Should companies be required to notify consumers in the event of a data breach? Senator Mark Kirk thinks so, and according to SC Magazine, he plans to introduce a bill that would compel businesses to disclose a breach under certain conditions. Kirk and other advocates see this as a way "to make sure the system that Congress designs is easy for industry to put in place and doesn't act like a wet blanket on the 21st century economy." Opponents, meanwhile, argue mandatory breach notification could further compromise consumer privacy and put corporate assets at risk. With companies now potentially facing breach threats at every turn, would this kind of legislation be helpful?
Businesses of all sizes can face an uphill battle when dealing with breaches. A new Forrester report predicts that in 2015, 60 percent of organizations will suffer a security breach. Kroll Ontrack, meanwhile, reports that while 40 percent of adults in the United Kingdom have been victimized by data breaches and 64 percent worry about a future attack, 34 percent of firms have no plan in place to deal with the aftermath of a breach. It's easy to see how such statistics have led policymakers to focus on mandatory reporting as a starting point: if businesses are compelled to report network compromises, they may have no choice but to design a defense plan aimed at avoiding customer ire.
For Senator Mark Kirk, there's a simple solution: If more than 1,000 credit card numbers are compromised in any breach, companies should be required to notify affected customers. This isn't the first attempt at breach regulation; in January, President Obama said he would call for the implementation of a Personal Data Notification and Protection Act in an effort to strengthen "the obligations companies have to notify customers when their personal information has been exposed." While full details on the act haven't been disclosed, one key feature is a 30-day notification requirement after the discovery of a breach.
Critics of such bills worry that they're too weak, according to PCWorld, because they "preempt stronger breach notification laws in several states" and exclude certain types of data by focusing on financial information alone. That focus makes sense, since as reported by Bank Info Security, the majority of breaches (34 percent) happen to financial institutions, and the sheer amount of financial data stolen in retail breaches alone can be staggering. However, by tying mandatory reporting to credit card data, businesses would have no obligation to inform customers if other classes of personal information are compromised, such as healthcare or geolocation data.
If legislation alone can't get the job done, what's another option? Forrester suggests companies begin "planning for failure," by designing ways to deal with breaches not if they occur, but when. This is a departure from traditional IT security thinking, which holds that by using the right technology, businesses can make themselves immune to malware, breaches and other cyberthreats. By adopting a proactive rather than reactive posture — such as implementing cloud-based application security protocols and rigorous, end-to-end network security testing — organizations can not only lower the threat of a breach, but they can also be better prepared to deal with the aftermath.
Senator Kirk's bill and similar legislation proposed by the White House offer a frontline response to financial breaches, essentially putting companies in the spotlight as a way to encourage improved security behavior. But by tackling the back end, businesses can shore up their overall defensive posture, limit the impact of breaches and stand ready to secure customer data.