One of the new cybersecurity initiatives being championed by President Obama is the Personal Data Notification & Protection Act, which will create federal standards for breach notification. I’ve long thought this act was overdue. With even the smallest companies able to conduct business transactions nationally and internationally, thanks to e-commerce, the boundaries of state-regulated data breach notification laws were too blurry. It is even an area that Congress agrees has to be fixed. As reported in a Tech Target article, the chairman of the Senate subcommittee on Consumer Protection, Product Safety, Insurance and Data Security stated:
In light of recent data breaches, consumers and companies have called for policy changes in this area. This hearing will help the Committee gain a better understanding of how to develop a clear and consistent national data breach notification standard that will help both companies and consumers when they face data security challenges.
Perhaps addressing the problem of data breach notification laws couldn’t be coming at a better time. A new study released by Software Advice found that SMBs don’t have a very good understanding of breach notification laws.
The vast majority of SMBs – 67 percent – are unsure of the data notification breach laws and regulations in their state. Or in other words, if their company is the victim of an attack, they are unclear of what the law requires them to do (or, perhaps, even if they are required to do anything, since there are still several states without any type of data breach notification regulations in place).
Even worse, the survey discovered, is that more than half of these businesses don’t have any plan in place in case of a data breach. Too many companies are going to be caught off guard when the inevitable happens.
Part of the problem with the uncertainty of breach notification laws is the vague description of what needs to be reported. As the report stated:
Heather Buchta, partner at legal firm Quarles & Brady and an expert in e-commerce, software and technology law, says that although state laws vary, they do share common features. When defining PII, the statutes “almost always” include a combination of an individual's name together with any “sensitive data elements,” such as SSN, driver’s license numbers, credit card PINs and account passwords, for instance.
However, the definition of a “sensitive data element” may be broader.
As the attacks become more sophisticated and spearphishing attacks become even more targeted, SMBs have to do a better job preparing for the worst possible event. And that includes understanding how to relay the information about a breach to their customers, whose information is what ends up being compromised more often than not. Hopefully, by putting federal standards in place, SMBs will have an easier time understanding what constitutes a breach and when it needs to be reported.
Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom's Guide. You can reach Sue via Twitter: @sueporemba