The design and implementation of data breach laws are complicated by the fact that breaches are often international. When a website is hacked, its users might be from many countries, and the hackers might be stationed across the globe.
For this reason, some people hope for universal data breach legislation, international regulations that will guide how businesses respond to a data breach. While that sounds nice, it’s unlikely these data breach laws will actually help consumers or businesses.
Realistically, an international data breach law would probably need to be watered down in order to get various countries to agree to it – an improbable scenario. A recent SC Magazine article explains that the European Union currently has extremely high data breach standards (so high they make it hard for business owners), and U.S. lawmakers have shown no signs of wanting to restrict the IT industry in this way.
While international laws are unlikely to happen, U.S. businesses might see a new federal law in the next few years. Before we look at some of the data breach bills being discussed in Congress and the White House, let's first review the challenges these lawmakers face.
Why Are Data Breach Laws Difficult to Implement?
Data breach laws can be as complicated as a data breach itself. The laws are designed by politicians and legislators who don't really understand the problems related to preventing and responding to a data breach.
To make matters worse, data breaches come in all shapes and sizes – it's hard to make one law to address them all. Consequently, data breach laws often have trouble agreeing on…
- A definition for “data breach.” Hackers can use the smallest pieces of personal information to break into a user's account, making it difficult for lawmakers to settle on a definition for “data breach.” Some laws call it a loss of private data containing addresses, SSNs, and banking information. Other laws state that a stolen login combined with other information can be considered a data breach.
- A time frame for response. The EU recently signed a law that would punish companies that fail to report a data breach within 24 hours of its occurrence. Such extreme laws are impractical and unlikely to take hold in the U.S., where most states require business to respond within 45 days or as soon as reasonably possible.
- A small business's responsibility. All state laws agree businesses should contact their customers after a breach, but they disagree about how and when. Some states will also require you to contact the attorney general and / or consumer advocacy groups after a breach.
For more on current state data breach laws, read our Data Breach Response Guide.
Will There Ever Be a Federal Data Breach Law in the U.S.?
Right now, state laws determine how businesses respond to a data breach. But lawmakers are currently working to synthesize 50 different state laws into one set of federal guidelines.
Within the last few weeks, both the President and Congress have each contributed new suggestions for federal data breach regulations, which included ideas regarding…
- The Critical Infrastructure Cyber Community (C3). C3 is an optional "framework" that provides a list of recommendations for commercial businesses and government contractors who want to beef up their security. The program is mostly aimed at bolstering key infrastructure (banks, major manufacturers, utility companies, etc.) and protecting it from cyber terrorism.
- The Personal Data Privacy and Security Act. Senator Patrick Leahy (D – VT) has been trying to pass this bill in Congress for the last decade. After the Target data breach, he renewed his efforts. If the bill passes, it won't make much of a difference for most IT companies. It mostly standardizes the state data breach laws we already have. (For more on this bill, read our analysis in "What the Reintroduction of the Data Privacy Act Means for Small Businesses.")
- The Data Security Act of 2014. This bill-in-progress is similar to the Personal Data Privacy and Security Act. It replaces state data breach laws with one overarching federal law and mandates reporting data breaches affecting more than 5,000 users to consumer advocacy groups. (To learn more, check out "The Data Security Act of 2014: What you Need to Know.")
What Can IT Professionals Do about the Risk of a Data Breach?
Contractors, developers, network designers, and other IT workers, have little protection from the cost of data breach, even with data breach laws. A hacked client can still sue. Because of this, many companies turn to small business insurance to cover their data breach liability. Depending on the type of IT work you do, you might need one or both of these policies…
- E&O Insurance covers third-party data breaches, those that happen on client networks and lead to lawsuits filed against your company. This is the most common data breach coverage for IT contractors.
- Cyber Liability Insurance covers first-party data breaches, those that happen on your own network / computer. This coverage is only important for IT companies that keep client / customer information on their own computers. DBAs or business intelligence companies might need this coverage.
