By Tim Cranny
Panoptic Security Inc.
When most people think about security, Payment Card Industry Data Security Standard (PCI DSS) compliance and breach prevention typically come to mind. But just as important, knowing what to do after a breach occurs can make or break a company. In this article, I will focus on breach notification and address the critical questions of how, when and why, as well as what to tell your customers, partners and others who might be impacted by a breach.
Breaches are an unavoidably messy issue: they involve the law, politics, psychology and customer perception, all of which can be difficult to measure or pin down. But the topic is especially timely. Recently, we've seen a series of major breaches (some of which were badly mishandled), and the White House just released a breach notification proposal to create a consistent national framework for how businesses must notify customers and others affected by a breach.
When considering a breach notification plan, it's important to understand:
Many such laws also state when you must take public action, like placing notices in newspapers and on your website. State laws typically apply to customers affected in that state, so it's likely you would have to concern yourself with individual state laws in addition to laws from your own state. The federal government is moving toward a single national notification rule, but that will take time to be constructed and implemented.
However, breaches inevitably bring a range of additional expenses, like the costs of offering victims free credit monitoring; recovery of electronic records; and dealing with the support, communication and legal issues that enter into play. Analysis of previous real-world breaches shows these additional costs are unavoidable and often end up being far greater than the explicit fines or penalties defined by legislation.
Now let's review the White House legislative proposal in a little more detail. First, in its current form (which will likely change after this publication goes to press), the proposal is light on details; many such critical details will emerge either during the drafting of the bill or even later as the Federal Trade Commission creates implementation rules.
Second, there is extensive discussion occurring among experts about whether the definition of "breach" is accurate. The proposal says that a breach is any theft, compromise or misuse of "sensitive personally identifiable information," which means any of the following:
A number of experts feel that the above definition is too narrow (and it isn't hard to think of information that you as a customer wouldn't want stolen, but which wouldn't trigger a breach notification according to the above definition).
Third, the proposal is fairly narrow in scope and would only apply to businesses with the designated types of information on 10,000 or more individuals in any 12-month period.
Fourth, the proposed law would supersede the multitude of state laws out there, giving organizations a single target to worry about.
In addition, the federal proposal describes several "safe harbor" provisions, which essentially say you escape the worst obligations of breach notification if you meet certain circumstances. The main safe harbor situation is one where the records have been encrypted and therefore cannot readily be accessed by a thief, and the company has comprehensive logging in place to track what happened and when.
In this situation, the company must still base its decision on a formal risk assessment and notify the FTC, but it is not required to send notification directly to affected customers.
Furthermore, financial institutions that have only had credit card numbers (that is, no names, etc.) exposed also have a special safe harbor. They are exempt from the consumer notification requirements as long as they have a security program that does two things:
While the details are still being worked out, every company needs to recognize that breaches are a genuine risk. How they are handled can mean the difference between life and death for businesses affected. The rules are tightening, and failure to handle the situation carefully is becoming increasingly dangerous for businesses, both legally and financially.
Dr. Tim Cranny is an internationally recognized security and compliance expert and is Chief Executive Officer of Panoptic Security Inc. (www.panopticsecurity.com). He speaks and writes frequently for the national and international press on compliance and technology issues. Contact him at tim.cranny@panopticsecurity.com or 801-599 3454.