Should Data Breach Notification Laws Change at the National Level?
No company likes to get hacked, so it’s understandable that so few companies are anxiously standing at the front of the line to announce that they were the victim of a cyber-attack.
In 2016, tracked data breaches in the U.S. increased by 40% year-over-year, though this may reflect not more attacks occurring but rather more brands reporting hacks in the wake of legislative pressure.
Recently, Arby’s stepped forward just a month after being alerted to an issue with its POS systems leaking credit card numbers to hackers, while it took much longer for Wendy’s to fess up to a similar attack that occurred in 2015.
Those attacks were minuscule in comparison to what Yahoo encountered on two separate occasions, affecting over a billion combined users. Concerns in the wake of the attacks have put Yahoo’s pending sale to Verizon on the backburner until Q2 at the earliest, according to recent reports.
How Should Government Regulate Cyber Security Reporting Standards?
Any day, we are expecting an executive order from the President aimed at cyber security, outlining which department heads within government agencies would be held accountable for maintaining and reporting on cyber security, while modernizing government equipment to minimize cyber security risks. While these are much needed, data breach notification laws at the national level are something we would also like to see addressed in the near future.
In Canada, where only 30% of CEOs in the country feel confident about their existing security measures, privacy laws are being updated to force companies to speak up. Australia has also agreed to new data breach notification laws recently.
Data breach notification laws in the United States are currently set at the state level; however, most breaches affect people well beyond a company’s home base. Timeliness of announcing a breach is a grey area that varies state-to-state. In Missouri, the deadline for consumer notice is “without unreasonable delay” and government notification is required if over 1,000 residents are affected. Illinois, unlike Missouri, does not require Attorney General notification, and gives a timeline of the “most expedient time possible and without unreasonable delay.”
Three states, South Dakota, New Mexico and Alabama, do not have a law on the books.
The argument for a national data breach notification law has been going on for years, with numerous bills failing to make it through Congress.
We think it’s time for data breach notification laws in both the private and public sector to go national, to hold companies more accountable and to get information more quickly and efficiently to consumers who may fall victim.