50 States, 50 Different Definitions of a Data Breach

Almost every week, we hear of another data breach – another instance of thousands, sometimes millions, of people losing control of their personal information. A single data breach has the power to not only tarnish a company’s reputation, but severely cut into its bottom line too. According to the 2018 Ponemon Report, the average total cost of a data breach is $3.86 million.

Despite the prevalence and recurrence of these attacks, there is no federal law that clearly defines what constitutes a breach or outlines how a company should respond to it. Instead, there are dozens of conflicting state standards that vary wildly. To solve this problem, Congress needs to create a single standardized approach that makes compliance easier for American businesses and consumers impacted by data breaches.

For example, in California, government notification is required if there is a data breach that requires more than 500 state residents to be notified. In Texas, no government notification is required, but if more than 10,000 persons are notified, a company must notify all nationwide consumer reporting agencies. Congress and the Federal Trade Commission need to step into this void and pass one clear set of regulations that chief information security officers across the United States can follow.

Every single state and the District of Columbia has enacted legislation requiring organizations to notify individuals of security breaches of personally identifiable information – showing how important this issue is to Americans, which makes it even more stunning that the federal government has not passed its own standard. Exabytes of data cross state lines every day so this is clearly an interstate commerce issue that the federal government can, and should, step in and fix. Even if a business only has nexus in a single state, the business more than likely has customers across the country or shares data with vendors in other states.

According to Microsoft’s Trends for Small Businesses in 2018 survey, 25 percent of small-to-midsized businesses are doing nothing to protect themselves against a data breach. And Nationwide found that almost eight in 10 small business owners do not have an incident response plan for responding to and limiting the effects of a data security event. Merely tracking the numerous different data breach standards in each state that they operate in would take many resources away from many small businesses. A small mom-and-pop shop should not have to hire expensive privacy attorneys to ensure that they are not running afoul of some state’s data breach regulations in case they suffer a cyberattack.

A federal data breach standard needs to provide guidance in a few key areas:

•   What constitutes a data breach? Congress needs to start by defining what exactly a breach is. Is it simply the release of a single piece of PII? Is it two percent or more of a company’s customer data? Is it the unauthorized acquisition of information that compromises the security, confidentiality or integrity of that data?

•   What does it pre-empt? The type of data is also relevant when outlining a breach – banks are covered by Gramm-Leach-Bliley; healthcare providers are covered by the Health Insurance Portability and Accountability Act – those entities do not want FTC regulation on top of their sector regulation. A new federal standard should preempt the state regulations, but protect Gramm-Leach-Bliley, HIPAA, and other sector regulations.

•   How long do companies have before they should notify their customers? Perhaps most importantly, legislators need to determine how much time organizations have until they must notify individuals of a breach. While it may be ideal to notify customers within 24-48 hours of discovery of the breach, there are many instances where a longer standard may be needed. Once an organization discovers a breach, they may need to work with law enforcement to catch the hacker. It can also take some organizations weeks to determine the full scope of a breach. A good example to follow is that of the Office of Personnel Management when it announced in 2015 that it was the target of a data breach. OPM regularly updated the public about the scope of its breach as it learned more details.

While a clear federal standard is needed, it will not replace the need for organizations to have a crisis response plan ready in the event of a data breach. An effective crisis response plan is created by a response team that has clearly-defined roles and responsibilities that they set before a breach happens. You do not want to become the Harvard Business Review case study for how not to respond to a data breach. After a breach, your focus should be your customer. The best executives tell their employees to take any action needed to keep customers happy. You should also work with law enforcement to determine who and where the attack is coming from.

Many data breach notification laws have been debated in Congress, but a compromise has yet to be found. Until that happens, millions of Americans will remain vulnerable and businesses will have to navigate a myriad of conflicting state laws. In the meantime, companies should look to create their own easily enacted crisis response plan that prepares them for what seems like the inevitable in today’s world.

Bob Worrall is senior vice president and chief information officer leading Juniper Network’s Global Information Technology team.

Morning Consult welcomes op-ed submissions on policy, politics and business strategy in our coverage areas. Updated submission guidelines can be found here.

Morning Consult