During the past two years, it seems as though we are always hearing about a data breach. Unfortunately, we often don’t hear about these data breaches until they are weeks — or even months — in the past.
Gary S. Miliefsky is a cyber security expert and the CEO of the website SnoopWall. He has advised the National Infrastructure Advisory Council, and recently blew the lid on how Russian, Indian, and Chinese hackers have been using flashlight apps to gather your personal information. He thinks it’s high time that a national data breach notification law is put into place, for the safety of consumers as well as for the long-term benefit of businesses.
What is the Federal Data Breach Notification law?
“This nine-page bill proposed by the White House covers federal protection of consumer personally identifiable information,” says Miliefsky. “This is information usually lost in a data breach and ranges from your name, address, date of birth, and mother’s maiden name to credit card records, medical records, and pretty much anything that is yours and private.”
The idea behind the bill is to require certain businesses to disclose a data breach within 30 days of discovering it. Right now, there are some states, like California and Massachusetts, with rather strict reporting requirements. However, not every state is so aggressive, and the Federal Data Breach Notification law aims to ensure that all businesses are required to report data breaches in a timely fashion. “Under this law, federal fines can be imposed on a business that doesn’t comply,” says Miliefsky.
Miliefsky points to a recent data breach at Sony Pictures Entertainment. “Some of their former employees located in various states weren’t notified about the breach for more than 90 days,” he says. “The sooner a citizen is notified, the quicker they are aware that they should be monitoring their credit file and other records more closely for the risk of fraud.”
Business impact of a Federal Data Breach Notification law
“Businesses that manage at least 10,000 consumer records would be impacted and would be required to report a breach unless they feel that the breach was of unintelligible information,” says Miliefsky. “Not reporting properly and then being investigated could result in a fine of up to $1,000 per consumer personally identifiable information breach, with a maximum of up to $1 million per violation,” he explains. “It can be even higher if it was willful or intentional by the organization managing the records.”
While the law would require businesses to increase their vigilance in these matters, and could lead to some higher costs initially, Miliefsky thinks the long-term benefits to businesses would be felt. He points out that many of us have had our identities stolen. He says, on average, every U.S. consumer has had his or her identity stolen at least three times.
Many consumers no longer trust companies with their records. The Federal Data Breach Notification law could change that to some degree. Companies could win back some consumer trust and goodwill by quicker data breach notifications.
Additionally, this law would force companies to pursue best practices when dealing with cyber security. Miliefsky says that many data breaches start with poor employee training. The threat of fines could encourage businesses to move forward with better employee training to prevent data breaches in the future, benefitting businesses and consumers alike. “You can’t simply throw more money at automation like better firewalls and antivirus systems and assume you’re doing a great job protecting confidential consumer records,” he says. Instead, he suggests adding employee training about better email practices and password protection, as well as educating employees about avoiding phishing attacks and remote access Trojans.
Consumer action and data breaches
Miliefsky worries that even 30 days is too long a timeframe for a data breach notification. He would like to see organizations required to report the discovery of a breach within hours, since time is of the essence in these cases. He points out that these data breaches allow hackers to sell information on the black market quickly. In turn, black market fraudsters can use the information to get loans, make purchases using credit cards, and take other actions. Even vigilant consumers might not realize that they need to monitor their information more closely without a data breach discovery notification.
With the knowledge that they need to take action sooner, consumers could better protect their own information and their finances. On top of that, many businesses would benefit as well, since, when it comes to fraudulent purchases, the onus is on businesses to pay for the losses. Preventing the use of stolen consumer personal data could save businesses money, too.
In the end, it’s important to realize that the increased digitization of our society is likely to lead to more data breaches. Even if data breaches can’t be entirely stopped, it is possible to limit their damage. “The faster this reporting becomes and the more frequently this information is updated and shared, the smaller the window of vulnerability becomes,” Miliefsky insists. “By making this information public instead of hiding it, it will become less and less valuable to criminals.”
Quizzle Pro+ offers best-in-class protection against America’s fastest growing crime. For more information, visit theimk.com.