President Obama Proposes Federal Data Breach Law


A federal data breach law is picking up steam. Proponents argue that a data breach law at the federal level would clear up the differences between the states, which at this point are significant: the state laws all vary in how and when victims must be notified. Because large companies usually do business in multiple states, the cost of complying with each state's notification requirements after a breach can be significant.

In January of 2015, President Barack Obama previewed a new data breach notification law in a speech to the Federal Trade Commission. In his speech, he called for a 30-day deadline for notification of a data breach, with the notification period starting at the discovery of the breach. Currently, in Connecticut, companies have a 5-day period in which to notify those affected by a breach. In many other states, however, companies have as many as 45 days to notify those affected.

President Obama said: “Right now, almost every state has a different law on this, and it’s confusing for consumers and it’s confusing for companies -- and it’s costly, too, to have to comply to this patchwork of laws. Sometimes, folks don’t even find out their credit card information has been stolen until they see charges on their bill, and then it’s too late. So under the new standard that we’re proposing, companies would have to notify consumers of a breach within 30 days.”

While there has been some criticism about reducing the time frame to 30 days, it certainly is better than attempting to do so in five days. However, companies and security experts, such as the Evidence Solutions Digital Evidence Division, prefer to observe attackers for a while to determine how the breach occurred and just how extensive it is. This allows for better analysis and remediation of what allowed the breach to happen in the first place.

In general, a breach includes, but is not limited to: lost media (including backup media), external access to and theft of data, and insider theft of data. Interestingly, in most states encrypted data is exempt from the state notification law. It will be interesting to see whether the federal law follows suit. Also unresolved is whether the company has to prove that personal information was actually viewed.

Most security organizations and companies agree that individuals whose information has been exposed have the right to know as soon as practicable so that they can protect themselves. However, it is important to note that companies have usually been breached for months before the organization discovers the breach. Companies need to step up breach detection, and they need to move faster to study the attack and then resolve the problem.
