EU citizens. Failure to comply with the law could result in substantial fines: up to €20 million or 4 percent of a company’s global revenue, whichever is higher. 

Consumers in the Crosshairs

Consumers, of course, have several good reasons to worry about data breaches and the security of the companies they do business with. Cyber-attacks on huge corporations can result in identity theft, credit card and bank fraud, and even healthcare fraud.

Two cyber-attacks stand out: Equifax and Yahoo. Last year’s attack on credit reporting agency Equifax exposed the personal information of about 143 million people — nearly half of US population.

The Yahoo breaches — dating back to 2013 and 2014 but only disclosed in 2016 —  were perhaps the biggest in US history, and potentially affected 1.5 billion account holders.

These and other breaches have seriously weakened people’s trust in businesses of every size and description.

A recent survey of 5,000 US consumers by CarbonBlack revealed that 72 percent of people would consider leaving a financial institution if it were hit by ransomware. Seventy percent said they would consider leaving a retailer, and 68 percent said they would consider leaving a healthcare provider.

Incident Response and Regulatory Compliance

While there are many elements involved in meeting breach disclosure requirements, incident response (IR) can play a central role. Primarily because it is data-driven, works in real-time, and delivers measurable results.

IR consists of pre-breach planning and post-breach action, both of which can help organizations prevent/detect breaches, comply with breach disclosure laws and regulations, notify all stakeholders within appropriate timeframes, and take appropriate measures.

IR and data breach disclosure spans three distinct phases: detection, investigation, and auditing.

Detection is the most basic element. Many organizations get into deep legal and public relations trouble because they failed to detect a breach that happened two or three months beforehand — and therefore failed to contain and stop the damage.

Following a breach comes the investigation phase. What was breached? When did the breach start? How much damage has been caused? Is the breach still active? These and other vital questions must be answered as soon as possible.

This is where proper auditing comes into play. Without such auditing, an organization is forced to assume the worst — that the breach affected everything.

Post-breach, incident response procedures and processes play an equally vital role. Assuming an organization has a well-documented audit trail of what was breached, when, and where, the next step is to notify all stakeholders as quickly as possible. Those stakeholders include internal and external legal teams, as well as C-level executives.

With the right processes, procedures and technology in place, IR provides the glue to understand, remediate and communicate the details of a data breach. Knowing what happened and what data was impacted if the first and most important step in being able to meet disclosure law requirements and comply with tight notification deadlines.

About the author: John Moran is Senior Product Manager for DFLabs and a security operations and incident response expert. He has served as a senior incident response analyst for NTT Security, computer forensic analyst for the Maine State Police Computer Crimes Unit and computer forensics task force officer for the US Department of Homeland Security. John currently holds GCFA, CFCE, EnCE, CEH, CHFI, CCLO, CCPA, A+, Net+, and Security+ certifications.

Possibly Related Articles:
32663
Enterprise Security Policy Breaches
Compliance Incident Response data breach regulations
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.