[BreachExchange] Data Breach Laws are Increasingly Common, do they make a Sufficient Difference?
Audrey McNeil
audrey at riskbasedsecurity.com
Mon Jun 11 19:38:26 EDT 2018
https://www.infosecurity-magazine.com/next-gen-infosec/data-breach-laws-common-sufficient/
It's every consumer's worst nightmare: You open your email to discover a
data breach notice from a company that you don't even remember creating an
account with. You certainly appreciate receiving the heads up, but is it
really enough? Some consumer advocates and business leaders might argue
that an apologetic email message falls far too short.
As of this article's publication, data breach laws have been implemented or
passed in all 50 US states and many modern nations. Unsurprisingly, many
private citizens and professional consumers assume that this means their
information is safe.
In reality, the law doesn't necessarily incentivize companies to keep data
secure. Are lax regulations failing our information-driven society?
Rules Need Consequences
New data protection policies would be meaningless without sanctions for
brands that fail to comply with them. All of these policies have stringent
fines for organizations that fail to take adequate measures and these fines
are likely to be strengthened as more data breaches get national attention.
Rules only work when they stop people from doing bad things. For instance,
Alabama's 2018 Data Breach Notification Act prohibits companies that
experience breaches from leaving affected users in the dark. Instead,
organizations that collect, store or process data must take steps like
maintaining safeguards and designating responsible employees to oversee and
manage security measures.
The safeguards need to be updated over time as technology progresses. One
of the biggest changes is the growth of the Internet of Things (IoT).
Brands need to understand how to develop an IoT framework with security in
mind.
Too much wiggle room?
The problem with many data breach rules is that they lack the bite
necessary to be effective. For instance, the National Law Review points out
that even though Alabama's legislation lets the state attorney general fine
noncompliant companies and file consumer lawsuits, there are no
predetermined or mandatory criminal penalties.
In other words, a company can easily get away with sidestepping meaningful
punishment as long as it has money to burn on fines and lawyer fees.
The Perils of Weak Enforcement
The idea that data security laws lack punch isn't just idle speculation. In
2017, Equifax told the American public that it had exposed the data of 148
million people, or about half of the entire US population.
About six months later, a US Senate report revealed that the Consumer
Financial Protection Bureau, or CFPB, had received 20,000 complaints about
Equifax since the initial breach announcement.
While some might say that the CFPB simply hasn't had sufficient time to
act, observers note that things don't look good for consumers. CFPB head
Mick Mulvaney is on the record as being against regulations aimed at
businesses. Even more damning, he said that he wanted to make the CFPB's
complaints portal private.
If this proposal goes through, the general public could soon lose the
ability to hold companies and regulators publicly accountable for their
actions without Equifax ever having paid the price for its misdeeds.
The Outlook for Companies
Imagine that you were a point-of-sale software vendor. If your products
were implicated in one of the many retail data breaches in the past few
years, then your credibility would have suffered along with your clients'
reputations.
Consumers might not come to regard you with the same hate they hold for
Equifax or Facebook, but the business community would be well within its
rights to blacklist you.
Consumer goodwill ultimately demands trust, and time has proven that you
can't always trust companies to do the right thing. Even though some people
automatically assume that more regulations are always bad for business,
this view lacks nuance, especially for those whose business models depend
on safe data products.
If your company relies on a third-party user credential service, do you
really want to run the risk that your provider didn't secure their
databases because they thought they could get away with slacking off?
Comprehensive security governance is far less expensive than having to
rebrand or close up shop for good after your consumers come to hate you.
While it's tempting to lobby against tighter data security legislation, it
has the potential to make the IT industry more accountable overall, and
that's never a bad thing.