If we have learned any lessons from the last few years, it is that data breaches present a significant business risk to organizations, often resulting in high financial cost and damage to public opinion. According to a recent study, the average cost of a data breach incident is approximately $3.5 million. With reputation management and a complex regulatory landscape as additional organizational concerns, security and risk professionals face the tough task of ensuring their companies successfully manage the aftermath of a data breach.
A crucial aspect of data breach preparedness is having a strong understanding of the legislative and regulatory framework around data breach notification. However, set against a patchwork of 47 existing laws from nearly every U.S. state, risk and compliance professionals are challenged with understanding and communicating the rights and obligations of their business and their customers. The recent mega breaches experienced by several large companies in the United States have resulted in heightened consumer, media and policymaker awareness and concern, making the potential for new requirements and legislation a hot topic.
Currently, legislation that would establish a national data security and breach notification standard remains undefined. However, there has been a renewed focus from policymakers, and support from the Obama administration, for adopting a national notification requirement that would offer clarity and guidance for organizations following a data breach. Until such legislation passes, experts expect continued data breach enforcement at the federal level, such as by the FTC, alongside enforcement by state governments.
Additionally, as more data is stored in the cloud and shared across international borders, standard data breach notification requirements are also being evaluated and established on a global level. For example, the European Union's (EU) new data breach requirements for telecommunication operators and internet service providers (ISPs) took effect in August 2013. These entities are now required to notify national data protection authorities within 24 hours of detecting the theft, loss or unauthorized access of customer data, including emails, calling data and IP addresses. Building on that legislation, the EU is also considering extending the 24-hour notification requirement to all commercial sectors as part of the larger update of the region's data protection law.
A federal standard is likely on the horizon, but in the meantime, there are a few recommended steps risk managers should evaluate now as part of their preparedness plan:
- Understand the current notification requirements and enlist legal counsel. Once the details of a data breach are identified, organizations will need to assess which laws apply to the incident. Identifying the right group of experts, including outside privacy counsel, ahead of time can help risk managers quickly navigate this process. However, be aware that within the United States, certain state laws have consumer notification requirements as short as 30 or 45 days. This means there is no time to waste verifying consumer addresses; writing, printing and mailing notification letters; or setting up a call center and other services for affected individuals. To complicate things further, multiple state laws may apply to a single data breach due to the jurisdiction of the affected individuals, not where the business is located. For more information on notification requirements, Experian has developed a guide with tips on data breach response available for download at http://www.experian.com/data-breach/response-guide.
- Have a practiced response team in place. A recent report from Ponemon and IBM reaffirms the importance of data breach preparedness. The report found that companies that have a strong security posture are able to reduce the cost of data breaches by as much as $14 per record. Arguably, the strongest part of a data breach response plan is the team that implements it during and after an incident. Risk management professionals should ensure the response team is familiar with security protocols and notification processes in advance. In addition, to be prepared for a data breach at any given point, we recommend practicing the response plan every six months.
- Offer identity theft protection. Though laws and industry regulations vary regarding if and when an organization must notify victims following a data breach, affected consumers have also made clear that they expect organizations to offer credit monitoring and identity theft protection services in the aftermath of an incident. In fact, 63% of respondents in a recent survey indicated that breached companies should be obligated to provide free identity theft protection to affected customers. Organizations that provide fraud monitoring and identity protection are better positioned to improve compliance and maintain consumers' trust. Policymakers evaluating data breach legislation have also made clear that they expect companies to take steps to further protect consumers from identity theft following a breach.
As data breach legislation continues to be shaped, risk managers preparing their response plans should partner with legal counsel to understand the various notification requirements at the state, federal and international levels. It is also important to remember that data breaches cannot be managed solely as a compliance issue; consumer needs and expectations must be taken into account as well. As part of a well-practiced pre-breach preparedness plan, risk professionals should focus on clear notification and guidance, along with offering identity theft or fraud protection, to protect consumers and ultimately maintain their trust following a breach. With these measures in place, regulators are more likely to recognize that a company has established responsible procedures for managing and responding to a breach.