I can think of no area that needs federal oversight more than the cyberspace arena, and by default, cybersecurity. Why? Because cyberspace doesn’t rest comfortably within the borders of one state or another. Everything is national; everything is global — or so it seems.
But as Congress continues to muddle around with drafting cybersecurity legislation that makes sense for the country as a whole, we are still dependent on state rules and regulations, particularly on data breach notification. And, this being the states, all of which do their own thing regardless of what anyone else is doing, we have a patchwork quilt of laws that can — and do — affect people who don’t live in those states where the businesses they utilize are located.
Here’s a question: Do you know the breach notification laws for your state? Do you know if they are strict or lax or if your state even has them? Do you know how these laws work across state lines? Did you know that 4 states have yet to enact a data breach notification law — Kentucky, Alabama, New Mexico and South Dakota — or that Virginia’s compliance laws are the strictest?
The researchers at Imation created a Compliance Heat Map that depicts the “strictness of data breach laws and resulting penalties for breaches by state.” The Compliance Heat Map provides a visual snapshot of the strictness of regulations by state, using a color scale ranging from light yellow (less strict) to dark red (more strict). In a release, David Duncan, director of software and security solutions at Imation, explained it:
What the compliance heat map tells us is that data security needs to be top of mind for all IT pros, as there are rules in place for nearly all states and territories and non-compliance could mean serious penalties. Yet, companies also are challenged by explosive data growth and state and federal requirements that mandate active archiving, long-term retention and accessibility of that data. Businesses need resources to help navigate laws and develop secure and scalable infrastructures for data storage and protection.
I was also curious about how these breach laws work across state lines, so I asked Duncan. He told me:
In the state data breach notification regulations, the general criterion is that a consumer is a resident of a specific state. The laws of the 49 states where a consumer does not live do not apply. It is the business’s responsibility to notify the state in which a customer is a resident – based on the information that the company has of a consumer’s location.
So, it sounds to me as though a customer who lives in Pennsylvania but whose personal information sits on a computer system in New York doesn’t have to be notified if there is a breach of that New York system. And if they do notify your state, will the state actually notify you? It’s all very shady. How much thought do businesses give to reaching out to everyone involved in a breach, especially smaller companies? After all, smaller companies are more likely to be hit with a breach.
I think the heat map makes a good case for the necessity of a solid national law. So I asked Duncan what his wish list would be for that national law. He thinks a national law should consist of the following:
- Whether the loss of personal information (e.g., a device that is misplaced but is not known to be lost or stolen) constitutes a data breach
- The minimum threshold for when consumers should be notified
- The threshold that would result in a different notification or remediation requirement (e.g., a credit reporting service)
- The time allotted for the notification process
- Consistent requirements for federal, state and local agency reporting and notification
- A uniform set of penalties
What do you think? Do the breach laws on a state level work or do we need something more consistent on a national level?