In response to the increase in high-profile data security breaches, as well as the number of Americans affected by identity theft and other cybercrimes during 2014, President Obama announced legislative proposals to enhance consumer protections when businesses experience a cyberattack. If enacted, how will these new laws affect your business?
During 2014, the number of high-profile corporate data breaches in the United States, such as those reported by Sony Pictures, Home Depot, Target, and J.P. Morgan, rose sharply. According to the Identity Theft Resource Center, the number of data breaches in the United States increased 27.5 percent during 2014. In addition, the Pew Research Center reports that the number of Americans affected by identity theft rose 11 percent during the six-month period from January 2014 to July 2014. Furthermore, the non-profit information security association ISACA reported that 43 percent of the businesses responding to its 2015 Global Security Status Survey indicated they expected their company to face a cyberattack in 2015. In response, President Obama proposed cybersecurity legislation during his 2015 State of the Union address. What are his proposals, and how might they affect your business?
New Consumer Notification Requirements for Businesses Included in the President’s SOTU Proposal
The aspect of Obama’s proposed cybersecurity legislation, called the Personal Data Notification and Protection Act, that has garnered the most media attention is its consumer notification requirements for businesses that have experienced a data breach. Currently, most data breach laws have been enacted by individual states, so requirements differ widely from state to state. In fact, CNET cited a Forrester Research report by Heidi Shey stating that South Dakota, Alabama, and New Mexico have no laws addressing consumer breach notification at all. According to Bloomberg, most experts believe one business advantage of Obama’s proposed legislation is that it would create a level regulatory playing field by replacing this patchwork with a single national standard. What are the consumer notification requirements included in the President’s cybersecurity proposal?
Business Consumer Data Breach Notification Requirements
Under current laws in many states, companies can potentially wait weeks, or even months, to notify customers of a data breach that may have compromised the Personally Identifiable Information (PII) held by the company. When a business delays disclosure of a data breach, consumers lose the window in which they could take steps (such as monitoring accounts or placing a credit freeze) to reduce their risk of identity theft. To address this issue, President Obama proposed legislation requiring businesses to notify their customers and other potentially affected individuals within 30 days of a data breach.
According to ISACA, the details of this proposed legislation are as follows:
- The new law applies only if a company holds, transmits, receives, or collects PII belonging to 10,000 or more individuals during any consecutive twelve-month period.
- Within 30 days of discovering the breach, businesses must notify individuals whose PII is at risk by telephone, mail, or email. The notification must also include:
- The nature of the customer’s information potentially exposed in the cyberattack
- The toll free phone number and other contact information for the three major credit reporting agencies as well as the FTC
- In the event the breach affects more than 5,000 individuals in a particular state, the company also must issue a notification about the breach through local media sources.
Companies that determine, through a government-accepted risk assessment, that consumers’ PII is not at risk of harm from the cyberattack are exempt from these notification requirements. This provision addresses a concern raised by many businesspeople: over-notification about security breaches, especially when the public is not actually at risk, not only erodes consumer trust in companies but may also make the public complacent, so that they fail to act when their sensitive personal information truly is exposed.
President Obama’s Other Cybersecurity Legislation Proposals
Some of the other cybersecurity legislative initiatives the President proposed according to ISACA include:
- Updating the Computer Fraud and Abuse Act to provide robust protections for businesses against cyberattacks on their networks, even when the attacks originate from within the organization
- Enacting legislation that gives prosecutors a basis to prosecute people who sell botnets, which cybercriminals often use in Distributed Denial of Service (DDoS) attacks and to steal data
- Enhancing the authority of Federal law enforcement to deter sales of spyware used to stalk individuals and steal sensitive personal information
- Providing courts the authority and legal tools needed to shut down botnets involved in DDoS attacks and other Internet-based criminal activity
- Amending the Racketeer Influenced and Corrupt Organizations Act (RICO) so that it applies to online criminal activity
While these proposals offer businesses some protection in the form of deterrence, companies still need to take action to protect themselves from cybercriminals. What are the elements of an effective cybersecurity plan? What resources are available to help businesses develop the processes, policies, and procedures needed to deter cybercrime?
The Three Elements of an Effective Business Cybersecurity Plan
According to the National Cybersecurity Alliance, the three elements of an effective cybersecurity plan are as follows:
- Prevention: Take action to protect your business’s computers and networks from cyberattacks and to mitigate the risk associated with data breaches. In addition to using security software, businesses also need to implement processes, policies, and procedures that enhance cybersecurity.
- Resolution: Businesses need to develop plans they can put into action in the event of a network security breach, and to secure the resources required to reduce the risk of future attacks.
- Restitution: Companies need to have plans, processes, policies, and procedures ready to implement that reduce the security risks facing the employees and customers affected by a breach.
Some of the resources recommended for businesses by the National Cybersecurity Alliance include:
- The Federal Communications Commission’s Small Biz Cyber Planner 2.0
- The National Institute of Standards and Technology (NIST) Computer Security Division’s Computer Security Resource Center, which issues monthly cybersecurity bulletins
- The Department of Homeland Security’s U.S. Computer Emergency Readiness Team (US-CERT), which provides a library of cybersecurity tips for businesses
About Natural Wireless
Natural Wireless owns and operates its broadband network to provide businesses dedicated, secured, and symmetrical Internet connections with guaranteed reliability and speed. Contact us to learn more about Better Internet…Naturally!