Congressional Proposals: Data Breach Notification Law
News | 10 Feb 2015
Featured blog by Patrick Zanella, AVP, Security, Compliance and Product Practice Head at Zensar

At his State of the Union address on January 20, President Obama called on Congress to pass a national law that would require organizations to notify customers of data breaches, in an effort to protect consumers’ personal information. Congress has also named helping organizations improve their cyberdefenses as one of its “top priorities” for 2015. Today, 47 states have their own breach notification laws, each with different triggers, deadlines and notice requirements, which has led to a great deal of confusion for organizations that operate across state lines. One uniform federal regulation would give organizations and consumers clarity about what is required and hold organizations accountable for the security of confidential information. This legislation comes at an important time: 2014 was a breakout year in the sheer number of data breaches across all vertical industries, as well as in the emergence of “mega-level” breaches, and millions of credit card numbers and personal records leaked into the wrong hands from a variety of sources.
Many consumers have resigned themselves to the fact that it is not a matter of if but when their data will be leaked. But why do these breaches keep happening? For one, the explosion of online transactions from Internet-connected devices, from phones to tablets to refrigerators, has multiplied the avenues through which personal information can be exposed. In addition, companies that hold personal information are not taking substantial enough measures to mitigate these risks. In many cases this is simply due to limited IT budgets, or to a lack of the time and staff needed to review and analyze potentially malicious traffic. However, certain steps can be taken at the employee, organizational, consumer and governmental level to prevent major data breaches from occurring.
For example:

The federal government should impose significant fines on organizations that do not take appropriate steps to secure personal data.

Employees should understand how to take breach prevention into their own hands. They should know the red flags that signal a malicious link or attachment in an email, whether it arrives on a personal or a work device, and how to report it. It is the organization’s responsibility to provide security training and frequent refreshers.

Organizations should further secure data through encryption, at rest and in transit, with keys managed separately from the data they protect; encrypted data stored next to its key offers little protection once an attacker is inside. They should also reduce how much sensitive data they hold in the first place: replace the sensitive value with a surrogate that carries no exploitable information, keep the mapping in a separate, tightly controlled store, and delete the original from every system that only needs to reference it. This is what tokenization does for credit card transactions, where a token stands in for the card number everywhere except the payment processor’s vault, so a breach of the application database yields tokens rather than card numbers.

Finally, consumers should take a step back before sharing personal information and ask themselves whether it is really needed. For example, is it really necessary to hand over my phone number to access a free music streaming service? Consumers should have the option to “opt out” of providing non-pertinent personal data for such transactions.

Hackers’ methods are constantly evolving, and the threat of data breaches will never entirely disappear. As such, it is important that security professionals engage in open dialogue and work to remove the stigma attached to disclosing a breach. By discussing new threats and sharing real-world best practices, defenders can start to win the data security battle. The conversations happening in Washington right now will go a long way toward bringing data security to the forefront.
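To make the tokenization point above concrete, here is an added illustration (not code from the original article or from Zensar) of a minimal token vault. All names are hypothetical: an in-memory dictionary stands in for the separately hosted, access-controlled vault; tokens keep the card number’s length and last four digits (a common display convention, assumed here), are otherwise random, and are generated so they never pass the Luhn check that real card numbers pass; and only an assumed "payment-processor" role is allowed to map a token back to the card number. The sample order record and the test card number 4111111111111111 are constructed for the example.

```python
import secrets
from typing import Dict


def luhn_valid(number: str) -> bool:
    """Luhn checksum used by real card numbers (PANs). Tokens are deliberately
    generated so this check fails, so a leaked token cannot be mistaken for,
    or used as, a card number."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Hypothetical token vault. The in-memory dicts stand in for the one
    tightly controlled store that can map tokens back to PANs; everything
    outside the vault only ever sees tokens."""

    # Assumed policy for this example: only the payment processor may detokenize.
    DETOKENIZE_ROLES = frozenset({"payment-processor"})

    def __init__(self) -> None:
        self._token_to_pan: Dict[str, str] = {}
        self._pan_to_token: Dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        """Return a surrogate for `pan`: same length, same last four digits,
        random elsewhere, and never Luhn-valid. The same PAN always maps to the
        same token so the application can still recognise repeat customers."""
        if not pan.isdigit() or not 13 <= len(pan) <= 19 or not luhn_valid(pan):
            raise ValueError("input is not a well-formed PAN")
        existing = self._pan_to_token.get(pan)
        if existing is not None:
            return existing
        while True:
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            # Reject collisions and anything that would pass as a real card number.
            if token not in self._token_to_pan and not luhn_valid(token):
                break
        self._token_to_pan[token] = pan
        self._pan_to_token[pan] = token
        return token

    def detokenize(self, token: str, caller_role: str) -> str:
        """Map a token back to its PAN, only for an authorised role."""
        if caller_role not in self.DETOKENIZE_ROLES:
            raise PermissionError(f"role {caller_role!r} may not detokenize")
        try:
            return self._token_to_pan[token]
        except KeyError:
            raise KeyError("unknown token") from None


def tokenize_record(vault: TokenVault, record: Dict[str, str]) -> Dict[str, str]:
    """Replace the 'pan' field of an application record with its token, so the
    record can be stored, and later breached, without exposing the card number."""
    safe = dict(record)
    safe["pan"] = vault.tokenize(record["pan"])
    return safe


if __name__ == "__main__":
    vault = TokenVault()
    # Constructed sample record; 4111111111111111 is a well-known test card number.
    order = {"order_id": "A-1001", "customer": "jdoe", "pan": "4111111111111111"}
    stored = tokenize_record(vault, order)
    print("stored record:", stored)
    print("token passes Luhn?", luhn_valid(stored["pan"]))
    print("processor recovers:", vault.detokenize(stored["pan"], "payment-processor"))
    try:
        vault.detokenize(stored["pan"], "web-app")
    except PermissionError as exc:
        print("web-app blocked:", exc)
```

The point of the design is that the token is random rather than derived from the card number, so unlike encryption there is no key whose compromise reverses every token at once; an attacker who dumps the application database gets surrogates that fail Luhn and cannot be charged, and must also breach the vault and satisfy its role check to recover anything.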
These potential new regulations, coupled with organizations’ security measures and consumers’ awareness, will help to identify potentially damaging data breaches early, or even prevent them entirely.