Even though cybersecurity isn’t a “hot topic” in the current presidential debate, the data breaches of 2013-2015 set the stage for some major data security legislation. Last year, according to the Identity Theft Resource Center, there were 781 data breaches. With breaches affecting large retailers, hotel chains, healthcare offices and too many SMBs to count, it’s no wonder politicians in Washington are starting to take payment and data security more seriously.
Big industries that have typically handled sensitive information, such as banking and healthcare, have always had to comply with specific regulations to keep this information secure. But in today’s world, these security issues are also a concern for retail, education and even small to medium-sized businesses. In addition to the laws and policies most states have in place to protect personal data, there are a number of efforts being made to take information protection to the national level.
In 2015 alone, eight bills were introduced in Congress that included policies for securing personal information and instructions on what should be done in the event of a breach. Of these, two important initiatives currently have versions in both the House of Representatives and the Senate: the Data Security Act of 2015 and the Data Security and Breach Notification Act of 2015. The bills are similar, but they approach security in different ways and would mean different things for your business if passed into law.
Data Security Legislation: The Data Security Act of 2015
The Data Security Act (S. 961/H.R. 2205) aims to better protect consumers from identity and data theft by creating a uniform set of standards and policies that all companies must adhere to when it comes to data security. It would require all businesses and organizations that store nonpublic personal information to maintain better standards of security.
Protection measures required under these bills can be tailored to individual businesses, making them scalable to lessen the burden security measures can place on small businesses. These measures take into account the size, scope and type of financial information a business holds.
Should a breach occur, organizations would be required to investigate each incident to determine the reach of the breach, whether data was potentially or definitely accessed by the attackers, and the likelihood that the stolen information could lead to fraud or identity theft.
Under this legislation, companies would need to create a plan to store and protect sensitive information, and have a specific employee responsible for updating and maintaining security standards in accordance with changes in available technology. This employee would also be responsible for analyzing all security breaches and determining the level of risk associated with each.
If a breach is determined to be high risk, the company must notify the relevant federal agencies, law enforcement and the individuals affected by the breach. National consumer reporting agencies must also be notified of any breach affecting more than 5,000 people.
The bottom line:
If the Data Security Act is passed, your company might have to make significant changes to the way you store and protect personal information. Though the required security procedures are scalable to help small businesses, some measures (such as requiring the designated employee to undergo a costly background check) could be difficult for smaller companies to comply with.
You would also bear the burden of determining how damaging a potential breach might be, with the possible consequence of a customer taking you to court to recover damages if you make the wrong call.
Data Security Legislation: The Data Security and Breach Notification Act of 2015
The Data Security and Breach Notification Act (S. 177/H.R. 1770) may be something you’ve heard about, as it’s gotten quite a lot of media buzz in the past year. The bills in the House and Senate are very similar, but they differ in a few key ways that could signify big differences for companies.
Much like the Data Security Act, this legislation leaves it up to each business to determine how much harm could result from a breach. Consumers only have to be notified if there is a reasonable risk of identity theft, fraud or other “unlawful conduct,” though H.R. 1770 only treats identity theft or economic harm as grounds for notification.
S. 177 allows the Federal Trade Commission to outline specific security protocols that businesses must adhere to, including a written security plan, a designated employee to oversee security, vulnerability assessments and a process for destroying data. H.R. 1770, on the other hand, only requires businesses to maintain reasonable security measures without specifying what those are.
Companies that protect information with encryption benefit from this legislation, because the bill presumes there is no risk of harm from a breach of encrypted data, meaning you would not have to change existing security measures. Keep in mind that, in practice, encryption only removes the risk if the keys stay out of the attacker’s hands, so key management matters as much as the encryption itself.
The bottom line:
There is currently a lot of concern about these bills, because they would preempt existing state laws that protect personal information, and many feel the state laws are stricter. Though this may look like a win for businesses at first glance, remember that a lapse in security that leads to a data breach could severely tarnish your company’s reputation, so data security is not the place to cut corners.
However, companies can benefit from encryption today with technologies such as Bluefin’s PCI-validated Point-to-Point Encryption (P2PE), which protects consumer credit card data.
Businesses can only benefit from increasing cybersecurity. Regardless of whether this legislation passes, keeping your customers safe from data theft should be a top priority. Don’t be the next data breach statistic — contact us today to learn more about how you can protect your customers.