Ever since California Senate Bill 1386 went into effect in 2003, state data breach notification laws have been gaining in significance. Additional states have hopped on board and existing ones are fine-tuning their rules. California has even expanded its protections to include health care-related information. Massachusetts has a forthcoming (Jan. 1) comprehensive set of information security requirements on the books like no other. It appears that the seriousness of data breaches is growing and state lawmakers are paying attention.
All of these information privacy and security rules are being forced on businesses, whether they like it or not. Interestingly, I often find in my work that the very people who should be on top of compliance are completely out of the loop with these state laws. In fact, when interviewing in-house legal counsel and compliance managers about how they're managing the extensive requirements, I'm usually given blank stares.
Many say they haven't heard of these notification laws or, in some cases, they say they haven't had the time to analyze how each law affects their business. On the other side of the equation, the common response I get from IT and security managers on this issue is, "our lawyers and compliance manager handle that." Wow, what a disconnect.
Everyone seems to understand their responsibilities associated with federal laws and industry regulations like the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLBA) and the Payment Card Industry Data Security Standard (PCI DSS). However, there's no real accountability at the state level. Why is this happening? I'm guessing compliance overload is part of it. The complexities involved with keeping up with everything at the state and federal levels are enormous. This is especially true for those who manage compliance in a siloed fashion with different sets of controls, documentation and processes for each set of rules. There's also the continued lack of management support on security and compliance initiatives.
Furthermore, by and large new laws on the books don't translate into better security. We've seen that over and over with HIPAA, GLBA, PCI and others. Why would state breach notification laws be any different? An economic crisis doesn't help either.
I'm not fond of government intrusion into the open market. That said, in this context, where businesses are often sloppy and careless when handling sensitive information, something has to be done. Unfortunately, the effect that these laws have on businesses is akin to the effect a police car has on us when we're driving down the road: We see the officer and we tend to slow down and focus on obeying the law. But a moment or two after we lose sight of the officer we get back into our old ways, drifting back up to speed.
These breach notification laws are no different. Many people don't know about them, and as with the police officer scenario they just blow down the road full speed, running the risk of something bad happening. Of those who do pay attention to these state laws, many will focus on short-term tweaks of their IT operations and business processes to "comply," and then proceed forward doing nothing more to manage their information risks. Thus, the cycle continues.
The thing we have to remember is that these laws are not perfect. A Carnegie Mellon University study outlines how breach notification laws have little to no effect on identity theft. But that's still no excuse when it comes to the law and fiduciary responsibilities of business leaders. Gilbert Arland once said, "Failure to hit the bull's-eye is never the fault of the target" -- something that hits home in this situation. There's always room for improvement to do what's right, regardless of whether or not it's forced upon us.
So where do you go from here? This is no doubt a complex issue, but it's critical to get started in some fashion. The best thing you can do to get rolling is to establish a small and nimble security/compliance committee consisting of the right people. By pulling together legal counsel, IT, security, business operations and an executive or two, the team can start developing solutions for tackling state breach notification.
It's important to survey the landscape, but don't get too caught up in the particulars of each law. Instead, determine what sensitive information you have and how it's at risk. Then go to work creating a solid information security/IT governance program that works at the highest levels possible across the business. Focusing on bang for the buck rather than drowning in the details will do wonders for your compliance efforts -- and your sanity.
Kevin Beaver, CISSP, is an information security consultant and expert witness, as well as a seminar leader and keynote speaker at Atlanta-based Principle Logic LLC. With more than 20 years of experience in the industry, Beaver specializes in performing independent security assessments revolving around compliance and managing information risks. He has authored and co-authored seven books on information security, including Hacking for Dummies and Hacking Wireless Networks For Dummies (Wiley). In addition, he's the creator of the Security On Wheels information security audio books and blog providing security learning for IT professionals on the go. Beaver can be reached at firstname.lastname@example.org.