Data breaches can cost companies valuable resources and damage public relations. Following the series of high-profile, high-impact data breaches at a number of retail companies, the U.S. government has re-energized its effort to combat cyber crime. Government officials are encouraging stronger preventive measures, such as secure file sharing solutions, and calling for stricter national standards requiring businesses to notify affected individuals.
Holding companies accountable
Not all breaches impact a broad population or result in identity theft. For that reason, some businesses might delay their response to a data incident or even take shortcuts in their security practices. However, even a small vulnerability can cause a significant problem and waiting to inform people can put consumers at greater risk.
"The Administration recommends the establishment of a strong, uniform Federal standard requiring certain types of businesses to report data breaches and thefts of electronic personally identifiable information," Mythili Raman, acting assistant attorney general of the Department of Justice, told the Senate on Feb. 4. "Businesses should be required to provide prompt notice to consumers in the wake of a breach."
This summer, legislators introduced the Data Security and Breach Notification Act of 2013, which mandates that commercial entities implement security measures to protect personal information. It also requires companies to give notice to people whose information may have been exposed.
InformationWeek noted that there are already state laws regulating notification after data breaches - but only in some states. For example, California's law requires companies to notify people quickly and "without reasonable delay," the source said, but the standards are often vague and businesses are sometimes reluctant to make breaches public.
"There are areas where Congress can take action and lead in a way in protecting consumers and combating fraud. One such area is a uniform data breach notification standard," US Congressman Lee Terry (R-NE) said at a subcommittee data breach hearing. "Right now, national retailers have to comply with as many as 46 different state and territory notification rules, which can slow down how quickly a business can notify customers of a breach by creating confusion over who must be notified, how they must be notified, and when they must be notified."
By holding all companies to the same standards, legislators hope to level the playing field for organizations that handle the breach responsibly, rather than try to cover it up, the InformationWeek report explained. However, it can also be beneficial for companies to investigate fully before making an announcement so that they can provide people with comprehensive information all at once. Finding the right balance is the trick for legislators and business leaders.
Prevention is better than damage control
The goal of the notification laws is to hold organizations more accountable for implementing better security measures, not to punish them for being victims of criminal activity. By requiring companies to make their information vulnerabilities public, these policies encourage businesses to adopt safer secure file sharing and data management systems.
Better IT infrastructure, like managed file transfer, can also help organizations identify and assess the extent of a breach, InformationWeek observed, making it easier for companies to respond to problems and inform people accurately about the threat.
Data security isn't just about warding off computer hackers. Many breaches occur because of preventable errors, such as storing sensitive information on portable hardware that can then be stolen. To keep their data safe, businesses need solutions that maintain top security measures while storing, transferring and providing access to information. For example, wide area file services (WAFS) allow employees to share documents stored securely from remote locations, reducing the need for workers to keep company information on separate devices.
The government's interest in combating data theft both by investigating criminals and by holding organizations accountable for protecting information points to the need to approach the problem from all possible angles.