As if having to deal with the rising threat of data breaches weren’t already enough for retailers, many continue to struggle to make sense of today’s rough patchwork of federal and state data breach laws.
Fortunately, while legislation that would establish a national data breach standard has yet to gain significant traction, the Obama Administration and Congress are ramping up joint efforts to establish a uniform, national law that would replace the current fabric of state requirements.
For retailers across the country who sit in the direct line of fire for cyber intruders, this is welcome news.
The current regulatory jigsaw puzzle has simply fallen short of creating a cohesive data breach notification standard that can be applied to all personally sensitive information. Instead, when retailers experience a data breach, they’re forced to navigate a labyrinth of state laws — 47 of them — each with unique requirements for items ranging from how consumers are notified to the types of breached information that would trigger the notification. In other words, maintaining compliance and minimizing confusion amongst customers has become a steep challenge for businesses across the retail sector.
Change is on the Horizon
To date, the Obama administration has pushed for the adoption of a national uniform breach notification standard through multiple venues, including its April 2013 policy statement on H.R. 624 — the Cyber Intelligence Sharing and Protection Act — which aims to improve cyber security standards.
What’s more, by way of a cyber-security draft proposal in May 2011, the White House offered a data breach provision that gave the Federal Trade Commission (FTC) authority to determine the types of personal information that would trigger a breach, require consumers to be notified within a certain timeframe and empower state attorneys general to bring civil actions to recover certain penalties.
Meanwhile, state legislatures continue to craft proposals to modify their existing data breach notification policy. State attorneys general have also joined the fray to handle oversight of breach notices. As a result, a number of states have proposed a new requirement to report breaches to the attorney general’s office. Proposals have ranged from notification in the event of any breach, no matter the size, to setting thresholds, such as the information of 500 individuals breached.
In addition to meeting the breach notification requirements outlined by current state breach laws, policymakers now expect organizations that experience a breach to take deliberate and immediate steps to protect consumers from identity theft following the breach.
In a 2012 report on data breaches, the office of the California Attorney General noted that providing identity theft protection services, such as credit monitoring, could help to protect consumers whose sensitive information has been breached. The report states: “Protective measures that can limit the victim’s risk in this type of breach include credit monitoring services and a security freeze.”
California seems to be at the forefront of addressing data breaches: the state recently introduced the Consumer Data Breach Protection Act, AB 1710, which would make retailers responsible for notifying customers of any data breach incident, as well as hold them liable for reimbursing customers' financial damages.
At the federal level, a 2008 report by the President’s Identity Theft Task Force found “any comprehensive information security program — whether in the public or private sector — must include policies for responding to a data breach…. Such policies should address whether, how, and when to inform affected individuals of the loss of their data, and whether to offer services such as free credit monitoring to those individuals.”
The key message for retailers is that data breaches cannot be managed solely as a compliance issue. Companies must consider their customers and take the necessary steps to make them feel taken care of after an incident.
What’s In Store for 2014?
When it comes to data breach policy, things are definitely looking up. It appears Congress is poised to seriously consider legislation that would enact a national data breach notification requirement to replace the current segmented system of state laws. At the same time, state legislators will continue to look for ways to refine their existing statutes.
Still, as Congress works to form a national data breach standard, organizations must ensure compliance with existing breach notification laws. First and foremost, retailers should implement pre-breach plans, which are often viewed as a good defense, and demonstrate they have established reasonable procedures for addressing a data breach.
Regardless of the legislative outlook, data breaches present a significant business risk for retailers. Preparation is vital. Creating a security incident response plan and identifying the proper outside legal counsel, forensics experts and data breach resolution specialists ahead of time can do wonders to help mitigate the fallout from a breach.
Tony Hadley is SVP of government affairs and public policy for Experian. He leads the corporation’s legislative, regulatory and policy programs relating to consumer reporting, consumer finance, direct and digital marketing, e-commerce, financial education and data protection. Hadley leads Experian’s legislative and regulatory efforts with a number of trade groups and alliances, including the American Financial Services Association, the Direct Marketing Association, the Consumer Data Industry Association, the U.S. Chamber of Commerce and the Interactive Advertising Bureau. Hadley is chairman of the National Business Coalition on E-commerce and Privacy.
Michael Bruemmer, CHC, CIPP/US, is VP with the Experian Data Breach Resolution group. With more than 25 years in the industry, Bruemmer brings a wealth of knowledge related to business operations and development in the identity theft and fraud resolution space where he has educated businesses of all sizes and sectors through pre-breach and breach response planning and delivery, including notification, call center and identity protection services. Bruemmer currently resides on the Ponemon Responsible Information Management (RIM) Board, the International Security Management Group (ISMG) Editorial Advisory Board and the International Association of Privacy Professionals (IAPP) Certification Advisory Board.