The data breach at Citigroup in May – a breach which reportedly exposed an estimated 200,000 customer accounts – has motivated members of the U.S. Congress to re-introduce legislation to penalize the very organizations that have been victimized by hackers. What are the next steps your company should take?
Two bills are proposed by both House and Senate legislators.
First, Sen. Patrick Leahy (D-Vt.) has introduced the Personal Data Privacy and Security Act of 2011. The new bill provides:
- Tough criminal penalties for individuals who intentionally or willfully conceal a security breach involving personal data;
- A requirement that companies that maintain personal data establish and implement internal policies to protect data privacy and security; and
- A requirement that the government ensure sensitive data is protected when the government hires third-party contractors.
This act would also require, under threat of fine or imprisonment, that businesses and agencies notify affected individuals of a security breach by mail, telephone or email “without unreasonable delay.” Media notices would be required for breaches involving 5,000 or more people. The FBI and the Secret Service would need to be notified if the breach affects 10,000 or more people, compromises databases containing the information of one million or more people, or impacts federal databases or law enforcement.
But that’s not the only security bill that has businesses concerned.
In the House, Rep. Mary Bono Mack (R-Ca) is holding hearings in preparation of a bill she’s named The SAFE (Secure and Fortify) Data Act that would also require “reasonable security policies and procedures” to protect consumers and enable disclosures to victims and the Federal Trade Commission within 48 hours of a data breach.
Companies no longer viewed as the victims
All this sounds good from the consumer’s point of view. But what about the expense – and potential penalties – suffered by the “owners” of the data: the businesses themselves?
While these bills may address the public’s interest for notification — and indeed they would bring some semblance of a national standard – they also represent an interesting shift in the liabilities that companies will face. How is that?
Though we currently have no federal data breach notification law, federal policies now view the companies that experience a data breach as the victims of crime. However, under the proposed legislative bills, companies that do not act quickly to appropriately secure the personal data of customers – or fail to report a data breach in a reasonable amount of time – would not only suffer the theft of data, but also be held liable for its loss.
This is a significant shift. Companies are now being viewed not as the owners of consumer data, but merely guardians and trustees whose job it is to protect that data or face criminal penalties. And the message is clear: if companies won’t take adequate precautions to secure the sensitive data of our customers, they’ll pay a hefty price.
Where does your company stand?
In a world in which diligent hackers have the power break into seemingly secure networks and systems, what can your company do?
The challenge is first to determine exactly what qualifies as adequate precautions.
A review of the HIPAA HITECH security provisions that took effect last year provides some insight about what the government considers adequate protection.
HITECH strongly recommends the use of encryption technology. Encryption is a good place for your company to start, especially when dealing with the data your company stores on its servers. If sensitive data itself is kept securely encrypted, a data breach doesn’t expose the content of the information itself.
Secure managed file transfer protocols – which send data using encryption – is the second place to focus attention.
If data is encrypted when it is being securely transmitted between business partners, the value of that data should it be breached – through hacking, theft, or other malicious actions – is worthless. Encryption and secure managed file transfers can dramatically minimize the holes of technical breaches, significantly reducing an organization’s liability.
The Citigroup data breach has rekindled the momentum for a nationwide, cross-industry data breach reporting standard. This standard will not to eliminate the physical breaches themselves. What’s needed is legislation to encourage companies secure the underlying data that is the target of the hackers.
Isn’t it time for your company to take a serious look at its liabilities and to investigate how encryption and managed file transfers can close these important security holes?