Security Breach: The Senate Wants to Protect Your Information
In response to Target’s massive data breach affecting nearly 110 million consumers, the Data Security and Breach Notification Act has been introduced in the U.S. Senate. Both Target and its customers were victims of the 2013 cyberattack, which increased susceptibility to identity theft for customers, and tanked profits for the company. The new legislation attempts to increase the security of consumer information, and to set requirements for companies to notify consumers and government agencies of security breaches.
The Act will establish six requirements for companies to increase data security protection:
- Create a security policy with respect to the collection, use, sale, dissemination, and maintenance of personal information.
- Identify a point of contact who is responsible for the management of information security.
- Create a process to identify and assess possible vulnerabilities within the security systems maintained by the company, including regular monitoring for breaches.
- Create a process to make necessary changes to security practices used to maintain personal information including architecture, installation, and operating software.
- Create a process to dispose of data in electronic form by destroying, erasing, or encrypting the information.
- Implement standard methods to destroy paper and other non-electronic records that contain personal information.
While some companies maintain the security of personal information themselves, others contract this responsibility to third-party groups. In the event of a security breach, this legislation requires any group responsible for maintaining personal information to contact the Federal Trade Commission and to contact all consumers whose information may have been compromised. Consumers must be contacted by mail, email, or telephone, and it is the company’s responsibility to create a hotline or website to provide additional information to those affected by the breach. If a security breach affects more than 5,000 people, companies are required to notify all major credit reporting agencies. Also, some companies will be responsible for providing at least one free credit report per quarter for each consumer with compromised personal information, for up to two years.
Some covered companies, such as small businesses and non-profit organizations, that are unable to provide free credit reports due to cost may be exempt from this practice. Additionally, companies that find other correspondence methods too costly may employ alternative notification methods, such as contacting print and broadcast media to inform the public. If a company does not follow the reporting requirements and is not exempted from certain practices, it can be fined.
If this legislation is passed, a company’s data security will not improve as a result of it, but rather in spite of it. Companies are already improving security to combat the threat of class-action lawsuits and enormous financial losses following a security breach, without federal action. The Data Security and Breach Notification Act fails to understand that companies are also victims when dealing with cyberattacks, and that no matter what security measures are in place, all electronic information is vulnerable to being hacked. The bill also fails to acknowledge the role bankcards play in the insecurity of personal information. As noted by David French, Vice President of the National Retail Federation, the bankcard industry prefers magnetic stripe cards over chip-and-PIN technology, which is more secure. Retail companies cannot be the only group held accountable for the actions of cyber criminals.
Requiring companies to notify government organizations, credit reporting agencies, and consumers is a more effective policy. Although companies are improving cybersecurity, a breach in that security could lead companies to hide or delay informing consumers. This delay may prevent a person from contacting their financial institution in time to stop the misuse of their personal information. Another benefit of requiring companies to inform the public of a breach is that it reduces the consumer’s burden of proving identity fraud. Consumers need to be protected, and when companies fall short of providing that protection, they have a responsibility to assist consumers in correcting the company’s mistake; however, lawmakers should consider that both consumers and companies are victims of data security breaches, and that different industries affect the ability to effectively secure data.
Teerah Goodrum (@AisleNotes) is a graduate student at Howard University with a concentration in Public Administration and Public Policy. Her time on Capitol Hill as a Science and Technology Legislative Assistant has given her insight into the tech community. In her spare time she enjoys visiting her favorite city, Seattle, and playing fantasy football.