Businesses are at the mercy of hackers, sniffers, and the criminal element who are after your data. Many states have their own regulatory requirements, and this lacks uniformity and creates issues for those who do business across the United States. So what is next? Will we see uniformity in regulatory compliance for businesses across the country? H.R. 2205 is attempting to create business compliance, which will supersede the state regulations and protect consumer information.
H.R. 2205, or Data Security Act of 2015
Introduced on May 1st, 2015, the Data Security Bill of 2015 is a national consumer breach notification law. Today, 47 states, together with District of Columbia, Guam, Puerto Rico and the Virgin Islands have individual regulations specifying when and how organizations should notify consumers in the event of an electronic data breach. The state regulations vary greatly in terms of the procedures which organizations need to follow, as well as consequences for non-compliance.
The goal of the new law is to supersede the existing state regulations by creating a single system coordinating the notification process. It establishes rules for handling consumer financial and sensitive personal data. The Federal Trade Commission will have the authority to enforce the law.
The bill must be passed by the House and the Senate, and then signed by the President, to become law.
Organizations Affected
The law will apply to any individual or organization which handles personal information of consumers, including retail, real estate, transportation, and other organizations.
Timing of the Bill
According to Consumer Reports, personal data of over 70 million Americans was compromised in 2014. Until now, the financial industry has carried the biggest burden of notifying consumers of security breaches. Such laws as the Gramm-Leach-Bliley Act (GLBA) of 2005 require financial organizations to establish reasonable procedures for preventing breaches, as well as informing consumers of compromised data.
According to the statement, recently issued by the American Bankers Association in the support of the Data Security Bill, they want a “shared responsibility” with other industries for security breaches.
Bill’s Controversy
Organizations in many industries have raised concerns about the bill. The National Association of Realtors® is concerned about the burden of the data protection standards, and the expansion of FTC’s authority. The Retail Industry Leaders Association claims that it will burden the retailers (especially smaller businesses), requiring them to conduct criminal background checks on their employees involved in handling consumer data.
Although there is some merit to all the concerns, protecting consumers from fraud, and minimizing the consequences of stolen data, should be more important than the inconvenience of the new proposed measures.
In addition, GLBA affects all financial organizations, including very small firms, and most have found reasonable ways to comply with the law. There are many products on the market which limit security breaches while being inexpensive to deploy.
How to Comply with Data Security Act of 2015
Once the bill becomes law, organizations will have to create a “comprehensive information security program.” Some of the steps involved include designating an employee(s) to coordinate the program, identifying risks, designing and implementing safeguards to control the risks, overseeing third-party service providers, and periodically evaluating and adjusting the program.
In terms of technology security controls, the Act requires the affected organizations to implement the following:
- Security access controls to information systems,
- Encryption of sensitive financial or personal information in motion and at rest,
- System monitors to detect intrusions and attacks,
- Protection mechanisms to prevent sensitive electronic data from damage and loss,
- Procedures to properly dispose of sensitive data.
Depending on the size of the organization, and where their sensitive data is stored (on premises or in the cloud), the cost of compliance can range from thousands of dollars, to just a few dollars per person per month.
Smaller organizations which keep data in the cloud may be able to comply with the law by using a single reputable encryption service provider. Such providers can not only offer encryption services for data in motion and at rest, but also enable secure access to data (by authenticating senders and receivers). In addition, many also offer data disposition services.
Larger organizations storing data on premises can also integrate these solutions with a much lower cost than previously experienced.
Secure implementation of safeguards should be on the forefront of all business professional concerns. The fiduciary responsibilities business owners have of protecting information of their patrons is the minimum which a consumer should expect. The breaches being encountered everyday degrade the confidence consumers have in providing their information to businesses. Get secure, respect the responsibility you have to your clients, protect the integrity of your brand, and become part of the solution.
Identillect Technologies CEO Todd Sexton regularly lectures, consults and trains on compliance and cybersecurity for a wide variety of regulated industries.
For more information, visit www.identillect.com.
