The slew of highly publicized data breaches over the past few years has brought the issue of cyber-security truly to the mainstream -- most recently reaching our living rooms through President Barack Obama’s State of the Union address on Jan. 19.
“And tonight, I urge this Congress to finally pass the legislation we need to better meet the evolving threat of cyber-attacks, combat identity theft, and protect our children’s information," the president said. "If we don’t act, we’ll leave our nation and our economy vulnerable. If we do, we can continue to protect the technologies that have unleashed untold opportunities for people around the globe.”
The legislation the president references is currently in the form of a proposal introduced last week seeking to create a unified, federal breach-notification standard that would streamline the requirements for companies in the face of a breach. More specific details can be found on whitehouse.gov.
Breach-notification laws are not a new phenomenon. Currently, 47 states and the District of Columbia have enacted some form of breach-notice legislation. Each of these laws has its own set of triggers for when and who must be notified in response to an event that constitutes a “security breach” (note: there is also no unified standard for what events constitute a security breach).
Breach events routinely trigger multiple state laws. Complying with this patchwork of varying standards in the face of a breach is a challenge for any company, large or small.
The proposed legislation would effectively override the current patchwork of state breach-notice law standards, requiring companies to notify affected individuals within 30 days of discovering a breach incident. This means companies would no longer be bound by more stringent state law requirements.
Among other stricter standards, shorter timeframes for notice would no longer apply. The proposal also omits certain categories of health data that are currently regulated under state laws but not subject to the federal HIPAA law, eliminating any notice requirement for those types of information.
While streamlining the notification process may be helpful to the company in assessing its response to a breach, it is unclear how a law that loosens existing notification requirements “better meets the evolving threat of cyber-attacks.”
We are sure to see this proposal debated and revised before it is finalized.
For entrepreneurs and startups, here are a few tips to keep in mind when addressing cyber-security risk concerns:
- Appoint personnel to oversee data privacy and security for the company. Depending on the company’s size and operations, these do not have to be full-time roles. Having a point person who understands the company’s data assets, and who can help with workforce education, is invaluable.
- User error is a major source of data breaches. Take simple steps to educate your workforce on security basics such as password creation and management, and identifying email spoofing and phishing attempts.
- Have a data-incident-response policy that educates personnel on what to look for, whom to call, and how to respond in the event of a suspected data breach.