About Tony Hadley and Michael Bruemmer

Tony Hadley is senior vice president of government affairs and public policy for Experian. Michael Bruemmer, CHC, CIPP/US, is vice president with the Experian Data Breach Resolution group.

Navigating Data Breach Regulatory Requirements

Amidst the gridlock on Capitol Hill and in State Houses across the country on many policy priorities, there seems to be one issue related to corporate governance that brings both parties together. In response to a tidal wave of security incidents, both policymakers and regulators are passing and debating new rules regulating how companies must respond to a data breach.

Along with managing internal expectations from the rest of the C-suite and board on how a data breach needs to be handled, risk managers now face a continually shifting regulatory landscape. It is essential that risk managers are up to speed on the latest policy developments and understand how they will influence how a company responds to an incident.

In a policy white paper released by Experian, we found the following to be some of the most significant trends changing the regulatory landscape.

State Laws and Regulator Expectations

Today, when a data breach occurs, risk management professionals need to take into account 49 different laws and regulations across the states, the District of Columbia and Puerto Rico. The nuances between each law require careful review, especially for businesses that operate in multiple locations. Further complicating matters, many states are actively updating their laws:

  • Oregon recently signed a law requiring that notification of a data breach be provided to the state attorney general if a company experiences a breach that affects more than 250 consumers.
  • Connecticut added a requirement that companies provide credit monitoring for at least 12 months to impacted parties, as well as provide notice of a breach within 90 days of the incident’s discovery.
  • Rhode Island now requires consumer notice no later than 45 days after breach discovery and expanded the definition of personal information to include email addresses combined with passwords.
  • Illinois is considering legislation that would expand the definition of personal information to include marketing data.

State attorneys general are also increasingly scrutinizing how companies respond to a data breach, and are often vocal if they think a company is not taking the proper steps to protect affected constituents. In addition to conducting more official investigations, state attorneys general are leveraging the power of the press to make their point.

Congress Looking to Reach Consensus

The current complexity caused by evolving state laws could soon become a non-issue if Congress is able to pass a comprehensive federal data breach notification bill. Lawmakers have made passing a national data breach and data security standard a priority in the current Congressional session. One bill, the Data Security and Breach Notification Act of 2015, has already been passed by the House Energy and Commerce Committee and could make its way to a full vote. In the Senate, a number of competing data breach bills are also being debated, each seeking enough support to advance.

This is not the first time Congress has attempted to pass a comprehensive bill. Several bills were previously introduced and passed by House and Senate committees, but were unable to make it any further in the process, both because of a lack of support and because they were not high on the priority list. However, while reaching consensus may not come easily, there is pressure today on federal lawmakers to pass a bill, which is driving more action in the space.

Adding to the momentum, President Obama is also a vocal advocate for a national uniform breach notification standard. He explicitly referenced the need for comprehensive legislation during his latest State of the Union Address, and gave a speech to the FTC in January 2015 that outlined his version of a draft data security bill – the Personal Data Notification and Protection Act. In addition to data breach law, recent high-profile security incidents also led Obama to encourage Congress to pass legislation that regulates and supports voluntary sharing of cyber threat information between companies and the government. With attention and support from the executive branch on cyber security, it is much more likely we will see progress on the topic from Congress.

Staying Informed and Prepared

The reality is that data breaches pose a risk that will always need to be addressed, and until the U.S. passes comprehensive data breach notification legislation, the responsibility falls to risk managers and relevant colleagues to track policy changes. This is why it is important to enlist outside experts such as legal counsel familiar with the evolving regulatory landscape. Understanding the landscape is not enough, however. Companies must ensure that any new rules or regulatory agency expectations are accounted for and updated in data breach response plans. As a best practice, companies should review plans at least twice a year.

More information on data breach legislation and resources can be found at the Experian Data Breach Resolution website and the Experian Data Breach Resolution blog.

U.S. Policymakers Renew Focus on Data Breach Laws

If we have learned any lessons from the last few years, it is that data breaches present a significant business risk to organizations, often resulting in high financial cost and impact on public opinion. According to a recent study, the average cost of a data breach incident is approximately $3.5 million. With reputation management and a complex regulatory landscape as additional organizational concerns, security and risk professionals face the tough task of ensuring their companies successfully manage the aftermath of a data breach.

A crucial aspect of data breach preparedness is having a strong understanding of the legislative and regulatory framework around data breach notification. However, set against a patchwork of 47 existing laws from nearly every U.S. state, risk and compliance professionals are challenged with understanding and communicating rights for their business and customers. The recent mega breaches experienced by several large companies in the United States have resulted in heightened consumer, media and policymaker awareness and concern, making the potential for new requirements and legislation a hot topic.

Currently, legislation that would establish a national data security and breach standard remains undefined. However, there has been a renewed focus from policymakers and support from the Obama administration to adopt a national notification requirement – offering clarity and guidance for organizations following a data breach. While legislation awaits, experts expect continued data breach enforcement from the federal level, such as the FTC, alongside state governments.

Additionally, as more data is stored in the cloud and shared across international borders, standard data breach notification requirements are also being evaluated and established on a global level. For example, the European Union's (EU) new data breach requirements for telecommunication operators and internet service providers (ISPs) were implemented in August 2013. Now, these entities are required to notify national data protection authorities within 24 hours of detecting a theft, loss or unauthorized access to customer data, including emails, calling data and IP addresses. Building on that legislation, the EU is now also considering extending the 24-hour notification requirement to all commercial sectors as part of the larger update of the region's data protection law.

A federal standard is likely on the horizon, but in the meantime, there are a few recommended steps risk managers should evaluate now as part of their preparedness plan:

  • Understand the current notification requirements and enlist legal counsel. Once the details of a data breach are identified, organizations will need to assess which laws apply to the incident. Identifying the right group of experts, including outside privacy counsel, ahead of time can help risk managers quickly navigate this process. However, be aware that within the United States, certain state laws have consumer notification requirements as short as 30 or 45 days. This means there is no time to waste verifying consumer addresses; writing, printing and mailing notification letters; or setting up a call center and other services for affected individuals. To complicate things further, multiple state laws may apply to a single data breach due to the jurisdiction of the affected individuals, not where the business is located. For more information on notification requirements, Experian has developed a guide with tips on data breach response available for download at http://www.experian.com/data-breach/response-guide.
  • Have a practiced response team in place. A recent report from Ponemon and IBM reaffirms the importance of data breach preparedness. The report found that companies that have a strong security posture are able to reduce the cost of data breaches by as much as $14 per record. Arguably, the strongest part of a data breach response plan is the team that implements it during and after an incident. Risk management professionals should ensure the response team is familiar with security protocols and notification processes in advance. In addition, to be prepared for a data breach at any given point, we recommend practicing the response plan every six months.
  • Offer identity theft protection. Though laws and industry regulations vary regarding whether and when an organization needs to notify victims following a data breach, affected consumers have also expressed their expectation that organizations will offer credit monitoring and identity theft protection services in the aftermath of an incident. In fact, 63% of respondents from a recent survey indicated breached companies should be obligated to provide free identity theft protection to affected customers. Organizations that provide fraud monitoring and identity protection are better positioned to improve compliance and maintain consumers' trust. Policymakers have also made clear, as they evaluate data breach legislation, that they expect companies to take steps to further protect consumers from identity theft following a breach.

As legislation for data breaches continues to be shaped, risk managers preparing their response plans should ensure they partner with legal counsel to understand the various notification requirements across national and international borders. It is also important to remember that data breaches cannot be managed solely as a compliance issue, and to take into account consumer needs and expectations. As part of having a well-practiced pre-breach preparedness plan, risk professionals should focus on clear notification and guidance, along with offering identity theft or fraud protection to protect consumers and ultimately maintain their trust following a breach. With these measures in place, regulators will likely recognize that a company is demonstrating established and responsible procedures for managing and responding to a breach.