The Target and Neiman Marcus breaches have raised a number of big questions in the data security sphere. Among the talk of how to ensure stronger security and defeat advanced new hacking techniques, another debate continues to pick up steam: Should the federal government regulate the data security industry?
Since the breach, several Senate lawmakers have introduced bills aimed at doing just that. One of the most noteworthy is the bill introduced by Senator Dianne Feinstein late last month. Along with three other senators, Senator Feinstein introduced the Data Security and Breach Notification Act, which would give the FTC the authority to develop a set of security standards for organizations that protect and store personal information.
Vermont Senator Patrick Leahy also introduced the Personal Data Privacy and Security Act, which would allow criminal penalties for anyone who “intentionally and willfully” conceals knowledge of a security breach. The White House also announced its intent to step in and regulate the data security sphere, recommending a “uniform federal standard” for the protection of sensitive data.
If done correctly, this could substantially benefit the data security industry. A uniform standard that lays down simple guidelines for the protection of data and for breach notification would be a huge step forward from the current confusing web of federal, state, and industry-led standards we use now. To understand this position, it helps to look at exactly what data security regulation looks like today.
In terms of data security practices, little actual legislation exists to regulate how businesses protect and store sensitive data. Only a few states have laws that regulate the storage and retrieval of personally identifiable information, including Massachusetts, California, Oregon, Nevada, and Maryland. Of the states regulating data security practices, Massachusetts has some of the toughest laws: every person or enterprise that deals with sensitive data is required to have a comprehensive security and reporting plan, to maintain extensive computer security requirements, and to encrypt all sensitive data. However, other states simply go by the reigning data security standards, the PCI-DSS. Nevada, for instance, has adopted and codified the PCI standards as state law.
Federally, no comprehensive data security standard exists. There are a number of industry-specific standards, such as HIPAA, COPPA (which protects sensitive data related to children), and the Fair Credit Reporting Act. However, the standards set by each of these laws are different, which in turn mandates different data security requirements and responses depending on the type of data being handled.
There are more comprehensive state laws for breach notification – 46 of the 50 states have laws regulating notifications and responses after detecting a breach. But again, these laws are not standardized; each state has different requirements for how and when customers must be notified after a breach. Several states, like Massachusetts and California, impose more stringent requirements than the standard PCI DSS rules. On the other hand, four states – Alabama, Kentucky, New Mexico, and South Dakota – have no laws regarding breach notification at all.
The adoption of a federal standard could solve many of the problems present in the current data security sphere. Adopting one comprehensive federal standard for all sensitive information would go a long way toward simplifying and unifying data security practices.
The biggest problem with the current system of security and notification is fragmentation: The federal and state government impose different requirements based on the type of data a company handles, such as payment card information, healthcare data, social security info, etc. However, as records are digitized and combined, many businesses find themselves handling multiple types of data at once. It’s not uncommon for a retailer to hold credit card data and PII, for instance, or for a hospital to process medical records and payment information.
Currently, these companies must handle each type of record as a separate data type, and must keep separate data security standards and breach notifications for each one. This means that companies must spend a significant amount of time and resources navigating a quagmire of federal and state regulations. These companies also incur a massive security burden through compliance obligations to different, sometimes incompatible, data security standards.
Another related problem is how the largest player in data security, the PCI Council, has set up the current data security requirements in a way that almost completely removes them from responsibility in the event of a breach. Card merchants such as MasterCard and Visa play a vast role in the setup of payment networks, but under the PCI DSS, all of the responsibility for a breach is on the retailer or bank, even if the breach occurred through a flaw in the payment network.
Finally, the current regulations for breach notification prove too easy to ignore or work around, and allow for long delays between discovery and a deadline for notification. Florida, Vermont and Wisconsin, for example, give companies 45 days to notify customers from the date of discovery. But even those states allow exceptions, such as when disclosure could hinder a police investigation.
A federal standard could go a long way toward addressing these issues. It won’t solve every problem – for instance, it likely won’t create a detailed data security standard for every use case. Companies would still need to find or design comprehensive data security solutions for their data. But a federal law would help standardize breach reporting and basic security best practices, an important first step in filling in the holes in the current patchwork of laws and standards we have now.
To learn more about our tokenization services and how they can help your business save time and money, contact one of our representatives today. You can also follow TokenEx on LinkedIn, Facebook and Twitter to get the latest industry information on tokenization, HIPAA, and data security.