U.S. Senators are again looking at crafting a law that creates a national standard for reporting data breaches. Referred to as the Data Security and Breach Notification Act of 2012 (S.3333), the draft bill would require businesses and government agencies to “take reasonable measures to protect and secure data in electronic form containing personal information.” The Federal Trade Commission would enforce the legislation, and fines for violating the law could reach up to $500,000 per incident.
There are currently 40 different state laws in place. This bill would override any existing state data breach legislation. Implementing a single law could simplify compliance and make for a more consistent notification process in the event of a breach.
What’s in the proposed bill?
The new bill sets several thresholds and conditions for reporting breaches.
- A breach would have to be reported only if the organization “reasonably believes [the breach] has caused or will cause identity theft or other financial harm.”
- The organization would have to notify the FBI or Secret Service if the records involved cover 10,000 or more people.
- Any organization that stored data with a third party would face similar requirements for reporting data breaches once they’d been alerted to the breach by the third party.
- Federal law enforcement agencies could request that breach notifications be delayed if the notification would interfere with an investigation.
- Notification could be delayed indefinitely for national security purposes.
How would customers be notified?
Affected customers could be notified in one of three ways: mail, phone, or email. There is a caveat: if sending a notification involved “excessive cost” or the organization did not have the customer’s contact details, the organization could instead post a “conspicuous notice” on its website or publish notifications via print or broadcast media in the affected region.
While this draft bill continues its journey to become law, it is important to know that all 50 states have breach notification laws in place—some stronger than others. In the event of a data breach, you will most likely have to make some type of public notification, placing your brand and reputation at risk.
If you don’t already have strong payment security measures in place, what are you waiting for?
TrustCommerce secure payment solutions:
- Remove all customer payment and privacy information from an organization’s site and/or servers.
- Defer your risk by storing all customer payment information within TrustCommerce’s secure data storage system.
- Leverage tokenization, at no additional cost, to replace sensitive cardholder and ACH payment data with a BillingID, so that payments can be processed and transaction reports accessed without handling the underlying card or account data.
We understand the importance of security and risk mitigation. Security and privacy elements are the foundation of all TrustCommerce applications, infrastructure, processing facilities and corporate operations. Protect your business, and your brand, with our comprehensive secure payment solutions.
- “Senators Float National Data Breach Law, Take Four,” by Mathew J. Schwartz, June 25, 2012, Information Week. http://bit.ly/KRb0KN
- Data Security and Breach Notification Act of 2012 (S.3333) draft bill: http://scr.bi/LlDNDP