[BreachExchange] Data Breach Notification Laws: Is it Time for a Uniform Standard?

[Destry Winant]

https://securityboulevard.com/2018/09/data-breach-notification-laws-is-it-time-for-a-uniform-standard/

State data breach notification laws had two primary aims in mind. The
first was to potentially embarrass organizations to improve their data
security by forcing them to disclose certain data breaches publicly.
The second was to help consumers have a fighting chance against
identity theft by arming them with the information they needed to
adequately respond to a data breach and protect their accounts and
identities from theft.

As we covered in “Changes to Data Breach Notifications in the Air,”
since the first data breach law went into effect in 2003, there has
been controversy surrounding what types of data being exposed should
trigger data breach notifications, who should be notified and how
quickly they should be notified.

While it’s been more than 15 years since California set a precedent,
these laws have proliferated around the world, and in the United
States. They have been becoming more prescriptive about the type of
data that must trigger a notification and the time frames in which
notification must be done.

Today, just about every state has created its version of the data
breach notification law, which some contend has created a hodgepodge
of state laws that all organizations that hold data must comply with.
This is why there have been calls for a uniform federal data breach
law by such groups as the National Retail Federation and the Financial
Services Roundtable. Security firm Digital Guardian created a detailed
data-breach disclosure law infographic that is available here.

Would a standard federal data breach disclosure law be beneficial? The
idea garners mixed reaction among security experts.

“A national data breach disclosure law is a great idea. Since state
compliance isn’t standard, and corporations’ home states can vary from
their data center locations altering reporting requirements, consumers
deserve a uniform notice of what happened, when, where and how,” said
Paul McGough, founder and CTO of Qwyit. “Not only will this facilitate
law enforcement by creating a true, shared database of activity, it
also will raise the bar on arriving at strong, uniform cybersecurity
protection methods. Consumers, companies, enforcement and protection
all benefit. There is no drawback to awareness and enlightenment.”

Jake Kouns, CISO at Risk Based Security, said a national breach law on
the surface seems positive, but he has some concerns. “There are
currently several states including Massachusetts, California and even
Florida that have laws in place that are quite strong for requiring
notification for any residents that are impacted by a data breach, but
also requirements for businesses to have a solid information security
program in place,” Kouns said. “The main concern is that if a federal
law replaces the current state legislation, then instead of picking
the most strict law to protect U.S. residents, it would default to the
least amount of notification and security requirements available and
reduce some of the great works that are currently in place.”

Many of experts are also mixed. “I believe that there are two parts to
your questions one is procedural, and the other is substantive,” said
Benjamin Dynkin, a cybersecurity attorney in New York. “As a matter of
procedure, the national data breach notification law is certainly
good. It will provide uniformity, predictability and ease of
compliance. Rather having to comply with any number of existing laws,
a company will only need to focus on a single standard for compliance.

“The second piece is a substantive question,” he continued. “A
national data breach notification law will require setting a national
threshold for data breach notification. Depending on what standard is
chosen, it will either be stricter than many existing laws or looser
than many existing laws. This will not be a huge issue for large
entities, but for small and mid-sized businesses (if the law is
stricter) it can pose meaningful challenges for compliance.
Additionally, if the law is looser than existing standards consumers
may feel that their particular interests are not being sufficiently
cared for.

“The issue can best be summed up by the late Justice Brandeis, who
observed that the states are the laboratory for democracy,” he said.
“They have the flexibility to try different schemas, and to evolve
standards based on their citizens, whereas federal standards have
little ability to be tailored to smaller groups and have minimal
flexibility in execution. While data breaches are fast becoming
commonplace, they are still very new, and further experimentation may
be beneficial at the state level, even though national standards would
ease compliance.”

With the difficulty for the federal government to move much
cybersecurity legislation forward, that may remain the status quo for
some time.